Vendor Risk & Trust

Approval Workflows

Configure and manage multi-stage, role-based approval workflows for vendor risk assessments

What are Approval Workflows?

Approval workflows define a structured, multi-stage approval process for vendor risk assessments. Each workflow consists of multiple stages that must be completed in sequence, with each stage requiring approval from users with specific roles. This ensures proper governance and oversight before assessments are finalized.

Multi-Stage Process

Define sequential approval stages (e.g., GRC Review → Security Review → Executive Approval) that must be completed in order.

Role-Based Approvals

Each stage requires approval from users assigned to specific roles, ensuring proper authorization and separation of duties.

Workflow Components

Workflow

A workflow defines the overall approval process. It contains multiple stages and can be set as the default workflow for assessments. Workflows can be active or inactive.

Stage

A stage represents one step in the approval process. Each stage has a required role, minimum number of approvers, and can be marked as required or optional.

Role

Roles define who can approve each stage. Common roles include "GRC Team", "Security Ops", "Executive Approver", etc. Users are assigned to roles at tenant, vendor, or assessment levels.

Approval

An approval is a decision (Approve/Reject) made by a user for a specific stage. Once the minimum number of approvals is reached for a stage, the workflow progresses to the next stage.

Creating Approval Workflows

Step-by-Step Guide
Configure a new approval workflow for vendor risk assessments

1. Navigate to Settings

Go to Settings → Vendor Risk tab → scroll to the "Approval Workflows" section.

2. Create Workflow

Click "Create Workflow" and provide:

Name *

Descriptive name (e.g., "Standard Approval Process")

Description

Overview of the workflow's purpose

Set as Default

Check if this should be the default workflow for new assessments

Active

Whether the workflow is currently active

3. Add Approval Stages

Click "Add Stage" for each approval stage. Configure:

Stage Order *

Sequential order (1, 2, 3, etc.) - stages execute in this order

Stage Name *

Name of the stage (e.g., "Initial Review", "Security Review")

Description

What this stage is responsible for reviewing

Required Role *

Role that can approve this stage (e.g., "GRC Team", "Security Ops")

Minimum Approvers *

Minimum number of users with the required role who must approve (typically 1)

Required Stage

Whether this stage must be completed (uncheck to make it optional)

4. Save Workflow

Once all stages are added, click "Save Workflow". The workflow is now available for use in assessments.

Assigning Team Members to Roles

Team Assignment Hierarchy
Assign users to roles at different levels for flexible access control

Three Levels of Assignment

Level 1: Tenant-Level

Applies to all vendors in the tenant. Set in Settings → Vendor Risk → Team Assignments section.

Use Case: Default team assignments that apply organization-wide

Level 2: Vendor-Level

Applies to a specific vendor. Set in Vendor Detail → Team tab.

Use Case: Override tenant assignments for specific vendors

Level 3: Assessment-Level

Applies to a specific assessment. Set in Assessment Detail → Team tab.

Use Case: Override for specific assessments requiring special handling

Priority Order

Assessment-level assignments have the highest priority, followed by vendor-level, then tenant-level. This allows for flexible overrides when needed.

Example:

If Tenant-Level assigns "John" to GRC Team, but Vendor-Level assigns "Jane" to GRC Team for Vendor A, then Vendor A assessments will use "Jane". However, if Assessment-Level assigns "Bob" to GRC Team for a specific assessment, that assessment will use "Bob".

Approval Process

How Approvals Work
Understanding the approval workflow execution

1. Review Prerequisite

Before any approval stages can begin, questionnaire responses must be reviewed. Users will see a "Review Required" alert until this is complete.

2. Stage Activation

Once review is complete, the first stage becomes active. Users assigned to the stage's required role can see the assessment in their My Workspace.

3. Approval Decision

Users with the required role can:

  • Approve: Approve the stage and move forward
  • Reject: Reject the assessment (requires rejection reason)
  • Add optional comments

4. Stage Completion

Once the minimum number of approvals is reached for a stage, that stage is marked as complete and the next stage becomes active. Rejected assessments stop the workflow.

5. Workflow Completion

When all required stages are approved, the assessment is marked as "Completed" and can be finalized.
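The Priority Order rule and the approval steps above can be modeled together. The following is an added example, not the product's own code. It assumes that an override at a lower level replaces the role's members rather than merging with them (as the John/Jane/Bob example suggests), that every stage is required, and that one user counts once per stage; the status labels other than "Completed" and the users "Sam" and "Ana" are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Stage:
    order: int
    name: str
    role: str
    min_approvers: int = 1
    approved_by: set = field(default_factory=set)

def resolve_role(role, tenant, vendor=None, assessment=None):
    """Users holding `role`: assessment-level wins, then vendor, then tenant."""
    for level in (assessment, vendor, tenant):
        if level and role in level:
            return set(level[role])  # assumption: an override replaces, not merges
    return set()

class Assessment:
    def __init__(self, stages, tenant, vendor=None, assessment=None):
        self.stages = sorted(stages, key=lambda s: s.order)
        self.levels = (tenant, vendor, assessment)
        self.reviewed = False          # review prerequisite not yet met
        self.status = "In Progress"    # constructed label; "Completed" is the page's
        self.active = 0                # index of the currently active stage

    def decide(self, user, decision, reason=None):
        if not self.reviewed:
            raise PermissionError("Review Required")
        if self.status != "In Progress":
            raise RuntimeError(f"workflow already {self.status}")
        if decision not in ("Approve", "Reject"):
            raise ValueError("decision must be Approve or Reject")
        stage = self.stages[self.active]
        if user not in resolve_role(stage.role, *self.levels):
            raise PermissionError(f"{user} does not hold {stage.role!r}")
        if decision == "Reject":
            if not reason:
                raise ValueError("rejection reason is required")
            self.status = "Rejected"   # constructed label; rejection stops the workflow
            return self.status
        stage.approved_by.add(user)    # a set: one user cannot count twice
        if len(stage.approved_by) >= stage.min_approvers:
            self.active += 1           # stage complete, next stage becomes active
            if self.active == len(self.stages):
                self.status = "Completed"
        return self.status

# Constructed sample data, reusing the names from the page's example.
TENANT = {"GRC Team": ["John"], "Security Ops": ["Sam", "Ana"]}
VENDOR_A = {"GRC Team": ["Jane"]}
```

With this data, an assessment for Vendor A rejects a decision from "John" on the GRC stage because the vendor-level assignment of "Jane" takes precedence, which is the separation-of-duties check worth testing when you configure overrides.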

My Workspace Integration

Accessing Assessments for Approval
How users find and approve assessments assigned to them

All assessments requiring approval appear in the user's My Workspace for convenient access.

1. Navigate to My Workspace

Click "My Workspace" in the navigation sidebar, then select "Vendor Risk" from the left menu.

2. View Assessment Tasks

You'll see all assessments assigned to your roles. If review is required, a yellow "Review Required" alert will be displayed.

3. Complete Review (If Needed)

If review is required, click "Review Questionnaire Responses" and complete the review before approvals can begin.

4. Approve or Reject

Once review is complete (if required), scroll to the "Action Required" section, select Approve or Reject, add comments, and submit your decision.

Next Steps

Scoring Methods

Learn how to configure scoring methods that calculate risk from questionnaire responses
