Create a third party record—Legacy process
Set up the key data and contact information for a third party that your organization will engage.
Before you begin
Role required: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_risk_admin
About this task
In addition to adding new records, TPR managers make ongoing updates to third-party information, including risk security scores, risk tiers, critical third-party contacts, and the business services that the third parties fulfill.
You can import third-party data from a spreadsheet, integrate the data from an onboarding system, or import data from the vendor table.
Procedure
- Use either of the following methods to start the process:
  - In the Vendor Management Workspace, click the List icon and then navigate to Third parties > All Third parties.
  - Navigate to All > Third-party Risk Management > All Third parties.
- Click New and then fill in the fields.
Table 1. Third party form

| Field | Description |
| --- | --- |
| Name | Third party name. |
| Website | URL for the third party. |
| DUNS number | Unique numeric identifier for the single business entity. A DUNS number is not legally required for a business. |
| Industry | Type of industry. |
| Vendor type | Specify the type of product or service that the third party will provide. |
| Parent | If you set up third-party hierarchies, and this third party is a subsidiary, select the parent third party. |
| Total annual spend | Amount that you expect to spend annually on this third party. |
| Security Score | The security score provided by a risk intelligence provider. |
| Score provider | The risk intelligence provider that provided the normalized security score. |
| Status | Status of the third party. |
| Contract start date | Date that the contracted engagement should start. |
| Risk rating | After third-party risk assessment responses have been received, this weighted average of the components (that is, the risk ratings of assessments, engagements, and subsidiaries) is calculated. For more information, see Setting up third-party hierarchies and engagements—Legacy process. |
| Rank tier | Type of supplier. |
| Third-party tier | Risk tier for the third party calculated by mapping the tiering score to a risk tier. |
| Vendor manager | The employee assigned as the manager to this third party. |
| Business owner | The employees that use this third party in their daily business. |
| Notes | Additional information. |
| Contact tab | |
| Street | Street address of third party. |
| City | City of third party. |
| State / Province | State or Province of the third party. |
| Zip / Postal code | Zip code or postal code of the third party. |
| Country | Country of the third party. |
| Phone | Phone number of the third party. |
| Fax phone | Fax number of the third party. |
| Profile tab | |
| Publicly traded | Is the third party publicly traded? |
| Stock symbol | Stock symbol of the third party. |
| Revenue per year | Annual revenue of the third party. |
| Number of employees | Count of the third party's employees. |
| Banner image | Banner image for the third party. |
| Banner text | Banner text for the third party. |
| Risk Scoring tab | |
| Computed risk rating | Average of the third-party risk area risk ratings. |
| Override risk rating | Enables you to override the computed risk rating for the third party. |
| Assessment risk rating | Calculated risk assessment rating. The risk rating scale helps business users better understand risk assessment results. For example, in the default settings, risk scores in the 20 through 39 range indicate high risk, while scores in the 60 through 79 range indicate low risk. |
| Engagement risk rating | Calculated engagement rating. The risk rating scale helps business users better understand risk assessment results. For example, in the default settings, risk scores in the 20 through 39 range indicate high risk, while scores in the 60 through 79 range indicate low risk. |
| Subsidiary risk rating / Child third-party risk rating | Calculated risk rating for subsidiaries. The risk rating scale helps business users better understand risk assessment results. For example, in the default settings, risk scores in the 20 through 39 range indicate high risk, while scores in the 60 through 79 range indicate low risk. |
| Risk intelligence rating | See Integrating scores from risk intelligence providers. |
| Overridden risk rating | If you selected Override risk rating, enter the new risk rating. |
| Overridden on | If you selected Override risk rating, date that the override occurred. |
| Justification | If you selected Override risk rating, you must enter a reason for the override. |
- If Third-party Risk Management is integrated with other GRC applications, or if you set up vendor hierarchies (that is, third-party risk domains, component criteria, and risk scoring rules), the form can include some or all of the following related lists.
  For more information, see Setting up third-party hierarchies and engagements—Legacy process.
  Note: Risk domains are called "risk areas" in some platform applications.
  - Child Vendors: This table stores all information for subsidiaries. Subsidiary risk ratings are automatically aggregated and displayed on the Risk Rating tab on the Third-party form.
  - Vendor Contacts: This table stores information for all of the third-party stakeholders. Typically, the customer creates one primary third-party contact and one or more secondary contacts. The primary contact adds other contacts to the list.
  - Business Services: The Services table is part of the CMDB. It relates the third parties to the services they provide. For example, assume the IT team has a service called “Video Conference Services” that internal employees use to communicate with each other and with customers. The team has decided to source that business service from Zoom rather than build anything in-house.
  - Vendor Engagements: This table stores all engagement information for third parties. Engagement risk ratings are automatically aggregated and displayed on the Risk rating tab on the Third-party form.
  - Tiering Assessments: This table stores the history of tiering assessments.
  - Repeating Assessments: This table stores the history of recurring assessments.
  - Assessments: This table stores the history of assessments. Assessment risk ratings are automatically aggregated and displayed on the Risk rating tab on the Third-party form.
  - Vendor Risk Components: This table stores all third-party risk components. If third-party risk components (that is, assessments, engagements, or subsidiaries) are present, their risk ratings are automatically aggregated and displayed on the Risk rating tab on the Third-party form.
  - Issues: This table stores the history of issues.
  - Tasks: This table stores the history of tasks.