When managing third-party risk there is a need to determine the risk profile of that supplier and highlight where the third-party is either not in an acceptable state or is trending negatively.  Many solutions will offer that information through dashboards, reporting, and alerts.  However, the limitation of that approach is that it requires a savvy business user to check this information and make an individual determination of what to do with that information depending on the context which is challenging to proactively enforce to the corporate risk policy.

"Risk Aware decisions" is a label for embedding the risk knowledge naturally into the source to pay decision process.  For example, when selecting which suppliers should be included into a RFx, the solution can naturally look at the risk profile of suppliers and exclude those suppliers that do not meet the minimum risk threshold for inclusion.  The business user is no longer making individual decisions that would increase the risk for the company, nor wasting resources by including suppliers that would ultimately get eliminated through further resource intensive due diligence activity.

A few examples of Risk Aware decisions:

• Supplier Onboarding - the automatic classification of a supplier at time of onboarding to exclude or reject a supplier on a sanction/watchlist, send a supplier for additional review for financial risk, etc.


• Supplier Qualification - the automatic inclusion of risk scoring to drive additional relevant due diligence in the supplier qualification process.


• Supplier Performance - the automatic inclusion of risk scoring into the supplier scorecard to support Quarterly Business Reviews (QBRs)


• Sourcing: Supplier Selection - the automatic exclusion or warning when selecting suppliers that are outside the acceptable risk threshold determined by the customer's corporate risk standards.


• Sourcing: Award - the automatic award scenario creation to look beyond cost savings into the lowest risk that might suggest dual sourcing, regional selections, or other recommendations for award that represent the lowest risk to the customer.


• Contract: Authoring - the systematic reference to risk scoring that would automatically adjust contract clause inclusion based on the customer's risk standards, for example requiring more buffer inventory or insurance minimums if the third-party is determined to be higher risk


• Contract Signature - the "final" automated review of the third-party's risk profile prior to allowing signature to catch situations where the risk score has deteriorated below the corporate acceptable standard.


• Buying: the automatic inclusion of a risk team in purchase requisition workflow if the risk score drops below an acceptable standard or the automated rejection in the workflow based on a customer configured risk process.


• Invoicing: similar to the buying process allowing for the coverage of risk score influence for non-PO invoices

In order to trust the risk aware decision automation, there needs to be trust and relevance in the scoring.  The risk scores can be classified and weighted according to customer standards and data is sourced from adverse media alerts, corporate data, country risk profiles, customer preferred content providers, as well as full risk engagement assessments to tie the activity of the third-party to the appropriate risk categorization of commodity, location, and business unit.

As well, SAP Ariba is working to natively include risk aware decisions throughout the solution portfolio.  In addition, for any risk aware decision need there are apis available for a customer to include risk information in that decision workflow not yet natively covered in the solution portfolio or to extend the capability into applications not part of the SAP Ariba suite.

For more information on the Risk Exposure api, click here.

For more information on the approval flow api, click here.