06.02 Running a Self-Assessment with the Assessments Extra
Configure and respond to a self-assessment questionnaire — from picking a template through interpreting the tracking ID and final scoring.
Requires: Assessments Extra
The questionnaire workflow described here lives in the Assessments Extra. Core SimpleRisk shows the Assessments menu and a single Self Assessments entry, but the contacts list, questionnaire builder, sending, and results review are added by the Extra. The Extra is labelled "Risk Assessment Extra" on the Extras list page in admin, but renders as "Assessments Extra" once you're inside the management page — the same Extra, two names. See Introducing SimpleRisk for an overview of how Extras layer onto Core.
Why this matters
A self-assessment is how the GRC program reaches the people whose job isn't GRC. Control owners, vendor managers, the developer who can answer one question about how the production database is backed up — these are the people your register depends on, and they're not logging into SimpleRisk to volunteer answers. You go to them. The questionnaire is the vehicle.
That's the program-distribution piece. The compliance piece is that ISO 27001's clause 9.2 (internal audit) and SOC 2's Trust Services Criteria both expect periodic, documented evidence that controls are operating as designed. A self-assessment is the cheapest first pass: ask the control owner, capture the answer, follow up on the gaps. Auditors won't accept "we assessed our controls" without the paper trail. The Assessments Extra produces the trail.
Before you start
- The Assessments Extra installed and activated. Admins enable it under Configure → Extras → Assessments Extra; the Assessments sidebar menu gains its full sub-menu (Assessment Contacts, Questionnaire Questions, Questionnaire Templates, Questionnaires, Questionnaire Results, Risk Analysis, Import/Export, Questionnaire Audit Trail) once it's on.
- The right permission. The base gate is Allow Access to "Assessments" Menu; to build and send a questionnaire you also need Able to Add Questionnaires and Able to Send Questionnaires. Without those, the Add and Send buttons don't render.
- A questionnaire template, or the questions to build one. Templates are the reusable shape; a questionnaire is one instance of a template addressed to specific recipients.
- A list of recipients in Assessment Contacts (for people outside SimpleRisk — vendors, third parties) or as enabled SimpleRisk users (for internal control owners). Both can be addressed from the same questionnaire.
- Clarity on what you'll do with the results. A questionnaire that nobody reviews is a survey, not an assessment.
Step-by-step
1. Open the Questionnaires list
In the sidebar, expand Assessments and click Questionnaires. The page lands on /assessments/questionnaires.php and lists every questionnaire you've already built; an Add button sits at the top right if your role grants Able to Add Questionnaires.
2. Add a questionnaire and configure it
Click Add. The questionnaire form opens with a Settings card at the top. Fill in:
- Name (required) — the questionnaire's label. Recipients see this in the email subject line.
- Team, Additional Stakeholders, Owner — who's responsible for this questionnaire on your side. The Owner is the single accountable name; Stakeholders get notified.
- User Instructions and Email Instructions — the first appears at the top of the questionnaire when the recipient opens it; the second appears in the invitation email body. Use User Instructions to explain what to answer; use Email Instructions to explain why you're asking.
- Risk Details (collapsible) — defaults that flow into any pending risks the questionnaire generates: project, site/location, affected assets, owner, manager, stakeholders, tags.
- Bypass 'Pending Risks' and create Risks immediately after Assessment completion — by default, generated risks sit in a pending queue for review before entering the register. Tick this only if you trust the questionnaire and the recipient enough to skip the human pass.
- Notify assessment contacts every [N] days until completed and Schedule and send this assessment every [N] days — reminder and recurring-resend cadences (each has a numeric input). Useful for annual or quarterly recertification.
Below the Settings card, the Templates card pairs one or more Questionnaire Templates (the question set) with Assessment Contacts (the people who get them). One questionnaire can mix multiple pairings — the legal team gets the legal template, engineering gets the engineering template, all sent on the same schedule.
3. Save, or save and send
Two save buttons sit at the top right of the form. Save stores the questionnaire as a draft you can edit later. Save & Send stores it and immediately emails every contact paired with a template. Save & Send is gated by Able to Send Questionnaires — without that permission, only Save appears.
When Save & Send fires, SimpleRisk generates a unique 40-character token per recipient, writes a row to questionnaire_tracking, and sends an email whose subject is Risk Assessment Questionnaire - followed by the questionnaire Name, containing the recipient's personalized link. The token is what gates the recipient's view; no SimpleRisk login is required.
4. Recipients respond
Each recipient receives an email with a link to /assessments/questionnaire.index.php?token= followed by their own token. They open it, see the User Instructions and the questions, and answer. Auto-save (configurable under Configure → Extras → Assessments Extra) persists partial responses on a timer, so a closed browser tab doesn't lose the work.
Recipients don't see a "tracking ID" — they see the questionnaire title, the instructions, and the questions. On submission, the response is recorded against the token. Tracking IDs surface on your side, in Questionnaire Results, when you review or approve.
5. Review the results
In the sidebar, expand Assessments and click Questionnaire Results. Each completed (or in-progress) response shows up as a row with Questionnaire Name, Date Sent, Questionnaire Status, Completion Date, Approval Status, Last Comment, plus the contact's company and name. Open a result to see every question, the recipient's answer, and any score the response carries.
A response that no human reads isn't an assessment, it's a backup of an opinion. Set a standing weekly slot for whoever owns the program to walk the results and decide whether each completed questionnaire is approved or rejected.
6. Approve or reject
From a result, Approve finalizes the response — it locks the answers in and (if the questionnaire opted into pending-risk bypass, or you separately push pending risks) flows generated risks into the register. Reject sends the response back with an optional Reject comment explaining what to revisit. The reject comment is optional by design: sometimes the response needs another look without a written reason yet, and the reviewer adds context in the audit trail later.
If the tracking ID can't be resolved on approve or reject — for example because the result was deleted between the page load and the click — the alert "Missing or invalid tracking ID." surfaces and the action stops. Refresh the list and try again.
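The token-gated link from step 3, the auto-save and submit behaviour from step 4, and the approve/reject path with its "Missing or invalid tracking ID." alert from step 6 can be pictured as one small state machine. The following Python is an added model written for this page, not SimpleRisk's own code: the `Tracker` class, its `TrackingRow` fields and the `MissingTrackingID` exception are hypothetical names standing in for the questionnaire_tracking table and the UI actions. What it shows is the security property the page relies on: the token is generated from a CSPRNG (20 random bytes rendered as 40 hex characters), is compared in constant time, is the only thing a recipient needs, and stops accepting answers once the response is completed, while reviewers act on the tracking ID rather than the token.

```python
"""Model of a token-gated questionnaire lifecycle (added example, not SimpleRisk code).

Assumptions (hypothetical, not taken from SimpleRisk's source): one 40-character hex token
per recipient, a tracking table keyed by an integer tracking ID, and reviewer actions that
must resolve that tracking ID before doing anything."""
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_HEX_CHARS = 40  # 20 random bytes -> 40 hex characters, as the page describes


@dataclass
class TrackingRow:
    tracking_id: int
    contact_email: str
    questionnaire_name: str
    token: str
    answers: dict = field(default_factory=dict)  # auto-saved partial answers live here
    status: str = "sent"         # sent -> in_progress -> completed
    approval: str = "pending"    # pending -> approved / rejected
    comment: str = ""            # optional reject comment


class MissingTrackingID(Exception):
    """Raised where the UI shows the alert 'Missing or invalid tracking ID.'"""


class Tracker:
    def __init__(self):
        self.rows = {}      # tracking_id -> TrackingRow (stands in for questionnaire_tracking)
        self._next_id = 1

    def send(self, questionnaire_name, recipients):
        """Save & Send: one unguessable token and one tracking row per recipient."""
        links = []
        for email in recipients:
            token = secrets.token_hex(TOKEN_HEX_CHARS // 2)  # CSPRNG, never a predictable counter
            row = TrackingRow(self._next_id, email, questionnaire_name, token)
            self.rows[row.tracking_id] = row
            self._next_id += 1
            links.append((email, f"/assessments/questionnaire.index.php?token={token}"))
        return links

    def resolve_token(self, token):
        """Recipient side: the token alone gates the view, so compare it in constant time."""
        for row in self.rows.values():
            if hmac.compare_digest(row.token, token):
                return row
        return None

    def autosave(self, token, partial):
        """Timer-driven partial save; refused once the response has been submitted."""
        row = self.resolve_token(token)
        if row is None or row.status == "completed":
            return False
        row.answers.update(partial)
        row.status = "in_progress"
        return True

    def submit(self, token, answers):
        """Final submission locks the answers against the token."""
        row = self.resolve_token(token)
        if row is None or row.status == "completed":
            return False
        row.answers.update(answers)
        row.status = "completed"
        return True

    def _row_for_review(self, tracking_id):
        # Reviewer actions key on the tracking ID; a stale or deleted result stops the action.
        row = self.rows.get(tracking_id)
        if row is None:
            raise MissingTrackingID("Missing or invalid tracking ID.")
        return row

    def approve(self, tracking_id):
        """Approve only a completed response; returns False if it is still open."""
        row = self._row_for_review(tracking_id)
        if row.status != "completed":
            return False
        row.approval = "approved"
        return True

    def reject(self, tracking_id, comment=""):
        """Reject sends the response back for another pass; the comment is optional."""
        row = self._row_for_review(tracking_id)
        row.approval = "rejected"
        row.comment = comment
        row.status = "in_progress"  # recipient may edit and resubmit
        return True
```

Two design points carry over to any token-link workflow: the token must come from a cryptographic source (a sequential or timestamp-derived value would let anyone enumerate other recipients' questionnaires), and the reviewer path should resolve the record by its own identifier and fail closed, which is exactly the behaviour behind the "Missing or invalid tracking ID." alert.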
7. Close out the assessment
For a one-shot questionnaire, "close out" is implicit: every result is approved or rejected, generated risks are in the register, and the questionnaire entry can be archived. For a recurring questionnaire (the Schedule and send this assessment every [N] days path), pre-population means the next round starts from the previous round's answers, so recipients only confirm or update. That's where the time savings on annual recertification actually show up.
Common pitfalls
A handful of patterns we see often enough that they're worth flagging before you send the first questionnaire.
- Recipients ignoring the email. The single biggest failure mode. The email sits in a control owner's inbox under twelve other things and never gets opened. Set the reminder cadence on every questionnaire that matters, and send a personal heads-up before the first send so the recipient knows it's coming. A two-line "you'll get an automated email asking five questions; please reply within a week" beats every generic reminder.
- Questions whose answers can't be scored. A free-text "Describe your backup process" produces six different essays and no aggregate signal. If you want a number out of the questionnaire, ask a question with a small fixed answer set — Yes/No, Quarterly/Monthly/Weekly/Daily, Tier 1/2/3. Free-text fields are fine as supplementary context but shouldn't be the only thing you ask.
- Scoping too broadly. A 200-question template gets a 12% completion rate. Three targeted 30-question templates get answered.
- Treating the questionnaire score as the risk score. A response can flag a gap, generate a pending risk, or trigger a follow-up, but it isn't itself the risk's score. Score the resulting risk using the methodology your program uses (Risk Scoring Methodologies). Conflating the two means a single questionnaire's wording quirk drives the register.
- No close-out step. A questionnaire without a review-and-approve pass isn't an assessment, it's a survey. The cron job that sends reminders won't approve responses for you.
- Sending without explaining the why. Email Instructions is the field for this; one paragraph explaining the audit, the deadline, and the consequence of skipping it is the difference between a 30% response rate and a 90% one.