IRQ process management
Summary of IRQ process management
The IRQ process in the ServiceNow Yokohama release is the first internal step after an engagement request is approved. It scopes third-party risk by determining the third party’s risk score through internal risk assessments. This management process helps you track and evaluate risk associated with third-party engagements efficiently.
Accessing and Navigating the IRQ Process
Access the IRQ process from the Due Diligence Management page by selecting the DDR number for a due diligence request and then the Internal Assessments tab. This tab lists all IRQ processes linked to the engagement request, each identified by a unique ID starting with INA. You can search or filter using this ID to locate and manage specific assessments.
Internal Assessments Tab Details
- Number: Unique INA ID for each IRQ process, used across the system.
- Name, Assigned to, Risk rating: Derived from the engagement request data.
- State: Tracks progress stages such as Draft, Awaiting response, Response received, or Closed.
- Respondents: Lists users who have responded to the request.
Risk Overview Tab
Within each IRQ process (selected via the INA number), you can view:
- Questionnaire requests: Lists questionnaires associated with the third party, accessible by name.
- Tracking: Displays counts of assessments by status—Open, Overdue, and Closed.
Details Tab
- Internal assessment section: Shows general third-party info and schedules for assessments and questionnaire deadlines.
- Compose section: Enables permanent text additions to the record.
- Activity section: Logs actions on issues, tasks, submissions, work notes, and comments.
- Work notes: Private notes visible only to internal users assigned to the process.
- Comments: Visible to both internal users and third-party contacts.
- Third-party overview: Provides key information about the third party tied to the engagement.
Questionnaire Templates and Scales Tabs
The Questionnaire Templates tab lists open IRQs and allows viewing questionnaire details. The Scales tab defines rating and tier values for risk scoring, supporting configuration of risk rating scales and VRM third-party tiering.
Questionnaire Requests Tab
- Number: Unique ID starting with AINST for each questionnaire instance generated.
- Assessment number: Unique ID starting with VRA for external risk assessments.
- Metric type: Defines questionnaires used in the assessment.
- Assigned to: User responsible for managing the IRQ response.
- Due date: Deadline for the third party to respond.
- State: Current stage of the IRQ process.
Internal Risk Scoring
Engagement risk-scoring rules determine which engagements require assessment based on criteria such as annual business volume. These rules apply only to engagements and help prioritize assessment efforts effectively.
Creating Internal Assessments
You can create internal assessment forms to capture necessary information for risk evaluation. Third-party risk assessors can also create customized assessment templates to streamline the process.
Practical Benefits for ServiceNow Customers
- Efficiently initiate and track third-party risk assessments with unique identifiers for easy reference.
- Maintain clear visibility of the status and progress of risk assessments through defined states and tracking sections.
- Collaborate internally with private work notes and externally with third-party contacts through comments.
- Customize questionnaires and risk scoring to align with your organization's risk policies.
- Ensure timely responses and comprehensive risk evaluation to support informed decision-making on third-party engagements.
The first internal step after an engagement request is approved is to start the IRQ process to scope the risk by determining the third party's risk score.
Accessing the IRQ process
On the Due diligence management page, select the DDR number for any due diligence request and then select the Internal assessments tab.
The tab displays the list of all IRQ processes for the engagement request. For each IRQ process, the system auto-assigns a unique ID number that starts with the text INA.
Viewing the list of internal risk assessments
- Internal assessments tab
Table 1. Internal assessments tab

| Column | Description |
| --- | --- |
| Number | For each IRQ process, the system auto-assigns a unique ID number that starts with the text INA. Select an INA number to work on the IRQ process in the Risk overview tab of the Internal assessments page. The unique ID is used in all references to the item. You can use the ID to search or filter for the item that you want to work on. |
| Name, Assigned to, Risk rating | Data from the engagement request. |
| State | The current state of the internal assessment: Draft, Awaiting response, Response received, or Closed. |
| Respondents | Users who responded to the request. |

- Risk overview tab on the Internal assessments page
For each IRQ process, the system auto-assigns a unique ID number that starts with the text INA. Select an INA number to work on the IRQ process on the Internal assessments page.
- The symbols indicate the state of each stage in the IRQ process for the request.
- Questionnaire requests section: List of questionnaires that are associated with the third party. You can view each questionnaire by selecting the Name.
- Tracking section: Count of assessments associated with the third party that are in the Open, Overdue, and Closed state.
- Details tab on the Internal assessments page
- Internal assessment section: General information on the third party and schedules for the overall assessment and questionnaire due dates from the engagement due diligence request.
- The Compose section on the Details tab enables you to permanently add text to the record. The Activity section is updated with any actions on issues and tasks, submissions to TP contacts, and also with work notes and comments that users add to the record. Add text in the following fields as needed:
- Work notes (Private): Information about the third-party risk assessment. Work notes are visible only to internal users who are assigned to the process.
- Comments: Comments about the third-party risk assessment are visible both to internal users and to third-party contacts.
- The Third-party overview section provides key information on the third party that is associated with the engagement request.
- Questionnaire templates tab on the Internal assessments page
- The tab lists all open IRQs. Select a questionnaire name to view the details.
- Scales tab on the Internal assessments page
- The tab lists the definitions of the calculated rating and tier values. See Set up risk rating scales for scoring and VRM third-party risk tiering assessments for instructions for defining the settings.
- Questionnaire requests tab on the Internal assessments page
All values on the tab come from the internal assessments that have been conducted on the third party in the engagement.

Table 2. Questionnaire requests tab

| Column | Description |
| --- | --- |
| Number | When a questionnaire template is added to an assessment and sent out, the system generates assessment instances for each template. Each of these instances is automatically assigned a unique ID number that starts with the text AINST. The unique ID is used in all references to the item. You can use the ID to search or filter for the item that you want to work on. |
| Assessment number | For each external risk assessment, the system auto-assigns a unique ID number that starts with the text VRA. The unique ID is used in all references to the item. You can use the ID to search or filter for the item that you want to work on. |
| Metric type | Questionnaire that determined the questionnaires used in the assessment. |
| Assigned to | User that is responsible for managing and responding to the IRQ. |
| Due date | Deadline for third party to respond to and return all questionnaires. |
| State | Current stage of the IRQ process for the engagement request. |
| Internal risk score | An engagement risk-scoring rule specifies component criteria that determine which engagements are selected for assessment. For example, a rule could enable assessments for engagements that involve more than $40,000 annual business. Engagement scoring rules apply only to engagements. |