Third-party risk management data model
Use the Third-party Risk Management (TPRM) data model to assess, monitor, and mitigate the risks for your risk management program.
TPRM data model overview
The Third-party Risk Management application is one of the Governance, Risk, and Compliance products. The following model is used to support TPRM's capabilities.
The third-party risk assessment data model includes various components and relationships:
- Risk intelligence score [sn_vdr_risk_asmt_security_score]
- Internal assessment [sn_vdr_risk_asmt_internal_assessment]
- Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
- Event-driven management history [sn_tprm_dd_rule_execution_history]
- Third-party due diligence request [sn_tprm_dd_request]
- Company [core_company]
- Event-driven management rule [sn_tprm_dd_generation_rule]
- Third-party risk assessment [sn_vdr_risk_asmt_assessment]
- Third-party engagement [sn_vdr_risk_asmt_vendor_engagement]
- Vendor contact [vm_vdr_contact]
- Assessment metric type [asmt_metric_type]
- Assessment template [sn_vdr_risk_asmt_assessment_template]
- Third-party risk issue [sn_vdr_risk_asmt_issue]
- Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
- Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]
- Risk [sn_risk_risk]
- Control [sn_compliance_control]
- The Third-party risk assessment component can have a one-to-many relationship with the following components:
  - Event-driven management histories
  - Third-party due diligence requests
  - Company
  - Third-party engagements
  - Third-party risk issues
  - Assessment templates
- The Event-driven management histories component can have a many-to-one relationship with the Event-driven management rules component.
- The Event-driven management rules component can have a one-to-many relationship with the Assessment metric type component and the Assessment template component.
- The Third-party engagement component can have a one-to-many relationship with the following components:
  - Company
  - Engagement risk scoring rule
  - Third-party risk issue
- The Third-party engagement component can have a many-to-many relationship with the Vendor contact component.
- The Vendor contact component can have a one-to-many relationship with the Company and a Third-party risk issue component.
- The Engagement level risk rating component can have a one-to-many relationship with the Third-party engagement component.
- The Third-party engagement component is related to the Risk and Control component.
- The Risk intelligence score component is related to the Third-party due diligence component.
- The Tiering assessment component can have a one-to-many relationship with the following components:
  - Third-party due diligence
  - Third-party engagement
  - Company
- The Tiering assessment component can have a many-to-many relationship with the Assessment metric type component.
- The Third-party due diligence component can have one-to-many relationships with the following components:
  - Event-driven management history
  - Third-party risk assessment
  - Company
- The following components are related to Risk due diligence:
  - Event-driven management rule
  - Event-driven management history
  - Third-party risk due diligence request
- The following components are related to Third-party management:
  - Risk intelligence score
  - Internal assessment
  - Tiering assessment
  - Third-party risk assessment
  - Third-party engagement
  - Assessment template
  - Third-party risk issue
  - Engagement risk scoring rule
  - Engagement level risk rating
- The internal assessment component is an extension of the tiering assessment component.
- The Control component is related to Policy and Compliance Management.
- The Risk component is related to Risk Management.
- The following components are Global:
  - Vendor contact
  - Company
  - Assessment metric type
| Role | Description |
|---|---|
| sn_vdr_risk_asmt.approver | Approve due diligence requests in the third-party risk management process. |
| sn_vdr_risk_asmt.contract_negotiator | Work in the contract risk process stage of the onboarding process. |
| sn_vdr_risk_asmt.vendor_assessment_reviewer | Edit assessments. |
| sn_vdr_risk_asmt.vendor_assessor | Manage third parties, third-party contacts, third-party risk assessments, and issues, and complete third-party risk assessment requests. |
| sn_vdr_risk_asmt.vendor_risk_admin | Have full control over all vendor risk management data and assessment metric types. |
| sn_vdr_risk_asmt.vendor_risk_manager | Manage third parties, third-party contacts, third-party assessment templates, questionnaire templates, documentation request templates, and scheduled assessments. |
For more information on the roles, see Roles in Third-party Risk Management.
Core components
TPRM is based on sending assessments and calculating scores from the received responses. Its core components are:
- Third-party risk assessment
- Third-party engagement
- Third-party due diligence
- Scoring setup
- Risk intelligence
The following diagram shows the main tables and flow for a third-party risk assessment of the TPRM data model.
Here are the components and relationships that make up the Third-party risk assessment data model.
- Internal assessments [sn_vdr_risk_asmt_internal_assessment]
- Tiering assessments [sn_vdr_risk_asmt_vdr_tiering_assessment]
- External assessments [sn_vdr_risk_asmt_assessment]
- Assessment template [sn_vdr_risk_asmt_template]
- Questionnaire templates [asmt_metric_type]
- Questionnaire instance [asmt_assessment_instance]
- Category [asmt_metric_category]
- Metric [asmt_metric]
- The Metric component can have a many-to-one relationship with the Category component.
- The Category component can have a many-to-one relationship with the Questionnaire templates component.
- The Questionnaire templates component can have a many-to-one relationship with the following components:
  - Assessment template
  - Tiering assessments
  - External assessments
- The Questionnaire instance component can have a many-to-one relationship with the following components:
  - External assessments
  - Tiering assessments
- The Assessment template component can have one-to-many relationships with the following components:
  - Tiering assessments
  - External assessments
- The Internal assessment component is an extension of the Tiering assessment component.
- The Internal assessment components are related to Risk due diligence.
- The following components are related to Third-party management:
  - Tiering assessments
  - External assessments
  - Assessment templates
- The following components are Global:
  - Questionnaire templates
  - Category
  - Metric
  - Questionnaire instance
For more information on assessments, see Assessing your third-party risk.
The following diagram shows the main tables and flow that are used for the due diligence in the TPRM data model.
Here are the components and relationships that make up the due diligence data model.
- Third party [core_company]
- Engagements [sn_vdr_risk_asmt_vendor_engagement]
- Due diligence [sn_tprm_dd_request]
- Issues [sn_vdr_risk_asmt_issue]
- Tasks [sn_vdr_risk_asmt_task]
- Vendor contacts [vm_vdr_contact]
- Risk intelligence scores [sn_vdr_risk_asmt_security_score]
- External assessments [sn_vdr_risk_asmt_assessment]
- Tiering assessments [sn_vdr_risk_asmt_vdr_tiering_assessment]
- Internal assessments [sn_vdr_risk_asmt_vdr_internal_assessment]
- The Third party component has a one-to-many relationship with subsidiaries.
- The Third party component has a one-to-many relationship with the following components:
  - Vendor contacts
  - Internal assessments
  - External assessments
  - Tiering assessments
  - Risk intelligence scores
  - Issues
  - Tasks
- The Due diligence component has a one-to-many relationship with the following components:
  - Vendor contacts
  - Internal assessments
  - Tiering assessments
  - Risk intelligence scores
- The Engagements component has a one-to-many relationship with the following components:
  - Vendor contacts
  - Internal assessments
  - External assessments
  - Tiering assessments
  - Issues
  - Tasks
- The Third party component is related to the Due diligence component.
- The Engagements component is related to the Due diligence component.
- The External assessments component is related to the Due diligence component.
- The Internal assessment component is an extension of the Tiering assessment component.
- The following components are related to Risk due diligence:
  - Due diligence
  - Internal assessments
- The following components are related to Third-party management:
  - Engagements
  - Issues
  - Tasks
  - Risk intelligence scores
  - External assessments
  - Tiering assessments
- The following components are Global:
  - Third party
  - Vendor contact
The following diagram shows the required roles, processes, and choices that are part of the due diligence workflow.
For more information on the due diligence workflow, see Due diligence workflow.
The following diagram shows the main tables that are used for scoring the TPRM data model.
Here are the components and relationships that make up the scoring data model.
- Third party [core_company]
- Third-party risk scoring rule [sn_vdr_risk_asmt_vendor_risk_scoring_rule]
- Component criteria [sn_vdr_risk_asmt_component_criteria]
- Components [sn_vdr_risk_asmt_component]
- Engagement [sn_vdr_risk_asmt_vendor_engagement]
- Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
- Risk area criteria [sn_vdr_risk_asmt_risk_area_criteria]
- Risk domains [sn_vdr_risk_asmt_risk_area_definition]
- The Risk area criteria component has a one-to-many relationship with the Risk domain component.
- The Risk area criteria component has a one-to-one relationship with the Engagement risk scoring rule component and the Third-party risk scoring rule component.
- The Engagement risk scoring rule has a one-to-many relationship with the Engagement component.
- The Component criteria has a one-to-many relationship with Components.
- The Component criteria has a one-to-one relationship with the Third-party risk scoring rule component.
- The Third-party risk scoring rule component has a one-to-many relationship with the Third-party component.
- All of these components are related to Third-party management.
Use the scoring setup in TPRM to configure how the scores from the external risk assessments are aggregated to the engagements and third parties. The criteria tables hold the information about how the scores of multiple records are aggregated (MIN, MAX, AVG) and how scores from multiple tables are combined (weights for each table). Use the scoring rules to group third parties or engagements and assign criteria to them. You can configure all the records in these tables without any customization.
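The roll-up described above, as an added example that is not ServiceNow's own scoring engine or code: plain JavaScript over in-memory tables named after the page's tables (core_company, sn_vdr_risk_asmt_vendor_engagement, sn_vdr_risk_asmt_assessment, sn_vdr_risk_asmt_security_score and the two scoring rule tables). The record contents, the rule fields `condition`, `record_aggregation` and `table_weights`, the `state` value `closed_complete`, and the convention that a higher score means higher risk are all constructed assumptions for illustration; the real criteria and rule tables have their own fields.

```javascript
// Added example: roll assessment scores up to engagements and third parties.
// Table names follow the TPRM data model page; record contents and rule fields
// (condition, record_aggregation, table_weights) are constructed assumptions.
const db = {
  core_company: [
    { sys_id: 'c1', name: 'Acme Cloud', tier: 'critical' },
    { sys_id: 'c2', name: 'Beta Print', tier: 'low' },
  ],
  sn_vdr_risk_asmt_vendor_engagement: [
    { sys_id: 'e1', vendor: 'c1', name: 'Hosting', tier: 'critical' },
    { sys_id: 'e2', vendor: 'c1', name: 'Support', tier: 'low' },
    { sys_id: 'e3', vendor: 'c2', name: 'Printing', tier: 'low' },
  ],
  // External assessments; only completed ones count towards a score (assumed state value)
  sn_vdr_risk_asmt_assessment: [
    { sys_id: 'a1', engagement: 'e1', vendor: 'c1', state: 'closed_complete', score: 70 },
    { sys_id: 'a2', engagement: 'e1', vendor: 'c1', state: 'closed_complete', score: 90 },
    { sys_id: 'a3', engagement: 'e1', vendor: 'c1', state: 'draft', score: 10 }, // excluded
    { sys_id: 'a4', engagement: 'e2', vendor: 'c1', state: 'closed_complete', score: 40 },
    { sys_id: 'a5', engagement: 'e3', vendor: 'c2', state: 'closed_complete', score: 20 },
  ],
  // Risk intelligence scores attached directly to the third party
  sn_vdr_risk_asmt_security_score: [
    { sys_id: 's1', vendor: 'c1', score: 60 },
    { sys_id: 's2', vendor: 'c1', score: 80 },
  ],
  // Engagement rules: the condition groups engagements, the criteria say how records aggregate
  sn_vdr_risk_asmt_engagement_risk_scoring_rule: [
    { sys_id: 'er1', condition: { tier: 'critical' }, record_aggregation: 'MAX' },
    { sys_id: 'er2', condition: {}, record_aggregation: 'AVG' }, // catch-all, keep last
  ],
  // Third-party rules: aggregate across records, then weight each contributing table
  sn_vdr_risk_asmt_vendor_risk_scoring_rule: [
    { sys_id: 'vr1', condition: { tier: 'critical' }, record_aggregation: 'MAX',
      table_weights: { sn_vdr_risk_asmt_vendor_engagement: 0.7, sn_vdr_risk_asmt_security_score: 0.3 } },
    { sys_id: 'vr2', condition: {}, record_aggregation: 'AVG',
      table_weights: { sn_vdr_risk_asmt_vendor_engagement: 1.0 } },
  ],
};

// The three record-level aggregation methods named on the page
const AGG = {
  MIN: (xs) => Math.min(...xs),
  MAX: (xs) => Math.max(...xs),
  AVG: (xs) => xs.reduce((a, b) => a + b, 0) / xs.length,
};

function aggregate(method, values) {
  if (!AGG[method]) throw new Error(`unknown aggregation method: ${method}`);
  if (values.length === 0) return null; // nothing completed yet: score is not calculated
  return AGG[method](values);
}

// First rule whose condition fields all match the record wins
function matchRule(rules, record) {
  return rules.find((r) => Object.entries(r.condition).every(([k, v]) => record[k] === v));
}

function engagementScore(engagementId) {
  const eng = db.sn_vdr_risk_asmt_vendor_engagement.find((e) => e.sys_id === engagementId);
  const rule = matchRule(db.sn_vdr_risk_asmt_engagement_risk_scoring_rule, eng);
  const scores = db.sn_vdr_risk_asmt_assessment
    .filter((a) => a.engagement === engagementId && a.state === 'closed_complete')
    .map((a) => a.score);
  return aggregate(rule.record_aggregation, scores);
}

function thirdPartyScore(companyId) {
  const company = db.core_company.find((c) => c.sys_id === companyId);
  const rule = matchRule(db.sn_vdr_risk_asmt_vendor_risk_scoring_rule, company);
  // One score per contributing table: engagements are rolled up first, RI scores used directly
  const perTable = {
    sn_vdr_risk_asmt_vendor_engagement: aggregate(rule.record_aggregation,
      db.sn_vdr_risk_asmt_vendor_engagement.filter((e) => e.vendor === companyId)
        .map((e) => engagementScore(e.sys_id)).filter((s) => s !== null)),
    sn_vdr_risk_asmt_security_score: aggregate(rule.record_aggregation,
      db.sn_vdr_risk_asmt_security_score.filter((s) => s.vendor === companyId).map((s) => s.score)),
  };
  // Weighted combination across tables; a table with no score is dropped and the
  // remaining weights are renormalised so a missing source cannot dilute the result
  let total = 0, weightSum = 0;
  for (const [table, w] of Object.entries(rule.table_weights)) {
    if (perTable[table] === null || perTable[table] === undefined) continue;
    total += w * perTable[table];
    weightSum += w;
  }
  return weightSum === 0 ? null : total / weightSum;
}

console.log('engagement e1:', engagementScore('e1'), 'third party c1:', thirdPartyScore('c1'));
```

With the constructed data, the critical engagement takes the MAX of its two completed assessments (90, ignoring the draft), the critical third party then combines its engagements (MAX of 90 and 40) at weight 0.7 with its risk intelligence scores (MAX of 60 and 80) at weight 0.3, and the low-tier third party, which has no risk intelligence scores, falls back to its engagement score alone instead of being pulled down by a missing source.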
For more information on scoring, see Scoring calculations using the classic assessment engine.
The following model diagram shows the main tables that are used for risk intelligence in the TPRM data model.
Here are the components and relationships that make up the Risk intelligence data model.
- Third party [core_company]
- Provider Services [sn_vdr_risk_asmt_tpss_provider]
- Risk intelligence scores [sn_vdr_risk_asmt_security_score]
- Score subfactors [sn_vdr_risk_asmt_tpss_subfactor]
- The Risk intelligence providers component has a one-to-many relationship with the Provider Services component.
- The Provider Services component has a one-to-many relationship with the Risk intelligence scores component.
- The Risk intelligence scores component has a one-to-many relationship with the Score subfactors component.
- The Risk intelligence scores component is related to the Risk intelligence providers component.
- All of these components are related to Third-party management.
For more information on risk intelligence, see Risk intelligence report requests management.
SAE TPRM data model
The following model diagram shows the main tables that are used for Smart Assessment Engine in TPRM.
Here are the components and relationships that make up the SAE TPRM data model.
- Assessment to SAE Questionnaire Templates [sn_vdr_risk_asmt_m2m_tiering_sae_template, sn_vdr_risk_asmt_m2m_tpra_sae_template]
- TPRM Assessments [sn_vdr_risk_asmt_assessment, sn_vdr_risk_asmt_internal_assessment]
- Engagement [sn_vdr_risk_asmt_vendor_engagement]
- Scoring Rules [sn_vdr_risk_asmt_vendor_risk_scoring_rule, sn_vdr_risk_asmt_engagement_risk_scoring_rule]
- SAE Instance [sn_smart_asmt_instance]
- SAE Questionnaire Template [sn_vdr_risk_asmt_sae_questionnaire_template]
- SAE Rating Scale [sn_vdr_risk_asmt_sae_rating_scale]
- Scoring Normalization (represented by SAE rating scale and score-mapping tables: sn_vdr_risk_asmt_sae_rating_scale, sn_vdr_risk_asmt_score_mapping)
- Issue-generation rule [sn_vdr_risk_asmt_issue_generation_rule]
- Post-assessment Automation (issue generation, workflow triggers)
- The Assessment to SAE Questionnaire Templates component has a many-to-one relationship with TPRM assessments.
- The Assessment to SAE Questionnaire Templates component has a one-to-one relationship with the SAE instance component.
- The TPRM Assessments component has a many-to-one relationship with the Engagement component.
- The Engagement component has a many-to-one relationship with the Scoring Rules component.
- The SAE Questionnaire Template component has a many-to-many relationship with the SAE Rating Scale component.
- The SAE Rating Scale component has a one-to-many relationship with the Scoring Normalization component.
- The SAE Questionnaire Template component has a many-to-one relationship with the Issue-generation rule component.
- The SAE Questionnaire Template component has a one-to-many relationship with the Post-assessment Automation component.
For more information on Smart Assessment Engine and TPRM, see Smart assessments with Third-party Risk Management.
Digital Resilience Third-party Information Register TPRM data model
Here are the components and relationships that make up the TPRM data model.
- Third party [core_company]
- Provider Services [sn_vdr_risk_asmt_tpss_provider]
- Risk intelligence scores [sn_vdr_risk_asmt_security_score]
- Score subfactors [sn_vdr_risk_asmt_tpss_subfactor]
- SAE Questionnaire Template [sn_vdr_risk_asmt_sae_questionnaire_template]
- SAE Rating Scale [sn_vdr_risk_asmt_sae_rating_scale]
- Scoring Normalization [sn_vdr_risk_asmt_sae_rating_scale, sn_vdr_risk_asmt_score_mapping] (represented by SAE rating and score-mapping tables)
- Multi-user Collaboration [sn_vdr_risk_asmt_m2m_sae_template_asmt] (supported by SAE template and assessment relationships)
- Automated Response [sn_vdr_risk_asmt_issue_generation_rule] (enabled via SAE automation and issue generation rules)
- Post-assessment Automation (issue generation, workflow triggers)
- Assessment Template [sn_vdr_risk_asmt_template]
- Engagement [sn_vdr_risk_asmt_vendor_engagement]
- Third Party [core_company, vendor tables]
- Scoring Rules [sn_vdr_risk_asmt_vendor_risk_scoring_rule, sn_vdr_risk_asmt_engagement_risk_scoring_rule]
- The Third party component has a one-to-many relationship with the Provider Services component.
- The Provider Services component has a one-to-many relationship with the Risk intelligence scores component.
- The Risk intelligence scores component has a one-to-many relationship with the Score subfactors component.
- The SAE Questionnaire Template component has a many-to-many relationship with the Assessment Template component via the sn_vdr_risk_asmt_m2m_asmt_template_sae_questionnaire_template table.
- The SAE Questionnaire Template component has a one-to-many relationship with the SAE Rating Scale component.
- The SAE Rating Scale component, together with the score-mapping tables, represents the Scoring Normalization component, which has a one-to-many relationship with the SAE Questionnaire Template component.
- The SAE Questionnaire Template component has a many-to-many relationship with the Multi-user Collaboration component, supported by the sn_vdr_risk_asmt_m2m_sae_template_asmt table.
- The SAE Questionnaire Template component has a one-to-many relationship with the Automated Response component, enabled via the sn_vdr_risk_asmt_issue_generation_rule table.
- The SAE Questionnaire Template component has a one-to-many relationship with the Post-assessment Automation component, supporting issue generation and workflow triggers after assessments are completed.
- The Assessment Template component has a one-to-many relationship with the Engagement component.
- The Engagement component has a one-to-many relationship with the Third Party component (including vendor tables).
- The Third Party component has a one-to-many relationship with the Risk Intelligence component.
- The Risk Intelligence component has a one-to-many relationship with the Scoring Rules component, including vendor and engagement risk scoring rules.
- All of these components are related to Third-party risk management.
For more information on risk intelligence, see Risk intelligence report requests management.
Roles
- Assessment Admin: Define normalization rules, manage SAE templates, and oversee collaboration.
- TPRM Admin, Assessor, Reviewer: Expanded permissions for SAE templates, scoring setup, and automation management.
SAE enhances TPRM by adding automation, collaboration, and normalization features, while maintaining backward compatibility with classic TPRM assessments and scoring models. SAE-specific tables (prefixed with sn_vdr_risk_asmt_sae_ and related m2m tables) extend the core TPRM data model for advanced risk management workflows.