Third-party Risk Management upgrade information

  • Release version: Xanadu
  • Updated March 3, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Third-party Risk Management upgrade information

    The Third-party Risk Management (TPRM) application has been upgraded in the Xanadu release, including significant changes from the previous Vendor Risk Management (VRM) application introduced in the Vancouver release. This summary provides essential upgrade instructions, plugin requirements, and key differences in the data models to help ServiceNow customers transition smoothly and maintain data integrity.

    Show full answer Show less

    Upgrade Instructions

    • When upgrading from VRM to TPRM, it is critical to run each upgrade sequentially from one release to the next without skipping versions. This ensures all fix scripts execute properly and prevents data inconsistencies or broken functionality.

    Plugin Activation Requirements

    • For TPRM use, activate these plugins:
      • Third-party Risk Management application [com.snvdrriskasmt]
      • Third-party Risk Due Diligence application [com.sntprmdd]
      • Vendor Risk Management Workspace [snvrmws], if workspace functionality is desired
    • For VRM use, activate:
      • Vendor Risk Management application [com.snvdrriskasmt]
      • Vendor Risk Management Workspace [snvrmws], if applicable

    Refer to licensing documentation for detailed information on metering and managed activity tracking.

    Key Changes from VRM to TPRM

    • The application name changed from Vendor Risk Management to Third-party Risk Management starting in the Vancouver release.
    • A new internal assessment table [snvdrasmtinternalassessment] extends the existing tiering assessment table.
    • The Due Diligence Review (DDR) workflow is introduced, which integrates internal and external (VRA) assessments.
    • Existing customizations on tiering and VRA tables may need adjustments to work with the new DDR workflow.
    • The “Third-party Scores” table was renamed to “Risk Intelligence Scores” to clarify purpose.
    • The user interface now uses “third party” terminology instead of “vendor,” although some global references may remain.
    • If not using the DDR workflow, the original tiering and external assessment workflows remain functional.

    Data Model Differences

    Understanding the structural changes between VRM and TPRM data models is crucial for effective application use and customization.

    Vendor Risk Management (VRM) Data Model Components

    • Tiering assessment [snvdrriskasmtvdrtieringassessment]
    • Company [corecompany]
    • Vendor risk assessment [snvdrriskasmtassessment]
    • Vendor engagement [snvdrriskasmtvendorengagement]
    • Vendor contact [vmdrcontact]
    • Assessment metric type [asmtmetrictype]
    • Assessment template [snvdrriskasmtassessmenttemplate]
    • Engagement risk scoring rule [snvdrriskasmtengagementriskscoringrule]
    • Engagement level risk rating [snvdrriskasmtengagementlevelrating]

    Third-party Risk Management (TPRM) Data Model Components

    • Risk intelligence score [snvdrriskasmtsecurityscore]
    • Internal assessment [snvdrasmtinternalassessment]
    • Tiering assessment [snvdrriskasmtvdrtieringassessment]
    • Event-driven management history [sntprmddruleexecutionhistory]
    • Third-party due diligence request [sntprmddrequest]
    • Company [corecompany]
    • Event-driven management rule [sntprmddgenerationrule]
    • Third-party risk assessment [snvdrriskasmtassessment]
    • Third-party engagement [snvdrriskasmtvendorengagement]
    • Vendor contact [vmdrcontact]
    • Assessment metric type [asmtmetrictype]
    • Assessment template [snvdrriskasmtassessmenttemplate]
    • Third-party risk issue [snvdrriskasmtissue]
    • Engagement risk scoring rule [snvdrriskasmtengagementriskscoringrule]
    • Engagement level risk rating [snvdrriskasmtengagementlevelrating]

    These enhanced data model components support improved workflows and risk assessments aligned with the third-party risk management framework.

    ServiceNow® Third-party Risk Management application upgrade information for the Xanadu release.

    Important information for upgrading Vendor Risk Management to Xanadu

    Starting with the Vancouver release, if you’re a VRM user upgrading to TPRM, from an earlier release, you must run each upgrade sequentially to ensure that fix scripts run correctly. This means upgrading from one release to the next rather than skipping to the latest release. Not running scripts in the correct order can result in data inconsistencies, broken functionalities, and conflicts.

    Plugin requirements

    TPRM
    • Activate the Third-party Risk Management application [com.sn_vdr_risk_asmt].
    • Activate the Third-party Risk Due Diligence application [com.sn_tprm_dd].
    • Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.
    VRM
    • Activate the Vendor Risk Management application [com.sn_vdr_risk_asmt].
    • Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.

    For more information on licensing or metering, see Tracking a managed activity, Third-party Risk Management (TPRM) Licensing and Vendor Risk Management (VRM) Licensing.

    VRM to TPRM changes

    • The name of the application changed from Vendor Risk Management to Third-party Risk Management as part of the Vancouver release.
    • The internal assessment [sn_vdr_asmt_internal_assessment] table is introduced, extending the tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] table.
    • The Due Diligence Review (DDR) workflow is introduced, which uses both the internal assessment and the external (VRA) assessment.
      Note:
      If you have customizations on the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables, they might need modifications to work with the DDR workflow.
    • The Third-party Scores [sn_vdr_risk_asmt_security_score] table has been relabeled to Risk Intelligence Scores [sn_vdr_risk_asmt_security_score] to reduce confusion.
    • All instances of “vendor” are changed to “third party” in the user interface, though some global instances might remain unchanged.
      Note:
      If you don’t want to use the due diligence workflow, your original workflow (Tiering assessment and External assessments (VRAs) should be the same).

    VRM and TPRM data model

    The Vendor Risk Management data model primarily uses the term “vendor” and includes the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables.

    The Third-party Risk Management data model uses the term “third-party” in most user interface elements and introduces the DDR workflow, which uses both internal [sn_vdr_asmt_internal_assessment] and [sn_vdr_risk_asmt_assessment] external assessments.

    The following models show VRM's and TPRM's capabilities.

    Figure 1. VRM data model
    Relationship Vendor risk management main tables. For a text description, see the text that preceded and follows this data model.

    The components included in the Vendor Risk Management data model are as follows:

    • Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Company [core_company]
    • Vendor risk assessment [sn_vdr_risk_asmt_assessment]
    • Vendor engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Vendor contact [vm_dr_contact]
    • Assessment metric type [asmt_metric_type]
    • Assessment template [sn_vdr_risk_asmt_assessment_template]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]
    Figure 2. TPRM data model
    Relationship between due diligence, and third-party management main tables. For a text description, see the text that preceded and follows this data model.

    The components included in the Third-party Risk Management data model are as follows:

    • Risk intelligence score [sn_vdr_risk_asmt_security _score]
    • Internal assessment [sn_vdr_asmt_internal_assessment]
    • Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Event-driven management history [sn_tprm_dd_rule_execution_history]
    • Third-party due diligence request [sn_tprm_dd_request]
    • Company [core_company]
    • Event-driven management rule [sn_tprm_dd_generation_rule]
    • Third-party risk assessment [sn_vdr_risk_asmt_assessment]
    • Third-party engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Vendor contact [vm_dr_contact]
    • Assessment metric type [asmt_metric_type]
    • Assessment template [sn_vdr_risk_asmt_assessment_template]
    • Third-party risk issue [sn_vdr_risk_asmt_issue]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]