Configuring Third-party Risk Management

  • Release version: Xanadu
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configuring Third-party Risk Management

    This guide outlines the steps required to activate and configure the Third-party Risk Management (TPRM) application in ServiceNow. Customers can download the application from the ServiceNow Store and follow a setup checklist to ensure proper configuration tailored to their organizational needs.

    Show full answer Show less

    Key Features

    • Application Activation: Activate the TPRM app, Due Diligence Request Workflow, and Vendor Risk Management Workspace, all requiring admin role.
    • Authentication Policy: Set up an authentication policy for secure access by external third parties.
    • User Management: Assign TPRM roles and group users according to their responsibilities to streamline process management.
    • TPRM Properties Configuration: Adjust property settings for various TPRM operations.
    • Email Communication: Enable email notifications for third-party contacts regarding assessments and issues.
    • Data Import: Optionally import existing data from other systems without incurring charges.
    • Third-party Contacts Setup: Grant external users access to the Third-party portal for task management and communication.
    • Language Configuration: Optionally activate a different language for TPRM.
    • Quick-start Tests: Optionally run tests to ensure TPRM functions correctly after configuration changes.

    Key Outcomes

    By following the setup tasks, ServiceNow customers can effectively implement TPRM, enhancing their risk management processes. Proper configuration leads to improved oversight of third-party risks, streamlined communication with external contacts, and efficient role management that supports organizational compliance and risk mitigation efforts.

    You can activate or upgrade TPRM, by downloading the applications from the ServiceNow Store and then configuring the settings to meet your needs.

    Configuration overview

    By performing the tasks in the Setup tasks for TPRM checklist, you can upgrade or install the TPRM application. After you’ve completed the tasks, you can perform additional configuration as described in Classic assessment configuration.

    Note:

    For any custom messages you create, it is your responsibility to generate the corresponding sys_ui_message records. This step is crucial if you want the custom messages to be extracted and translated.

    Initial setup and upgrade checklist for TPRM

    Table 1. Setup tasks for TPRM
    Task Description
    Activate the Third-party Risk Management app [com.sn_vdr_risk_asmt]. To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.
    Important:
    The base system includes many sample questions that you can use in your question bank. To include sample questionnaires, select Load demo data while installing the app.

    Role required: admin
    Activate the Due diligence request workflow application [com.sn_tprm_dd]. To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.

    Role required: admin
    Activate the Vendor Risk Management Workspace application [sn_vrm_ws]. To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.

    Role required: admin
    Add an authentication policy to enable secure access for external third parties.

    For more information, see Add an authentication policy to enable secure access for external third parties.

    Role required: admin

    Use the platform post-authentication policies to enable third parties to secure access to your instance. For background information on this feature, see Post-authentication context.
    Assign TPRM roles to users and user groups.

    Assign roles to users before you implement or use the Third-party Risk Management application. Assigning roles in a well-organized manner simplifies and improves process management and helps to ensure that users are promptly notified of tasks in their areas of responsibility.

    For more information, see Assign TPRM roles to users and user groups.

    Role required: admin
    Add users to groups based on their responsibilities.

    Assign users to groups before you implement or use the Third-party Risk Management application. Each group contains users with particular roles. Well-organized user groups simplify and improve process management and help to ensure that users are promptly notified of tasks in their areas of responsibility.

    For more information, see Add users to groups based on responsibilities.

    Role required: admin
    Configure TPRM properties.

    Configure property settings for a variety of TPRM operations.

    For more information, see Configure TPRM properties.

    Role required: admin
    Enable the TPRM Risk concentration map.

    This task is optional. For more information, see Enable the TPRM Risk concentration map.

    Role required: admin

    After you install the Risk concentration map feature, you must install a Google license to enable the feature.
    Enable your emails with third-party contacts.

    Configure email communication with third-party contacts to enable email notification of assessments and issues.

    For more information, see Enable email with third-party contacts.

    Role required: admin
    Import the existing data from other systems.

    This task is optional. Import existing data (third parties, engagements, assessments, questionnaires, issues, and so on) from other systems (like the Aravo platform, the ProcessUnity platform, and so on). You aren’t charged for importing the data.

    For more information, see Import existing data from other systems.

    Role required: admin
    Set up third-party contacts.

    Third-party contacts are external users at the third-party organization. They use the Third-party portal to securely organize, prioritize, and perform tasks like responding to questionnaires for assessments, performing tasks, and communicating with your risk-assessment staff regarding issues. You grant access to the Third-party portal and specify the permissions for third-party contacts.

    For more information, see Set up third-party contacts.

    Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager
    Activate a language.

    This task is optional. The ServiceNow AI Platform uses American English by default. You can configure TPRM to use a different language.

    For more information, see Activate a language.

    Role required: admin
    Run the quick-start tests for third-party risk management.

    This task is optional. Verify that TPRM still works after you make configuration changes such as applying an upgrade or developing an application. Copy and customize the quick-start tests to pass when using your instance-specific data.

    For more information, see Run the Quick Start tests for Third-party Risk Management.