


Coupa Success Portal

Risk Assess Program Types

Risk Assess offers two different categories of programs:

  • Relationship-based: Associated with a single supplier through the relationship. Available types include: Compliance programs and Performance programs. For more information, see the Risk Assess online help topic, “How To Create a Relationship-based Program.”
  • Enterprise: Associated with multiple objects (supplier, supplier location, relationship, relationship location, engagement and engagement candidate supplier) across the Client enterprise. Available types include: Compliance programs, Performance programs, Risk programs, Information Management programs (SIM) and Robotic (Robo) programs. For more information, see the Risk Assess online help topic, “How To Create an Enterprise Program.”

Under these categories, the application incorporates five different types of programs:

  • Risk Assessment
  • Compliance Attestation
  • Performance Appraisal
  • Information Management
  • Robotic (Robo)

While there are a number of similarities, each program type has some unique characteristics, as well as some usage conventions.

Risk assessments

Risk assessment programs are typically administered to evaluate different dimensions of risk associated with doing business with a supplier, either for the supplier in general, or in the context of doing business with the supplier under a particular relationship. These dimensions cross a broad spectrum that includes financial risk, business continuity risk, information privacy and security risk, viability, strategic importance to the organization, and many other categories. Since the determination of risk is evaluated on a continuum, risk programs generally return a numeric value as a result, although this value is often translated into discrete bands using a rating scale, such as “high-medium-low” or “red-yellow-green.” The individual items evaluated in a risk assessment are called “risk items.” Risk assessments can be designed to be evaluated by internal participants, or the supplier may play a role in the evaluation.

Compliance attestations

A compliance program is a set of requirements to which a supplier/relationship must conform, either voluntarily or by mandate as a condition of the relationship. These compliance requirements are used to determine a supplier’s conformance to any number of factors, from laws and regulations to policies and guidelines. Compliance may be sought for insurance certifications, evidence of employment eligibility, adherence to sound financial principles, or acceptance of procurement policies and codes of conduct. In general, compliance attestations are administered to the supplier, and the results either reviewed internally or automatically approved (in the case where the response is 100% compliant). Compliance programs typically return a binary result, with a final “score” of either “PASS” or “FAIL.”

Performance appraisals

A performance program is a set of KPIs or performance measures which, when completed, are used to evaluate the degree to which a supplier is delivering goods and/or services in accordance with an agreed-upon statement of work (SOW), service level agreement (SLA), or service level expectations (SLE) within the context of a relationship. Performance scorecards can be used to measure the performance of a supplier against almost any type of contract, from annual customer satisfaction surveys to formal quarterly business reviews for outsourced service providers. Performance appraisals often include multiple categories of performance, each with a variety of KPIs. Both categories and KPIs can be individually weighted, and any number of evaluators can participate in the assessment, with each evaluator’s score assigned a different weight. The final score is mathematically “rolled up” to arrive at an overall score. Performance appraisals generally result in a numeric expression from 0% to 100%, although this value can be translated into ranges as well. The performance appraisal can be used to conduct formal periodic business reviews with the supplier.

Since performance programs are often used to determine performance-based compensation, the program can be used to calculate an “at risk fee” based on individual organization scores, as well as the overall score.

Information management programs

The information management module is designed to facilitate the automated collection and maintenance of supplier and relationship information. There are Information Management-specific programs that allow customers to pull in standard fields and UDFs from the supplier and relationship records to create a program. An example of an Information Management Program is one that presents a supplier with their current corporate address, phone number, and the name and address of the account executive. The program recipient can review, update and finally approve and submit their response, which will update the appropriate fields of the supplier record. Since the Information Management Program type is intended only to update data, there is no quantitative result to it; only a result of ‘Open’ or ‘Closed.’ Information Management Programs are often used externally to allow suppliers to maintain their own data and internally to validate data regarding relationships with business unit owners. Information Management programs can be automatically sent to the supplier on a regular basis to request the review and update of profile information. The supplier’s responses will update the supplier and relationship records accordingly.

For more information, see the Risk Assess online help topic, “How To Create an Information Management Program.”

Robotic (Robo) programs

Robo programs run in the background to fully automate the gathering of new/updated information. These programs are not scored, approved or collaborated on; they simply execute the workflow-enabled components contained within them. An example of a Robo Program would be one that employs data about a supplier to compute that supplier’s classification: if the supplier is a strategic supplier with spending > $6,000,000 and it has been identified as a high-risk supplier, then a classification of “Level 1” is assigned. Robo programs can be used to create risk profiles. Assignment defaults can be configured to send notifications to supplier users. For more information, see the Risk Assess online help topic, “How To Create a Robo Program.”

A word about programs and evaluations/assessments

There is a clear distinction in Risk Assess between a program and an evaluation, assessment, or scorecard (the last three terms are used interchangeably and mean the same thing).

The program in the application is only the definition of all the program parameters, including workflow options, evaluation items such as risk items or KPIs, and weights and evaluators. Think of the program as a rubber stamp that can stamp out an evaluation or assessment.

An evaluation or assessment is a copy of a program that is launched for a particular object, whether that is a supplier, relationship, or location. An evaluation or assessment is the set of questions or evaluation items for a particular program, launched for a particular period, and pertaining to a particular supplier or relationship. For example, an evaluation may be the annual supplier risk assessment launched for a single supplier on January 1st of every year.

Once an evaluation is launched, the underlying program may be changed without affecting either evaluations that are in process, or completed evaluations (evaluation history). In this way, evaluations always reflect the state of the program at the time they were launched.
