Classic assessment configuration
The TPR manager and TPR admin roles involve a broad variety of responsibilities. After the TPRM base system is set up, you configure additional settings that enable and enhance everyday risk-assessment tasks.
Assessment setup overview
By performing the tasks in the Assessment setup checklist for TPRM, you’re setting up and configuring the TPRM application to address your unique requirements for scoring and assessing risk for third parties, engagements, and other entities using the classic assessment engine.
For any custom messages you create, it is your responsibility to generate the corresponding sys_ui_message records. This step is crucial if you want the custom messages to be extracted and translated.
Assessment setup checklist for TPRM
| Task | Description |
|---|---|
| Set up risk rating scales for scoring assessments and questionnaires. | You can configure the risk rating scale that is selected by default for all questionnaires. For more information, see Set up risk rating scales for scoring.Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager |
| Set up third-party risk domains or areas. | You can configure the scoring method and weight that is selected by default for all third parties associated with a specific risk area. For more information, see Define a third-party risk domain.Role required: sn_vdr_risk_asmt.vendor_risk_manager |
| Set up third-party risk area criteria, which are the group of risk domains or areas that apply to a type of third party. | You can adjust the weight and scoring method of each risk area within a criteria definition. For more information, see Define third-party risk area criteria.Role required: sn_vdr_risk_asmt.vendor_risk_manager |
| Set up third party and engagement component criteria. |
Components are entities that can be assessed for risk. Component criteria are groups of components that are related to a particular type of third party or engagement. You can’t add new components or modify existing ones. You can, however, define the criteria (in terms of scoring method and weight) to be used to assess the components. You can update the Default scoring method to specify how multiple scores for each risk area are calculated. You can use the Default weight to adjust the weight of third-party provider scores in the third party's overall risk rating. The following component classifications are available.
For more information on setting up component criteria, see Define component criteria. For more information on how engagement components impact third-party elements, see Monitoring third-party elements. Role required: sn_vdr_risk_asmt.vendor_risk_manager |
| Set up third-party and engagement risk scoring rules. | Define the criteria, based on risk scores, that determine which third parties or engagements require assessments. Third-party risk scoring rules apply to subsidiaries, engagements, and third-party risk areas. Engagement risk scoring rules only apply to engagements. For more information, see Define third-party risk scoring rules and Define engagement risk scoring rules.Role required: sn_vdr_risk_asmt.vendor_risk_manager |
| Create questionnaire or document request templates. | You can reuse questionnaire templates and document-request templates to streamline the creation of new questionnaires and document requests. The following template classifications are available.
Role required: admin or sn_vdr_risk_asmt.vendor_risk_admin |
| Import questionnaires using an excel spreadsheet. | This task is optional. After preparing your excel spreadsheet, you can import your data and then create questionnaires automatically from templates. For more information, see Import a questionnaire from a spreadsheet.Role required: sn_vdr_risk_asmt.vendor_risk_manager |
| Set up a metric category (question bank), which is a group of questions related to a type of an assessment. | Add questions to a question bank so that you can reuse sets of questions in a questionnaire template. You can add new questions and questions from existing questionnaires. For more information, see Set up and maintain a question bank.Role required: admin or sn_vdr_risk_asmt.vendor_risk_admin |
| Create questions to meet your assessment requirements. | You can create custom questions, add existing questions, or add and customize the sample questions that are included with the base system. For more information, see Define a question.Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager |
| Set up option to use normalized values for scoring. | You can use the Maximum normalization input setting to use normalized values to calculate assessment scores for Choice or Multiple Selection questions with the scored check box not selected. Normalization of values can help ensure consistent comparisons across different entities. For more information on how this setting impacts scoring, see Normalize the scores for metrics.Note: This option is available under the question type tab of an assessment metric (question) record. For more information on setting up questions, see Define a question. Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager |
| Create assessment templates for external questionnaires. | You can create an assessment template with set duration requirements and questionnaires attached by default to help streamline the assessment process for different types of third parties and engagements. For more information, see Create an external assessment template.Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager |
| Create issue generation rules. | This task is optional. Set up rules that auto-generate issues for external assessments. Specify a Third-party risk assessment, a Questionnaire template, and the Questions to apply the rule to, as well as an Issue template and a Task template to use while generating it. For more information on setting up these rules, see Create an issue generation rule.Role required: admin or sn_vdr_risk_asmt.vendor_risk_admin |
| Schedule recurring assessments. | This task is optional. Recurring assessments can be scheduled for third parties or engagements. You can use an assessment template you created or manually attach questionnaire and document requests as needed. For more information, see Configure a risk assessment to recur on a schedule.Role required: sn_vdr_risk_asmt.vendor_assessor |
| Set up an internal questionnaire's responses to automatically attach questionnaires to external assessments that are based on the responses, the calculated risk tier, or both. | This task is optional. For more information, see Set up internal questionnaire responses to automatically attach external questionnaires to assessments. Role required: admin or sn_vdr_risk_asmt.vendor_risk_admin |
| Set up event-driven management rules. | This task is optional. Set up rules that auto-generate and send questionnaires and doc requests to engagements and third parties. For engagements and third parties that meet the criteria you define, you specify the schedule and the assessment templates. You can automate all request types except onboarding. For more information on setting up these rules, see Event-driven management — automate assessment processes.Role required: sn_vdr_risk_asmt.vendor_risk_manager |
| Verify risk ratings and scoring calculations. | This task is optional. Review scores and risk ratings in your questionnaires and help ensure the accuracy and consistency of risk scoring by verifying the correct application of weights, normalized values, scoring methods, and risk rating scales. For more information, see Verifying scoring calculations using the classic assessment engine. |
For more information on calculations for risk ratings and scoring, see Scoring calculations using the classic assessment engine.
For more information on assessment and score-related automation, see Set up internal questionnaire responses to automatically attach external questionnaires to assessments, Assessing your third-party risk, Event-driven management — automate assessment processes, and Automate actions upon risk intelligence updates.