Setting up third-party hierarchies and engagements—Legacy process
Summarize
Summary of Setting up third-party hierarchies and engagements—Legacy process
This process allows organizations to create third-party hierarchies by establishing parent-child relationships between a parent third party and its subsidiaries. This setup is essential for organizations that engage with third parties having subsidiaries, as it enables comprehensive risk assessments and aggregated risk scoring across all levels of the hierarchy.
Show less
Key Features:
- Hierarchical Risk Assessment: Perform risk assessments for both the parent organization and its subsidiaries, rolling up scores to determine the overall risk for the parent.
- Engagement Management: Track products or services provided to the parent by subsidiaries. Risk scores from these engagements contribute to the risk calculations of both the subsidiary and the parent organization.
- Risk Domain Definitions: Set up risk areas that define the types of risks to assess, such as security or financial risk.
- Component Criteria: Assess risk for various components including subsidiaries, engagements, and third-party risk assessments, aggregating the results for a comprehensive risk rating.
- Scoring Rules: Establish rules for engagement and third-party risk scoring to determine which entities require assessments based on defined criteria.
Key Outcomes:
By implementing these procedures, ServiceNow customers will effectively manage third-party risks across multi-layered organizations, ensuring that potential risks from subsidiaries and their engagements are identified and quantified. This leads to informed decision-making and improved risk management strategies at the organizational level.
Create third-party hierarchies by defining the parent-child relationships between the parent third party and all of their subsidiaries. You do this task because some organizations work with third parties that have subsidiaries (or subsidiaries of subsidiaries) that can pose a potential risk to your business. You can perform assessments at each subsidiary organization and roll up the results to calculate an overall risk score for the parent third party.
Third-party hierarchy
In this example, parent organization Acme has two subsidiaries and Acme NA has two subsidiaries. In this hierarchy, you perform risk assessments for the parent third party and all subsidiaries and calculate risk scores for each entity. You can then aggregate (roll up) the risk scores to calculate the risk score for Acme.
Third-party hierarchy with subsidiaries and engagements
Engagements represent products or services provided to the parent organization—either directly or from subsidiaries—that you can assess for risk. In the case where a subsidiary provides engagements, the risk scores assigned to the engagements are rolled up to calculate the risk score of the subsidiary, which in turn roll up to the parent organization.
In this example, subsidiary Acme US has three engagements. As in the previous example, risk is assessed for the parent, all of its subsidiaries, and all of their engagements. The risk scores are then rolled up to calculate the risk score for the parent.
Overview: Setting up a third-party hierarchy
| Setup procedure | Description |
|---|---|
| Define third-party risk areas. | A risk domain defines the type of risk to assess for a third party. For example, you might want to assess a data-management third party in terms of security risk and a bank in terms of financial risk. Security risk and financial risk are risk domains. Some platform applications refer to risk domains as "risk areas." |
| Define third-party risk area criteria. | A third-party risk area criteria is a group of risk domains (sometimes called risk areas in other platform features) that applies to a particular type of third party. |
| Define component criteria. | Components are the entities for which you can assess risk. The base system includes the engagements, external monitoring, subsidiaries, and third-party risk assessments components. Risk is calculated for each component and then the risk is aggregated and rolled up to calculate a third-party risk rating. |
| Define engagements for a third party | Define an engagement so that you can assess the risks that are associated with the services or products offered by a third party. Engagements can also represent the products or services that are
provided to the parent third party, either directly or from departments, partners, or subsidiaries that you can also assess for risk.
As engagements are defined, you can define primary and secondary contacts for both third parties and engagements. Each type of contact can perform specific activities in the Third-party portal. |
| Define engagement risk scoring rules. | An engagement risk-scoring rule specifies component criteria that determine which engagements are selected for assessment. For example, a rule could enable assessments for engagements that involve more than $40,000 annual business. Engagement scoring rules apply only to engagements. |
| Define third-party risk scoring rules. | Define criteria, based on risk scores, that determine which third parties require assessments. Third-party risk scoring rules apply to subsidiaries and engagements and to third-party risk areas. |