Create a VRM automated risk assessment when the assigned risk tier changes

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minute read
  • Create a risk assessment when the risk changes for a third party by using a tier-based assessment submission rule. With this process, you can start reassessing the risk automatically if the source of the tier change is the engagement or third party.

    Before you begin

    Role required: sn_vdr_risk_asmt.vendor_risk_manager

    About this task

    The comprehensive Inherent Risk Questionnaire (IRQ) process replaces tiering.

    Important:

    In the TPRM application, the IRQ is an internal questionnaire that improves the original tiering assessment process. IRQs enhance internal risk assessments with increased flexibility, control, and scalability. Unlike a tiering assessment where external questionnaires are determined solely by the risk tier, an IRQ can dynamically trigger external questionnaires based on both respondents' answers and risk tier.

    To enable a seamless transition to TPRM, you have the option to duplicate existing tiering assessments and designate them as IRQ internal assessments. Risk tiering is supported as an unchanging legacy process.

    Procedure

    1. Navigate to All > Third-party Risk Management > Assessment Submission Rules > Tier Based Submission.
    2. Select a rule record or select New.
    3. On the form, fill in the fields.
      Table 1. Security Score Providers form
      Field: Description
      Third party: Name of the third party to apply the rule to. This rule also applies to the selected third party's engagements.
        Note: Leave the field empty to apply the rule to all third parties and engagements.
      Active: Option to turn a tier-based assessment submission rule on or off. When you select the check box, the tier-based assessment submission rule is on. When you clear the check box, the rule is turned off.
        Note: When all rules are turned off, the third-party risk assessments aren’t automatically generated by tier changes.
      Tier: Risk tier that should automatically generate an external assessment:
        • None
        • Critical
        • High
        • Moderate
        • Low
        • Minor
      Assessment Template: Template to send when the risk tier scale changes to the tier that is specified in the rule.
      Auto submit to third party: Option to automatically submit an external assessment to a third party or engagement after the external assessment is generated. If the option isn’t selected, the external assessment stays in the Draft state after it’s created.
    4. Select Update.

      When a change to the tier activates the rule, the system generates an external assessment and sends it out to either the third party or engagement. An external assessment is only sent to the source of the tier change. If the third party or engagement caused the tier to change, an external assessment is sent to both the third party and the engagement.
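
      The rule fields above can be reviewed for gaps once the rules are exported. The following JavaScript is an added example, not ServiceNow code: the record shape, the field names (thirdParty, active, tier, autoSubmit), the function names, and the sample rules are assumptions constructed for illustration. It reports third parties that have no active rule for a required tier, active rules that leave the assessment in Draft, and the case where every rule is turned off.

```javascript
// Added example. Field names are hypothetical, not ServiceNow column names.
// Constructed sample export of tier-based submission rules.
const sampleRules = [
  { thirdParty: "",        active: true,  tier: "Critical", autoSubmit: true  },
  { thirdParty: "Acme Co", active: true,  tier: "High",     autoSubmit: false },
  { thirdParty: "",        active: false, tier: "High",     autoSubmit: true  },
];

// Rules that would fire when `thirdParty` (or one of its engagements)
// moves to `newTier`. An empty thirdParty field means "all third parties".
function matchingRules(rules, thirdParty, newTier) {
  return rules.filter((r) =>
    r.active &&
    r.tier === newTier &&
    (r.thirdParty === "" || r.thirdParty === thirdParty)
  );
}

// Review a rule set against the tiers the reviewer expects to trigger
// an external assessment for every listed third party.
function auditRules(rules, thirdParties, requiredTiers) {
  const findings = [];

  // With every rule off, tier changes generate no assessments at all.
  if (!rules.some((r) => r.active)) {
    findings.push({ type: "all-rules-off" });
  }

  // Active rules without auto submit leave the assessment in Draft.
  for (const r of rules) {
    if (r.active && !r.autoSubmit) {
      findings.push({ type: "stays-in-draft", thirdParty: r.thirdParty || "*", tier: r.tier });
    }
  }

  // Third party / tier pairs that no active rule covers.
  for (const tp of thirdParties) {
    for (const tier of requiredTiers) {
      if (matchingRules(rules, tp, tier).length === 0) {
        findings.push({ type: "no-coverage", thirdParty: tp, tier });
      }
    }
  }
  return findings;
}
```

      For the constructed sample, calling auditRules(sampleRules, ["Acme Co", "Globex"], ["Critical", "High"]) reports the Acme Co rule that stays in Draft and the missing High coverage for Globex, because the only rule covering all third parties at that tier is inactive.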