Working in the VRM Classic user interface
Summary of Working in the VRM Classic user interface
The VRM Classic user interface allows you to perform Vendor Risk Management (VRM) tasks, but the newer Vendor Management Workspace provides enhanced third-party risk management (TPRM) features and more effective reporting. This content outlines key VRM Classic functionalities relevant to managing third-party risks, configuring assessments, and organizing third-party relationships.
Key Features
- Recurring Risk Assessments: Configure third-party risk assessments to recur on a set schedule, ensuring regular updates of risk results for third parties or engagements. This automation supports ongoing risk monitoring. Required role: sn_vdr_risk_asmt.vendor_assessor.
- Creating Third-Party Records: Ability to create and manage third-party records, essential for initiating risk assessments. Required roles: admin or sn_vdr_risk_asmt.vendor_risk_manager.
- Third-Party Hierarchies and Engagements: Define parent-child relationships among third parties and their subsidiaries to assess risk at multiple organizational levels. This hierarchical approach enables rolling up subsidiary risk scores to the parent entity. Roles: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_assessor.
- Defining Engagements: Establish engagements to assess risks related to products or services from third parties, including subsidiaries and partners. Engagements can be requested by any user but are typically defined by risk managers or assessors. Roles: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_assessor.
- Risk Tiering Assessments: Classify third parties into risk tiers (None, Low, Minor, Moderate, High, Critical) at onboarding, each linked to specific assessment questions and document requests, facilitating standardized risk evaluation.
- Legacy External Risk Assessment Management: Before closing an assessment, stakeholders handle issues and tasks, communicate via comment streams, and assign third parties as needed. Third-party contacts access assessments through the Third-party portal.
- Creating External Assessments: Initiate third-party risk assessments following a defined lifecycle. Note that the Vendor Risk Overview dashboard is deprecated starting with TPR version 18.1.3, but remains available if installed before that version.
Practical Implications for ServiceNow Customers
ServiceNow customers using VRM Classic can continue managing vendor risks with familiar tools while preparing to transition to the Vendor Management Workspace for advanced capabilities. Understanding roles required for tasks ensures proper access control for risk assessments, third-party record management, and engagement definitions. Leveraging hierarchical structures and scheduled assessments supports comprehensive and up-to-date risk monitoring across complex vendor ecosystems. Awareness of deprecated dashboards helps in planning reporting strategies.
While you can continue to use the legacy user interface to perform Vendor Risk Management tasks, the Vendor Management Workspace offers enhanced TPRM features and more useful reports.
- Configure a risk assessment to recur on a schedule
Configure a third-party risk assessment to recur on a schedule to regularly update risk results for a third party or an engagement.
Role required: sn_vdr_risk_asmt.vendor_assessor
- Create a VRM third party record
Configure a third-party risk assessment to recur on a schedule to regularly update risk results for a third party or an engagement.
Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager.
- Setting up VRM third-party hierarchies and engagements
Create third-party hierarchies by defining the parent-child relationships between the parent third party and all of their subsidiaries. You do this task because some organizations work with third parties that have subsidiaries (or subsidiaries of subsidiaries) that can pose a potential risk to your business. You can perform assessments at each subsidiary organization and roll up the results to calculate an overall risk score for the parent third party.
Role required: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_assessor.
- Define a VRM engagement
Define an engagement so that you can assess the risks that are associated with the services or products offered by a third party. Engagements can also represent the products or services that are provided to the parent third party, either directly or from departments, partners, or subsidiaries that you can also assess for risk.
Tip: Any person with access to your instance at your organization can request an engagement. That process is typically more streamlined and more effective than the process described here, where a Third-party risk (TPR) manager or TPR assessor defines an engagement. For more information, see Request due diligence for a third-party engagement.
Role required: sn_vdr_risk_asmt.vendor_risk_manager or sn_vdr_risk_asmt.vendor_assessor.
- VRM third-party risk tiering assessments
- Organizations use risk tiering to classify their third parties into categories of potential risk posed at the time of onboarding. The standard predefined risk tiers are None, Low, Minor, Moderate, High, and Critical. Each risk tier has associated assessment questions and document requests.
- Managing external risk assessments — Legacy process
- Before the TPR manager closes an assessment, stakeholders create issues and tasks, usually during the Generating observations state. The TPR assessor assigns third parties as needed and communicates using comment streams to achieve closure on non-compliance. The third-party primary contact uses the Third-party portal to view all assessments.
- Create an external assessment — Legacy process
- Create an assessment and initiate the third-party risk assessment life cycle.