Document Management system in Third-party Risk Management

  • Release version: Xanadu
  • Updated October 21, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Document Management system in Third-party Risk Management

    Starting with version 21.1.x, the Document Management System (DMS) in Third-party Risk Management (TPRM) offers a centralized repository to efficiently store, organize, and manage third-party documents throughout the vendor lifecycle. It enhances collaboration between third parties and internal teams by streamlining evidence tracking, minimizing document duplication, and improving audit readiness through document reuse across assessments, contracts, issues, and tasks.

    Show full answer Show less

    DMS is accessible internally via the Vendor Management Workspace and externally through the Third-party portal. Role-based access controls allow primary contacts to manage permissions, with TPR assessors, managers, and administrators having write access, and assessment reviewers having read-only access.

    Key Features

    • Third-party Portal Access: External contacts can upload and manage documents directly via the portal.
    • Internal Document Management: Internal users create and access documents through the Vendor Management Workspace’s Documents module.
    • Version Control and Metadata: Supports multiple document versions, metadata capture (creation date, type, description, status), version history, downloads, and audit tracking.
    • Document Linking: Documents can be linked to multiple TPRM records such as Tasks, Issues, Engagements, and Assessments with automatic rollup of references for traceability and reporting.
    • Role-based Permissions: Internal users can define document sharing permissions for primary contacts and others.
    • Search and Reporting: Advanced search by metadata, filters (document type, risk category, expiration date, third-party association), and reporting capabilities including document inventory, linkage, and audit reports.
    • Audit Log: Complete tracking of all document actions including uploads, version changes, approvals, and rejections, ensuring transparency and regulatory compliance.

    Document Life Cycle and Traceability

    Each document maintains comprehensive metadata and supports multiple versions that are sorted by creation date. Linking documents to TPRM records creates formal relationships that enable lifecycle tracking and prevent duplicate references to the same record. All document actions are audit logged and accessible to authorized users, supporting robust traceability and compliance requirements.

    Collaboration and Insights

    The system promotes transparency by tracking all document-related activities and allows users to generate detailed reports on document usage, status, version history, and relationships, facilitating informed decision-making and improved governance.

    Limitations

    • External users cannot preview documents in the portal; they must download them to view.
    • The third-party field is optional during document creation unless the document is associated with a third party, in which case it is mandatory.
    • Document creation and versioning are currently handled in separate steps.

    Learn how the enhanced Document Management system supports third-party collaboration and internal workflows in Third-party Risk Management (TPRM).

    Document Management Overview

    Starting with version 21.1.x, the Document Management System (DMS) in Third-party Risk Management (TPRM) provides a centralized repository for storing, organizing, and managing third-party documents throughout the vendor life cycle. DMS streamlines evidence tracking, reduces duplication, and improves audit readiness by enabling document reuse across assessments, contracts, issues, and tasks. Access DMS in the Vendor Management Workspace or third-party portal to create, manage, and reference documents. Primary contacts manage permissions in the portal. TPR assessors [sn_vdr_risk_asmt.vendor_assessor], TPR managers [sn_vdr_risk_asmt.vendor_risk_manager], and TPR administrators have write access, while third-party assessment reviewers [sn_vdr_risk_asmt.vendor_assessment_reviewer] have read-only access. DMS supports metadata, version control, search, reporting, and audit tracking for all document actions.

    The DMS is accessible for internal users through the Documents module in the Vendor Management Workspace as shown in the following example.
    Figure 1. Document Management System in Vendor Management Workspace
    Documents module in the Vendor Management Workspace.
    The DMS is accessible for external users through the Third-party portal as shown in the following example.
    Figure 2. Document Management System in the Third-party portal
    DMS in the third-party portal. For detailed descriptions refer to the paragraphs preceding and following this image.

    Key capabilities

    • Third-party contacts can upload and manage documents using the third-party portal.

      For more information, see Upload and manage documents in the third-party portal.

    • Internal users can create and access document records through the Documents module in the Vendor Management Workspace.

      For more information, see Create a document record.

    • Users can manage document versions, download attachments, and track their metadata.

      For more information, see Create a document version.

    • Documents can be linked to multiple TPRM record types with auto-rollup:
      • Tasks
      • Issues
      • Engagements
      • Assessments

      For more information, see Link documents to a TPRM record.

    • Internal users can manage role-based permissions for primary contacts and other internal users.

      For more information, see Define document sharing permissions.

    • Each document version supports download options, advanced search and reporting for metadata and relationships, and complete audit tracking of actions and version history.

    Document life cycle and traceability

    Each document captures metadata including creation date, type, description, version, and status. Metadata is used for classification, reporting, and workflow routing.

    Each document supports multiple versions. TPR assessors, managers, and administrators can upload new versions, view version history, and download attachments for any version. Versions are sorted by creation date in descending order.

    Documents can be linked to assessments, engagements, issues, and tasks. These references automatically roll up to related third-party records. Duplicate references aren’t allowed.
    Note:
    A linked document is a document record associated with another record (assessment, engagement, issue, or task) for traceability and reporting. Linking creates a formal relationship that supports life-cycle tracking. A reference is the entry that represents this link, shown in the document’s References tab and the related record’s Documents list. Each reference includes metadata like record type and ID. The key difference is that linking is the action and a reference is the result. Multiple references to one document are possible, but duplicate references to the same record aren’t allowed.

    All document actions including uploads and version updates are tracked for audit purposes. Audit logs are accessible to authorized users.

    Collaboration and insights

    All actions, including approvals and rejections, are tracked in the audit log for transparency and reporting. You can search documents by metadata fields and generate reports on document usage, status, and relationships. Filters include document type, risk category, expiration date, and third-party association. You can generate reports on document usage, version history, and linked records using the Reports module or Performance Analytics.

    Report types can include:
    • Document inventory report with metadata and version details.
    • Linkage report showing documents associated with assessments, engagements, and tasks.
    • Audit report for document actions and life-cycle events.

    Limitations

    • External users can’t preview documents due to restrictions; they must download documents from the portal to view them.
    • The third-party field is optional when creating a document. However, if the document is associated with a third party, this field is required. For internal documents with no third-party association, the field can remain empty.
    • Document creation and versioning currently require separate steps.