Smart assessment configuration
The TPR manager and TPR admin roles involve a broad variety of responsibilities. After the TPRM base system is set up, you configure settings specific to the Smart Assessment Engine (SAE) as well as other assessment settings that enable and enhance everyday risk-assessment tasks. TPRM admins can enable SAE and work with SAE templates.
Assessment setup overview
By performing the tasks in the Assessment setup checklist for TPRM, you’re setting up and configuring the TPRM application to address your unique requirements for scoring and assessing risk for third parties, engagements, and other entities using the Smart Assessment Engine for TPRM assessments.
For any custom messages you create, it is your responsibility to generate the corresponding sys_ui_message records. This step is crucial if you want the custom messages to be extracted and translated.
Assessment setup checklist for Smart Assessment Engine integration with TPRM
| Task | Description |
|---|---|
| Set Smart Assessment Engine enabled [sn_vdr_risk_asmt.sae_enabled] property. | After setting this property, SAE becomes the default assessment engine and replaces the legacy experience. Warning: After this option is enabled, this selection can’t be reversed. For more information, see Configure TPRM properties and Migrating from Classic Assessment Engine to Smart Assessment Engine. Role required: sn_vdr_risk_asmt.vendor_risk_admin |
| Migrate questionnaire templates. | This task is optional. You can migrate existing questionnaire or document request templates to an SAE template. Note: If you’re setting up assessments for TPRM for the first time, you don’t need to complete this task. For more information, see Migrating from Classic Assessment Engine to Smart Assessment Engine, Migrate a template to an SAE template, Results of migrating a template to a TPRM SAE template, and How legacy metric types are migrated to sections in templates. Role required: sn_vdr_risk_asmt.vendor_risk_admin |
| Update assessment templates and issue generation rules. | This task is optional. Add published SAE questionnaire templates to all related assessment templates and Issue generation rules. For more information, see Create an external assessment template and Create an issue generation rule. Note: If assessment templates aren’t updated to be compatible with SAE templates, tier-based, provider-based, issue generation, and event-driven management rules won’t run as expected. Role required: sn_vdr_risk_asmt.vendor_risk_admin |
| Create post assessment impact automation rules. | This task is optional. Configure automation rules that trigger impact actions after an assessment is completed. These rules can initiate workflows such as risk mitigation, notifications, or updates to related records based on assessment outcomes. Plugin Dependency: Smart Assessment Post-assessment Actions (com.sn_impact_fwk and com.sn_smart_imp_auto). Access vendor risk assessment configurations, including automation rule setup and impact framework integration. Rules are asynchronous and can be tailored to specific assessment types or risk thresholds. Role required: sn_vdr_risk_asmt.vendor_risk_admin |
| Create response automation rules. | This task is optional. Enable automatic responses for assessments based on predefined conditions. For example, if a vendor scores below a certain threshold, the system can auto-generate follow-up actions or flag the record for review. Plugin Dependency: Smart Response Automation (com.sn_smart_resp_auto) Configure response logic and manage automation settings within the Smart Assessment Engine. Rules can be configured using templates and conditions based on scoring, risk levels, or assessment responses. Role required: sn_vdr_risk_asmt.vendor_risk_admin |
| Set up risk rating scales for scoring assessments and questionnaires. | This task is required for the initial setup of TPRM. You can configure the risk rating scale that is selected by default for all questionnaires. For more information, see Set up risk rating scales for scoring. Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager |
| Set up third-party risk domains or areas. | This task is required for the initial setup of TPRM. You can configure the scoring method and weight that is selected by default for all third parties associated with a specific risk area. For more information, see Define a third-party risk domain. Role required: sn_vdr_risk_asmt.vendor_risk_manager |
| Set up third-party risk area criteria, which are the group of risk domains or areas that apply to a type of third party. | This task is required for the initial setup of TPRM. You can adjust the weight and scoring method of each risk area within a criteria definition. For more information, see Define third-party risk area criteria. Role required: sn_vdr_risk_asmt.vendor_risk_manager |
| Set up third party and engagement component criteria. | This task is required for the initial setup of TPRM. Components are entities that can be assessed for risk. Component criteria are groups of components that are related to a particular type of third party or engagement. You can’t add new components or modify existing ones. You can, however, define the criteria (in terms of scoring method and weight) to be used to assess the components. You can update the Default scoring method to specify how multiple scores for each risk area are calculated. You can use the Default weight to adjust the weight of third-party provider scores in the third party's overall risk rating. The following component classifications are available. For more information on setting up component criteria, see Define component criteria. For more information on how engagement components impact third-party elements, see Monitoring third-party elements. Role required: sn_vdr_risk_asmt.vendor_risk_manager |
| Set up third-party and engagement risk scoring rules. | This task is required for the initial setup of TPRM. Define the criteria, based on risk scores, that determine which third parties or engagements require assessments. Third-party risk scoring rules apply to subsidiaries, engagements, and third-party risk areas. Engagement risk scoring rules only apply to engagements. For more information, see Define third-party risk scoring rules and Define engagement risk scoring rules. Role required: sn_vdr_risk_asmt.vendor_risk_manager |
| Create questionnaire or document request templates. | This task is required for the initial setup of TPRM. You can reuse questionnaire templates and document-request templates to streamline the creation of new questionnaires and document requests. The following template purposes (classifications) are available. Role required: sn_vdr_risk_asmt.vendor_risk_admin |
| Create assessment templates for external questionnaires. | This task is required for the initial setup of TPRM. You can create an assessment template with set duration requirements and questionnaires attached by default to help streamline the assessment process for different types of third parties and engagements. For more information, see Create an external assessment template. Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager |
| Create issue generation rules. | This task is optional. Set up rules that auto-generate issues for external assessments. Specify a Third-party risk assessment, a Questionnaire template, and the Questions to apply the rule to, as well as an Issue template and a Task template to use while generating it. For more information on setting up these rules, see Create an issue generation rule. Role required: admin or sn_vdr_risk_asmt.vendor_risk_admin |
| Set up event-driven management rules. | This task is optional. Set up rules that auto-generate and send questionnaires and doc requests to engagements and third parties. For engagements and third parties that meet the criteria you define, you specify the schedule and the assessment templates. You can automate all request types except onboarding. For more information on setting up these rules, see Event-driven management — automate assessment processes. Note: The Event-driven management rules feature is the default option for scheduling assessments and replaces Recurring assessments. Role required: sn_vdr_risk_asmt.vendor_risk_manager |
| Set up scoring for questionnaires. | This task is required for the initial setup of TPRM. You can configure how questionnaires and document requests are scored. For more information, see Configure scoring for an assessment, Normalization in assessment, and Configure normalization in assessment. Role required: sn_vdr_risk_asmt.vendor_risk_admin |
| Set up Unified Content Management. | This task is optional. Install the Unified Content Management application. If you have the TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] role, you can access and update Smart Assessment Engine templates from the Unified Content Management page in the Vendor Management Workspace. The UCM application serves as a starter template library, providing ready-to-use SAE templates for TPRM assessments, including SIG Full, SIG Core, and SIG Lite templates for 2026. You can view available templates, and activate or update template versions for use in TPRM assessments. For more information, see Managing TPRM SAE templates with Unified Content Management, Activate or update Smart Assessment templates, and Using the SIG questionnaire for a risk assessment. Role required: sn_vdr_risk_asmt.vendor_risk_admin |