Requesting third-party risk due diligence

  • Release version: Yokohama
  • Updated March 12, 2026

    Request third-party risk due diligence to determine the level of risk for interactions with a third party, engagement, or fourth party by using Third-party Risk Management. You conduct due diligence to become aware of the associated risks so that you can make informed decisions, establish appropriate controls, and mitigate the potential negative impact when working with external parties.

    Any employee at your organization can request due diligence, which is an investigation or examination of business relationship risk, for an engagement.
    • An engagement is the informal or contracted relationship that you intend to form with a third party that could potentially expose your organization to risk. The engagement outlines the services or products to be provided by the third party and other details of the relationship.
    • A third party is any organization or individual that you’ve interacted with or entered into a business relationship with. Third parties can have subsidiaries and can contract with fourth parties. For example, departments are subsidiaries.
    • A fourth party can contract with further parties. All downstream parties, such as the fourth through the nth parties, carry risk in the same ways as third parties.

    For more information about the terms that are used in these sections or why you might conduct due diligence, see Terminology and Why you conduct due diligence.

    The following infographic shows the due diligence request process.

    Infographic that shows the due diligence request process in the due diligence workflow. For the text description, refer to the process steps that follow.
    The following are the steps of the due diligence request process.
    1. An employee at your organization requests due diligence for a third-party engagement.
    2. The system sends out an email notification to the employee who made the request.
    3. The system sends out an email notification to the Due diligence request assignment group.
    4. A member of the group can assign a Third-party risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager] or TPR assessor [sn_vdr_risk_asmt.vendor_assessor] to act as the owner of the request.
    5. The system sends out an email notification to the assigned owner of the due diligence request.
    6. The TPR manager reviews the request for due diligence for the engagement and approves it. If the information provided by the requester was insufficient or the engagement isn’t possible for your organization, the TPR manager rejects it.
    7. The IRQ process starts after the TPR manager approves the request for due diligence.

    To learn more about creating or monitoring a due diligence request, see Request due diligence for a third-party engagement and Monitoring the due diligence request process.

    When creating a due diligence request, the following options are available:

    • Onboard a new engagement: Start the onboarding process for a new engagement with an existing third party. For more information about this type of onboarding, see Example: Onboarding a third party.
    • Reassess an existing engagement: Reassess an existing engagement when the conditions change. For example, let's say that you hear adverse news or have changes in your third-party's supply lines. You might want to reassess the risk by conducting additional due diligence.
    • Reassess an existing engagement for contract renewal: Reassess the risk before your organization renews the contract with a current third party or engagement by conducting due diligence.
    • Offboard an engagement with due diligence: Determine if offboarding (terminating the relationship) with an engagement is the optimal course of action by conducting due diligence. For example, it might be too risky to switch third parties or engagements even if their current performance doesn’t meet expectations.

      Extenuating circumstances can contribute to the decision. For example, if the third party is sourcing materials that are difficult to obtain, switching providers might be costly and introduce additional risks. In such cases, continuing with the existing third party, with whom a long-term relationship exists, might be preferable to mitigate potential disruptions and higher risks.

    • Offboard an engagement with no due diligence: Request that an engagement be permanently terminated when an engagement ends or you want to switch to a different third party for other reasons. In this case, you typically don't need to conduct additional due diligence. The process does, however, include the normal Inherent Risk Questionnaire (IRQ) process to confirm that the services provided by the engagement will no longer continue. For more information about this type of offboarding, see Offboarding an engagement without conducting due diligence.

    For each due diligence request, the system auto-assigns a unique ID number that starts with the text DDR. Use the ID to track your request. You can post a message to reviewers and add attachments from the page.

    The following example shows how a new due diligence request appears.

    Figure 1. Due diligence request tracking example
    Due diligence request view from the activity tab in Employee Service Center.

    For more information on the different processes that make up the overall due diligence workflow, see Due diligence workflow and Assessing your third-party risk.