Playbook stages and activities when Third-party Risk Due Diligence is installed

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Playbook stages and activities when Third-party Risk Due Diligence is installed

    This playbook outlines the stages and activities involved in performing a risk assessment when the Third-party Risk Due Diligence (TPRM) application is installed in ServiceNow. It guides supplier managers and fulfillers through assigning, managing, assessing, reviewing, and closing due diligence cases related to third-party suppliers.

    Show full answer Show less

    Key Features

    • Case Assignment and Management: Users can assign due diligence cases to themselves or others, update case descriptions, and transition cases to work in progress.
    • Request Creation and Validation: The playbook checks if the TPRM plugin is installed and prevents duplicate due diligence requests for the same supplier by allowing cancellation or creation of new requests.
    • Due Diligence Request Submission: Users onboard new engagements by entering supplier and engagement details, submitting requests that then await approval to begin the risk process.
    • Risk Assessment Workflow: The process waits for Initial Risk Questionnaires (IRQ) completion, due diligence completion, and formal review and approval of the due diligence request.
    • Risk Rating Review: Users review supplier risk ratings and accept or reject them. Rejection triggers a specific rejection stage in the playbook.
    • Case Closure: Once approved, the requester is notified via email (or the notification can be skipped), closing comments are added, and the case state is updated to Closed complete.

    Key Outcomes

    • Ensures structured and consistent management of third-party risk assessments within ServiceNow.
    • Reduces duplicate efforts by checking for existing due diligence requests for suppliers.
    • Facilitates clear communication and status tracking throughout the due diligence lifecycle.
    • Supports informed decision-making by enabling acceptance or rejection of supplier risk ratings.
    • Completes the risk assessment cycle with proper closure and notification, maintaining auditability and process compliance.

    The following table lists the Perform risk assessment playbook stages and activities when Third-party risk Due Diligence is installed.

    Table 1. Perform risk assessment playbook stages and activities
    Stage Activity Activity Details
    Review case Assign case As a supplier manager or fulfiller, you can use this activity to assign the case to a different person or keep the case assigned to you.

    You can do the following:

    • In the Assigned to search field, search for and select the person that you want to assign the case to.
    • In the Short description field, update the description for the case.
    • Select one of the following actions:
      • Select Save to save your changes.
      • Select Start work to start working on the case.
    Update case to work in progress

    Updates the state of the due diligence case to work in progress.
    Create request Check if TPRM is installed Checks if the TPRM plugin is installed.
    Check for duplicate due diligence (risk assessment) requests Reviews existing due diligence requests for this supplier.
    You can do the following:
    • Cancel: If there's an existing due diligence request, you can select this option to cancel this due diligence case.
    • Create new request: Creates a new due diligence request.
    Create due diligence request Do the following:
    • Under Options, select Onboard a new engagement.
    • In the Third party field, select the supplier.
    • Fill in the required fields in the following sections:
      • Third-party information
      • Third-party address
      • Engagement information
      • Engagement address
      • Engagement primary contact
    • Select Submit.
    Check the status of the due diligence request Waits for initial approval on the due diligence request and the risk process to start. Select View record to view the due diligence request.
    Assess risk Waiting on IRQs to be completed Waits for the approval of the IRQs and the due diligence to start.
    Waiting on the due diligence to be completed Waits for the due diligence to be completed and the formal review process to start.
    Waiting on the due diligence to be reviewed and approved Waits for the due diligence request to be reviewed and approved.
    Review risk rating Accept or reject risk ratings Review the risk rating of the supplier and choose to accept or reject the risk rating.

    Available actions:

    • Accept
    • Reject

      If you select Reject, the playbook opens the Rejection stage.
    Close case Notify the requester that the request has been approve Available actions:
    • Send email: Sends an email to the requester, informing them that the case has been approved.
    • Skip: Skips this activity.
    Close case Add closing comments to complete the case.

    In the Close notes field, add your comments and select Close case.

    The state of the due diligence case is updated to Closed completed.