Managing the Third-party portal

  • Release version: Xanadu
  • Updated July 31, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Managing the Third-party Portal

    The Third-party portal serves as the primary interface for third-party contacts to respond to questionnaires, documentation requests, and address issues raised by risk assessors. It facilitates efficient communication and management between third-party contacts and your organization's risk assessment team.

    Show full answer Show less

    Key Features

    • Third-party Contacts: Individuals representing third parties, categorized as primary or secondary contacts. Each third party must have at least one primary contact responsible for responding to assessments.
    • Role Assignments: Primary contacts automatically receive the vendorcontact and sncexternal roles, ensuring access to the portal while restricting unauthorized access.
    • Task Management: Primary contacts can delegate tasks, update contact information, and manage notification preferences. Secondary contacts can view and respond to assigned assessments and manage passwords.
    • Progress Tracking: Assessment requests are tracked through states: New, In Progress, and Completed, with specific actions required upon completion.
    • Response Options: Third-party contacts can respond to questionnaires using a Microsoft Excel template or the Shared Assessments SIG questionnaire, facilitating streamlined documentation processes.
    • Portal Access: Third-party contacts access the portal via a designated URL and can refer to an FAQ page for common inquiries.
    • Management Tools: TPR assessors can manage third-party contacts, including creating logins, resetting passwords, and assigning roles.

    Key Outcomes

    By effectively utilizing the Third-party portal, organizations can enhance their third-party risk management processes, ensure secure access for external contacts, and streamline the completion of assessments. This leads to improved oversight of third-party relationships and better compliance with risk assessment requirements.

    Third-party contacts respond to questionnaires, requests for documentation, tasks, and issues on the Third-party portal. The portal is the point of interaction between third parties and risk assessors.

    Third-party contacts

    Third-party contacts are the individuals that represent the third party. By using the third-party portal, they can respond to questionnaires, work on tasks, and address issues that your third-party risk assessment team raises. Third-party contacts are either primary or secondary contacts. The primary contact is the assigned individual who receives the assessment questionnaires. Each third party must have at least one primary contact. The Third-party editor [vendor_editor], Third-party Risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_assessor], or the primary contact can create third-party contacts.

    You assign the primary contact responsibility to the third-party contact who can directly answer assessment questions or assign another contact at the third party to answer the questions. Primary contacts can manage other contacts for the third party.

    Third-party contacts are automatically assigned two roles: vendor_contact and snc_external. The vendor_contact role provides third-party contacts with access to the Third-party portal, while the snc_external role is a safeguard that restricts access only to the portal. The snc_external role helps prevent any unauthorized entry into your instance. For more information, see Set up third-party contacts.

    Note:
    Third-party contacts see your organization's name in all references on the Third-party portal. You specify the name in the sn_vdr_risk_asmt.company.name property setting. See Configure TPRM properties.

    Tasks for third-party contacts

    The primary third-party contact can perform the following tasks:

    • Delegate questionnaires, tasks, and issues to other third-party contacts.
    • View and update the third-party contact information.
    • Update the notification preferences.

    Secondary third-party contacts can use the portal to perform the following tasks:

    • View and respond to "assigned to me" assessments.
    • Change a password or request a new password.
    Important:
    The third-party contact role should be used only for external contacts. The role prohibits access to the ServiceNow AI Platform and grants access only to the Third-party portal.

    Third-party contacts see the portal as shown in the following example.

    Figure 1. Third-party portal example
    Third-party portal as seen by a third-party contact.

    Questionnaire and document request states

    Progress is tracked in assessment requests and the progress is indicated by the state of the requests within the questionnaires and document requests. Here are the possible states for requests.

    New
    After questionnaires and document requests are sent out, they are in the New state.
    In progress
    After the third-party or engagement contact has started providing responses in a questionnaire or document request, the requests is in the In progress state.
    Completed
    After the third-party or engagement contact has provided responses for all questions in a questionnaire or document request and saved, the request is in the Completed state.
    Note:
    After all requests have entered the Completed state, you must return to the assessment page and submit the assessment.

    Responding to questionnaires using a Microsoft Excel template

    Third-party contacts can use a Microsoft Excel template to respond to questionnaires by downloading the template, completing it, and importing the final version into the Third-party portal. The Microsoft Excel questionnaire template contains instructions for filling out the template. This enables third-party contacts to provide information outside the third-party portal, streamlining the due diligence process. For more information, see Using a Microsoft Excel spreadsheet template for external questionnaires and Respond using a Microsoft Excel template.

    Responding to assessments using a SIG questionnaire

    Third parties can use the Shared Assessments Standardized Information Gathering questionnaire (SIG) to provide assessment documentation in the Third-party Risk Management application. The third-party contact can upload the pre-filled SIG spreadsheet or respond to a form-based questionnaire that is imported to the instance. For more information, see Using the SIG questionnaire for a risk assessment and Respond using the SIG.

    Note:
    Third-party contacts can reassign a questionnaire to another team member by selecting the more actions menu icon and selecting Reassign. After reassigning the questionnaire, they lose access to the questionnaire.

    Launching the portal

    Third-party contacts launch the portal by using [your instance URL]/svdp).

    Learning to use the portal—the FAQ page

    Third-party contacts can select FAQ to view answers to common questions, such as how to invite additional users to the portal and how to assign primary contacts to third-party or engagement records.

    Managing third-party contacts

    Users in your organization with the TPR assessor role [sn_vdr_risk_asmt.vendor_assessor] use TPRM to manage the following third-party contact activities:
    • Create a login for a new third-party contact.
    • Enable or disable a third-party contact login.
    • Reset a password for a third-party contact.
    • Assign a user role to a third-party contact.
    • Assign a third-party contact to an assessment.
    • View and update the customer contact information.
    • Access the completed assessments.

    For more information, see Set up third-party contacts and Manage the access for your third-party contacts.

    Note:
    If necessary, you can respond on behalf of third parties or engagements to questionnaires. See Respond to a questionnaire for a third party or engagement for more information.

    The Allow assessors to answer/edit questionnaires for third-party contacts property (sn_svdp.allow_assessor_edit) must be active. For more information on configuring this property, see Configure TPRM properties.