Approval Workflows
Approval workflows define a structured, multi-stage approval process for vendor risk assessments. Each workflow consists of sequential stages that must be completed in order, with each stage requiring approval from users with specific roles. This ensures proper governance and oversight before assessments are finalized.
Workflow components
A workflow has four components:
Workflow — The overall approval process. Contains multiple stages, can be set as default for all assessments, and can be active or inactive.
Stage — One step in the approval process. Each stage has a required role, minimum number of approvers, and can be marked as required or optional.
Role — Defines who can approve each stage. Common roles include “GRC Team”, “Security Ops”, and “Executive Approver”. Users are assigned to roles at tenant, vendor, or assessment levels.
Approval — A decision (Approve or Reject) made by a user for a specific stage. Once the minimum number of approvals is reached, the workflow progresses to the next stage.
Creating a workflow
Navigate to settings
Go to Settings → Vendor Risk tab → scroll to the Approval Workflows section.
Create the workflow
Click Create Workflow and provide a name, description, and whether to set it as default and active.
Add approval stages
Click Add Stage for each approval stage and configure:
| Field | Description |
|---|---|
| Stage Order | Sequential order (1, 2, 3, etc.) — stages execute in this order |
| Stage Name | Name of the stage (e.g., “Initial Review”, “Security Review”) |
| Description | What this stage is responsible for reviewing |
| Required Role | Role that can approve this stage (e.g., “GRC Team”) |
| Minimum Approvers | Minimum number of users who must approve (typically 1) |
| Required Stage | Whether this stage must be completed (uncheck for optional) |
Save the workflow
Review all stages and click Save Workflow. The workflow is now available for use in assessments.
A typical workflow has three stages: Stage 1 “GRC Review” (GRC Team), Stage 2 “Security Review” (Security Ops), Stage 3 “Executive Approval” (Executive Approver). Stages execute sequentially.
Team assignment hierarchy
Users are assigned to approval roles at three levels, with the most specific level taking priority:
Level 1 — Tenant-level — Applies to all vendors. Set in Settings → Vendor Risk → Team Assignments. Use for organization-wide default assignments.
Level 2 — Vendor-level — Applies to a specific vendor. Set in the Vendor Detail → Team tab. Overrides tenant-level assignments for that vendor.
Level 3 — Assessment-level — Applies to a specific assessment. Set in the Assessment Detail → Team tab. Overrides both vendor-level and tenant-level assignments.
For example, if the tenant assigns John to GRC Team, but vendor-level assigns Jane for Vendor A, then Vendor A assessments use Jane. If a specific assessment assigns Bob, that assessment uses Bob.
How approvals work
Review prerequisite
Before any approval stages begin, questionnaire responses must be reviewed. Users see a “Review Required” alert until this is complete.
Stage activation
Once review is complete, the first stage becomes active. Users assigned to the stage’s required role can see the assessment in their My Workspace.
Approval decision
Users with the required role can approve the stage (moving the workflow forward), reject the assessment (which requires a rejection reason and stops the workflow), or add optional comments.
Stage completion
Once the minimum number of approvals is reached for a stage, that stage is marked as complete and the next stage becomes active.
Workflow completion
When all required stages are approved, the assessment is marked as Completed and can be finalized.
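The team assignment hierarchy and the stage progression above are, taken together, a small state machine with an authorization check on every decision. The following reference model is an added example, not the product's own code, and it assumes three things the page does not spell out: an override at a narrower level replaces (rather than merges with) the role's members at the broader level, an optional stage can be passed without approvals, and the minimum-approver count is of distinct users. The user names, vendor and assessment IDs are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Stage:
    order: int
    name: str
    required_role: str
    min_approvers: int = 1   # distinct users who must approve
    required: bool = True    # False = optional stage


class TeamAssignments:
    """Role -> users at tenant, vendor and assessment level. resolve() walks
    assessment -> vendor -> tenant and the first level defining the role wins,
    so (assumption) an override replaces, not merges with, the broader level."""

    def __init__(self):
        self.tenant: dict[str, set[str]] = {}
        self.vendor: dict[str, dict[str, set[str]]] = {}
        self.assessment: dict[str, dict[str, set[str]]] = {}

    def resolve(self, role: str, vendor_id: str, assessment_id: str) -> set[str]:
        for scope in (self.assessment.get(assessment_id, {}),
                      self.vendor.get(vendor_id, {}),
                      self.tenant):
            if scope.get(role):
                return set(scope[role])
        return set()


class ApprovalRun:
    """One assessment moving through a workflow's stages in order."""

    def __init__(self, assessment_id, vendor_id, stages, team):
        if not stages or len({s.order for s in stages}) != len(stages):
            raise ValueError("need at least one stage, with unique stage orders")
        self.assessment_id, self.vendor_id, self.team = assessment_id, vendor_id, team
        self.stages = sorted(stages, key=lambda s: s.order)
        self.index = 0
        self.approvals = {s.order: set() for s in self.stages}
        self.status = "Review Required"   # -> In Approval -> Completed | Rejected
        self.rejection_reason = None

    @property
    def active_stage(self):
        return self.stages[self.index] if self.status == "In Approval" else None

    def complete_review(self):
        if self.status == "Review Required":
            self.status = "In Approval"

    def _authorize(self, user):
        """A decision is valid only for the active stage and only from a user
        who holds that stage's role after assignment resolution."""
        stage = self.active_stage
        if stage is None:
            raise PermissionError(f"no active stage (status: {self.status})")
        allowed = self.team.resolve(stage.required_role, self.vendor_id, self.assessment_id)
        if user not in allowed:
            raise PermissionError(f"{user!r} does not hold {stage.required_role!r} here")
        return stage

    def approve(self, user, comment=""):
        stage = self._authorize(user)
        self.approvals[stage.order].add(user)   # a set: approving twice counts once
        if len(self.approvals[stage.order]) >= stage.min_approvers:
            self._advance()

    def reject(self, user, reason):
        self._authorize(user)
        if not reason or not reason.strip():
            raise ValueError("a rejection reason is required")
        self.rejection_reason, self.status = reason, "Rejected"   # workflow stops here

    def skip(self, user):
        # Assumption: optional stages may be passed without approvals; required ones may not.
        stage = self._authorize(user)
        if stage.required:
            raise PermissionError(f"stage {stage.name!r} is required")
        self._advance()

    def _advance(self):
        self.index += 1
        if self.index == len(self.stages):
            self.status = "Completed"


WORKFLOW = [
    Stage(1, "GRC Review", "GRC Team"),
    Stage(2, "Security Review", "Security Ops", min_approvers=2),
    Stage(3, "Executive Approval", "Executive Approver"),
]


def build_team() -> TeamAssignments:
    """Constructed sample assignments mirroring the John/Jane/Bob example."""
    team = TeamAssignments()
    team.tenant = {"GRC Team": {"john"}, "Security Ops": {"sec1", "sec2"},
                   "Executive Approver": {"ciso"}}
    team.vendor["vendor-a"] = {"GRC Team": {"jane"}}      # overrides john for Vendor A
    team.assessment["asmt-42"] = {"GRC Team": {"bob"}}    # overrides jane for one assessment
    return team


def run_happy_path() -> ApprovalRun:
    run = ApprovalRun("asmt-7", "vendor-a", WORKFLOW, build_team())
    run.complete_review()
    run.approve("jane")                        # john is shadowed by the vendor-level override
    run.approve("sec1"); run.approve("sec1")   # same user twice still counts once
    assert run.active_stage.name == "Security Review"
    run.approve("sec2")
    run.approve("ciso")
    return run


def run_rejection() -> ApprovalRun:
    run = ApprovalRun("asmt-42", "vendor-a", WORKFLOW, build_team())
    run.complete_review()
    run.reject("bob", "SOC 2 report is expired")   # assessment-level override makes bob the approver
    return run


if __name__ == "__main__":
    print(run_happy_path().status, run_rejection().status)
```

The points worth carrying over to a real deployment are the ones the model enforces in `_authorize`: no decision is accepted before the response review is complete, a decision is only accepted for the currently active stage, and role membership is checked after override resolution, so an assessment-level override genuinely changes who can approve.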
My Workspace integration
All assessments requiring your approval appear in My Workspace → Vendor Risk. From there you can see assessments assigned to your roles, complete the response review if required, and submit your approval or rejection decision with comments.
Best practices
Start with a simple two-stage workflow (GRC Review → Executive Approval) and add complexity as your program matures. Set minimum approvers to 1 for most stages unless your governance requires multiple sign-offs. Use vendor-level and assessment-level overrides sparingly; tenant-level defaults provide consistency across your program, and because an override changes who is allowed to approve, it is worth reviewing who can edit the Team tabs that set them. Review and approve promptly to keep assessments moving through the pipeline.