Configuring Third-party Risk Management
Summary of Configuring Third-party Risk Management
Configuring the Third-party Risk Management (TPRM) application in ServiceNow involves activating, upgrading, and customizing the application to meet your organizational needs. This process is essential for managing third-party risks effectively.
Key Features
- Activation of TPRM App: Download and activate the Third-party Risk Management app, Due Diligence Request Workflow, and Vendor Risk Management Workspace from the ServiceNow Store. Admin role is required.
- Authentication Policies: Implement authentication policies for secure external access and use post-authentication policies for enhanced security.
- Role Assignments: Assign TPRM roles to users and groups to streamline process management and ensure timely notifications.
- Data Configuration: Convert existing risk tier assessments to Inherent Risk Questionnaire (IRQ) assessments and configure various TPRM properties.
- Third-party Contacts: Set up external contacts who will use the Third-party portal for assessments and communications.
- Importing Data: Optionally import existing data from other systems without incurring additional charges.
- Language Activation: Optionally enable different languages for the TPRM application.
- Testing: Conduct quick-start tests to verify the functionality of TPRM after configuration changes.
Key Outcomes
By completing the setup tasks, you will enhance your organization’s ability to manage third-party risks, streamline user roles and responsibilities, and ensure effective communication with third-party contacts. Proper configuration leads to improved risk assessment processes and compliance management.
You can activate or upgrade TPRM by downloading the applications from the ServiceNow Store and then configuring the settings to meet your needs.
Configuration overview
By performing the tasks in the Setup tasks for TPRM checklist, you can upgrade or install the TPRM application. After you’ve completed the tasks, you can perform additional configuration as described in Assessment configuration.
For any custom messages you create, it is your responsibility to generate the corresponding sys_ui_message records. This step is crucial if you want the custom messages to be extracted and translated.
Initial setup and upgrade checklist for TPRM
Consider printing the following checklist so that you can check off the tasks as you complete them. To generate a PDF, select Save As PDF and then select Selected topic.
| Task | Description |
|---|---|
| Activate the Third-party Risk Management app [com.sn_vdr_risk_asmt]. | To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time. Important: The base system includes many sample questions that you can use in your question bank. To include sample questionnaires, select Load demo data while installing the app. Role required: admin |
| Activate the Due diligence request workflow application [com.sn_tprm_dd]. | To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time. Role required: admin |
| Activate the Vendor Risk Management Workspace application [sn_vrm_ws]. | To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time. Role required: admin |
| Add an authentication policy to enable secure access for external third parties. | For more information, see Add an authentication policy to enable secure access for external third parties. Role required: admin. Use the platform post-authentication policies to enable secure third-party access to your instance. For background information on this feature, see Post-authentication context. |
| Assign TPRM roles to users and user groups. | Assign roles to users before you implement or use the Third-party Risk Management application. Assigning roles in a well-organized manner simplifies and improves process management and helps to ensure that users are promptly notified of tasks in their areas of responsibility. For more information, see Assign TPRM roles to users and user groups. Role required: admin |
| Add users to groups based on their responsibilities. | Assign users to groups before you implement or use the Third-party Risk Management application. Each group contains users with particular roles. Well-organized user groups simplify and improve process management and help to ensure that users are promptly notified of tasks in their areas of responsibility. For more information, see Add users to groups based on responsibilities. Role required: admin |
| Convert risk tier assessments to IRQ assessments. | For more information, see Convert risk tier assessments to IRQ assessments. Role required: sn_vdr_risk_asmt.vendor_assessor. To make optimum use of TPRM workspace operations, convert existing tiering assessment data to Inherent Risk Questionnaire (IRQ) data. |
| Configure TPRM properties. | Configure property settings for a variety of TPRM operations. For more information, see Configure TPRM properties. Role required: admin |
| Enable the TPRM Risk concentration map. | This task is optional. For more information, see Enable the TPRM Risk concentration map. Role required: admin. After you install the Risk concentration map feature, you must install a Google license to enable the feature. |
| Enable your emails with third-party contacts. | Configure email communication with third-party contacts to enable email notification of assessments and issues. For more information, see Enable email with third-party contacts. Role required: admin |
| Import the existing data from other systems. | This task is optional. Import existing data (third parties, engagements, assessments, questionnaires, issues, and so on) from other systems (like the Aravo platform, the ProcessUnity platform, and so on). You aren’t charged for importing the data. For more information, see Import existing data from other systems. Role required: admin |
| Set up third-party contacts. | Third-party contacts are external users at the third-party organization. They use the Third-party portal to securely organize, prioritize, and perform tasks like responding to questionnaires for assessments, performing tasks, and communicating with your risk-assessment staff regarding issues. You grant access to the Third-party portal and specify the permissions for third-party contacts. For more information, see Set up third-party contacts. Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager |
| Activate a language. | This task is optional. The ServiceNow AI Platform uses American English by default. You can configure TPRM to use a different language. For more information, see Activate a language. Role required: admin |
| Run the quick-start tests for third-party risk management. | This task is optional. Verify that TPRM still works after you make configuration changes such as applying an upgrade or developing an application. Copy and customize the quick-start tests to pass when using your instance-specific data. For more information, see Run the Quick Start tests for Third-party Risk Management. |