We are beginning a facelift for the Online Assessment module:
Phase One Changes (completed)
New UI for the Portal
The portal needs a new look and feel; it has already been designed and will look more or less along the following lines.
NOTE: the portal is missing the score display (Current vs Max) for the case where scoring is enabled.
Questionnaires must support Multiple Choice as answers
Questionnaires must now support multiple choice answers, so the “Predefined” answers option must have an alternative, “PredefinedMultipleChoice”, which lets the user select more than one answer.
This option should disable the possibility of having:
- Scoring (column K, L)
- Warnings (column J)
- Conditional Answers being Displayed (M,N)
On the index, this type of answer will be displayed as a typical cell with multiple objects:
And the filter should let people choose one or more items.
Questionnaires must support Dates as answers
Questionnaires must have an option to add “Date”; the date provided by the recipient of the OA can be any time (present, past or future). When date is selected as a possible answer, the following columns are not applicable: I, J, K, L
In the old implementation, users had the option to provide both answer types — open and select. Now, we are introducing two new answer types: multiselect and date. Will it still be possible to combine different types of answers (e.g., multiselect and open answer)? How would this be defined in the CSV — multiselect|open|date?
>> good question, today we have the following options (column G): PredefinedAnswers, OpenAnswer, Both.
>> the new option is “PredefinedMultipleChoice”; it makes sense that we give users the option to use this in combination with open answers, so we need PredefinedMultipleChoiceAndOpen to allow both options.
>> to be consistent, we need to change “Both” to “PredefinedAnswersAndOpen”
>> date for the time being will be left alone, without the option to combine them with open answers.
Will we sum the answers from a multiselect, or will this not be possible with multiselect?
>> it is very complicated, we leave it as explained in section 2a from this post.
CSV import language is really bad
The CSV import file is a disaster; the language is terrible and needs to be rewritten completely.
Manage Questionnaires from Web UI not just CSV
We are missing a way to edit questionnaires using the UI. This requires a proper UI implementation so that whatever you do in CSVs can be done on the web interface, in particular the conditionals (if the answer is this, then show or hide that question).
What if we implement it in the same way as compliance analysis? That is, you upload a questionnaire, and in the questions index, views are automatically created with questionnaires (similar to compliance packages and compliance analysis). Would it also be possible to filter and sort in the question index (currently this is not possible)?
as discussed we need to simplify the ux as much as possible because one must assume the user might upload an outrageous number of questions. this suggestion works well, every row must be of course editable and the form we load must be “very friendly” in order to support the logic of field types, etc.
Phase Two Changes
Closer link in between Third Parties with OAs
Here we want to tie Third Parties with OAs in a way that is easier for the administrator to assess suppliers.
There are many issues with this to be clarified:
- FIX-003 — Criteria for publishing a Third Party (transition from Draft to Published) is not clearly defined.
- FIX-005 — Entry point for creating an Online Assessment is unclear and likely incorrect; it should probably start from the Third Party context instead of the OA module.
- FIX-007 — Supplier rating or risk scoring ownership is unclear (where it lives, who owns it, and how it is calculated).
- FIX-008 — Non-portal (internal) validation and publish path is not clearly defined if the portal is not used.
- FIX-009 — Behaviour when a review timer triggers and the Third Party reverts to Draft is unclear (what data becomes invalid, what actions are blocked, what must be redone).
Third Party / OA Access
Today we allow OA submissions using two different mechanisms; both require one or more eramba user accounts:
- Magic Link (no timeouts; works or not depending on whether the OA is started or stopped)
- Eramba Authentication (Settings/Authentication/*)
In both scenarios we require a user account, mostly because of notifications: the account holds the email address we need to reach. We need to simplify the creation of accounts for the OA portal so anyone with the right permissions can manage them (CRUD). This is crucial for this to work.
Related post: Feature - Access Management Updates
Third Party Validation Portal
We need to let the administrator (optionally) validate the third party details using a public portal. The key features for this portal are:
General Concept:
- A public portal is used for the Third Party to validate its details (we leverage the OA portal)
- The portal loads fields from the Third Party form (user defines which ones) and when saved, the Third Party item gets updated
- Access to the portal is through a magic link that has a timeout (setting) and can be revoked at any time
Process:
- Optional - adjust fields on the Third Party module
- Create a Third Party, define one or more “Third Party Contacts” with eramba accounts that include the email
- Enable the OA portal, define the following settings:
  - magic link timeout in days
  - default notification to use for recipients invite
  - default notification to use for recipient submission of portal
  - default notification to use if a link is revoked
  - default notification to use if a link is expired
- Third Party items now have magic link button enabled
- Admin clicks on the button and emails go out, we log this on the Activity Log
- You can re-send this as many times as you want (there can only be one active link at a time)
- Dynamic status triggers for this item (Supplier Portal Enabled)
- At this stage, only the following fields can be edited (the rest are disabled because they are the ones to be completed on the portal): GRC Contact, Third Party Contact, Type, Potential Liabilities, Business Units, Processes
- Email is sent (based on settings)
- Once sent, the button renames to “Revoke Supplier Portal Access” in case the admin wants to disable the active link (there can only be one active link at a time). This triggers a log on the “Activity Log”. If the link is revoked fields are editable.
- The supplier goes to the portal and completes the fields.
- The portal displays the “Add” form as it is defined by the user with the following exceptions:
  - The following fields: GRC Contact, Third Party Contact, Type, Potential Liabilities, Business Units, Processes
  - Any custom field that links to another module (remember we allow this type of customisation now)
- Supplier submits (this updates the activity log), the link becomes disabled so no further updates are possible. The form is fully editable now.
- Email is sent (based on settings)
Status (they all must trigger a record on the activity log):
- New Item (this is actually when the item is created by admin)
- Invite Sent (the admin clicks on send token; this only happens if settings are defined)
- Revoked (admin triggered)
- Submitted (supplier responded)
- Expired (automatically based on settings)
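The link lifecycle described in the process and status lists above, sketched as an added example (not eramba code). The class and method names are hypothetical, and storing only a SHA-256 hash of the token is an assumption of this sketch rather than something the post specifies.

```python
import hashlib
import secrets
from datetime import timedelta

class PortalLink:
    """Hypothetical model of the magic-link lifecycle for one Third Party item."""

    def __init__(self, timeout_days):
        self.timeout = timedelta(days=timeout_days)  # "magic link timeout in days"
        self.active = None         # (sha256 of token, expiry) or None
        self.status = "New Item"
        self.activity_log = []     # every status change is recorded

    def _set(self, status, now):
        self.status = status
        self.activity_log.append((now.isoformat(), status))

    def send_invite(self, now):
        # Re-sending overwrites the previous link: only one is ever active.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.active = (digest, now + self.timeout)
        self._set("Invite Sent", now)
        return token               # e-mailed to the contact; only the hash is kept

    def revoke(self, now):
        if self.active:
            self.active = None
            self._set("Revoked", now)

    def expire_if_due(self, now):
        # Assumption: called by a scheduled job as well as on every portal hit.
        if self.active and now >= self.active[1]:
            self.active = None
            self._set("Expired", now)

    def submit(self, token, now):
        self.expire_if_due(now)
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not self.active or not secrets.compare_digest(presented, self.active[0]):
            return False
        self.active = None         # link is disabled once the supplier submits
        self._set("Submitted", now)
        return True

    def portal_fields_locked(self):
        # Admin cannot edit portal-owned fields while a link is outstanding.
        return self.active is not None
```

A token from an earlier invite stops working as soon as a new invite is sent, because the stored hash is replaced rather than appended.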
Status and fields:
Third Party Risk Matrix
We need to somehow risk-assess a third party:
- User defines a Risk Matrix on the Third Party risk module (which is the same across other Risk modules)
- Under settings on the third party module, the user defines:
  - risk levels: name+description+colour (one variable)
  - if the risk classification:
    - is mandatory for all third parties
    - is optional for third parties
  - how often this review must be performed:
    - at regular intervals: monthly, yearly, quarterly (number plus period)
    - pre-defined by the user on every review cycle
- when risk settings are configured you trigger automatically
  - missing risk settings (if mandatory and is missing)
- from now on, if risk settings are enabled, every third party has a tab where the user can choose if the risk is:
  - unknown (this creates a dynamic status: “risk unknown”)
  - some defined scale from their settings
Third Party Risk Reviews
In a world where reviews work as a timer that triggers events, the following options come to mind:
- the third party is moved to “draft” (this is only possible if workflows are enabled)
- the third party risk classification is set to unknown, this instead triggers a dynamic status
- the review triggers a dynamic status “risk expired” and that triggers a notification
Third Party Assessments (OA)
At this stage the supplier is created, validated and perhaps risk rated. The process now moves into an optional stage of sending online assessments to suppliers. The objective is to send questions, receive answers and update (manually or automatically) the associated Third Party fields (risk rating or whatever custom field the user has defined). A completed OA includes a “Review date” and “Review notes” which when linked to a Third Party could:
- Trigger an additional modal for “Risk Rate this Third Party” and push that update to the Third Party from the OA module.
- If you have workflows enabled, this could trigger a change on the third party to draft where the approval process must begin.