Document Management system in Third-party Risk Management

  • Release version: Yokohama
  • Updated March 12, 2026

    Learn how the enhanced Document Management system supports third-party collaboration and internal workflows in Third-party Risk Management (TPRM).

    Document Management Overview

    Starting with version 21.1.x, the Document Management System (DMS) in Third-party Risk Management (TPRM) provides a centralized repository for storing, organizing, and managing third-party documents throughout the vendor life cycle. DMS streamlines evidence tracking, reduces duplication, and improves audit readiness by enabling document reuse across assessments, contracts, issues, and tasks. Access DMS in the Vendor Management Workspace or third-party portal to create, manage, and reference documents. Primary contacts manage permissions in the portal. TPR assessors [sn_vdr_risk_asmt.vendor_assessor], TPR managers [sn_vdr_risk_asmt.vendor_risk_manager], and TPR administrators have write access, while third-party assessment reviewers [sn_vdr_risk_asmt.vendor_assessment_reviewer] have read-only access. DMS supports metadata, version control, search, reporting, and audit tracking for all document actions.
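The role split described above lends itself to a periodic least-privilege review. The following is an added example, not ServiceNow code: it takes user-role assignment rows and reports each user's effective DMS access, flagging reviewers who also hold a write role and writers missing from an approved list. The row shape, the `approvedWriters` list, and the administrator role name (not given on this page, so shown as a placeholder) are assumptions.

```javascript
// Added example: least-privilege review of DMS role assignments.
// Assessor, manager and reviewer role names are the ones listed on this page.
const WRITE_ROLES = [
  'sn_vdr_risk_asmt.vendor_assessor',
  'sn_vdr_risk_asmt.vendor_risk_manager',
];
const READ_ROLE = 'sn_vdr_risk_asmt.vendor_assessment_reviewer';

// rows: [{ user, role }] (assumed shape of a user-role assignment export).
// opts.adminRole: TPR administrator role name (assumption; not on this page).
// opts.approvedWriters: users expected to hold write access (assumption).
function reviewDmsAccess(rows, opts = {}) {
  const writeRoles = new Set(WRITE_ROLES);
  if (opts.adminRole) writeRoles.add(opts.adminRole);
  const approved = new Set(opts.approvedWriters || []);
  const byUser = new Map();
  for (const { user, role } of rows) {
    if (!writeRoles.has(role) && role !== READ_ROLE) continue; // not a DMS role
    if (!byUser.has(user)) byUser.set(user, new Set());
    byUser.get(user).add(role);
  }
  const report = [];
  for (const [user, roles] of byUser) {
    const writeVia = [...roles].filter((r) => writeRoles.has(r)).sort();
    const canWrite = writeVia.length > 0;
    report.push({
      user,
      access: canWrite ? 'write' : 'read-only',
      writeVia,
      // A reviewer who also holds a write role is not read-only in practice.
      reviewerWithWrite: roles.has(READ_ROLE) && canWrite,
      unapprovedWrite: canWrite && !approved.has(user),
    });
  }
  return report.sort((a, b) => a.user.localeCompare(b.user));
}

// Constructed sample rows, not taken from a real instance.
const SAMPLE = [
  { user: 'a.ito', role: 'sn_vdr_risk_asmt.vendor_assessor' },
  { user: 'b.ngo', role: 'sn_vdr_risk_asmt.vendor_assessment_reviewer' },
  { user: 'c.roy', role: 'sn_vdr_risk_asmt.vendor_assessment_reviewer' },
  { user: 'c.roy', role: 'sn_vdr_risk_asmt.vendor_risk_manager' },
  { user: 'd.lee', role: 'PLACEHOLDER_tpr_admin_role' },
  { user: 'e.fox', role: 'itil' },
];
const OPTS = { adminRole: 'PLACEHOLDER_tpr_admin_role', approvedWriters: ['a.ito', 'd.lee'] };
console.log(reviewDmsAccess(SAMPLE, OPTS));
```

Rows flagged `reviewerWithWrite` or `unapprovedWrite` are the ones to take to the role owner for confirmation or removal.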

    Internal users access the DMS through the Documents module in the Vendor Management Workspace.
    Figure 1. Document Management System in Vendor Management Workspace
    External users access the DMS through the Third-party portal.
    Figure 2. Document Management System in the Third-party portal

    Key capabilities

    • Third-party contacts can upload and manage documents using the third-party portal.

      For more information, see Upload and manage documents in the third-party portal.

    • Internal users can create and access document records through the Documents module in the Vendor Management Workspace.

      For more information, see Create a document record.

    • Users can manage document versions, download attachments, and track their metadata.

      For more information, see Create a document version.

    • Documents can be linked to multiple TPRM record types with auto-rollup:
      • Tasks
      • Issues
      • Engagements
      • Assessments

      For more information, see Link documents to a TPRM record.

    • Internal users can manage role-based permissions for primary contacts and other internal users.

      For more information, see Define document sharing permissions.

    • Each document version supports download options, advanced search and reporting for metadata and relationships, and complete audit tracking of actions and version history.

    Document life cycle and traceability

    Each document captures metadata including creation date, type, description, version, and status. Metadata is used for classification, reporting, and workflow routing.

    Each document supports multiple versions. TPR assessors, managers, and administrators can upload new versions, view version history, and download attachments for any version. Versions are sorted by creation date in descending order.

    Documents can be linked to assessments, engagements, issues, and tasks. These references automatically roll up to related third-party records. Duplicate references aren’t allowed.
    Note:
    A linked document is a document record associated with another record (assessment, engagement, issue, or task) for traceability and reporting. Linking creates a formal relationship that supports life-cycle tracking. A reference is the entry that represents this link, shown in the document’s References tab and the related record’s Documents list. Each reference includes metadata like record type and ID. The key difference is that linking is the action and a reference is the result. Multiple references to one document are possible, but duplicate references to the same record aren’t allowed.

    All document actions including uploads and version updates are tracked for audit purposes. Audit logs are accessible to authorized users.

    Collaboration and insights

    All actions, including approvals and rejections, are tracked in the audit log for transparency and reporting. You can search documents by metadata fields; filters include document type, risk category, expiration date, and third-party association. You can generate reports on document usage, status, version history, relationships, and linked records using the Reports module or Performance Analytics.

    Report types can include:
    • Document inventory report with metadata and version details.
    • Linkage report showing documents associated with assessments, engagements, and tasks.
    • Audit report for document actions and life-cycle events.

    Now Assist document skills

    If your organization uses DMS and Now Assist for TPRM, you can leverage AI-driven skills to streamline document-heavy workflows. These capabilities reduce manual effort, improve accuracy, and accelerate risk tasks. Now Assist for Document Management and Now Assist for TPRM offer the following key skills:

    • TPRM issue summarization – Condenses complex third-party risk issues into actionable summaries, helping risk analysts review and respond faster.

      For more information, see TPRM issue summarization skill.

    • Smart documents – Summarizes risk management documents and provides quick Q&A, reducing manual review and speeding up due diligence.

      For more information, see Smart Documents.

    • Extract information from documents – Uses AI to pull specific data points (such as risk indicators, compliance clauses, or contract terms) from large documents, reducing manual review time and improving accuracy.

      For more information, see Now Assist extract information from documents.

    For more information on Now Assist for Document Management skills, see Explore Now Assist in Document Management.

    Limitations

    • External users can’t preview documents due to restrictions; they must download documents from the portal to view them.
    • The third-party field is optional when creating a document. However, if the document is associated with a third party, this field is required. For internal documents with no third-party association, the field can remain empty.
    • Document creation and versioning currently require separate steps.