Assessing your third-party risk

  • Release version: Xanadu
  • Updated July 31, 2025
  • 9 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Assessing your third-party risk

    ServiceNow’s Third-party Risk Management (TPRM) enables organizations to identify, assess, and mitigate risks related to third-party relationships. By leveraging internal and external questionnaires, documentation requests, and compliance verification, customers gain a comprehensive understanding of each third party’s risk profile. This facilitates informed decisions about risk mitigation strategies and compliance with regulations.

    Show full answer Show less

    Responding to Questionnaires

    The process begins with the Inherent Risk Questionnaire (IRQ), which internal assessors complete after approval by the TPR manager or assessor. The system manages notifications and status updates throughout the IRQ workflow. Questionnaire templates should not be altered after distribution; instead, duplicates should be created for any changes to ensure consistency and traceability.

    Third-party Element Collection

    After completing the IRQ, if additional third-party (TP) elements are needed, the TPR manager initiates a collection task assigning TP element questionnaires to the external third-party contacts. Upon submission, responses are reviewed, and TP element records are manually created. This optional process integrates additional data points into the due diligence workflow.

    Due Diligence and Compliance Verification

    Following IRQ and optional TP element collection, the TPR manager sends external assessments comprising questionnaires and document requests to third parties or engagements. The completion and review of these assessments enable verification of compliance with laws, regulations, and internal policies. The system supports the creation of reusable assessment templates to streamline this process.

    Security and privacy practices of third parties are critically evaluated, including data protection and cybersecurity measures. The platform also allows TPR roles to respond or modify external questionnaires on behalf of third parties when necessary.

    Pre-populating Questionnaires

    To expedite assessments, the system allows pre-population of questionnaires with responses from prior completed versions related to the same third party. This reduces repetitive data entry and focuses third-party contacts on updating relevant information. Some question types, such as attachments and signatures, are excluded from pre-population.

    Managing Issues and Tasks

    TPR assessors and managers can create and manage tasks and issues related to questionnaire responses or document requests. This functionality ensures follow-up on concerns and tracks remediation efforts, maintaining accountability throughout the risk assessment lifecycle.

    Additional Assessment Actions

    Assessments can be reopened if new information arises or if further data collection is required. Conversely, assessments can be canceled for expedited onboarding or renewal processes. Regardless of cancellations, due diligence requests progress to the approval stage, maintaining workflow integrity.

    Use Third-party Risk Management to identify and assess potential risks that are associated with your third-party relationships. The information gathered from internal questionnaires, external questionnaires, and documentation requests helps you to understand the third party's risk profile, determine the appropriate risk mitigation strategies, and determine whether the third party or engagement meets all necessary compliance requirements.

    Responding to questionnaires

    The following processes outline the timing and methods for responding to internal and external questionnaires:

    Inherent Risk Questionnaire (IRQ) process

    The following infographic shows the IRQ process.


    Infographic that shows the IRQ process in the due diligence workflow. For the text description, refer to the process steps that follows.
    The following are the steps of the IRQ process.
    1. After the due diligence request is approved by the Third-party risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager] or TPR assessor [sn_vdr_risk_asmt.vendor_assessor] that has been assigned as the owner of the due diligence request, they select an IRQ and attach it to an internal assessment.
    2. The system sends out an email notification to the employee that has been assigned as the IRQ assessor [snc_internal].
    3. The IRQ assessor completes the internal assessment by responding to the IRQ.
    4. After the IRQ assessor submits their responses and the TPR manager or owner reviews and closes the IRQ, the due diligence request state updates from IRQ in progress to IRQ in review.
    Note:
    Don’t change a questionnaire template after it has been sent out as part of an internal assessment. Instead, duplicate the template by making a copy and make your changes in the new copy. If you update a questionnaire after it has been sent out, the changes won't appear in the version shown to the IRQ assessor. To send an updated version, you must cancel the existing questionnaire by deassociating it from the internal assessment and then add the questionnaire using the updated template. For more information, see Create a questionnaire or document request template, Create a questionnaire or document request template using the Designer, Create a TPRM SAE questionnaire or document request template.

    Based on the information gathered, the TPR manager and their team assess the potential risks that are associated with the engagement. They evaluate factors such as the financial stability, the operational capacity, the adherence to quality standards, the compliance with regulations, and the third party's ability to meet delivery timelines. This assessment helps the team to understand the third party's risk profile and to determine the appropriate risk mitigation strategies.

    For more information about IRQs or internal assessments, see Create an internal assessment and Respond to an internal assessment.

    Third-party (TP) element collection process: Collect TP element information

    The following infographic shows the TP element collection process.


    Infographic that shows the TP element collection process in the due diligence workflow. For the text description, refer to the process steps that follows.
    The following are the steps of the TP element collection process.
    1. After your due diligence request has completed the IRQ process, if TP elements are needed, the TPR manager or due diligence request owner selects Start collection and a collection task is created.
    2. The TPR manager or owner assigns TP element questionnaires to an external assessment for collecting elements and sends that assessment to an engagement to collect required information for TP elements.
    3. The system sends out an email notification to the third-party engagement contact that has been assigned the TP element questionnaire.
    4. After the third-party engagement contact submits their responses, the TPR manager or owner reviews and verifies all the required information was provided in the questionnaires.
    5. The TPR manager or owner then navigates to the list of third-party elements and manually creates a third-party element record for each set of responses in each questionnaire.

      For more information, see Create a third-party element record.

    6. After all TP elements are created, the TPR manager or owner closes the collection task assessment. The system changes the state of the request from Collection in progress to Collection in review.
    7. The internal stakeholders (TPR assessor, TPR approver, TPR manager, or TPR administrator) review and approve the element records.

    This is an optional process for collecting TP elements and assigning them to engagements so that they can be assessed as part of the overall due diligence workflow. For more information on TP elements, see Monitoring third-party elements.

    Due diligence process: Compliance verification

    The following infographic shows the due diligence process.


    Infographic that shows the due diligence process in the due diligence workflow. For the text description, refer to the process steps that follows.
    The following are the steps of the Due diligence process.
    1. After the IRQ process or TP element collection process is completed, the TPR manager or owner selects questionnaires and requests for documentation to attach to external assessments for sending to the third party or engagement. For more information on creating assessments, see Create an external assessment and Third-party risk assessment form.
      Note:
      If you completed the optional TP element collection process, a questionnaire must be selected and assigned as part of an assessment for each third-party element you created. The TP element questionnaires are completed by the engagement contact.
    2. The system sends out an email notification to the third-party and engagement contact that has been assigned each assessment.
      Note:
      Don’t change a questionnaire template after it has been sent out as part of an external assessment. Instead, duplicate the template by making a copy and make your changes in the new copy. If you update a questionnaire after it has been sent out, the changes won't appear in the version shown in the third-party portal. To send an updated version, you must cancel the existing questionnaire by deassociating it from the external assessment and then add the questionnaire using the updated template. For more information, see Create a questionnaire or document request template, Create a questionnaire or document request template using the Designer, Create a TPRM SAE questionnaire or document request template.
    3. After the third-party and engagement contacts submit their responses, the TPR manager or owner reviews and verifies all the required information was provided in the assessments. Issues and tasks are created if remediation or additional information is required.
    4. The TPR manager or owner approves and closes each assessment.

    The TPR manager can develop assessment templates to simplify and automate the process of determining which questionnaires and document requests to send to a third party of this type. The TPR administrator can define questionnaire templates, document request templates, and then the TPR manager can group them into an assessment template. Your organization can reuse the template to send the questionnaires and document requests to similar third parties in future assessments. For more information about templates, see Create an external assessment template, Create a questionnaire or document request template, and Create a questionnaire or document request template using the Designer.

    The TPR manager and their team use the third party's responses and internal analysis to determine whether the third party meets all the necessary compliance requirements. These requirements could include verifying the third party's compliance with applicable laws and regulations, such as environmental regulations, labor laws, and anti-corruption policies.

    Note:
    The third-party risk assessor, manager, or admin can answer questions, modify responses, and submit external questionnaires on behalf of third parties or engagements. For more information, see Respond to a questionnaire for a third party or engagement.

    Due to the sensitive nature of the items involved, the TPR manager and their team evaluate the third party's data security and privacy practices. They assess the third party's information security measures, data protection policies, access controls, and vulnerability management processes. If the third party has access to proprietary information or customer data, they might require the third party to undergo a cybersecurity audit or provide evidence of their data protection measures.

    For more information about reviewing responses, see Review responses to external questionnaires.
    Note:
    Your TPR assessor can export received or returned questionnaires to Microsoft Excel spreadsheets. This option enables your organization to use the spreadsheet environment to review the questions and answers. For more information about exporting questionnaire responses, see Export questionnaire responses to a spreadsheet.

    Pre-populate questionnaires with responses

    The TPR manager or TPR assessor can pre-populate questionnaires for third parties, engagements, and entities with responses from complete questionnaires associated with the same third party. After sending out the assessment, the questionnaire is pre-populated with all responses from the most recent completed version of that questionnaire, regardless of whether the original associated assessment is completed. This is helpful for questionnaires where responses are expected to remain consistent, expediting the process and enabling third-party contacts to review and update responses only if necessary. For more information on creating assessments, see Create an external assessment.
    Important:
    When the TPR manager or TPR assessor adds a questionnaire to an assessment, they have the option to select or deselect the Include previous responses option on the questionnaire page. The option can’t be changed after the questionnaire is sent to the third party. For more information, see Create a questionnaire or document request template and Assessment metric type form.

    When a third-party or engagement contact opens a pre-populated questionnaire in the Third-party portal, they receive a notification that the responses were copied from an earlier questionnaire. The notification includes a link to the assessment that supplied the responses and its last updated date as shown in the following example.

    Notification that the responses are copied from an earlier questionnaire.

    Limitations:
    • Some question types and their responses can’t be pre-populated such as the attachment, duration, and signature question types. These question responses remain blank and previous responses aren’t included.
    • Responses are copied from the original assessment (Assessment A) to the newer assessment (Assessment B) one time. This copying occurs when Assessment B is submitted to a third party or an engagement. Any changes you make to Assessment A afterward won't be reflected in Assessment B. Both assessments remain separate.

    Issues and tasks

    The role of TPR assessor [sn_vdr_risk_asmt.vendor_assessor] is required to create and manage both tasks and issues.

    The TPR manager, TPR assessor, or contract negotiator can create tasks to help ensure that a team member or the third-party contact responds to concerns about the questionnaire responses or requested documents. They can manage existing tasks to verify that the assigned team member or third-party contact responds to a task and updates it as needed. For more information about creating and managing issues, see Create a task for a third party or engagement and Manage a task for a third party or engagement.

    The TPR manager, TPR assessor, or contract negotiator can create an issue to help ensure the teams concerns about a third party or engagement are remediated. They can also manage the existing issues to verify that they’re understood, shared with the correct persons, and are acted on as needed. For more information about creating and managing tasks, see Create an issue for a third party or engagement and Manage issues.

    Additional assessment actions

    The TPR manager, due-diligence request owner, or contract negotiator may need to reopen an assessment because there’s new information available that impacts the engagement or some other change has occurred. For more information, see Why you conduct due diligence.

    If the TPR manager, due-diligence request owner, or contract negotiator must gather more information from an engagement, they can send out an additional questionnaire or document request by reopening an assessment and doing the following actions:
    1. Navigate to the Due diligence request record page by selecting the relevant DDR number.
    2. View the related third-party risk assessment by selecting the VRA number on the External assessments tab.
    3. Select Re-open.

    The due diligence request state updates from Ready for TPRM approval to Due diligence. The TPR manager, owner, or contract negotiator can request questionnaires and document requests as needed. For more information, see Reopen an assessment.

    If the TPR manager, due-diligence request owner, or contract negotiator doesn’t require an assessment for an ongoing engagement or requires a quick close for onboarding or renewing an engagement, they can cancel an assessment by doing the following actions:
    1. Navigate to the Due diligence request record page by selecting the relevant DDR number.
    2. View the related third-party risk assessment by selecting the VRA number on the External assessments tab.
    3. Select Cancel.
    Even if one or all assessments are canceled, the due diligence request proceeds to the Approval process.