Third-party risk management data model

  • Release version: Xanadu
  • Updated July 31, 2025
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Third-party risk management data model

    The Third-party Risk Management (TPRM) data model in ServiceNow enables your organization to assess, monitor, and mitigate risks associated with third parties as part of your overall risk management program. It supports the Governance, Risk, and Compliance (GRC) framework by providing structured components and relationships that facilitate comprehensive third-party risk assessments, due diligence, scoring, and risk intelligence integration.

    Show full answer Show less

    Core Components and Their Purpose

    • Third-party Risk Assessment: Includes internal assessments, tiering assessments, external assessments, and templates that help evaluate third-party risk exposure based on standardized questionnaires and metrics.
    • Third-party Engagement: Manages relationships with third parties, including contacts and engagement levels, linking them to risk and control components for comprehensive oversight.
    • Third-party Due Diligence: Supports due diligence requests, management histories, and tracking of issues and tasks related to third-party validations.
    • Scoring Setup: Defines how risk scores are aggregated from assessments to produce meaningful risk ratings for third parties and engagements, using configurable scoring rules and criteria.
    • Risk Intelligence: Integrates external risk intelligence providers and their service scores to enrich the understanding of third-party risk profiles.

    Key Relationships and Data Flow

    The model establishes multiple relationships to ensure comprehensive data linkage:

    • One-to-many and many-to-many relationships connect assessments, engagements, due diligence requests, and vendor contacts to provide a full picture of third-party risks.
    • Assessment templates, metric types, and questionnaire templates support reusable, standardized evaluation frameworks.
    • Risk scoring rules and component criteria enable flexible aggregation and weighting of risk data, facilitating tailored risk ratings.
    • Risk intelligence components link external provider data with internal assessments to enhance risk visibility.

    Roles and Permissions

    Specific roles govern access and actions within the TPRM data model, ensuring proper control and workflow integrity:

    • Approver: Approves due diligence requests.
    • Contract Negotiator: Handles contract risk during onboarding.
    • Assessment Reviewer: Edits third-party assessments.
    • Vendor Assessor: Manages third-party information and executes assessments.
    • Vendor Risk Admin: Has full control over vendor risk data and configurations.
    • Vendor Risk Manager: Manages templates, questionnaires, and scheduled assessments.

    Practical Benefits for ServiceNow Customers

    • Comprehensive Risk Assessment: Use the model’s structured data and relationships to conduct thorough and repeatable third-party risk assessments.
    • Due Diligence Management: Track due diligence requests, histories, and issues systematically to maintain regulatory and internal compliance.
    • Customizable Scoring: Configure scoring aggregation rules and risk criteria without customization to reflect your organization’s risk appetite and priorities.
    • Integration of External Intelligence: Enhance risk decisions by incorporating external risk intelligence scores and data.
    • Role-based Access: Maintain security and governance through defined roles aligned with risk management processes.

    Next Steps

    Leverage the TPRM data model to implement or enhance your third-party risk program by:

    • Configuring assessment templates and questionnaires aligned with your risk criteria.
    • Setting up scoring rules to automate risk aggregation and prioritization.
    • Integrating external risk intelligence providers for enriched risk insights.
    • Assigning appropriate roles to your risk management team to ensure smooth operations.

    Use the Third-party Risk Management (TPRM) data model to assess, monitor, and mitigate the risks for your risk management program.

    TPRM data model overview

    The Third-party Risk Management application is one of the Governance, Risk, and Compliance products.

    The following model is used to support TPRM's capabilities.

    Figure 1. TPRM data model
    Relationship between due diligence, third-party management, policy and compliance, and risk main tables. For a text description, refer to the text that follows.

    The third-party risk assessment data model includes various components and relationships:

    Components:
    • Risk intelligence score [sn_vdr_risk_asmt_security _score]
    • Internal assessment [sn_vdr_asmt_internal_assessment]
    • Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Event-driven management history [sn_tprm_dd_rule_execution_history]
    • Third-party due diligence request [sn_tprm_dd_request]
    • Company [core_company]
    • Event-driven management rule [sn_tprm_dd_generation_rule]
    • Third-party risk assessment [sn_vdr_risk_asmt_assessment]
    • Third-party engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Vendor contact [vm_dr_contact]
    • Assessment metric type [asmt_metric_type]
    • Assessment template [sn_vdr_risk_asmt_assessment_template]
    • Third-party risk issue [sn_vdr_risk_asmt_issue]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]
    • Risk [sn_risk_risk]
    • Control [sn_compliance_control]
    Relationships:
    • The third-party risk assessment component can have a one-to-many relationship with the following components:
      • Event-driven management histories
      • Third-party due diligence requests
      • Company
      • Third-party engagements
      • Third-party risk issues
      • Assessment templates
    • The Event-driven management histories component can have a many-to-one relationship with the Event-driven management rules component.
    • The Event-driven management rules component can have a one-to-many relationship with the Assessment metric type component and the Assessment template component.
    • The third-party engagement component can have a one-to-many relationship with the following components:
      • Company
      • Engagement risk scoring rule
      • Third-party risk issue
    • The Third-party engagement component can have a many-to-many relationship with the Vendor contact component.
    • The Vendor contact component can have a one-to-many relationship with the Company and a Third-party risk issue component.
    • The Engagement level risk rating component can have a one-to-many with the Third-party engagement component.
    • The Third-party engagement component is related to the Risk and Control component.
    • The Risk intelligence score component is related to the Third-party due diligence component.
    • The Tiering assessment component can have a one-to-many relationship with the following components:
      • Third-party due diligence
      • Third-party engagement
      • Company
    • The Tiering assessment component can have a many-to-many relationship with the Assessment metric type component.
    • The Third-party due diligence component can have one-to-many relationships with the following components:
      • Event-driven management history
      • Third-party risk assessment
      • Company
    • The following components are related to Risk due diligence:
      • Event-driven management rule
      • Event-driven management history
      • Third-party risk due diligence request
    • The following components are related to Third-party management:
      • Risk intelligence score
      • Internal assessment
      • Tiering assessment
      • Third-party risk assessment
      • Third-party engagement
      • Assessment template
      • Third-party risk issue
      • Engagement risk scoring rule
      • Engagement level risk rating
    • The internal assessment component is an extension of the tiering assessment component.
    • The Control component is related to Policy and Compliance Management.
    • The Risk component is related to Risk Management.
    • The following components are Global:
      • Vendor contact
      • Company
      • Assessment metric type
    The following table lists the roles that are required for the components in the TPRM data model.
    Table 1. Roles for the TPRM data model
    Role Description
    sn_vdr_risk_asmt.approver Approve due diligence requests in the third-party risk management process.
    sn_vdr_risk_asmt.contract_negotiator Work in the contract risk process stage of the onboarding process.
    sn_vdr_risk_asmt.vendor_assessment_reviewer Edit assessments.
    sn_vdr_risk_asmt.vendor_assessor Manage third parties, third-party contacts, third-party risk assessments, and issues, and complete third-party risk assessment requests.
    sn_vdr_risk_asmt.vendor_risk_admin Have full control over all vendor risk management data and assessment metric types.
    sn_vdr_risk_asmt.vendor_risk_manager Manage third parties, third-party contacts, third-party assessment templates, questionnaire templates, documentation request templates, and scheduled assessments.

    For more information on the roles, see Roles in Third-party Risk Management.

    Core components

    TPRM is based on sending assessments and calculating scores from the received responses.

    You can use these core components to perform assessments:
    • Third-party risk assessment
    • Third-party engagement
    • Third-party due diligence
    • Scoring setup
    • Risk intelligence

    The following diagram shows the main tables and flow for a third-party risk assessment of the TPRM data model.

    Figure 2. Third-party risk assessment data model
    Relationship between due diligence, third-party management, policy and compliance, and risk main tables or third-party risk assessments. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the Third-party risk assessment data model.

    Components:
    • Internal assessments [sn_vdr_risk_asmt_internal_assessment]
    • Tiering assessments [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • External assessments [sn_vdr_risk_asmt_assessment]
    • Assessment template [sn_vdr_risk_asmt_template]
    • Questionnaire templates [asmt_metric_type]
    • Questionnaire instance [asmt_assessment_instance]
    • Category [asmt_metric_category]
    • Metric [asmt_metric]
    Relationships:
    • The Metric component can have a many-to-one relationship with the Category component.
    • The Category component can have a many-to-one relationship with the Questionnaire component.
    • The Questionnaire templates component can have a many-to-one relationship with the following components:
      • Assessment template
      • Tiering assessments
      • External assessments
    • The Questionnaire instance component can have a many-to-one relationship with the following components:
      • External assessments
      • Tiering assessments
    • The Assessment template component can have a one-to-many relationships with the following components:
      • Tiering assessments
      • External assessments
    • The Internal assessment component is an extension of the Tiering assessment component.
    • The Internal assessment components are related to Risk due diligence.
    • The following components are related to Third-party management:
      • Tiering assessments
      • External assessments
      • Assessment templates
    • The following components are Global:
      • Questionnaire templates
      • Category
      • Metric
      • Questionnaire instance

    For more information on assessments, see Assessing your third-party risk.

    The following diagram shows the main tables and flow that are used for the due diligence in the TPRM data model.

    Figure 3. Due diligence data model
    Relationship between the risk due diligence, third-party management, policy and compliance, and risk main tables used for due diligence. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the due diligence data model.

    Components:
    • Third party [core_company]
    • Engagements [sn_vdr_risk_asmt_vendor_engagement]
    • Due diligence [sn_tprm_dd_request]
    • Issues [sn_vdr_risk_asmt_issue]
    • Tasks [sn_vdr_risk_asmt_task]
    • Vendor contacts [vm_vdr_contact]
    • Risk intelligence scores [sn_vdr_risk_asmt_security_score]
    • External assessments [sn_vdr_risk_asmt_assessment]
    • Tiering assessments [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Internal assessments [sn_vdr_risk_asmt_vdr_internal_assessment]
    Relationships:
    • The Third party component has a one-to-many relationship with subsidiaries.
    • The Third party component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • External assessments
      • Tiering assessments
      • Risk intelligence scores
      • Issues
      • Tasks
    • The Due diligence component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • Tiering assessments
      • Risk intelligence scores
    • The Engagements component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • External assessments
      • Tiering assessments
      • Issues
      • Tasks
    • The Third party component is related to the Due diligence component.
    • The Engagements component is related to the Due diligence component.
    • The External assessments component is related to the Due diligence component.
    • The Internal assessment component is an extension of the Tiering assessment component.
    • The following components are related to Risk due diligence:
      • Due diligence
      • Internal assessments
    • The following components are related to Third-party management:
      • Engagements
      • Issues
      • Tasks
      • Risk intelligence scores
      • External assessments
      • Tiering assessments
    • The following components are Global:
      • Third party
      • Vendor contact

    The following diagram shows the required roles, processes, and choices that are part of the due diligence workflow.

    Figure 4. Due diligence workflow
    Work flow that shows the required roles, processes, and choices that exist as part of the due diligence workflow.

    For more information on the due diligence workflow, see Due diligence workflow.

    The following diagram shows the main tables that are used for scoring the TPRM data model.

    Figure 5. Scoring data model
    Relationship between due diligence, third-party management, policy and compliance, and risk main tables that are used for scoring risk. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the scoring data model.

    Components:
    • Third party [core_company]
    • Third-party risk scoring rule [sn_vdr_risk_asmt_vendor_risk_scoring _rule]
    • Component criteria [sn_vdr_risk_asmt_component_criteria]
    • Components [sn_vdr_risk_asmt_component]
    • Engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Risk area criteria [sn_vdr_risk_asmt__risk_area_criteria]
    • Risk domains [sn_vdr_risk_asmt_risk_area_definition]
    Relationships:
    • The Risk area criteria component has a one-to-many relationship with the Risk domain component.
    • The Risk area criteria component has a one-to-one relationship with the Engagement risk scoring rule component and the Third-party risk scoring rule component.
    • The Engagement risk scoring rule has a one-to-many relationship with the Engagement component.
    • The Component criteria has a one-to-many relationship with Components.
    • The Component criteria has a one-to-one relationship with the Third-party risk scoring rule component.
    • The Third-party risk scoring rule component has a one-to-many relationship with the Third-party component.
    • All of these components are related to Third-party management.

    Use the scoring setup in TPRM configure how the scores from the external risk assessments are aggregated to the engagements and third parties. The criteria tables have the information that is related to the aggregation of the scores of multiple records (MIN, MAX, AVG) or from multiple tables (weights for each table). Use the scoring rules to group third parties or engagements and assign criteria. You can configure all the records in these tables without any customization.

    For more information on scoring, see Scoring calculations using the classic assessment engine.

    The following model diagram shows the main tables that are used for risk intelligence in the TPRM data model.

    Figure 6. Risk intelligence model
    Relationship between the risk due diligence, third-party management, policy and compliance, and risk main tables. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the Risk intelligence data model.

    Components:
    • Third party [core_company]
    • Provider Services [sn_vdr_risk_asmt_tpss_provider]
    • Risk intelligence scores [sn_vdr_risk_asmt_security_score]
    • Score subfactors [sn_vdr_risk_asmt_tpss_subfactor]
    Relationships:
    • The Risk intelligence providers component has a one-to-many relationship with the Providers Services component.
    • The Providers Services component has a one-to-many relationship with the Risk intelligence scores component.
    • The Risk intelligence scores component has a one-to-many relationship with the Scores subfactors component.
    • The Risk intelligence scores component is related to the Risk intelligence providers component.
    • All of these components are related to Third-party management.

    For more information on risk intelligence, see Risk intelligence report requests management.