Third-party (external) risk assessment management

  • Release version: Xanadu
  • Updated July 31, 2025

    After the IRQ process is complete, you send questionnaires and document requests to the third-party contact. You manage the third-party risk assessment by working with the contacts to help ensure that the responses are complete and accurate.

    Accessing an external assessment

    On the Due diligence management page, select the DDR number for any engagement due diligence request, and then select the External assessments tab. The tab displays the list of all third-party risk assessments (external due diligence processes) for the selected engagement request.

    Figure: List of third-party risk assessments.

    Working on a third-party risk assessment

    For each external risk assessment, the system auto-assigns a unique ID number that starts with the text VRA. A risk assessment can represent the work on an engagement request for a third-party organization or an engagement request for a group within the parent organization. Select a VRA number to work on the risk assessment on the External assessments tab.

    Figure: Overview of a third-party risk assessment (external due diligence) process.

    Actions on any tab

    Table 1. Actions
    • Discuss: Select Discuss to send a message to other users. The message is recorded in the Activity section of the Details tab.
    • Create: Create an issue or task as described in the following sections.
    • Save: Select Save to save any change you made to a value on any tab.
    • Submit to third party: Submit all questionnaires and document requests to the TP contact. The action is recorded in the Activity section on the Details tab.
    • Delete (in the … menu): Select Delete to delete the record of the engagement request.

    Adding an attachment

    Select Browse in the Attachments section or select the attachment icon to select and add an attachment.

    Working on third-party risk assessments

    Risk overview tab on the External assessments page
    • The symbols indicate the current state of the external assessment process for the engagement request. See Life cycle states of an external assessment for descriptions of the states.

      Figure: Symbols identify the state of the third-party risk assessment process.

    • Overview section: List of assessments that are associated with the engagement.
    • Questionnaires and document requests section: List of questionnaires and document requests for the engagement.
    • Fourth-party questionnaires section: List of questionnaires and document requests for fourth parties and their sub-parties that are associated with the engagement.
    • Tracking section: Count of assessments associated with the third party that are in the Open, Overdue, or Closed state.
    Details tab on the External assessments page
    • Third-party risk assessment section: General information on the third party plus schedules for the overall assessment and questionnaire due dates from the engagement due diligence request.
    • The Compose section on the Details tab enables you to permanently add text to the record. The Activity section is updated with any actions on issues and tasks, submissions to TP contacts, and also with work notes and comments that users add to the record. Add text in the following fields as needed:
      • Work notes (Private): Information about the third-party risk assessment. Work notes are visible only to internal users who are assigned to the process.
      • Comments: Comments about the third-party risk assessment are visible both to internal users and to third-party contacts.
    Questionnaire templates tab on the External assessments page
    The tab lists the questionnaires that the third-party contact will respond to. Select a name to view the details. For more information, see Create a questionnaire or document request template and Create a questionnaire or document request template using the Designer.
    To control whether TPR assessors can modify responses, configure the Allow TPR assessors to modify responses in third-party questionnaires [sn_svdp.allow_assessor_edit] system property. You can set one of the following options:
    • Enable TPR assessors to answer questions or modify responses (default)
    • Enable TPR assessors to modify responses
    • Do not enable TPR assessors to answer questions or modify responses
    See Configure TPRM properties.
    Document templates tab on the External assessments page
    The tab lists the requests for documents that the third-party contact should return. The information in the columns helps you to prioritize your work in following up with the third-party contact. In particular, the state and percent complete values are key indicators. Select a name to view the details. For more information, see Create a questionnaire or document request template and Create a questionnaire or document request template using the Designer.
    Fourth-party templates tab on the External assessments page
    The tab lists the fourth-party questionnaires that the third-party contact will respond to. Select a name to view the details. For more information, see Monitoring your fourth-nth parties.
    Third-party risk areas tab on the External assessments page
    A risk domain defines the type of risk to assess for a third party. For example, you might want to assess a data-management third party in terms of security risk and a bank in terms of financial risk. Security risk and financial risk are risk domains. Some platform applications refer to risk domains as "risk areas." See Define a third-party risk domain.
    Issues tab on the External assessments page

    In an iterative process, before the TPR manager closes an assessment, the TPR manager can generate non-compliance issues and tasks. The TPR manager communicates with the TP contacts and engagement contacts by using comments to close the issues and tasks. The TPR manager can also assign different contacts as needed. See Create an issue for a third party or engagement and Manage issues.

    Tasks tab on the External assessments page

    In an iterative process, before the TPR manager closes an assessment, the TPR manager can generate non-compliance issues and tasks. The TPR manager communicates with the TP contacts and engagement contacts by using comments to close the issues and tasks. The TPR manager can also assign different contacts as needed. See Create a task for a third party or engagement and Manage a task for a third party or engagement.