Monitoring your third-party risk

  • Release version: Washingtondc
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Monitoring your third-party risk

    The Third-party Risk Management application enables ServiceNow customers to monitor potential risks associated with their third-party relationships. Regular assessments of third-party performance and compliance with agreed terms are crucial for effective risk management.

    Show full answer Show less

    Key Features

    • Ongoing Monitoring: Utilize the Vendor Management Workspace to regularly assess third-party adherence to terms, requiring specific user roles such as TPR manager, assessor, or reviewer.
    • Risk Reports: Access comprehensive risk reports and current third-party information through the Risk tab in the Vendor Management Workspace.
    • Personalized Dashboards: Create and customize dashboards to analyze assessment data. TPR managers and assessors can tailor metrics to enhance decision-making.
    • Due Diligence Processes: Track various due diligence processes, including risk assessment and contract compliance, from the Due diligence request record page.
    • Fourth-nth Party Management: Identify and manage risks related to third parties that depend on fourth-nth parties, ensuring compliance with security standards.
    • Managed Activities Monitoring: View managed activities through the Usage analytics activities table, accessible to users with specific roles.

    Key Outcomes

    By implementing ongoing monitoring and utilizing the features of the Third-party Risk Management application, ServiceNow customers can enhance their risk assessment processes, ensure compliance with security standards, and make informed decisions based on tailored insights and data analysis.

    You can monitor the potential risks that are associated with your third-party relationships by using the Third-party Risk Management application. An ongoing monitoring process can help you regularly assess the third party's performance and adherence to the agreed-upon terms.

    Ongoing monitoring and review

    You can monitor and review the performance of your third parties with Vendor Management Workspace. For example, you can regularly assess whether the third party is adhering to the agreed-upon terms.

    Note:
    The Vendor Management Workspace is designed for users with the Third-party risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_assessor], and Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] roles.

    Viewing risk reports and other information

    You can view the risk reports for all third parties and engagements by navigating to Workspaces > Vendor Management Workspace and then selecting the Risk tab to open the workspace to the home page. For more information, see Viewing third-party risk reports.

    You can also view the status and all current information for a third party or engagement by navigating to Workspaces > Vendor Management Workspace. On the Risk tab, select the home page icon Home page icon..

    As shown in the following example, you can select any number in the Third-party risk overview section to open a list of third parties or engagements with that risk rating value. You can then select a third party or engagement.
    Figure 1. How to open a third party or engagement page by risk rating
    Sequence showing the selections needed to view a third party or engagement. For the text description, refer to the text that preceded this example.
    For more information, see Get an overview of a third party.

    TPRM personalized dashboards

    Monitor and analyze your assessment data at various levels using the Third-party insights dashboard and TPRM custom analytics dashboard. If you have the TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] or TPR assessor [sn_vdr_risk_asmt.vendor_assessor] role, you can create and share your own dashboards and reports. TPR managers can also customize report layouts, widgets, and data views to prioritize key metrics and workflows that align with your individual roles and risk programs. These dashboards provide you and your team with tailored insights and deliver relevant information at a glance, improving your decision-making process. You can view TPRM personalized dashboards by navigating to Workspaces > Vendor Management Workspace and selecting the Dashboards page icon Dashboards page icon.. For more information, see Monitoring assessment data using TPRM dashboards.

    Due diligence processes

    You can view the status of the following due diligence processes from the Due diligence request record page:
    • Request process
    • Inherent Risk Questionnaire (IRQ) process
    • Third-party risk assessment process
    • Approval process
    • Contract risk process
    To access the Due diligence request record page, you can select the DDR number for any due diligence request. For more information about the due diligence process, see Monitoring the due diligence request process.

    Managing fourth-nth parties

    You can use Third-party Risk Management to help identify, understand, and manage risks that are related to third parties dependent on the services of fourth-nth parties. Monitoring fourth-nth parties can help ensure they adhere to the same security and compliance standards as the primary third party. For more information about fourth-nth parties, see Monitoring your fourth-nth parties.

    Managing third-party elements

    You can monitor third-party elements through scalable scoring models, relationship analysis, and due diligence workflow integration as part of the third-party element collection process. Monitoring third-party elements and leveraging that information can help with conducting more informed risk assessments as part of your third-party risk program. For more information about third-party elements, Monitoring third-party elements.

    Viewing managed activities

    An engagement only consumes one license, regardless of whether there’s one managed activity or many managed activities per contract year. Managed activity usage is triggered only when an activity is initiated. You can view your managed activities for verification purposes with the Usage analytics activities [sn_vdr_risk_asmt_ua_activity] table. This read-only table stores a record whenever a managed activity occurs. You must have the Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role to view this table. You can access the Usage analytics activities table by navigating to All > Third Party Risk Management > Administration > Managed Activity Analytics. For more information, see Tracking a managed activity.

    Note:
    The Usage analytics activities [sn_vdr_risk_asmt_ua_activity] table is only available to those users that have purchased the Third-party Risk Management application and have access to the Due diligence management application. To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.