Example: Onboarding a third party
Acme, a large manufacturing company, is onboarding a new third party to supply critical components for its production line. To help ensure the third party's reliability and to mitigate potential risks, Acme runs a thorough third-party risk management onboarding process.
Onboarding process example
This example illustrates a typical third-party onboarding flow in the TPRM application, from initiating a request through ongoing monitoring.
- Request process
  - An employee initiates onboarding by submitting a third-party due diligence request in the Employee Center.
  - A Third-party Risk (TPR) manager opens the request record from the Requests list and selects Approve.
  - After approval, the TPR manager selects Start due diligence to move the request into the due diligence workflow.
  For more information, see Requesting third-party risk due diligence and Request due diligence for a third-party engagement.
- Inherent Risk Questionnaire (IRQ) process
  - After due diligence starts, an inherent risk assessment is generated.
  - On the Tasks page of the Vendor Management Workspace, the IRQ assessor opens the request record, navigates to the associated assessment, and opens the Inherent Risk Questionnaire.
  - The assessor answers the IRQ questions and submits the assessment to calculate the third party’s inherent risk level.
  For more information, see Assessing your third-party risk and Respond to an internal assessment.
- Due diligence process: Compliance verification and data security and privacy assessment
  - When the IRQ is complete, the assessment continues through the due diligence phase.
  - From the assessment record, the TPR manager or TPR assessor selects Submit to third party to send questionnaires and document requests.
  - Third-party contacts receive and respond to questionnaires and document requests in the third-party portal.
  - Acme reviews the submitted responses and uploaded documents from the assessment record to verify regulatory, compliance, and security requirements.
  Note: To streamline this step, Acme uses assessment templates, which group predefined questionnaire and document request templates for reuse.
  For more information, see Assessing your third-party risk, Create an external assessment, Respond to a questionnaire for a third party or engagement, and Review responses to external questionnaires.
- Contractual agreements and risk mitigation
  - After due diligence is complete, contract risk requirements are finalized.
  - The TPR contract negotiator reviews assessment findings and confirms that required contractual clauses are included in the third-party agreement.
  For more information, see Managing the contract risk process and Accessing DD requests that are in the contract risk process.
- Ongoing monitoring and review
  - Once onboarding is complete, Acme monitors the third party throughout the engagement lifecycle.
  - Stakeholders review ongoing assessments, monitoring results, and periodic reviews from the third-party record to track changes in risk posture.
  For more information, see Monitoring your third-party risk.
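The sequence above (request, approval, IRQ, due diligence with the third party, contract risk, monitoring) is an ordered workflow in which each stage gates the next: the IRQ cannot be answered before the request is approved, nothing is sent to the third party before the inherent risk tier is known, and clauses are finalized only after due diligence closes. The following Python model is an added example written for this page; it is not ServiceNow code and does not reproduce how the TPRM application scores an IRQ. The stage names, the IRQ questions and their weights, the tier thresholds, the questionnaire names per tier, the "TPR manager other than the requester" approval rule and the right-to-audit requirement for high-risk engagements are all constructed assumptions, chosen to show how an inherent risk score can drive the depth of due diligence and how stage ordering is enforced.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Stage(Enum):
    """Onboarding stages in the order the example walks through them (constructed names)."""
    REQUESTED = "requested"
    APPROVED = "approved"
    IRQ = "inherent_risk_questionnaire"
    DUE_DILIGENCE = "due_diligence"
    CONTRACT_RISK = "contract_risk"
    MONITORING = "monitoring"


# Each stage may only advance to the next one; no stage can be skipped.
NEXT_STAGE = {
    Stage.REQUESTED: Stage.APPROVED,
    Stage.APPROVED: Stage.IRQ,
    Stage.IRQ: Stage.DUE_DILIGENCE,
    Stage.DUE_DILIGENCE: Stage.CONTRACT_RISK,
    Stage.CONTRACT_RISK: Stage.MONITORING,
}

# Constructed IRQ: question id -> weight added when the answer is "yes".
IRQ_WEIGHTS = {
    "handles_personal_data": 3,
    "has_network_or_system_access": 3,
    "critical_to_production": 2,
    "subject_to_regulation": 2,
}

# Constructed mapping from risk tier to the external questionnaires the
# due diligence phase requires (illustrative names, not product templates).
REQUIRED_QUESTIONNAIRES = {
    "low": ["compliance_verification"],
    "medium": ["compliance_verification", "data_security_and_privacy"],
    "high": ["compliance_verification", "data_security_and_privacy", "onsite_evidence"],
}


def score_irq(answers: Dict[str, bool]) -> tuple:
    """Return (score, tier); every IRQ question must be answered (assumed thresholds)."""
    missing = sorted(set(IRQ_WEIGHTS) - set(answers))
    if missing:
        raise ValueError(f"unanswered IRQ questions: {missing}")
    score = sum(w for q, w in IRQ_WEIGHTS.items() if answers[q])
    tier = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return score, tier


@dataclass
class DueDiligenceRequest:
    third_party: str
    requester: str
    stage: Stage = Stage.REQUESTED
    approved_by: Optional[str] = None
    irq_score: Optional[int] = None
    risk_tier: Optional[str] = None
    responses: Dict[str, str] = field(default_factory=dict)
    contract_clauses: List[str] = field(default_factory=list)

    def _advance(self, expected: Stage) -> None:
        # The only way to change stage: refuse anything out of order.
        if self.stage is not expected:
            raise RuntimeError(f"in stage {self.stage.value}, expected {expected.value}")
        self.stage = NEXT_STAGE[expected]

    def approve(self, approver: str, approver_role: str) -> None:
        """Assumed rule: a TPR manager approves, and never the requester themself."""
        if approver_role != "tpr_manager" or approver == self.requester:
            raise PermissionError("approval requires a TPR manager other than the requester")
        self.approved_by = approver
        self._advance(Stage.REQUESTED)

    def start_due_diligence(self) -> None:
        self._advance(Stage.APPROVED)

    def submit_irq(self, answers: Dict[str, bool]) -> str:
        self.irq_score, self.risk_tier = score_irq(answers)
        self._advance(Stage.IRQ)
        return self.risk_tier

    def questionnaires_to_send(self) -> List[str]:
        """What 'Submit to third party' sends; only available once the IRQ tier exists."""
        if self.stage is not Stage.DUE_DILIGENCE:
            raise RuntimeError("IRQ must be complete before contacting the third party")
        return REQUIRED_QUESTIONNAIRES[self.risk_tier]

    def record_response(self, questionnaire: str, answer: str) -> None:
        if questionnaire not in self.questionnaires_to_send():
            raise ValueError(f"unexpected questionnaire: {questionnaire}")
        self.responses[questionnaire] = answer

    def complete_due_diligence(self) -> None:
        outstanding = [q for q in self.questionnaires_to_send() if q not in self.responses]
        if outstanding:
            raise RuntimeError(f"responses outstanding: {outstanding}")
        self._advance(Stage.DUE_DILIGENCE)

    def finalize_contract(self, clauses: List[str]) -> None:
        """Assumed rule: high-risk engagements must carry a right-to-audit clause."""
        if self.stage is not Stage.CONTRACT_RISK:
            raise RuntimeError("contract clauses are confirmed after due diligence")
        if self.risk_tier == "high" and "right_to_audit" not in clauses:
            raise ValueError("high-risk engagements require a right_to_audit clause")
        self.contract_clauses = list(clauses)
        self._advance(Stage.CONTRACT_RISK)


def run_acme_example() -> DueDiligenceRequest:
    """Walk a constructed Acme request through every stage; ends in monitoring."""
    req = DueDiligenceRequest(third_party="Component Supplier (constructed)", requester="employee1")
    req.approve("tpr.manager", "tpr_manager")
    req.start_due_diligence()
    req.submit_irq({"handles_personal_data": False, "has_network_or_system_access": True,
                    "critical_to_production": True, "subject_to_regulation": False})
    for q in req.questionnaires_to_send():            # medium tier: two questionnaires
        req.record_response(q, "evidence attached")
    req.complete_due_diligence()
    req.finalize_contract(["security_requirements", "breach_notification"])
    return req


if __name__ == "__main__":
    r = run_acme_example()
    print(r.stage.value, r.irq_score, r.risk_tier, r.contract_clauses)
```

The point of the model is that stage order is enforced in one place (`_advance`), so a request cannot reach the third-party portal step without an IRQ score and cannot reach contract finalization with questionnaire responses outstanding. In the Acme walk-through the constructed answers (system access plus production criticality) yield a score of 5, a medium tier, and therefore two questionnaires rather than three.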