Monitoring third-party elements
You can monitor third-party elements through scalable scoring models, relationship analysis, and due diligence workflow integration by using the Third-party Risk Management application. Monitoring third-party elements and leveraging that information can help with conducting more informed risk assessments as part of your third-party risk program.
Third-party elements overview
Third-party elements (TP elements) are the external organizations that an engagement relies on to provide goods, services, or support. These organizations can include the suppliers, contractors, facilities, individuals, or any other external organization that can access the engagement's systems, data, or facilities. Each third-party element is linked to a single third party. Third-party elements can be associated with multiple engagements for the same third party but cannot be shared or reused across different third parties.
Let's look at some TP element class and risk examples:
- Datacenter: A facility or location where an engagement or third party outsources the storage, processing, and management of their data and IT infrastructure. A datacenter could potentially experience a data breach, downtime, or compliance violation that exposes their engagements to unexpected risk. This example would be classified as a Facility TP element.
- Manufacturing facility: A facility or location where an engagement or third party outsources the production or assembly of their products. A manufacturing facility could potentially experience a supply chain disruption, a counterfeit part, or a regulatory compliance issue that exposes their engagements to unexpected risk. This example would be classified as a Facility TP element.
- Beneficial owner: An individual who owns or controls an organization that is involved in a business relationship or transaction. These individuals may not be the registered or legal owners of the organization but have significant influence or control over its operations, decision-making, or financial affairs. This example would be classified as a Principal TP element.
The following infographic shows the TP element collection process.
For more information on Third-party (TP) elements and examples of their associated controls and potential risks, see Terminology.
Collecting and reviewing third-party elements
Collecting and reviewing third-party elements is optional. If you have the Third-party risk (TPR) assessor [sn_vdr_risk_asmt.vendor_assessor] role and are the due diligence request owner, or if you have the TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] role, you can start this process after your due diligence request has completed the Inherent Risk Questionnaire (IRQ) process.
- In the Vendor Management Workspace, if TP elements are needed, the Third-party risk (TPR) manager or due diligence request owner selects Start collection and a collection task is created.
- The TPR manager or owner opens the external assessment for collecting elements and adds the relevant TP element collection questionnaires.
- The TPR manager or owner reviews and approves the questionnaires and they’re sent to the engagement. For more information on assessments, see Assessing your third-party risk.
- In Vendor Management Workspace, the TPR manager or owner opens the questionnaires and verifies that all the required information was provided.
- The TPR manager or owner then navigates to the list of TP elements and manually creates a TP element record for each set of responses in each questionnaire.
- After all TP elements are created, the TPR manager or owner closes the collection task assessment. The system changes the state of the request from Collection in progress to Collection in review.
- The internal stakeholders (TPR assessor, TPR approver, TPR manager, or TPR administrator) review and approve the element records.
Adding third-party elements to engagements
After the TP elements are reviewed and approved by the TPR manager and internal stakeholders in Vendor Management Workspace, the TPR manager or owner opens the engagement and manually adds the reviewed and approved TP elements to the Engagement elements tab of the engagement for that third party. For more information, see Add a third-party element record to an engagement. After you add all TP elements to an engagement, you can start the due diligence process. During the due diligence process, you must select and assign a questionnaire as part of an external assessment for each TP element that you created. The third-party contact completes the TP element questionnaires. For more information, see Assessing your third-party risk.
Third-party element scoring
You can categorize each TP element into one of the following types: Facility, Product, Principal, or Other. This classification helps you organize the assessment criteria and subsequent scoring. Scoring on a TP element is determined by averaging the risk ratings from its associated third-party risk assessments. If you conduct multiple assessments for the same TP element, the system considers only the latest assessment for each engagement for scoring, disregarding the older ones. This process helps to ensure that the TP element's risk rating reflects the most current evaluation. For example, if a TP element has assessments with risk ratings of very high and very low, the average of these ratings leads to the overall risk being moderate.
After an element is assessed and a risk rating is determined, this rating is first aggregated into a component score that is based on its classification, such as Facility. For example, all Facility-type elements are aggregated into a single component score, which contributes to the overall score of the engagement. The engagement score is then compiled by aggregating the scores from all relevant component scores within that engagement. If multiple assessments or TP elements are within an engagement, each is scored individually and then combined to form the overall engagement score. The engagement score is then rolled up to the third-party level by aggregating the scores from all the engagements that are associated with a particular third party. The aggregation at this level could be based on different rules, such as averaging, taking the minimum, or maximum scores, depending on the scoring rules set within the system. This rolled-up score represents the overall risk or performance score of the third party and reflects all the engagements and elements that are associated with it.
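The roll-up described in the two paragraphs above, written out as an added example (this is not ServiceNow code and does not use its APIs). It assumes an ordinal scale of 1 to 5 for the rating labels, a constructed set of assessment records for one third party with two engagements, and an average-of-component-scores rule at the engagement level; the third-party level takes the configurable average, minimum, or maximum rule the text names.

```javascript
// Added example, not ServiceNow's scoring engine. Assumed ordinal scale for the
// rating labels; the page names the labels but not their numeric values.
const RATING = { "very low": 1, low: 2, moderate: 3, high: 4, "very high": 5 };
const LABELS = Object.keys(RATING);
const avg = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;

// Keep only the latest assessment per (element, engagement) pair; older
// assessments for the same pair are disregarded, as the text describes.
function latestPerEngagement(assessments) {
  const latest = new Map();
  for (const a of assessments) {
    const key = `${a.element}|${a.engagement}`;
    const prev = latest.get(key);
    if (!prev || a.date > prev.date) latest.set(key, a); // ISO dates compare as strings
  }
  return [...latest.values()];
}

// TP element score: average of its latest rating in each engagement.
function elementScore(assessments, element) {
  const mine = latestPerEngagement(assessments).filter((a) => a.element === element);
  return avg(mine.map((a) => RATING[a.rating]));
}

// Component scores: elements of one engagement grouped by classification.
function componentScores(assessments, engagement, classOf) {
  const mine = latestPerEngagement(assessments).filter((a) => a.engagement === engagement);
  const byClass = {};
  for (const a of mine) (byClass[classOf[a.element]] = byClass[classOf[a.element]] || []).push(RATING[a.rating]);
  return Object.fromEntries(Object.entries(byClass).map(([c, r]) => [c, avg(r)]));
}

// Engagement score: assumed to be the average of its component scores.
function engagementScore(assessments, engagement, classOf) {
  return avg(Object.values(componentScores(assessments, engagement, classOf)));
}

// Third-party roll-up with the configurable aggregation rule.
const RULES = { average: avg, minimum: (xs) => Math.min(...xs), maximum: (xs) => Math.max(...xs) };
function thirdPartyScore(assessments, engagements, classOf, rule = "average") {
  return RULES[rule](engagements.map((e) => engagementScore(assessments, e, classOf)));
}
// Nearest label for a numeric score (assumed rounding back onto the scale).
function toLabel(score) { return LABELS[Math.round(score) - 1]; }

// Constructed sample: datacenter DC-1 reassessed in ENG-1, plus a plant and a beneficial owner.
const SAMPLE = [
  { element: "DC-1", engagement: "ENG-1", rating: "very low", date: "2024-01-10" },
  { element: "DC-1", engagement: "ENG-1", rating: "very high", date: "2024-03-05" }, // supersedes the above
  { element: "DC-1", engagement: "ENG-2", rating: "very low", date: "2024-02-01" },
  { element: "PLANT-7", engagement: "ENG-1", rating: "high", date: "2024-03-01" },
  { element: "OWNER-A", engagement: "ENG-2", rating: "very high", date: "2024-02-15" },
];
const CLASS_OF = { "DC-1": "Facility", "PLANT-7": "Facility", "OWNER-A": "Principal" };
```

With this sample DC-1 averages very high and very low to moderate, as in the text's example, and the third-party score is 3.75, 3, or 4.5 depending on whether the average, minimum, or maximum rule is configured.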