Smart assessment configuration

  • Release version: Xanadu
  • Updated July 31, 2025

    The TPR manager and TPR admin roles involve a broad variety of responsibilities. After the TPRM base system is set up, you configure the settings specific to Smart Assessment Engine (SAE), as well as other assessment settings that enable and enhance everyday risk-assessment tasks. TPRM admins can enable SAE and work with SAE templates.

    Assessment setup overview

    By performing the tasks in the Assessment setup checklist for TPRM, you’re setting up and configuring the TPRM application to address your unique requirements for scoring and assessing risk for third parties, engagements, and other entities using the Smart Assessment Engine for TPRM assessments.

    Note:

    For any custom messages you create, it is your responsibility to generate the corresponding sys_ui_message records. This step is crucial if you want the custom messages to be extracted and translated.

    Assessment setup checklist for Smart Assessment Engine integration with TPRM

    Table 1. Setup tasks for assessments and questionnaires
    Task Description
    Set the Smart Assessment Engine enabled [sn_vdr_risk_asmt.sae_enabled] property.
    After setting this property, SAE becomes the default assessment engine and replaces the legacy experience.
    Warning:
    After this option is enabled, this selection can’t be reversed.

    For more information, see Configure TPRM properties and Migrating from Classic Assessment Engine to Smart Assessment Engine.

    Role required: sn_vdr_risk_asmt.vendor_risk_admin

    Migrate questionnaire templates. This task is optional.

    You can migrate existing questionnaire or document request templates to an SAE template.

    Note:
    If you’re setting up assessments for TPRM for the first time, you don’t need to complete this task.

    For more information, see Migrating from Classic Assessment Engine to Smart Assessment Engine, Migrate a template to an SAE template, Results of migrating a template to a TPRM SAE template, and How legacy metric types are migrated to sections in templates.

    Role required: sn_vdr_risk_asmt.vendor_risk_admin

    Update assessment templates and issue generation rules. This task is optional.

    Add published SAE questionnaire templates to all related assessment templates and Issue generation rules. For more information, see Create an external assessment template and Create an issue generation rule.

    Note:
    If assessment templates aren’t updated to be compatible with SAE templates, tier-based, provider-based, issue generation, and event-driven management rules won’t run as expected.

    Role required: sn_vdr_risk_asmt.vendor_risk_admin

    Create post assessment impact automation rules. This task is optional.

    Configure automation rules that trigger impact actions after an assessment is completed. These rules can initiate workflows such as risk mitigation, notifications, or updates to related records based on assessment outcomes.

    Plugin Dependency: Smart Assessment Post-assessment Actions (com.sn_impact_fwk and com.sn_smart_imp_auto).

    Access vendor risk assessment configurations, including automation rule setup and impact framework integration. Rules are asynchronous and can be tailored to specific assessment types or risk thresholds.

    Role required: sn_vdr_risk_asmt.vendor_risk_admin

    Create response automation rules. This task is optional.

    Enable automatic responses for assessments based on predefined conditions. For example, if a vendor scores below a certain threshold, the system can auto-generate follow-up actions or flag the record for review.

    Plugin Dependency: Smart Response Automation (com.sn_smart_resp_auto)

    Configure response logic and manage automation settings within the Smart Assessment Engine. Rules can be configured using templates and conditions based on scoring, risk levels, or assessment responses.

    Role required: sn_vdr_risk_asmt.vendor_risk_admin

    Set up risk rating scales for scoring assessments and questionnaires. This task is required for the initial setup of TPRM.

    You can configure the risk rating scale that is selected by default for all questionnaires.

    For more information, see Set up risk rating scales for scoring.

    Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager

    Set up third-party risk domains or areas. This task is required for the initial setup of TPRM.

    You can configure the scoring method and weight that is selected by default for all third parties associated with a specific risk area.

    For more information, see Define a third-party risk domain.

    Role required: sn_vdr_risk_asmt.vendor_risk_manager

    Set up third-party risk area criteria, which are the group of risk domains or areas that apply to a type of third party. This task is required for the initial setup of TPRM.

    You can adjust the weight and scoring method of each risk area within a criteria definition.

    For more information, see Define third-party risk area criteria.

    Role required: sn_vdr_risk_asmt.vendor_risk_manager

    Set up third-party and engagement component criteria. This task is required for the initial setup of TPRM.

    Components are entities that can be assessed for risk. Component criteria are groups of components that are related to a particular type of third party or engagement.

    You can’t add new components or modify existing ones. You can, however, define the criteria (in terms of scoring method and weight) to be used to assess the components. You can update the Default scoring method to specify how multiple scores for each risk area are calculated. You can use the Default weight to adjust the weight of third-party provider scores in the third party's overall risk rating.

    The following component classifications are available.
    • Third-party components
      • Third-party risk assessments (External risk assessments)
      • Subsidiaries
      • Engagements
      • Risk intelligence rating
    • Engagement components
      • Engagement risk assessments
      • Product
      • Principal
      • Facility
      • Other

    For more information on setting up component criteria, see Define component criteria.

    For more information on how engagement components impact third-party elements, see Monitoring third-party elements.

    Role required: sn_vdr_risk_asmt.vendor_risk_manager

    Set up third-party and engagement risk scoring rules. This task is required for the initial setup of TPRM.

    Define the criteria, based on risk scores, that determine which third parties or engagements require assessments. Third-party risk scoring rules apply to subsidiaries, engagements, and third-party risk areas. Engagement risk scoring rules only apply to engagements.

    For more information, see Define third-party risk scoring rules and Define engagement risk scoring rules.

    Role required: sn_vdr_risk_asmt.vendor_risk_manager

    Create questionnaire or document request templates. This task is required for the initial setup of TPRM.

    You can reuse questionnaire templates and document-request templates to streamline the creation of new questionnaires and document requests.

    The following template purposes (classifications) are available.
    • TPRM external 3rd-party element questionnaire
    • TPRM external 4th-party questionnaire
    • TPRM external document request
    • TPRM external questionnaire
    • TPRM internal IRQ
    • TPRM internal tiering questionnaire

    For more information, see Create a TPRM SAE questionnaire or document request template.

    Role required: sn_vdr_risk_asmt.vendor_risk_admin

    Create assessment templates for external questionnaires. This task is required for the initial setup of TPRM.

    You can create an assessment template with set duration requirements and questionnaires attached by default to help streamline the assessment process for different types of third parties and engagements.

    For more information, see Create an external assessment template.

    Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager

    Create issue generation rules. This task is optional.

    Set up rules that auto-generate issues for external assessments. Specify a Third-party risk assessment, a Questionnaire template, and the Questions to apply the rule to, as well as an Issue template and a Task template to use when generating the issue.

    For more information on setting up these rules, see Create an issue generation rule.

    Role required: admin or sn_vdr_risk_asmt.vendor_risk_admin

    Set up event-driven management rules. This task is optional.

    Set up rules that auto-generate and send questionnaires and document requests to engagements and third parties. For engagements and third parties that meet the criteria you define, you specify the schedule and the assessment templates. You can automate all request types except onboarding.

    For more information on setting up these rules, see Event-driven management — automate assessment processes.
    Note:
    The Event-driven management rules feature is the default option for scheduling assessments and replaces Recurring assessments.

    Role required: sn_vdr_risk_asmt.vendor_risk_manager

    Set up scoring for questionnaires. This task is required for the initial setup of TPRM.

    You can configure how questionnaires and document requests are scored.

    For more information, see Configure scoring for an assessment and Normalization in assessment.

    Role required: sn_vdr_risk_asmt.vendor_risk_admin