Setting up VRM third-party hierarchies and engagements

  • Release version: Yokohama
  • Updated March 12, 2026
  • 3 minutes to read
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Setting up VRM third-party hierarchies and engagements

    This guidance helps ServiceNow customers manage complex third-party relationships by establishing hierarchies that represent parent companies and their subsidiaries. It enables risk assessments at multiple levels—subsidiaries, engagements (products or services), and parent organizations—and aggregates these risk scores to provide a comprehensive view of overall third-party risk. This setup is particularly valuable for organizations working with multi-layered third parties that may pose varying risks across subsidiaries and their engagements.


    The procedures are optional and primarily relevant if your third parties have subsidiaries or if you want to assess risks related to products or services provided through engagements.

    Key Features

    • Third-party hierarchies: Define parent-child relationships among third parties and their subsidiaries to reflect organizational structures and assess risk at each level.
    • Engagements: Represent products or services offered by subsidiaries or the parent organization. Risks associated with engagements roll up to subsidiaries and then to the parent, allowing detailed risk evaluation.
    • Risk assessment components: Assess risk across components such as engagements, external monitoring, subsidiaries, and third-party risk assessments, with scores aggregated to determine the overall third-party risk rating.
    • Risk domains and criteria: Define risk areas (e.g., security, financial) specific to third-party types, and establish criteria for risk areas and components to tailor risk assessments.
    • Risk scoring rules: Configure rules to select which engagements and third parties require assessments based on risk thresholds, such as financial exposure or risk scores.
    • Contact roles: Assign primary and secondary contacts for third parties and engagements who can perform designated activities within the Third-party portal.

    Practical Application

    By setting up VRM third-party hierarchies and engagements, you can:

    • Perform granular risk assessments not only on parent organizations but also on their subsidiaries and specific engagements.
    • Aggregate risk scores to understand the cumulative risk posed by complex third-party structures.
    • Prioritize assessments and risk management efforts based on defined risk domains and scoring rules, ensuring focus on higher-risk entities or engagements.
    • Maintain clear accountability and communication by designating contacts for each third party and engagement.

    This structured approach enhances your ability to identify, evaluate, and mitigate risks across all levels of your third-party relationships within the ServiceNow Vendor Risk Management framework.

    Create third-party hierarchies by defining the parent-child relationships between the parent third party and all of their subsidiaries. You do this task because some organizations work with third parties that have subsidiaries (or subsidiaries of subsidiaries) that can pose a potential risk to your business. You can perform assessments at each subsidiary organization and roll up the results to calculate an overall risk score for the parent third party.

    Third-party hierarchy

    In this example, parent organization Acme has two subsidiaries and Acme NA has two subsidiaries. In this hierarchy, you perform risk assessments for the parent third party and all subsidiaries and calculate risk scores for each entity. You can then aggregate (roll up) the risk scores to calculate the risk score for Acme.

    Third-party hierarchy.

    Third-party hierarchy with subsidiaries and engagements

    Engagements represent products or services provided to the parent organization—either directly or from subsidiaries—that you can assess for risk. Where a subsidiary provides engagements, the risk scores assigned to those engagements are rolled up to calculate the risk score of the subsidiary, which in turn rolls up to the parent organization.

    In this example, subsidiary Acme US has three engagements. As in the previous example, risk is assessed for the parent, all of its subsidiaries, and all of their engagements. The risk scores are then rolled up to calculate the risk score for the parent.

    A third-party hierarchy with subsidiaries and engagements.

    See Define a VRM engagement.

    Overview: Setting up a third-party hierarchy

    Note:
    The setup procedures in this section apply only if you work with multi-layered third parties; that is, third parties that operate subsidiaries. They also guide you through the setup of engagements offered by subsidiaries. If these are not the types of third parties you do business with, and you do not want to set up third-party hierarchies, these procedures are optional.
    Table 1. Setup procedures for third-party hierarchies
    Setup procedure Description
    Define third-party risk areas.

    A risk domain defines the type of risk to assess for a third party. For example, you might want to assess a data-management third party in terms of security risk and a bank in terms of financial risk. Security risk and financial risk are risk domains. Some platform applications refer to risk domains as "risk areas."

    See Define a third-party risk domain.

    Define third-party risk area criteria.

    Third-party risk area criteria is a group of risk domains (sometimes called risk areas in other platform features) that applies to a particular type of third party.

    See Define third-party risk area criteria.

    Define component criteria.

    Components are the entities for which you can assess risk. The base system includes the engagements, external monitoring, subsidiaries, and third-party risk assessments components. Risk is calculated for each component and then the risk is aggregated and rolled up to calculate a third-party risk rating.

    See Define component criteria.

    Define engagements for a third party.

    Define an engagement so that you can assess the risks that are associated with the services or products offered by a third party. Engagements can also represent the products or services that are provided to the parent third party, either directly or from departments, partners, or subsidiaries that you can also assess for risk.

    As engagements are defined, you can define primary and secondary contacts for both third parties and engagements. Each type of contact can perform specific activities in the Third-party portal.

    See Define a VRM engagement.

    Define engagement risk scoring rules.

    An engagement risk-scoring rule specifies component criteria that determine which engagements are selected for assessment. For example, a rule could enable assessments for engagements that involve more than $40,000 annual business. Engagement scoring rules apply only to engagements.

    See Define engagement risk scoring rules.

    Define third-party risk scoring rules.

    Define criteria, based on risk scores, that determine which third parties require assessments. Third-party risk scoring rules apply to subsidiaries and engagements and to third-party risk areas.

    See Define third-party risk scoring rules.
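    To make the roll-up in the Acme hierarchy examples and the two kinds of scoring rule concrete, here is an added Python model (example code, not part of the ServiceNow product or this page): engagement scores roll up to Acme US, then to Acme NA, then to Acme, with the page's example rule of more than $40,000 annual business selecting which engagements are assessed. The aggregation function (maximum), all scores and dollar amounts, and the subsidiary names other than Acme NA and Acme US are assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed sample data, not from ServiceNow: Acme -> Acme NA -> Acme US, plus the
# three engagements from the page's example. Scores and dollar amounts are made up.
# Aggregating by maximum is an assumption; the page does not state the platform's
# roll-up formula.

@dataclass
class Engagement:
    name: str
    annual_business: float
    risk_score: float

@dataclass
class ThirdParty:
    name: str
    own_score: float  # score from the third party's own risk assessment component
    engagements: List[Engagement] = field(default_factory=list)
    subsidiaries: List["ThirdParty"] = field(default_factory=list)

ENGAGEMENT_THRESHOLD = 40_000  # the page's example rule: more than $40,000 annual business

def engagements_to_assess(tp, threshold=ENGAGEMENT_THRESHOLD):
    """Engagement risk scoring rule: only engagements above the threshold are assessed."""
    return [e for e in tp.engagements if e.annual_business > threshold]

def rolled_up_score(tp):
    """Roll up selected engagements -> subsidiary -> parent (max aggregation, assumed)."""
    scores = [tp.own_score]
    scores += [e.risk_score for e in engagements_to_assess(tp)]
    scores += [rolled_up_score(s) for s in tp.subsidiaries]
    return max(scores)

def third_parties_requiring_assessment(tp, min_score):
    """Third-party risk scoring rule: entities whose rolled-up score meets min_score."""
    selected = [tp.name] if rolled_up_score(tp) >= min_score else []
    for sub in tp.subsidiaries:
        selected += third_parties_requiring_assessment(sub, min_score)
    return selected

ACME_US = ThirdParty("Acme US", 2.0, engagements=[
    Engagement("Payroll SaaS", 120_000, 4.5),
    Engagement("Print services", 15_000, 5.0),  # below threshold: score is not rolled up
    Engagement("Cloud backup", 60_000, 3.0)])
ACME_NA = ThirdParty("Acme NA", 1.5, subsidiaries=[ACME_US, ThirdParty("Acme CA", 3.0)])
ACME = ThirdParty("Acme", 1.0, subsidiaries=[ACME_NA, ThirdParty("Acme EU", 2.5)])

if __name__ == "__main__":
    print(rolled_up_score(ACME), third_parties_requiring_assessment(ACME, 4.0))
```

    Note that the highest-scored engagement (Print services, 5.0) never reaches the parent because the scoring rule excludes it from assessment; a threshold rule changes the roll-up, not just the workload.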