Integrating Third-party Risk Management with GRC: Policy and Compliance Management
Summary of Integrating Third-party Risk Management with GRC: Policy and Compliance Management
The integration between Third-party Risk Management (TPR) and the GRC: Policy and Compliance Management application enables dynamic compliance tracking of controls and control objectives based on questionnaire responses from third parties or engagements. This integration helps TPR managers with the Compliance Manager role efficiently assess and manage third-party compliance by linking controls directly to questionnaire questions and entities.
Key Features
- Control Association: TPR managers can associate controls with specific third parties, engagements, and questions within questionnaire templates. This creates a direct connection between controls and the compliance process for those entities.
- Granular Compliance Assessment: Each question in a questionnaire can be linked to multiple control objectives, allowing detailed and precise compliance evaluations.
- Automatic Compliance Status Updates: When third parties respond to questionnaires, the system automatically updates the compliance status of linked controls—marking controls as compliant or non-compliant based on the accuracy of responses.
- Entity Categorization: All third parties are categorized as Vendors, ensuring clear entity representation and facilitating control associations.
- Monitoring and Visibility: Both Policy and Compliance Management users and Third-party risk assessors can monitor the compliance status of controls related to third parties and engagements.
Practical Application for ServiceNow Customers
By leveraging this integration, ServiceNow customers can:
- Maintain an up-to-date and real-time compliance status for third parties through automated questionnaire response analysis.
- Link specific controls and control objectives directly to questionnaire questions, enabling focused and granular risk assessments.
- Ensure that third-party entities and engagements are systematically represented and managed as Vendors within the system.
- Utilize role-based capabilities (Compliance Manager and Third-party risk assessor roles) to assign responsibility and streamline compliance monitoring workflows.
Additional Notes
While direct mapping of control objectives to questions is not available for SAE questionnaires, compliance can still be flagged through post-assessment actions in SAE. For comprehensive implementation details and instructions on manually adding controls or control objectives, customers should refer to the related procedural documentation in ServiceNow.
The GRC: Policy and Compliance Management integration updates the compliance status of controls and control objectives based on the questionnaire responses from a third party or engagement. Third-party risk (TPR) managers with the Compliance Manager [sn_compliance.manager] role can associate controls with specific questions, third parties, and engagements.
If you have the Policy and Compliance Management application installed, TPR managers with the Compliance Manager role can perform several key tasks that help manage and assess third-party compliance.
- You can associate third parties and engagements to specific control objectives. This association creates controls for the third party or engagement, establishing a direct connection between them and the compliance management process.
For more information, see Manually add a control to a third party or engagement.
- You can link each question in a questionnaire template individually to multiple control objectives. This enables a granular and detailed assessment of compliance.
For more information, see Manually add a control objective to a question.
- When third parties and engagements respond to questionnaires, the system automatically updates the compliance status of the linked controls. If they provide an incorrect answer, the associated controls are marked as non-compliant. Conversely, correct answers keep the controls compliant.
All third parties are automatically categorized into an entity type called Vendors. This helps ensure that each third party and engagement is represented as an entity.
When an entity, such as a third party or engagement, is associated with a control objective, a corresponding control is created for that entity. This association links the third party or engagement with the control, which can influence the compliance status of the control.
In the context of Third-party Risk Management, each question in a questionnaire template can be individually linked to multiple control objectives through a related list. When a questionnaire is sent to a third party and the third party responds with an incorrect answer, the controls associated with the linked control objectives are marked as non-compliant. Conversely, if the third party provides the correct answer, the controls remain compliant.
This feature helps ensure that the compliance status of controls is dynamically updated based on the third party's or engagement's responses, providing a real-time and accurate assessment of their compliance. Both Policy and Compliance Management users and Third-party risk assessors [sn_vdr_risk_asmt.vendor_assessor] can monitor the status of a control.
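The following plain-JavaScript model is an added illustration of the linkage described above; it is not ServiceNow platform code and uses no ServiceNow APIs. It models the three relationships the page describes (entity to control objective creates a control; question to control objectives through the related list; an incorrect answer marks the linked controls non-compliant) and shows two edge cases the text implies but does not spell out: a question with no linked objectives never affects a control, and an answer only affects a vendor that actually has a control for that objective. The control objective ids, question ids, vendor names, expected answers and responses are constructed sample data, and two rules are assumptions rather than page statements: a newly created control starts out compliant, and an objective linked to several questions is non-compliant if any of them is answered incorrectly.

```javascript
// Added illustration, not ServiceNow platform code: a plain-JavaScript model of
// how questionnaire answers drive control compliance status. Control objective
// ids, question ids, vendor names and answers are constructed sample data.

// Questionnaire template: each question carries the answer the assessor expects
// and the control objectives linked to it through the related list. Q4 is a
// free-text question with no linked objectives and so never affects a control.
const TEMPLATE = [
  { id: "Q1", expected: "Yes", objectives: ["CO_MFA"] },
  { id: "Q2", expected: "Yes", objectives: ["CO_ENC"] },
  { id: "Q3", expected: "Yes", objectives: ["CO_ENC", "CO_BCP"] },
  { id: "Q4", expected: null,  objectives: [] },
];

// Associating an entity with control objectives creates one control per
// objective for that entity. All third parties are categorised as Vendors.
function createControls(entityName, objectiveIds) {
  return objectiveIds.map((objective) => ({
    id: `${entityName}/${objective}`,
    entity: entityName,
    entityType: "Vendor",
    objective,
    status: "compliant", // assumption: a new control starts out compliant
  }));
}

// Apply one set of responses to an entity's controls.
// Assumptions not stated on the page: an objective linked to several questions
// is non-compliant if any of them is answered incorrectly, and an unanswered
// question leaves its objectives untouched.
function evaluateResponses(controls, template, responses) {
  const failed = new Set();
  const passed = new Set();
  for (const q of template) {
    if (q.expected === null || !(q.id in responses)) continue;
    const bucket = responses[q.id] === q.expected ? passed : failed;
    for (const objective of q.objectives) bucket.add(objective);
  }
  for (const control of controls) {
    if (failed.has(control.objective)) control.status = "non_compliant";
    else if (passed.has(control.objective)) control.status = "compliant";
  }
  return controls;
}

// Summarise an entity's controls as { objective: status } for monitoring.
function statusByObjective(controls) {
  const out = {};
  for (const c of controls) out[c.objective] = c.status;
  return out;
}

// Two constructed vendors: one associated with all three objectives, one with
// only CO_MFA (so its answer to Q3 touches no control and changes nothing).
function runExample() {
  const acme = createControls("Acme Hosting", ["CO_MFA", "CO_ENC", "CO_BCP"]);
  evaluateResponses(acme, TEMPLATE, { Q1: "Yes", Q2: "Yes", Q3: "No", Q4: "n/a" });

  const beta = createControls("Beta Logistics", ["CO_MFA"]);
  evaluateResponses(beta, TEMPLATE, { Q1: "No", Q3: "No" });

  return { acme: statusByObjective(acme), beta: statusByObjective(beta) };
}

console.log(JSON.stringify(runExample(), null, 2));
```

Running it shows Acme Hosting's CO_MFA control compliant and its CO_ENC and CO_BCP controls non-compliant (CO_ENC fails because Q3 is linked to it as well as Q2), while Beta Logistics ends with a single non-compliant CO_MFA control and no CO_BCP control at all, since it was never associated with that objective.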
For more information on implementing Policy and Compliance Management, see Implementing Policy and Compliance Management.