Track risk assessments from the due diligence playbook

  • Release version: Washington DC
  • Updated March 14, 2024
  As procurement specialists, use the due diligence playbook to track supplier risk assessments and complete the associated tasks.

    Before you begin

    Role required: Procurement specialist

    About this task

    When a sourcing request is added to a negotiation event in the Qualification needed state, a supplier case of type due diligence is triggered to address risk assessments. If there are duplicate requests, you can choose to close the case through the playbook. If there are no duplicates, a new due diligence is initiated through the playbook. The same Third-Party Risk Management (TPRM) record producer is used here. You are notified at each step in the TPRM workflow, such as inherent risk assessment, third-party risk assessment, and so on. You can review the risk rating after the due diligence is complete. You can then either accept or reject the risk rating and take the necessary actions based on this decision. Select Mark Complete to close the due diligence case.

    Procedure

    1. Navigate to All > Procurement Case Management > Procurement Workspace.
    2. Select the List icon and select All team work > Cases.
    3. Select the applicable procurement case from the list for further processing.
      The Playbook tab opens with the Assign case section.
    4. In the Assigned to field, select a procurement specialist to work on this case.
    5. Select Start work.
      The procurement case moves to the Work in progress state.
    6. Review the supplier details.
    7. Select Continue.
    8. Check for duplicate due diligence requests, if any.
    9. Optional: If there are existing Due Diligence Request (DDR) records with risk ratings, decide whether to cancel or use those cases.
    10. Optional: To cancel those cases, select Cancel case.
    11. Select Create new request to initiate a new risk assessment.
    12. In the Create due diligence request section, select the purpose of the request.
      The relevant third party, if available, is automatically populated.
    13. Optional: If the third party is not listed here or the information provided is incomplete, enter the following details:
      • Third-party information
      • Engagement information
      • Third-party address
      • Engagement address
      • Third-party primary contact
      • Engagement primary contact
    14. Optional: Add any relevant attachments, if required.
    15. Select Submit.
      A due diligence case is created for the supplier. The record ID of the created case is then populated in the Related DDR field under the Details tab.
    16. Wait for the risk process to start.
      At this point, the TPRM team starts onboarding the supplier associated with the created DDR.
    17. Wait for the inherent risk assessment to complete.
      Here, the assigned respondent completes and submits the inherent risk questionnaire, and the TPRM team updates the INA record and sets it to the Closed state. Details of the INA record are provided in parallel in the playbook. You receive a notification that the inherent risk assessment is now complete.
    18. Wait for the third-party risk assessments to complete.
      Here, the TPRM team starts the due diligence for the supplier associated with the created DDR. Details of the third-party risk assessments for the third party and the engagement are provided in parallel in the playbook. A notification is sent to you when both of these risk assessments are completed and in the Closed state.
    19. Review the status of the entire due diligence approval process.
      At this point, the TPRM team moves the DDR to the TPRM approved state. You receive a notification that the due diligence request has been approved by the TPRM team. The risk ratings from all the above assessments are now displayed in the playbook.
      Note:
      If the record is rejected at any point during the above TPRM activities, a notification about the rejection is sent to you and the case is moved to Closed rejected.
    20. Do one of the following:
      • Select Reject Risk Rating, notify the requester that the request has been rejected, and mark the case as Rejected.
      • Select Accept Risk Rating, notify the supplier, and mark the case as Complete.