Working in the VRM Classic user interface

  • Release version: Xanadu
  • Updated July 31, 2025

    While you can continue to use the legacy user interface to perform Vendor Risk Management tasks, the Vendor Management Workspace offers enhanced TPRM features and more useful reports.

    Configure a risk assessment to recur on a schedule

    Configure a third-party risk assessment to recur on a schedule to regularly update risk results for a third party or an engagement.

    Role required: sn_vdr_risk_asmt.vendor_assessor

    Create a VRM third party record

    Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager.

    Setting up VRM third-party hierarchies and engagements

    Create third-party hierarchies by defining the parent-child relationships between the parent third party and all of their subsidiaries. You do this task because some organizations work with third parties that have subsidiaries (or subsidiaries of subsidiaries) that can pose a potential risk to your business. You can perform assessments at each subsidiary organization and roll up the results to calculate an overall risk score for the parent third party.

    Role required: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_assessor.

    Define a VRM engagement

    Define an engagement so that you can assess the risks that are associated with the services or products offered by a third party. Engagements can also represent the products or services that are provided to the parent third party, either directly or from departments, partners, or subsidiaries that you can also assess for risk.

    Tip: Any person with access to your instance at your organization can request an engagement. That process is typically more streamlined and more effective than the process described here, where a Third-party risk (TPR) manager or TPR assessor defines an engagement. For more information, see Request due diligence for a third-party engagement.

    Role required: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_assessor.

    VRM third-party risk tiering assessments

    Organizations use risk tiering to classify their third parties into categories of potential risk posed at the time of onboarding. The standard predefined risk tiers are None, Low, Minor, Moderate, High, and Critical. Each risk tier has associated assessment questions and document requests.

    Managing external risk assessments — Legacy process

    Before the TPR manager closes an assessment, stakeholders create issues and tasks, usually during the Generating observations state. The TPR assessor assigns third parties as needed and communicates using comment streams to achieve closure on non-compliance. The third-party primary contact uses the Third-party portal to view all assessments.

    Create an external assessment — Legacy process

    Create an assessment and initiate the third-party risk assessment life cycle.

    Important: Starting with version 18.1.3 of Third-party Risk Management, the Vendor Risk Overview dashboard is deprecated. If Third-party Risk Management was installed prior to 18.1.3, the Vendor Risk Overview dashboard is still available for your use.