Integrating Third-party Risk Management with GRC: Policy and Compliance Management
The GRC: Policy and Compliance Management integration updates the compliance status of controls and control objectives based on the questionnaire responses from a third party or engagement. Third-party risk (TPR) managers with the Compliance Manager [sn_compliance.manager] role can associate controls with specific questions, third parties, and engagements.
If you have the Policy and Compliance Management application installed, TPR managers with the Compliance Manager role can perform several key tasks that help manage and assess third-party compliance.
- You can associate third parties and engagements to specific control objectives. This association creates controls for the third party or engagement, establishing a direct connection between them and the compliance management process.
For more information, see Manually add a control to a third party or engagement.
- You can individually link each question in a questionnaire template to multiple control objectives. This enables a granular and detailed assessment of compliance.
For more information, see Manually add a control objective to a question.
- When third parties and engagements respond to questionnaires, the system automatically updates the compliance status of the linked controls. If they provide an incorrect answer, the associated controls are marked as non-compliant. Conversely, correct answers keep the controls compliant.
All third parties are automatically categorized into an entity type called Vendors. This helps ensure that each third party and engagement is represented as an entity.
When an entity, such as a third party or engagement, is associated with a control objective, a corresponding control is created for that entity. This association links the third party or engagement with the control, so the entity's questionnaire responses can influence the compliance status of that control.
In the context of Third-party Risk Management, each question in a questionnaire template can be individually linked to multiple control objectives through a related list. When a questionnaire is sent to a third party and the third party responds with an incorrect answer, the controls associated with the linked control objectives are marked as non-compliant. Conversely, if the third party provides the correct answer, the controls remain compliant.
This feature helps ensure that the compliance status of controls is dynamically updated based on the third party's or engagement's responses, providing a real-time and accurate assessment of their compliance. Both Policy and Compliance Management users and Third-party risk assessors [sn_vdr_risk_asmt.vendor_assessor] can monitor the status of a control.
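The propagation described above, as an added illustration that is not ServiceNow code: a simplified model in which associating an entity with a control objective creates a control, each question can link to several objectives, and an incorrect answer marks every control reached through that question non-compliant. The class names, field names and the sample questionnaire are assumptions.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of the behaviour described on this page.
# Not ServiceNow code; names and sample data are assumptions.


@dataclass
class Control:
    entity: str            # a third party or engagement (entity type "Vendors")
    objective: str         # the control objective the control was created from
    status: str = "compliant"


@dataclass
class Question:
    text: str
    correct_answer: str
    objectives: list = field(default_factory=list)   # linked control objectives


class ComplianceModel:
    def __init__(self):
        self.controls = {}   # (entity, objective) -> Control

    def associate(self, entity, objective):
        """Associating an entity with a control objective creates its control."""
        return self.controls.setdefault((entity, objective), Control(entity, objective))

    def apply_responses(self, entity, questions, answers):
        """An incorrect (or missing) answer marks every control linked through that
        question non-compliant; a correct answer leaves the control as it is, so one
        wrong answer among several feeding the same control still flags it."""
        for q in questions:
            if answers.get(q.text) != q.correct_answer:
                for obj in q.objectives:
                    ctrl = self.controls.get((entity, obj))
                    if ctrl is not None:   # only entities tied to this objective
                        ctrl.status = "non_compliant"
        return {obj: c.status for (ent, obj), c in self.controls.items() if ent == entity}


def demo():
    """Two vendors assessed with one template; only Acme answers the MFA question wrong."""
    model = ComplianceModel()
    for vendor in ("Acme Corp", "Beta LLC"):
        for obj in ("Encrypt data at rest", "MFA for admins", "Privileged access control"):
            model.associate(vendor, obj)
    questions = [
        Question("Is customer data encrypted at rest?", "yes", ["Encrypt data at rest"]),
        Question("Is MFA enforced for all admin accounts?", "yes",   # fans out to two objectives
                 ["MFA for admins", "Privileged access control"]),
    ]
    acme = model.apply_responses("Acme Corp", questions,
                                 {"Is customer data encrypted at rest?": "yes",
                                  "Is MFA enforced for all admin accounts?": "no"})
    beta = model.apply_responses("Beta LLC", questions, {q.text: "yes" for q in questions})
    return acme, beta
```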
For more information on implementing Policy and Compliance Management, see Implementing Policy and Compliance Management.