Taming the supply chain: Addressing vendor risks to the nth tier

  • Now on Now
  • Mark Gardner
  • Solutions
  • 2022
July 11, 2022

Vendor risk in the supply chain: feet walking on glass stairs

Vendor risk ranks alongside cybersecurity, compliance, reputational, and financial risks as one of the top risks to any organization.

With any risk, you need to identify, monitor, and mitigate that risk, especially when it comes to your supply chain. The question for someone in my role as a senior manager of compliance management is: What level of risk is being posed and why? Stated another way: Do I really know what my supply chain is doing?

When looking at our vendor contracts at ServiceNow, I can easily find information about our first-line supply chain vendors. But digging deeper has proven to be challenging. How do I get objective visibility into the risks of the second-line vendors’ business relationships—and third, fourth, and fifth-line vendors? How do I know when those risks change?

Being able to answer these questions has a direct impact on the business’s bottom line. A 2021 study by the Ponemon Institute found the global average cost of a data breach is $4.24 million. If the risk is related to vulnerabilities at third parties, it’s even higher. Compliance best practices include understanding our supply chain landscape at all times.

Identifying vendor risks

As with any large organization, vendors play a critical role in the success of ServiceNow. That’s why we use Vendor Risk Management (VRM) to manage our third-party risk. We identify emerging vendor risks and continually monitor these risks across our enterprise. But the data is limited to our first-tier vendors.

Evaluating Global Vendor Risk: figures in circles on a global map

You need objective data to assess the risks posed by third parties and make good decisions. But it’s not easy to gather details on vendor supply chains manually. Typically, it takes hundreds of hours scouring the web. Even then, not all the data is available.

That’s why we integrated Interos, a risk intelligence software solution, into the latest release of the Now Platform®. It uses algorithmically generated risk scores to rate company performance against six different risk factors:

  • Financial

  • Operational

  • ESG

  • Geopolitical

  • Company and country restrictions

  • Cyber risk

The data comes from thousands of different sources on the web.

Interos had exactly the data we needed to detect areas of concern and vulnerabilities across physical and digital supply chains worldwide. I can view ServiceNow’s business relationships across entire ecosystems and continuously assess second and third to nth-tier vendors against multiple risk types. I can pull a report in seconds rather than having to question every vendor in our supply chain about the vendors they use.

Gaining visibility

The combination of Vendor Risk Management and risk intelligence software such as Interos is worth its weight in gold because of the visibility and transparency it gives me into the supply chain. The risk scores save a tremendous amount of time and help me understand my unforeseen risk exposure.

For example, if a vendor tells me its cybersecurity program or financial stability is good and its risk score is low, I can ask for verification. Or, I can conduct additional screenings to determine if the data is accurate and fits within my risk threshold. Equipped with data, I can skip blanket risk questions and instead start with targeted questions, saving time and effort.

A great example of how risk intelligence software can impact vendor risk is the hacking of SolarWinds in 2020. I can see if SolarWinds was in my supply chain and which areas are at risk. I can then query those vendors about potential data loss within specific time frames. More importantly, I can move quickly to assess the risk and mitigate any impact.

Risk intelligence software is worth its weight in gold because of the visibility and transparency it gives me into the supply chain.

Mapping vendors to the nth degree

According to the Ponemon research, the average total cost of a data breach grew nearly 10% between 2020 and 2021, representing the largest annual cost increase in the last seven years. Supply chain vulnerabilities are only one of many risks that can contribute to these breaches.

Using Interos, I’m more confident in analyzing data and quickly recommending decisions about our suppliers because I can see our exposure through the entire ecosystem. Best of all, I can sleep at night knowing I’ve done what I can to help avoid the business disruptions, data loss, and operational or financial impact of our supply chain.

See an Interos/Vendor Risk Management demo and find out more about Vendor Risk Management.

© 2022 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.


  • Total experience companies outperform: prism refraction with an arrow pointing to the right
    Employee Experience
    Survey says: Total experience-focused companies outperform
    Organizations are aligning employee experience and customer experience to create a positive total experience. See findings from the latest research.
  • 4 ServiceNow employees who worked on support case creation and auto-agent workflows
    Now on Now
    Streamlining support case creation and administration
    When customer feedback revealed areas ripe for improvement, ServiceNow employees listened and upgraded two support workflows: case creation and auto-agent.
  • Scaled Agile Framework (SAFe): business man looking at phone while standing on bridge overlooking a city
    IT Management
    How the Scaled Agile Framework (SAFe) truly supports business
    The Scaled Agile Framework (SAFe) delivery model can help IT leaders manage the transition from a stability-focused to a continuously evolving infrastructure.

Trends & Research

  • Total experience companies outperform: prism refraction with an arrow pointing to the right
    Employee Experience
    Survey says: Total experience-focused companies outperform
  • Customer service: smiling businessman on phone walking outdoors
    Customer Experience
    Survey: 3 tips to deliver world-class customer service
  • Enterprise SRE (site reliability engineering): where service reliability and business agility meet
    Application Development
    Service quality and the rising need for enterprise SRE