Calculating Vendor Risk Rating on a single questionnaire

andrewgreen
Giga Expert

In our Vendor Risk Management application we have an Assessment Template that contains multiple questionnaire templates and document request templates.  We are trying to only score 1 of the questionnaire templates as part of the Assessment record Risk Rating value.  Does anyone have ideas on how this can easily be done?

Example:

Assessment Template contains a SIG Lite questionnaire and a Business Information questionnaire.  There are no right/wrong answers on the Business Information questionnaire, so none of those questions or the questionnaire itself should be used in factoring the Assessment Risk Rating.

 

I have set all questions on the Business Information questionnaire to NOT be scored, and have removed all 'weights' associated with those questions, but it is still being factored into the Assessment Risk Rating?

This would apply for Document Request Templates as well.  The system is taking those into account when scoring the Assessment Risk Rating, and we would like to remove that?

Thoughts?

1 ACCEPTED SOLUTION

Thomas_J_C
Mega Expert

No problem!

I did find a current workaround to this issue which I'll include with screenshots in this answer. 

Essentially, since the document request risk rating is scored regardless, what I've done for my organization is to amend the business rule "Calculate document request risk rating" so when a document request is submitted, it automatically scales to the lowest possible risk rating value (ours is Low).

Step 1: Locate Business Rule

Step 2: Create an additional OR "Filter Condition" statement. (This filter condition OR statement ensures that if a vendor does not have documentation/attachment to an answer and they submit the document request template, the business rule will still run.)

-"Responses received" indicates vendor has submitted assessment 

Step 3: On the "Actions" tab, create a 'Set field values' statement

I have set my document request risk rating to the LOWEST possible choice value on the risk rating scale (Low). It isn't perfect; however, it is better than a skewed "Critical" or "High" every time a vendor submits one.

This statement essentially sets the risk rating of any document request to the lowest value once it is submitted.

 

Step 4: Comment out "Advanced" script (DO NOT DELETE)

Coming from a developer background: do not delete OOB scripts; rather, comment them out so they do not run.

If these steps are taken, any document requests, once submitted by the vendor, should revert to the lowest score regardless of what the vendor responses are.

It works fine with applicable questionnaires and does not skew the results.

-Thomas

9 REPLIES

Jan Spurlin
ServiceNow Employee

Have you tried to adjust the weights of the questions?  I have not tried to set something to zero, but I think you could.

Also, I have noticed that rating values appear on list views even when the Question is not scored.  I haven't tested it, but I don't think these are included in the Vendor Risk Assessment calculation.

Also, after you make these adjustments - they won't impact any questionnaires that were created previously. You will have to start with a newly generated Vendor Risk Assessment.

Does any of this help?

Jan,

Yes, I have set all weights to 0 for each of the questions.  Still calculating in the Risk Rating.

Any other ideas?

Thanks!

DoJo
Tera Contributor

Hi Jan, I'm trying to set up a Questionnaire Template, and if the answer is correct there are points given (either 5, 1, or 3). If any choice other than the correct choice is selected, we want 0 points for the answer. Is there an easy way to do this in the Questionnaire Template? I am trying to implement the CMMC (Cybersecurity Maturity Model Certification) in a questionnaire. They give points for Fully Implemented, but we want to give 0 points if the answer is planned implementation or not implemented.

 

Thomas_J_C
Mega Expert

I too am having issues with this. I do not want my doc requests template to be scored either and it is causing issues. Found the source of the issues and unfortunately, the metric calculations are hard-coded within the protected script include. I've attached a screenshot of the source of the issue. 

It is concerning because of audit reasons for the vendor manager to change risk scores and answers from vendors. 
