Monitoring your third-party risk

  • Release version: Yokohama
  • Updated March 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Monitoring your third-party risk

    The Third-party Risk Management (TPRM) application in ServiceNow enables you to continuously monitor potential risks associated with your third-party relationships. This ongoing process ensures that third parties comply with agreed-upon terms and helps you maintain control over vendor risk and resilience.

    Show full answer Show less

    Key Features

    • Vendor Management Workspace: Provides a centralized space to monitor and review third-party performance, risk reports, and engagements. It features a vertical navigation panel for easier access to related records, assessments, and dashboards, enhancing workflow clarity and consistency across user roles such as TPR managers, assessors, and reviewers.
    • Risk Reporting: Allows you to view comprehensive risk reports by navigating to the Risk tab within the Vendor Management Workspace, enabling quick identification and detailed review of third parties or engagements by risk rating.
    • Personalized Dashboards: TPR managers and assessors can create, customize, and share dashboards and reports that focus on key metrics and workflows, improving decision-making with tailored insights at various organizational levels.
    • Due Diligence Monitoring: You can track the status of critical due diligence processes—including request handling, inherent risk questionnaires, risk assessments, approvals, and contract risk—directly from Due Diligence Request record pages.
    • Managing Fourth-nth Parties: Extends risk management to entities beyond direct third parties to ensure compliance and security standards are upheld throughout the supply chain.
    • Third-party Elements Monitoring: Supports enhanced risk assessments through scoring models, relationship analysis, and integrated due diligence workflows focused on specific third-party components.
    • Smart Assessment Templates: After upgrading to version 22.0.1 with Unified Content Management installed, TPR managers can access a centralized library of assessment templates aligned with global standards, which can be activated and updated within the Vendor Management Workspace.
    • Managed Activities Tracking: Usage of managed activities is tracked via a read-only analytics table, accessible to users with the Third-party assessment reviewer role, helping verify activity consumption and license usage.

    Practical Benefits

    • Regularly assess third-party adherence to contracts and mitigate risks proactively.
    • Utilize improved navigation and reporting tools to streamline vendor risk management workflows.
    • Leverage customizable dashboards for focused insights that align with your organizational risk priorities.
    • Monitor due diligence and compliance processes efficiently to ensure thorough risk evaluation.
    • Extend risk oversight to dependent fourth-nth parties to maintain supply chain integrity.
    • Access and manage up-to-date assessment templates to standardize evaluations according to industry best practices.
    • Track managed activity usage transparently to optimize license management and operational oversight.

    Access and Roles

    Access to features like the Vendor Management Workspace, dashboards, and managed activity analytics is role-based. Key roles include Third-party risk (TPR) manager, TPR assessor, and Third-party assessment reviewer. Some capabilities require installation of additional applications like Unified Content Management or Due diligence management and possession of the Third-party Risk Management application license.

    You can monitor the potential risks that are associated with your third-party relationships by using the Third-party Risk Management application. An ongoing monitoring process can help you regularly assess the third party's performance and adherence to the agreed-upon terms.

    Ongoing monitoring and review

    You can monitor and review the performance of your third parties with Vendor Management Workspace. For example, you can regularly assess whether the third party is adhering to the agreed-upon terms.

    Note:
    The Vendor Management Workspace is designed for users with the Third-party risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_assessor], and Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] roles.

    Viewing risk reports and other information

    Starting with version 21.1.x, the legacy horizontal tab-based layout in the Vendor Management Workspace has been replaced by a structured vertical navigation panel. This design introduces:
    • Grouped Related Lists: Organizes access to third-party records, assessments, and dashboards into logical sections.
    • Clearer Workflows: Navigation is streamlined to support risk management processes and dependency tracking for third parties and engagements.
    • Consistent Availability: The vertical panel is accessible across all internal user roles, ensuring a unified experience for managing vendor risk and resilience.
    For more information on configuring related lists, see Configure related lists for vertical navigation on record pages.

    You can view the risk reports for all third parties and engagements by navigating to Workspaces > Vendor Management Workspace and then selecting the Risk tab to open the workspace to the home page. For more information, see Viewing third-party risk reports.

    You can also view the status and all current information for a third party or engagement by navigating to Workspaces > Vendor Management Workspace. On the Risk tab, select the home page icon .

    As shown in the following example, you can select any number in the Third-party risk overview section to open a list of third parties or engagements with that risk rating value. You can then select a third party or engagement.
    Figure 1. How to open a third party or engagement page by risk rating
    Sequence showing the selections needed to view a third party or engagement. For the text description, refer to the text that preceded this example.
    For more information, see Get an overview of a third party.

    TPRM personalized dashboards

    Monitor and analyze your assessment data at various levels using the Third-party insights dashboard and TPRM custom analytics dashboard. If you have the TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] or TPR assessor [sn_vdr_risk_asmt.vendor_assessor] role, you can create and share your own dashboards and reports. TPR managers can also customize report layouts, widgets, and data views to prioritize key metrics and workflows that align with your individual roles and risk programs. These dashboards provide you and your team with tailored insights and deliver relevant information at a glance, improving your decision-making process. You can view TPRM personalized dashboards by navigating to Workspaces > Vendor Management Workspace and selecting the dashboard page icon . For more information, see Monitoring assessment data using TPRM dashboards.

    Due diligence processes

    You can view the status of the following due diligence processes from the Due diligence request record page:
    • Request process
    • Inherent Risk Questionnaire (IRQ) process
    • Third-party risk assessment process
    • Approval process
    • Contract risk process
    To access the Due diligence request record page, you can select the DDR number for any due diligence request. For more information about the due diligence process, see Monitoring the due diligence request process.

    Managing fourth-nth parties

    You can use Third-party Risk Management to help identify, understand, and manage risks that are related to third parties dependent on the services of fourth-nth parties. Monitoring fourth-nth parties can help ensure that they adhere to the same security and compliance standards as the primary third party. For more information about fourth-nth parties, see Monitoring your fourth-nth parties.

    Managing third-party elements

    You can monitor third-party elements through scalable scoring models, relationship analysis, and due diligence workflow integration as part of the third-party element collection process. Monitoring third-party elements and leveraging that information can help with conducting more informed risk assessments as part of your third-party risk program. For more information about third-party elements, Monitoring third-party elements.

    Managing Smart assessment templates

    After upgrading to version 22.0.1 and installing the Unified Content Management application, TPR managers [sn_vdr_risk_asmt.vendor_risk_manager] can view a centralized library of smart assessment templates aligned with global regulations and industry standards. From the unified content management module in the Vendor Management Workspace you can activate and update templates. You can access the unified content module by navigating to Workspaces > Vendor Management Workspace, select the unified content management icon and then navigate to Smart assessment templates. For more information, see Managing TPRM SAE templates with Unified Content Management and Sample questionnaires.

    Viewing managed activities

    An engagement only consumes one license, regardless of whether there’s one managed activity or many managed activities per contract year. Managed activity usage is triggered only when an activity is initiated. You can view your managed activities for verification purposes with the Usage analytics activities [sn_vdr_risk_asmt_ua_activity] table. This read-only table stores a record whenever a managed activity occurs. You must have the Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role to view this table. You can access the Usage analytics activities table by navigating to All > Third Party Risk Management > Administration > Managed Activity Analytics. For more information, see Tracking a managed activity.

    Note:
    The Usage analytics activities [sn_vdr_risk_asmt_ua_activity] table is only available to those users that have purchased the Third-party Risk Management application and have access to the Due diligence management application. To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.