Using risk intelligence reports and scores

  • Release version: Yokohama
  • Updated March 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using risk intelligence reports and scores

    The Third-party Risk Management (TPRM) application in ServiceNow enables customers to request and manage risk intelligence reports and scores directly from external risk intelligence content providers. These providers analyze and generate risk scores across various third-party risk domains, similar to credit scoring systems, helping organizations assess the trustworthiness and risks associated with their third parties.

    Show full answer Show less

    Risk intelligence reports can cover geopolitical, economic, industry-specific, and regulatory risks, supporting informed decision-making in third-party risk management. Different report types—such as credit risk, compliance, and strategic risk reports—can be ordered based on organizational needs.

    Setting up Providers and Request Types

    Before requesting reports, users with the TPR assessment reviewer role must register risk intelligence providers and configure both providers and request types within the TPRM application. This setup is essential for enabling requests. Note that risk intelligence reports can be requested only for third parties, not for engagements.

    Requesting Risk Intelligence Reports and Scores

    • Users with roles including TPR manager, TPR assessor (due diligence request owner), or contract negotiator can initiate risk intelligence report (RIR) or score requests.
    • The process involves completing an RIR request form, which can be linked either directly to a third party or to a due diligence request. Associating the request with a due diligence request helps reviewers and approvers track related activities and reports efficiently within the Vendor Management Workspace.
    • Requests linked to due diligence must be made only after the inherent risk questionnaire has started (IRQ in progress state).
    • Once submitted and in the "Order pending" state, request fields become read-only to prevent errors. Requests can be canceled while open or pending if no longer needed.
    • Providers evaluate requests based on their own criteria and agreements with the customer; a report is provided only if these requirements are met.
    • The system prevents duplicate requests by disallowing multiple RIR requests for the same provider, request type, and third party combination.

    After report generation, links and scores are attached to the relevant RIR record, which moves to the "Closed complete" state.

    Managing Risk Intelligence Scores and Sanctions Information

    Customers can manually add risk intelligence scores to third parties and review all related risk data in a dedicated scores list, enhancing visibility into third-party risk profiles.

    Tracking sanctions-related information within the TPRM application helps ensure compliance by flagging third parties potentially involved in prohibited or regulated activities. This information supports due diligence reviews and approvals by keeping teams informed throughout the risk management process.

    Request risk intelligence reports or scores directly from your external risk intelligence content providers by using the Third-party Risk Management application. This information can be requested and managed based on the importance or risk level of the individual third party.

    Risk intelligence overview

    Risk intelligence providers are companies that specialize in analyzing and generating risk scores for various third-party risk domains. These providers offer services that are similar to personal credit scoring systems, delivering data that helps organizations assess third parties.

    If you have the third-party risk (TPR) assessor [sn_vdr_risk_asmt.vendor_risk_assessor] and are the due diligence request owner or the TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] role, you can use the TPRM application to request scores or reports for third parties by using the risk intelligence request form. After the reports and scores are generated by the risk intelligence provider, the links to these reports are delivered and associated with that risk intelligence report record.

    The information in these reports can cover various topics, including the geopolitical risks, economic stability, industry-specific trends, and regulatory changes that could affect your third-party interaction. You can order different types of reports, such as credit risk reports, compliance reports, strategic risk reports, and more, for your specific risk management program requirements.

    The Risk Intelligence Report framework provides a common way to request reports, but it does not enforce provider‑specific requirements. Each risk intelligence provider decides whether a request can be fulfilled based on its own integration and the your organization's agreement with that provider. A report is returned only if the provider’s requirements are met.

    Setting up risk intelligence providers and request types

    If you have the TPR assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role, you must register the providers and set up both the providers and request types in the Third-party Risk Management application before you can request a report. For more information, see Register a risk intelligence provider, Set up a risk intelligence provider service, and Set up a request type for a provider.
    Note:
    You can request risk reports for third parties but not for engagements.

    Requesting risk intelligence

    As a TPR manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_risk_assessor] that is the due diligence request owner, or contract negotiator [sn_vdr_risk_asmt.contract_negotiator] that is assigned to the due diligence request, you can request a Risk Intelligence Report (RIR) or score to gain insight on how trustworthy a particular third party can be. You would follow this process to request risk intelligence reports or scores:

    1. Fill out the RIR request form. An RIR request can be associated with a third party or due diligence request. When you associate a RIR request with a due diligence request, reviewers and approvers can more easily access all the related activity, scores, reports, and details through the Risk Intelligence report request tab in the Vendor Management Workspace[var.vendor-management-ws]. For more information, see Request a risk intelligence report and Request a risk intelligence report associated with a due diligence request.
      Note:
      If you want to associate an RIR request with a due diligence request, it must be after the inherent risk questionnaire (IRQ) has been completed (that is, when the due diligence request has entered the IRQ in progress state).
    2. The TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] and their team reviews the request.
    3. The TPR manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_risk_assessor] that is the due diligence request owner, or contract negotiator [sn_vdr_risk_asmt.contract_negotiator] that is assigned to the due diligence request can submit it if it’s approved. After the request has been submitted and has entered the Order pending state, all fields in the Risk intelligence report request section are read-only to help to prevent incorrect orders from being submitted to the provider.
      Note:
      The TPR manager, TPR assessor, or contract negotiator can cancel a RIR request while the request is in the Open or Order pending state. An RIR request can also be canceled if the report is no longer needed due to new information that impacts the third party or some other change.
    4. After the reports and scores are generated by the risk intelligence provider, the links to these reports and the scores are delivered and associated with the risk intelligence report request. The RIR request then enters the Closed complete state.

    After a request is submitted, the risk intelligence provider determines whether the request can be fulfilled based on its own requirements. The platform submits the request and records the outcome, but does not validate provider-specific prerequisites.

    For more information on RIR requests and their process states, see Risk intelligence report requests management.

    Note:
    You can’t have multiple RIR requests with the same provider, request type, or third party. For example, if you have already associated an RIR request with a third party, you can’t request the same report from the same provider as part of a due diligence request for an engagement. This process helps with preventing duplicate orders from being submitted to the provider.

    You can manually add scores to third parties and use the Risk intelligence scores related list to review the background information on the existing scores for a third party. For more information, see Add a risk intelligence score to risk data for a third party.

    Tracking sanctions-related information

    By tracking sanction-related information about your third parties, you can check if that third party is involved in any activities that are prohibited or restricted by government sanctions or regulations. Logging and updating sanctions-related information for third parties keeps your team informed as you review and approve a due diligence request as part of your third-party risk program. For more information about tracking sanctions-related information, see Track sanctions-related information.