Using risk intelligence reports and scores

  • Release version: Xanadu
  • Updated July 31, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using Risk Intelligence Reports and Scores

    The Third-party Risk Management (TPRM) application enables you to request and manage risk intelligence reports and scores directly from external risk intelligence providers. These providers analyze various third-party risk domains, similar to credit scoring, helping you assess the trustworthiness and risk level of your third parties. This capability supports your due diligence and risk management processes by delivering detailed insights such as geopolitical risks, economic stability, industry trends, and regulatory impacts.

    Show full answer Show less

    Requesting Risk Intelligence Reports and Scores

    If you hold roles such as TPR manager, TPR assessor (due diligence request owner), or contract negotiator assigned to a due diligence request, you can initiate requests for Risk Intelligence Reports (RIR) or scores using the risk intelligence request form. Requests can be linked either directly to a third party or to a due diligence request, facilitating easier access and review of all related risk information within the Vendor Management Workspace.

    Requests must be made after the inherent risk questionnaire (IRQ) stage is in progress if associating with a due diligence request. Upon submission and approval, the request enters an Order pending state, during which no changes can be made to prevent errors. Requests can be canceled when open or pending if circumstances change or reports are no longer needed. Once the provider issues the reports and scores, these are linked to the request record, which is then marked Closed complete.

    To avoid duplication, you cannot submit multiple requests for the same report type from the same provider for a single third party. Additionally, you can manually add and review risk intelligence scores for third parties through the related list.

    Setup Requirements

    Users with the TPR assessment reviewer role must register risk intelligence providers and configure both provider settings and request types within the TPR application before requests can be made. Note that risk reports can only be requested for third parties, not for engagements.

    Sanctions Tracking

    The application also supports tracking sanctions-related information about third parties. This helps ensure compliance by identifying third parties involved in activities restricted or prohibited by government sanctions. Maintaining up-to-date sanctions data aids your team during due diligence reviews and approvals.

    Request risk intelligence reports or scores directly from your external risk intelligence content providers by using the Third-party Risk Management application. This information can be requested and managed based on the importance or risk level of the individual third party.

    Risk intelligence overview

    Risk intelligence providers are companies that specialize in analyzing and generating risk scores for various third-party risk domains. These providers offer services that are similar to personal credit scoring systems, delivering data that helps organizations assess third parties.

    If you have the third-party risk (TPR) assessor [sn_vdr_risk_asmt.vendor_risk_assessor] and are the due diligence request owner or the TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] role, you can use the TPRM application to request scores or reports for third parties by using the risk intelligence request form. After the reports and scores are generated by the risk intelligence provider, the links to these reports are delivered and associated with that risk intelligence report record.

    The information in these reports can cover various topics, including the geopolitical risks, economic stability, industry-specific trends, and regulatory changes that could affect your third-party interaction. You can order different types of reports, such as credit risk reports, compliance reports, strategic risk reports, and more, for your specific risk management program requirements.

    Setting up risk intelligence providers and request types

    If you have the TPR assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role, you must register the providers and set up both the providers and request types in the Third-party Risk Management application before you can request a report. For more information, see Register a risk intelligence provider, Set up a risk intelligence provider service, and Set up a request type for a provider.
    Note:
    You can request risk reports for third parties but not for engagements.

    Requesting risk intelligence

    As a TPR manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_risk_assessor] that is the due diligence request owner, or contract negotiator [sn_vdr_risk_asmt.contract_negotiator] that is assigned to the due diligence request, you can request a Risk Intelligence Report (RIR) or score to gain insight on how trustworthy a particular third party can be. You would follow this process to request risk intelligence reports or scores:

    1. Fill out the RIR request form. An RIR request can be associated with a third party or due diligence request. When you associate a RIR request with a due diligence request, reviewers and approvers can more easily access all the related activity, scores, reports, and details through the Risk Intelligence report request tab in the Vendor Management Workspace[var.vendor-management-ws]. For more information, see Request a risk intelligence report and Request a risk intelligence report associated with a due diligence request.
      Note:
      If you want to associate an RIR request with a due diligence request, it must be after the inherent risk questionnaire (IRQ) has been completed (that is, when the due diligence request has entered the IRQ in progress state).
    2. The TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] and their team reviews the request.
    3. The TPR manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_risk_assessor] that is the due diligence request owner, or contract negotiator [sn_vdr_risk_asmt.contract_negotiator] that is assigned to the due diligence request can submit it if it’s approved. After the request has been submitted and has entered the Order pending state, all fields in the Risk intelligence report request section are read-only to help to prevent incorrect orders from being submitted to the provider.
      Note:
      The TPR manager, TPR assessor, or contract negotiator can cancel a RIR request while the request is in the Open or Order pending state. An RIR request can also be canceled if the report is no longer needed due to new information that impacts the third party or some other change.
    4. After the reports and scores are generated by the risk intelligence provider, the links to these reports and the scores are delivered and associated with the risk intelligence report request. The RIR request then enters the Closed complete state.

    For more information on RIR requests and their process states, see Risk intelligence report requests management.

    Note:
    You can’t have multiple RIR requests with the same provider, request type, or third party. For example, if you have already associated an RIR request with a third party, you can’t request the same report from the same provider as part of a due diligence request for an engagement. This process helps with preventing duplicate orders from being submitted to the provider.

    You can manually add scores to third parties and use the Risk intelligence scores related list to review the background information on the existing scores for a third party. For more information, see Add a risk intelligence score to risk data for a third party.

    Tracking sanctions-related information

    By tracking sanction-related information about your third parties, you can check if that third party is involved in any activities that are prohibited or restricted by government sanctions or regulations. Logging and updating sanctions-related information for third parties keeps your team informed as you review and approve a due diligence request as part of your third-party risk program. For more information about tracking sanctions-related information, see Track sanctions-related information.