Third-party (external) risk assessment management

  • Release version: Washingtondc
  • Updated January 30, 2025
  • 4 minutes to read

    After the IRQ process is complete, you send questionnaires and document requests to the third-party contact. You manage the third-party risk assessment by working with the contacts to help ensure that the responses are complete and accurate.

    Accessing an external assessment

    On the Due diligence management page, select the DDR number for any engagement due diligence request, and then select the Third-party risk assessments tab. The tab displays the list of all third-party risk assessments (external due diligence processes) for the selected engagement request.

    List of third-party risk assessments.

    Working on a third-party risk assessment

    For each external risk assessment, the system auto-assigns a unique ID number that starts with the text VRA. A risk assessment can represent the work on an engagement request for a third-party organization or an engagement request for a group within the parent organization. Select a VRA number to work on the risk assessment on the Third-party risk assessments tab.

    Overview of a third-party risk assessment (external due diligence) process.

    Actions on any tab

    Table 1. Actions
    • Discuss: Select Discuss to send a message to other users. The message is recorded in the Activity section of the Details tab.
    • Create: Create an issue or task as described in the following sections.
    • Save: Select Save to save any change you made to a value on any tab.
    • Submit to third party: Submit all questionnaires and document requests to the TP contact. The action is recorded in the Activity section on the Details tab.
    • … Delete: Select Delete to delete the record of the engagement request.

    Adding an attachment

    Select Browse in the Attachments section or select the attachment icon to select and add an attachment.

    Working on third-party risk assessments

    Risk overview tab on the Third-party risk assessments page

    • The symbols indicate the current state of the external assessment process for the engagement request. See Life cycle states of a third-party (external) risk assessment for descriptions of the states.

      Symbols identify the state of the third-party risk assessment process.

    • Overview section: List of assessments that are associated with the engagement.
    • Questionnaires and document requests section: List of questionnaires and document requests for the engagement.
    • Fourth-nth party questionnaires section: List of questionnaires and document requests for fourth parties and their sub-parties that are associated with the engagement.
    • Tracking section: Count of assessments associated with the third party that are in the Open, Overdue, and Closed status.

    Details tab on the Third-party risk assessments page

    • Third-party risk assessment section: General information on the third party plus schedules for the overall assessment and questionnaire due dates from the engagement due diligence request.
    • The Compose section on the Details tab enables you to permanently add text to the record. The Activity section is updated with any actions on issues and tasks, submissions to TP contacts, and also with work notes and comments that users add to the record. Add text in the following fields as needed:
      • Work notes (Private): Information about the third-party risk assessment. Work notes are visible only to internal users who are assigned to the process.
      • Comments: Comments about the third-party risk assessment are visible both to internal users and to third-party contacts.

    Questionnaires tab on the Third-party risk assessments page

    The tab lists the questionnaires that the third-party contact will respond to. Select a name to view the details. See Create a questionnaire or document request template and Create a questionnaire or document request template using the Designer.

    To enable TPR assessors to modify responses, configure the Allow TPR assessors to modify responses in third-party questionnaires [sn_svdp.allow_assessor_edit] system property. You can set the following options:
    • Enable TPR assessors to answer questions or modify responses (default)
    • Enable TPR assessors to modify responses
    • Do not enable TPR assessors to answer questions or modify responses

    See Configure TPRM properties.

    Document requests tab on the Third-party risk assessments page

    The tab lists the requests for documents that the third-party contact should return. The information in the columns helps you prioritize your follow-up work with the third-party contact. In particular, the state and percent complete values are key indicators. Select a name to view the details. For more information, see Create a questionnaire or document request template and Create a questionnaire or document request template using the Designer.

    Third-party risk areas tab on the Third-party risk assessments page

    A risk domain defines the type of risk to assess for a third party. For example, you might want to assess a data-management third party in terms of security risk and a bank in terms of financial risk. Security risk and financial risk are risk domains. Some platform applications refer to risk domains as "risk areas." See Define a third-party risk domain.

    Issues tab on the Third-party risk assessments page

    In an iterative process, before the TPR manager closes an assessment, the TPR manager can generate non-compliance issues and tasks. The TPR manager communicates with the TP contacts and engagement contacts by using comments to close the issues and tasks. The TPR manager can also assign different contacts as needed. See Create an issue for a third party or engagement and Manage issues.

    Tasks tab on the Third-party risk assessments page

    In an iterative process, before the TPR manager closes an assessment, the TPR manager can generate non-compliance issues and tasks. The TPR manager communicates with the TP contacts and engagement contacts by using comments to close the issues and tasks. The TPR manager can also assign different contacts as needed. See Create a task for a third party or engagement and Manage a task for a third party or engagement.