Feature - Online Assessment Facelift (updated 24.8.2025)

We are beginning a facelift for the Online Assessment module:

1/ New UI for the Portal

The portal needs a new look and feel; it has already been designed and it will look more or less along the following lines.

NOTE: the portal is missing the score display (Current vs Max) for the case where scoring is enabled.

2a/ Questionnaires must support Multiple Choice as answers

Questionnaires must now support multiple choice answers, so the “Predefined” answers option must have an alternative, “PredefinedMultipleChoice”, which lets the user select more than one answer.

This option should disable the possibility of having:

  • Scoring (column K, L)
  • Warnings (column J)
  • Conditional Answers being Displayed (M,N)

On the index this type of answer will be displayed as a typical cell with multiple objects:

And the filter should let people choose one or more items.

2b/ Questionnaires must support Dates as answers

Questionnaires must have an option to add “Date”; the date provided by the recipient of the OA can be any time (present, past or future). When Date is selected as a possible answer the following columns are not applicable: I, J, K, L

3c/ CSV import language is really bad

The CSV import file is a disaster; the language is terrible and it needs to be re-written completely.

3/ Manage Questionnaires from Web UI not just CSV

We miss a way to edit questionnaires using the UI. This requires a proper UI implementation so that whatever you do in CSVs can be done on the web interface, in particular the conditionals (if the answer is this, then show or hide that question).

4/ Recipients by Email address not eramba Accounts

We need to let people create OAs without the need to access Settings / User Management; this will simplify the submission of these questionnaires.

  • Do you want Authenticated OAs?
    • Yes: then you need an account created in Settings / User Management that has a password, no way around this.
      • NOTE: this dropdown needs to exclude “Disabled” accounts and only shows accounts where at least the OA portal is enabled. We do not need to show groups here.
    • No, recipients to this OA access it using URLs. In this situation admin can select user accounts (same logic as above) or define recipients by specifying users with the following fields: Name, Surname, Email (up to 3 recipients)
      • NOTE: When admin saves the OA, eramba will automatically create an account for each specified user on User Management settings module with the following attributes:
        • Portal: OA
        • Group: No Access
        • API: Disabled
        • Password: Blank (we need to make sure the person can not reset password nor specify a password)
        • Disabled: Yes (Logins only)
      • NOTE:
        • accounts could be repeated
        • the user might change these accounts by editing the OA

This setup should keep all operational in terms of notifications and access permissions.

Link: https://www.figma.com/board/uzNtraRJltXsAUgklEFOgw/Functionalities?node-id=180-2204

5/ Update OA form to simplify things a bit

The form needs to change a little bit: we don’t need a description for the portal, and the options to download things must be unified as one option, “OA Report”, which is a PDF file that includes:

  • OA title and unique ID
  • OA Recipients (Name, Surname, Email)
  • Date it was started, date it was submitted
  • Score and Max Score
  • the questions, answers (who* answered and when)
  • attachments (as file name)/comments

NOTE: we need a new UX for this report, this UX we create should be compatible with our current reporting widgets.

NOTE: * if it is an authenticated OA you have this information; if it is not an authenticated OA then you leave it empty and simply put the date.

5b/ OA Phases include a “Reviewed” flag

The idea is that we will include a mandatory reviewed phase; this means that when an OA is submitted there will be a button shown called “Review”.

The button is shown at all times, no matter if the OA is submitted or not (you might review questions as the recipient answers them).

This button should take the admin to the OA portal, where we clearly indicate that this version of the portal is the “Reviewer” version (only the user/group members defined as Assessor can access it) and where we show clearly which questions have been reviewed and which ones have not; a checkbox of sorts is used to manage this.

When a question is “Reviewed” it should be “Locked”, so the “Recipient” can no longer make modifications. If the checkbox is unticked, the question becomes editable. We need to rename the “Locked” statistic to “Reviewed” or “Missing Review”.

On the “Feedback” tab, we will need to rename these fields as well.

When all questions have the “Review” flag, we show the status “Reviewed”. This is a database flag that tracks the date when it was done (this is used on the Third Party module). The status “Missing Review” shows when the OA has at least one question not reviewed.

The portal should also allow you to create a “Finding” (finding tab), ideally we open the same modal we have for Findings with the fields: Online Assessment and Associated Questions pre-completed.

6/ Third Party Should have On-boarding Stages

When we create a Third Party, we should have an Onboarding Phase dropdown with, for the time being (this will later on be adjusted by the user with some form of setting), the following options: On-boarding, Active, Off-boarding, Inactive

The reason for this is to be able to know in which phase of the onboarding process the supplier is. We can make a nice chart with this information.

6b/ Third Party should have a Risk Level

We will also include pre-defined Risk Levels for the supplier; these will be “Unknown, Low, Medium, High”. The user will again be able to adjust these settings to whatever they want, later on, with some form of settings.

This will also let us create reports in a nicer way. Automation rules can later on adjust this field based on the risk score of risks on the Third party module.

6c/ GRC Contact missing

We have the Third Party contact; it is not clear if this is someone from the supplier side or their representative or contact in our organisation. We want this to be the latter option.

We still miss a GRC contact here, to be consistent with all modules in the system (we always have two roles).

7a/ Third Parties should have (optionally) “Assets” linked (DISCARDED IDEA)

Today assets and third parties are linked on the Risk module; it's a mandatory field:

The proposal here is to link Third Parties to Assets for the following reasons:

  • this will work later on as “Suggestions” when you create a third party risk (the asset field above could be pre-completed)
  • on the Data Flow module (when you create a flow for an asset, there is an optional third party field)
  • we could let someone on the OA module create a risk automatically: the title of the risk could come out of the question, the GRC owner could be the assessor, the risk owner the third party owner, the third party could be linked on the OA, and the assets would come from the third party.

x/ how can you do vendor assessments in eramba?

  1. create the TP, set it as on-boarding
  2. Create an OA and link the TP; at the OA set the recipient to be the Third Party contact
    1. here it would be nice to have the contact resolved by taking contacts from the Third Party
  3. Run the OA, complete the review of the OA
  4. The third Party shows as “reviewed”
    1. complete the risk level
    2. set the status of “active”
    3. if findings were identified you have a status on the third party?

y/ how can we regularly review third parties?

  1. here we miss the “Review” approach we have with Risks, Assets, etc
  2. when a review deadline is due, what happens?
    1. someone manually completes the review record saying “we did the review, it is all good”? That review record could also include an OA as reference (optionally)
    2. that OA would have to be created asynchronously though
  3. in that way you have a field which is “Latest Review on this Third Party”

z/ how do I keep track of my suppliers' certifications, etc?

  1. use custom fields… everyone has a different opinion on what to track for each supplier

references:
https://eramba.zendesk.com/agent/tickets/30934
https://eramba.zendesk.com/agent/tickets/26884
https://eramba.zendesk.com/agent/tickets/22640
https://eramba.zendesk.com/agent/tickets/21371
https://eramba.zendesk.com/agent/tickets/17087
https://eramba.zendesk.com/agent/tickets/30765
https://eramba.zendesk.com/agent/tickets/30818
https://eramba.zendesk.com/agent/tickets/26089
https://eramba.zendesk.com/agent/tickets/18914
https://discussions.eramba.org/t/feature-select-multiple-answers-in-online-assessments/1168
https://discussions.eramba.org/t/question-how-to-create-multiple-select-drop-downs-on-questionnaires/3340

Looking great! Is there an opportunity here to add attachments to unauthenticated vendor assessments as suggested in Feature - Attachment Question Type on Online Assessments - Forum - Software - eramba?

Yes, this was already implemented in 3.26.4

Look nice and clean.

It would be valuable to have a feature that allows editing a questionnaire and assigning it to a cloned assessment, while preserving the responses already provided in the previous questionnaire version.

We currently use an on-premises version, but we would like to use the vendor assessment feature. We would like to host the online assessment module under a different URL to make this part only available on the internet. Is this planned?

I had the same need and addressed it by creating the following on the WAF. Feel free to use or adapt it:

Set the action on the below rule to Allow.
Below it, create a rule that explicitly allows requests from your trusted sources.
Finally, configure a catch-all rule with action Deny to block everything else.

Note: This rule will allow both authenticated and unauthenticated submissions.

##############WAF RULE:

(http.host eq "your eramba fqdn" and
(
http.request.uri wildcard r"/login?portal=vendor-assessments*" or
http.request.uri wildcard r"/system-api/login?portal=vendor-assessments*" or
http.request.uri wildcard r"/portal/vendor-assessments/*" or
http.request.uri eq "/favicon.png" or
http.request.uri eq "/favicon.ico" or
http.request.uri eq "/settings/get-logo/white" or
http.request.uri wildcard r"/js/jquery-upgrade/*" or
http.request.uri wildcard r"/limitless_theme/*" or
http.request.uri wildcard r"/css/*" or
http.request.uri wildcard r"/js/*" or
http.request.uri wildcard r"/vue_assets/*" or
http.request.uri wildcard r"/system-api/users/change-translation" or
http.request.uri wildcard r"/img/auth/vendor_assessments.png" or
http.request.uri wildcard r"/settings/get-logo/login" or
http.request.uri wildcard r"/img/_components/*" or
http.request.uri wildcard r"/locales/*" or
http.request.uri wildcard r"/setup?portal=vendor-assessments" or
http.request.uri wildcard r"/img/auth/enterprise.png" or
http.request.uri wildcard r"/setup" or
http.request.uri wildcard r"/system-api/users/seed-filters" or
http.request.uri wildcard r"/system-api/users/info" or
http.request.uri wildcard r"/system-api/users/set-admin" or
http.request.uri wildcard r"/img/logos/logo.svg" or
http.request.uri wildcard r"/img/setup/avatar.svg"
))
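The matching semantics behind a rule like the one above are easy to get wrong, so here is an added example (not code from the thread or from eramba) that models the three-rule ordering the reply describes, portal paths allowed, then trusted sources, then a catch-all deny, over constructed requests. It assumes Cloudflare-style `wildcard` semantics (whole-value, case-insensitive, `*` the only special character) and uses a hypothetical host name and RFC 5737 addresses.

```python
import re

def wildcard(pattern: str, value: str) -> bool:
    """Whole-value, case-insensitive match where only '*' is special.
    Assumed Cloudflare 'wildcard' semantics; re.escape keeps '?' literal,
    which matters for patterns such as '/login?portal=...' (fnmatch would
    treat '?' as a single-character wildcard and silently widen the rule)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

# Subset of the portal allowlist from the thread. 'eq' entries are exact.
# The '/css/' entry without a trailing '*' is kept deliberately to show that
# it matches the bare directory only, not the files under it.
PORTAL_ALLOW = [
    ("wildcard", "/login?portal=vendor-assessments*"),
    ("wildcard", "/portal/vendor-assessments/*"),
    ("wildcard", "/css/*"),
    ("wildcard", "/css/"),
    ("eq", "/favicon.ico"),
]
TRUSTED_SOURCES = {"203.0.113.10"}   # constructed address (RFC 5737)
ERAMBA_FQDN = "eramba.example.test"  # hypothetical host name

def rule_matches(kind: str, pattern: str, uri: str) -> bool:
    return uri == pattern if kind == "eq" else wildcard(pattern, uri)

def matched_patterns(uri: str) -> list:
    """Which allowlist entries a given request URI satisfies."""
    return [p for k, p in PORTAL_ALLOW if rule_matches(k, p, uri)]

def decide(host: str, uri: str, src_ip: str) -> str:
    """Rule 1: portal paths on the eramba host -> Allow.
    Rule 2: requests from trusted sources -> Allow.
    Rule 3: everything else -> Deny (default-deny keeps the rest of the
    application off the internet even if a path is not listed)."""
    if host.lower() == ERAMBA_FQDN and matched_patterns(uri):
        return "Allow"
    if src_ip in TRUSTED_SOURCES:
        return "Allow"
    return "Deny"

if __name__ == "__main__":
    for req in [("eramba.example.test", "/portal/vendor-assessments/abc", "198.51.100.7"),
                ("eramba.example.test", "/risks", "198.51.100.7"),
                ("eramba.example.test", "/risks", "203.0.113.10")]:
        print(req, "->", decide(*req))
```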

URLs and URIs are very complicated to handle, so it is best if you do this, as the other forum member mentioned, using your reverse proxy, app firewall or whatever it is that you have in front of your web applications.

Careful here, these URLs change the minute we change classes in the code!