Setting up VRM third-party hierarchies and engagements
Summary of Setting up VRM third-party hierarchies and engagements
This guide explains how to set up third-party hierarchies and engagements in Vendor Risk Management (VRM) within ServiceNow. It is relevant for organizations working with third parties that have multiple subsidiary layers. Setting up these hierarchies allows you to assess risks at each subsidiary level and roll up those risk scores to derive an overall risk rating for the parent third party. This setup also includes managing engagements, which represent the products or services provided by parent or subsidiary organizations, to assess risk comprehensively across the entire third-party structure.
These setup procedures are optional and should be followed only if your business works with multi-layered third parties and requires risk assessments at subsidiary and engagement levels.
Key Features
- Third-party hierarchies: Define parent-child relationships between parent third parties and their subsidiaries to enable multi-level risk assessments and aggregated risk calculations.
- Engagements: Represent products or services provided by third parties or their subsidiaries. You can assess risk at the engagement level, and their scores roll up to subsidiaries and then to the parent organization.
- Risk domains (risk areas): Specify types of risks to assess, such as security risk or financial risk, tailored to the nature of the third party.
- Risk area criteria: Group relevant risk domains to apply to specific types of third parties for targeted risk assessments.
- Component criteria: Define which components (engagements, subsidiaries, external monitoring, risk assessments) are included for risk calculation and roll-up.
- Engagement risk scoring rules: Set rules that determine which engagements qualify for assessment based on criteria like business volume.
- Third-party risk scoring rules: Define criteria based on risk scores to identify third parties, subsidiaries, or engagements that require risk assessments.
Practical Outcomes for ServiceNow Customers
- Establish clear hierarchical relationships among third parties and their subsidiaries to facilitate structured risk management.
- Perform risk assessments at multiple levels—parent, subsidiary, and engagement—to gain detailed insights into potential risks.
- Aggregate risk scores effectively to generate comprehensive risk ratings for parent organizations, improving visibility and decision-making.
- Customize risk domains and scoring rules to fit the specific risk profiles of different third parties and their engagements.
- Manage contacts for third parties and engagements to streamline assessment workflows via the Third-party portal.
Create third-party hierarchies by defining the parent-child relationships between the parent third party and all of their subsidiaries. You do this task because some organizations work with third parties that have subsidiaries (or subsidiaries of subsidiaries) that can pose a potential risk to your business. You can perform assessments at each subsidiary organization and roll up the results to calculate an overall risk score for the parent third party.
Third-party hierarchy
In this example, parent organization Acme has two subsidiaries and Acme NA has two subsidiaries. In this hierarchy, you perform risk assessments for the parent third party and all subsidiaries and calculate risk scores for each entity. You can then aggregate (roll up) the risk scores to calculate the risk score for Acme.
Third-party hierarchy with subsidiaries and engagements
Engagements represent products or services provided to the parent organization—either directly or from subsidiaries—that you can assess for risk. When a subsidiary provides engagements, the risk scores assigned to those engagements are rolled up to calculate the risk score of the subsidiary, which in turn rolls up to the parent organization.
In this example, subsidiary Acme US has three engagements. As in the previous example, risk is assessed for the parent, all of its subsidiaries, and all of their engagements. The risk scores are then rolled up to calculate the risk score for the parent.
Overview: Setting up a third-party hierarchy
| Setup procedure | Description |
|---|---|
| Define third-party risk areas. | A risk domain defines the type of risk to assess for a third party. For example, you might assess a data-management third party in terms of security risk and a bank in terms of financial risk; security risk and financial risk are risk domains. Some platform applications refer to risk domains as "risk areas." |
| Define third-party risk area criteria. | Third-party risk area criteria are a group of risk domains (called risk areas in some other platform features) that applies to a particular type of third party. |
| Define component criteria. | Components are the entities for which you can assess risk. The base system includes the engagements, external monitoring, subsidiaries, and third-party risk assessments components. Risk is calculated for each component, then aggregated and rolled up to calculate a third-party risk rating. |
| Define engagements for a third party. | Define an engagement so that you can assess the risks associated with the services or products offered by a third party. Engagements can also represent products or services provided to the parent third party, either directly or from departments, partners, or subsidiaries, which you can also assess for risk. As you define engagements, you can define primary and secondary contacts for both third parties and engagements; each type of contact can perform specific activities in the Third-party portal. |
| Define engagement risk scoring rules. | An engagement risk scoring rule specifies component criteria that determine which engagements are selected for assessment. For example, a rule could enable assessments for engagements that involve more than $40,000 of annual business. Engagement scoring rules apply only to engagements. |
| Define third-party risk scoring rules. | Define criteria, based on risk scores, that determine which third parties require assessments. Third-party risk scoring rules apply to subsidiaries and engagements and to third-party risk areas. |
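As an added illustration (not ServiceNow code) of the roll-up in the Acme hierarchy examples above and of the engagement and third-party scoring rules in this table, the following Python models the hierarchy and walks the scores up from engagements to subsidiary to parent. The page does not state the aggregation formula, so aggregating by maximum is an assumption, as are the scores, the $80 assessment threshold, and every name other than Acme, Acme NA, and Acme US.

```python
from dataclasses import dataclass, field
from typing import Optional

# Engagement risk scoring rule from the page's example: assess only
# engagements that involve more than $40,000 of annual business.
MIN_ANNUAL_BUSINESS = 40_000

@dataclass
class Engagement:
    name: str
    annual_business: float  # USD per year
    risk_score: float       # score from its own assessment, higher = riskier

@dataclass
class ThirdParty:
    name: str
    risk_score: Optional[float] = None  # score from the entity's own assessment
    subsidiaries: list = field(default_factory=list)
    engagements: list = field(default_factory=list)

def engagement_in_scope(e: Engagement) -> bool:
    """Engagement scoring rule: business volume decides whether it is assessed."""
    return e.annual_business > MIN_ANNUAL_BUSINESS

def rolled_up_score(tp: ThirdParty) -> float:
    """Engagements roll up to their subsidiary, subsidiaries to the parent.
    Aggregating by maximum is an assumption; the page does not give the formula."""
    scores = [] if tp.risk_score is None else [tp.risk_score]
    scores += [e.risk_score for e in tp.engagements if engagement_in_scope(e)]
    scores += [rolled_up_score(s) for s in tp.subsidiaries]
    return max(scores) if scores else 0.0

def entities_needing_assessment(tp: ThirdParty, threshold: float) -> list:
    """Third-party scoring rule: entities whose (rolled-up) score meets the threshold."""
    hits = [tp.name] if rolled_up_score(tp) >= threshold else []
    hits += [e.name for e in tp.engagements if engagement_in_scope(e) and e.risk_score >= threshold]
    for sub in tp.subsidiaries:
        hits += entities_needing_assessment(sub, threshold)
    return hits

def build_acme() -> ThirdParty:
    """Constructed hierarchy: Acme -> Acme NA, Acme EU; Acme NA -> Acme US, Acme Canada;
    Acme US has three engagements. Scores and names beyond the page are placeholders."""
    acme_us = ThirdParty("Acme US", 40, engagements=[
        Engagement("Payroll processing", 120_000, 85),
        Engagement("Office cleaning", 25_000, 95),  # under $40,000: not rolled up
        Engagement("Cloud hosting", 300_000, 60),
    ])
    acme_na = ThirdParty("Acme NA", 30, subsidiaries=[acme_us, ThirdParty("Acme Canada", 50)])
    return ThirdParty("Acme", 20, subsidiaries=[acme_na, ThirdParty("Acme EU", 55)])
```

Note that the out-of-scope "Office cleaning" engagement carries the highest raw score but never reaches the parent, which is exactly the effect an engagement scoring rule has on the roll-up.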