Working in the VRM Classic user interface
Summary of Working in the VRM Classic user interface
The VRM Classic user interface continues to support Vendor Risk Management tasks, but the Vendor Management Workspace provides improved Third-Party Risk Management (TPRM) features and reporting capabilities. This guide outlines key processes in the legacy interface, including scheduling risk assessments, managing third-party hierarchies, and conducting risk tiering assessments.
Key Features
- Scheduled Risk Assessments: Configure assessments to recur, ensuring regular updates on third-party risk. Roles required: sn_vdr_risk_asmt.vendor_assessor or admin.
- Third-Party Hierarchies: Establish parent-child relationships between third parties and their subsidiaries to better assess overall risk. Roles required: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_assessor.
- Engagement Definition: Define engagements to evaluate risks associated with the services or products of a third party. Any user with access can request an engagement, enhancing efficiency. Roles required: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_assessor.
- Risk Tiering Assessments: Classify third parties by predefined risk tiers—None, Low, Minor, Moderate, High, and Critical—each linked to specific assessment questions and document requests.
- External Risk Management: Manage assessments collaboratively, with stakeholders generating tasks and issues to address non-compliance, while third-party contacts can view assessments via the Third-party portal.
- External Assessments: Initiate and manage the third-party risk assessment lifecycle. Note that the Vendor Risk Overview dashboard is deprecated starting with version 18.1.3, although still available for installations prior to this version.
Key Outcomes
By using the VRM Classic interface effectively, organizations can maintain a systematic approach to managing vendor risks, ensuring regular updates and comprehensive assessments that contribute to informed decision-making regarding third-party relationships.
While you can continue to use the legacy user interface to perform Vendor Risk Management tasks, the Vendor Management Workspace offers enhanced TPRM features and more useful reports.
- Configure a risk assessment to recur on a schedule
Configure a third-party risk assessment to recur on a schedule to regularly update risk results for a third party or an engagement.
Role required: sn_vdr_risk_asmt.vendor_assessor
- Create a third party record—Legacy process
Configure a third-party risk assessment to recur on a schedule to regularly update risk results for a third party or an engagement.
Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager.
- Setting up third-party hierarchies and engagements—Legacy process
Create third-party hierarchies by defining the parent-child relationships between the parent third party and all of their subsidiaries. You do this task because some organizations work with third parties that have subsidiaries (or subsidiaries of subsidiaries) that can pose a potential risk to your business. You can perform assessments at each subsidiary organization and roll up the results to calculate an overall risk score for the parent third party.
Role required: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_assessor.
- Define an engagement — Legacy process
Define an engagement so that you can assess the risks that are associated with the services or products offered by a third party. Engagements can also represent the products or services that are provided to the parent third party, either directly or from departments, partners, or subsidiaries that you can also assess for risk.
Tip: Any person with access to your instance at your organization can request an engagement. That process is typically more streamlined and more effective than the process described here, where a Third-party risk (TPR) manager or TPR assessor defines an engagement. For more information, see Request due diligence for a third-party engagement.
Role required: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_assessor.
- Third-party risk tiering assessments — Legacy process
- Organizations use risk tiering to classify their third parties into categories of potential risk posed at the time of onboarding. The standard predefined risk tiers are None, Low, Minor, Moderate, High, and Critical. Each risk tier has associated assessment questions and document requests.
- Managing external risk assessments — Legacy process
- Before the TPR manager closes an assessment, stakeholders create issues and tasks, usually during the Generating observations state. The TPR assessor assigns third parties as needed and communicates using comment streams to achieve closure on non-compliance. The third-party primary contact uses the Third-party portal to view all assessments.
- Create an external assessment — Legacy process
- Create an assessment and initiate the third-party risk assessment life cycle.