Approving or rejecting requests for due diligence
The Third-party Risk Management (TPRM) application in ServiceNow enables you to set up structured approval levels and rules for due diligence requests. Approvers review external questionnaire responses, supporting documents, and other gathered information to approve or reject these requests. This process ensures thorough evaluation of third-party engagements based on risk ratings and geographic location, improving your organization’s risk management and compliance.
Setting up Approval Levels and Rules
Administrators or users with the Third-party risk (TPR) admin role can configure up to 10 approval levels, each containing multiple rules with specific filter conditions. This flexibility allows assigning approvers based on factors such as risk rating or region. For example:
- Level 1 assigns approvers based on risk rating (low, medium, high).
- Level 2 assigns approvers based on geographic region.
- Level 3 assigns administrators for high or very high-risk engagements in specific regions.
The approval process triggers levels sequentially, stopping if any approver rejects the request. You can use the default configuration or customize approval setups including applying them to different tables. Multi-level approvals integrated with workflows require use of Workflow Studio.
Approving Due Diligence Requests
Once all assessments are complete, due diligence requests enter the "Ready for TPRM approval" state. The assigned TPR manager or assessor validates approvers and initiates the approval request, moving it to "Awaiting approval" and notifying approvers via email.
Approvers, who must be part of the TPR manager user group, review internal and external questionnaire responses, risk intelligence scores, and supporting documents via the Vendor Management Workspace or VRM Classic interface. They can access pending approvals under "My approvals" and take actions to approve or reject requests.
If approved, the due diligence request and engagement states update to Active. If contract negotiation is required, an approver or manager assigns a contract negotiator, updating the request state accordingly and triggering notification.
Rejecting Due Diligence Requests
Approvers can reject requests when issues cannot be resolved or the request is canceled. Rejection requires entering comments explaining the decision. Upon rejection, the due diligence request state changes to Rejected, stakeholders are notified, and the engagement is marked as rejected.
The request owner can reopen the approval process by providing justification, allowing reassessment or correction before resubmission.
Practical Benefits for ServiceNow Customers
- Structured, multi-level approval workflows tailored by risk and region ensure appropriate oversight and accountability.
- Centralized review of questionnaire responses and risk scores simplifies decision-making.
- Automated notifications and state updates keep stakeholders informed and processes transparent.
- Integration with Workflow Studio allows advanced customization of multi-level approval flows.
- Ability to reject with comments and reopen approvals supports iterative risk evaluation and engagement management.
Set up the approval levels and rules for due diligence requests in the Third-party Risk Management application to use while approving or rejecting requests after reviewing questionnaire responses and due diligence process results.
Approval process overview
Approval levels and rules are used to determine which team members are assigned as approvers to the due diligence request. During the approval process, approvers review the external questionnaire responses and supporting documents that were provided by the third-party contact. They also consider any other information that was gathered during the due diligence process. Approvers can approve or reject due diligence requests depending on their interpretation of the information reviewed.
For more information on managing approvals, approval levels, and approval rules, see Approval process management.
Setting up approval levels and rules
You must have the admin or Third-party risk (TPR) admin [sn_vdr_risk_asmt.vendor_risk_admin] role to create the approval levels and rules for due diligence requests. You can create up to 10 approval levels, each containing its own approval rules. Within each level, you can define one or more rules with different filter conditions that determine which approvers are assigned. For example, you might want different approvers assigned to the due diligence request depending on the engagement's risk rating and location.
With the Third-party due diligence default configuration, you can create three records with approval levels 1, 2, and 3. Level 1 has three rules, level 2 has two rules, and level 3 has two rules. The following example shows how you would assign these rules with filter conditions:
- Level 1
- Rule 1: User A and User B are assigned to approve the engagement's low risk rating.
- Rule 2: User C and User D are assigned to approve the engagement's medium risk rating.
- Rule 3: User E and User F are assigned to approve the engagement's high-risk rating.
- Level 2
- Rule 1: TPR manager is assigned to approve the engagement in Asia/Pacific.
- Rule 2: TPR manager is assigned to approve the engagement in Europe/North America.
- Level 3
- Rule 1: All TPR administrators are assigned to approve an engagement in a specific region that has a high-risk rating.
- Rule 2: All TPR administrators are assigned to approve an engagement in a specific region that has a very high-risk rating.
For more information on setting up approval levels and rules, see Set up the approval levels for due diligence requests and Set up the approval rules for due diligence requests.
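To make the level-and-rule mechanics concrete, here is an added example (not ServiceNow code and not part of the original page) that models the three-level configuration above: each rule is a filter condition over an engagement plus the approvers it assigns, each level collects the approvers of its matching rules, and the levels are then worked through in order, stopping at the first rejection. The engagement fields `riskRating` and `region`, the rule and level shapes, "Asia/Pacific" standing in for level 3's "specific region", and the choice to skip a level whose rules all fail to match are assumptions made for this example.

```javascript
// Added example (not ServiceNow code): a minimal model of how approval levels
// and rules select approvers for a due diligence request and how the levels
// are then processed sequentially, stopping at the first rejection.
// Assumptions: engagement fields `riskRating` and `region`, the rule/level
// shapes below, "Asia/Pacific" as level 3's "specific region", and that a
// level with no matching rule is skipped rather than blocking the request.

const LEVELS = [
  { level: 1, rules: [
    { name: "Rule 1", filter: (e) => e.riskRating === "low",    approvers: ["User A", "User B"] },
    { name: "Rule 2", filter: (e) => e.riskRating === "medium", approvers: ["User C", "User D"] },
    { name: "Rule 3", filter: (e) => e.riskRating === "high",   approvers: ["User E", "User F"] },
  ]},
  { level: 2, rules: [
    { name: "Rule 1", filter: (e) => e.region === "Asia/Pacific",         approvers: ["TPR manager"] },
    { name: "Rule 2", filter: (e) => e.region === "Europe/North America", approvers: ["TPR manager"] },
  ]},
  { level: 3, rules: [
    { name: "Rule 1", filter: (e) => e.region === "Asia/Pacific" && e.riskRating === "high",
      approvers: ["TPR admin 1", "TPR admin 2"] },
    { name: "Rule 2", filter: (e) => e.region === "Asia/Pacific" && e.riskRating === "very high",
      approvers: ["TPR admin 1", "TPR admin 2"] },
  ]},
];

// Build the approval plan: for each level, the union of the approvers of every
// rule whose filter condition matches the engagement. Levels with no match
// are skipped (assumption for this example).
function resolveApprovers(levels, engagement) {
  const plan = [];
  for (const { level, rules } of levels) {
    const approvers = [];
    for (const rule of rules) {
      if (!rule.filter(engagement)) continue;
      for (const a of rule.approvers) if (!approvers.includes(a)) approvers.push(a);
    }
    if (approvers.length > 0) plan.push({ level, approvers });
  }
  return plan;
}

// Process the plan level by level. `decide(approver, level)` stands in for the
// approver's action and returns { decision: "approved" | "rejected", comments }.
// A rejection must carry comments (the page requires an explanation), and the
// first rejection ends the process: later levels are never consulted.
function runApproval(levels, engagement, decide) {
  const plan = resolveApprovers(levels, engagement);
  let consulted = 0; // how many approver decisions were actually requested
  for (const { level, approvers } of plan) {
    for (const approver of approvers) {
      const { decision, comments } = decide(approver, level);
      consulted += 1;
      if (decision === "rejected") {
        if (!comments) throw new Error(`rejection by ${approver} at level ${level} needs comments`);
        return { state: "Rejected", level, rejectedBy: approver, comments, consulted };
      }
      if (decision !== "approved") throw new Error(`unknown decision: ${decision}`);
    }
  }
  return { state: "Active", levelsCompleted: plan.length, consulted };
}

// Constructed sample engagement for a stand-alone run.
const sample = { riskRating: "high", region: "Asia/Pacific" };
console.log(resolveApprovers(LEVELS, sample));
console.log(runApproval(LEVELS, sample, (approver, level) =>
  level === 2 ? { decision: "rejected", comments: "Unresolved finding in external questionnaire" }
              : { decision: "approved" }));
```

Running the block with the sample engagement shows the plan covering all three levels (level 3 matches because the region and high rating line up) and a rejection at level 2 that stops the process before the TPR administrators in level 3 are ever asked; a low-risk engagement in Europe/North America, by contrast, produces a two-level plan because no level 3 rule matches it.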
Approving due diligence requests
The following infographic shows the approval process.
The due diligence request enters the Ready for TPRM approval state after all assessments have been closed. The TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] or TPR assessor [sn_vdr_risk_asmt.vendor_assessor] who has been assigned as the owner of the due diligence request confirms that approvers have been assigned to it. After validating the assigned approvers, the TPR manager or owner requests approval. The due diligence request enters the Awaiting approval state and the system sends an email notification to all assigned approvers.
All internal stakeholders (approvers) review the external questionnaire responses and supporting documents that were provided by the third-party contact. You must be part of the Third-party risk (TPR) manager user group to make approvals. Approvers perform all actions by using Vendor Management Workspace or VRM Classic user interface. Approvers can view all of their pending My approvals, Tasks, and Issues by navigating to the Task page.
To view the Task page in the Vendor Management Workspace, select . Then, select the task icon .
To view your assigned approvals, select My approvals.
To view My approvals in the VRM Classic user interface, navigate to
- Review the internal questionnaire responses.
Navigate to the Due diligence request record page by selecting the Due Diligence Request (DDR) number and then selecting the Internal assessment (INA) number on the Internal assessments tab. For more information, see IRQ process management.
- Review the risk intelligence scores.
Navigate to the Due diligence request record page by selecting the DDR number and then selecting the Risk intelligence scores tab. For more information, see Viewing risk intelligence scores.
- Review the external questionnaire responses and supporting documents.
Navigate to the Due diligence request record page by selecting the DDR number and then selecting the External assessment (VRA) number on the External assessments tab. For more information, see Third-party (external) risk assessment management.
- Access the approval request record page.
Select one of the Requested states from the list to open the approval request record page. From this page, you can select Approve or Reject. For more information, see Approval process management.
If the responses meet your requirements, one or more approvers approve the request, and the owner (TPR manager or TPR assessor) closes the due diligence request and the engagement. The third party or engagement state is now Active. If a contract is going to be prepared, an approver, TPR manager, or owner selects Send to contract negotiator and assigns a contract negotiator. The approved due diligence request's state is updated to the Contract Risk Process state and the contract risk negotiator is notified through an automated email.
For more information, see Managing the contract risk process.
Rejecting due diligence requests
If an issue can't be resolved or the due diligence request is canceled, the approver can enter comments and reject the request. To view your pending approvals, navigate to the Task page, select My approvals, and then select a Requested state from the list to open the approval request record page. From this page, select Reject to reject the request.
After the due diligence request is rejected, the following actions occur:
- The due diligence request's state is updated from Awaiting approval to Rejected.
- You must enter an explanation for rejecting the due diligence request in the Comments field.
- The Due diligence process state is updated to Rejected and all stakeholders are notified that the engagement has been rejected.