Mary Hain
Administrator

Running a third-party risk management program at scale is complex, especially with limited resources, a growing ecosystem of vendors, and rising vendor security concerns.

ServiceNow Third-Party Risk Management (TPRM) provides you with a wide range of ways to initiate assessments for continuous monitoring of your third parties. The risk team can tailor its due diligence activities to your organization’s risk appetite, resource capacity, and program maturity. As your risk posture matures, TPRM enables you to move from reactive, manual third-party assessments to fully automated, AI-driven workflows.

You have three assessment options:

  • Out-of-the-box questionnaire templates covering security risk, privacy and data protection, regulatory and compliance, financial risk, operational risk, business continuity, resilience, and more
  • Industry-standard templates such as the Standard Information Gathering (SIG) questionnaire, a widely used third-party vendor risk tool
  • Your own custom questionnaires

TPRM also gives you several options for triggering an external third-party risk assessment:

  • Inherent risk questionnaire (IRQ) responses – Trigger external assessments based on responses to standardized questions during intake
  • Third-party tiering – Trigger external assessments based on risk tiers, with the appropriate scope of questions and cadence of assessments for each tier
  • Manual initiation – Trigger external assessments when an ad-hoc review is required
  • Recurring or scheduled reviews – Trigger external assessments by adopting regular, calendar-based re-assessments
  • Event-driven workflows – Trigger external assessments to be sent automatically to multiple third parties when incidents, business changes, or service modifications occur
  • Risk intelligence inputs – Trigger external assessments when risk scores or external signals indicate a change in third-party status
  • 4th- to nth-party due diligence – Trigger external assessments to expand visibility and risk mitigation beyond your third parties to their vendors (and so on)

In addition, third-party elements are useful when considering assessments. Elements represent the downstream components and sub-components your third parties rely on, including subcontractors, cloud providers, or critical partners. Elements help you extend risk visibility beyond your direct vendors by allowing targeted assessments, scoring, and monitoring of these connected entities.

🆕  New in Zurich: Smart Assessment Engine makes it easier to navigate assessments, apply templates, and break down questions into sections. You can now collaborate on third-party assessments and normalize scores for consistent reporting. The third-party portal has also been upgraded to fully support Smart Assessments.

TPRM assessment configuration

The assessment configuration capability helps you design targeted, repeatable, and efficient third-party risk assessments. You can set up risk domains, templates for questionnaires and document requests, and standardized scoring rules to ensure assessments are tailored to relevant risk areas, like financial, security, or privacy, while staying consistent across all vendors.

Think of assessment templates as reusable containers that simplify the triggering and managing of assessments, especially as third-party risk tiers or responses change. This capability helps you streamline assessment delivery, improve response quality, and enable scalable risk evaluation at every stage of the vendor lifecycle.

TPRM scoring

ServiceNow’s TPRM scoring program offers a systematic, consistent, and configurable way for you to assess third-party risk. It assigns scores based on factors like security posture, financial health, compliance history, and potential operational impact to deliver a comprehensive view of a vendor’s risk.

The scoring logic can be tailored to your organization’s risk appetite, and scores can trigger automated actions such as issue creation or reassessment. With real-time updates from assessments and external risk intelligence feeds, the program helps you stay current with vendor risk postures, prioritize your assessments effectively, and make better decisions about risk exposure.


Resources

  • TPRM Process Guide
  • Product Documentation
      • Third-party (external) risk assessment management
      • Life cycle states of a third-party (external) risk assessment
      • Assessment metric type form
      • Third-party element form
      • Third-party risk assessment form
      • Monitoring your third-party risk
      • Monitoring third-party elements
      • Monitoring assessment data using TPRM dashboards
      • Monitoring the due diligence request process
      • Tracking a managed activity
      • Monitoring your fourth-nth parties

FAQs

How do I initiate an external risk assessment?

In TPRM, navigate to All > Third-party Risk Management > External Risk Assessments > All Assessments. Select 'New,' and fill in the required fields to create and initiate an assessment.

How does ServiceNow facilitate third-party (external) risk assessment management?

After completing the Inherent Risk Questionnaire (IRQ) process with your internal contacts and determining the required due diligence, you can send questionnaires and document requests to third-party contacts. You can then use TPRM to collaborate with your internal contacts to ensure third-party responses are complete and accurate.

Why conduct third-party risk assessments?

Third-party risk assessments help your risk team identify and evaluate potential risks associated with external vendors, partners, and suppliers. This approach ensures that third-party relationships do not introduce vulnerabilities that could result in business disruptions or other negative impacts.

What is the purpose of the third-party risk assessment form?

It captures the information needed to create an external assessment within TPRM. The form requires fields such as name, description, and number to identify and describe the assessment.

What is the assessment metric type form used for?

The assessment metric type form allows you to create custom assessment questionnaire templates to capture information for your organization.

What steps do I take to create an external risk assessment in TPRM?

The first step is to specify the details of the third-party engagement and define the assessment details. This process includes sending questionnaires and document requests to your third-party contacts and reviewing the responses to ensure completeness and accuracy.

How can I ensure the accuracy of third-party risk assessment responses?

With TPRM, you can collaborate with your third-party contacts throughout the assessment process, not just at the start or end. Ongoing communication improves risk evaluation and mitigation efforts.

What are the lifecycle states of a third-party risk assessment?

The risk assessment lifecycle reflects the various phases an external assessment goes through from start to finish:

  • Draft: Assessment is being prepared
  • Scheduled: Assessment is planned and scheduled for execution
  • In Progress: Third party is completing the assessment
  • Awaiting Approval: Third party has submitted the assessment; the risk team is reviewing for approval
  • Closed: Assessment has been reviewed and approved

How do I manage third-party risk assessments?

You use the TPRM workspace to create, monitor, and update third-party risk assessment forms.

What is a third-party element record?

Once a third party submits an assessment, you create a third-party element record to document and manage the information within the TPRM application.

What information is captured in the third-party element form?

This form captures the details necessary to create a third-party element record, including information about the third party and the specific elements being assessed.

How do I monitor third-party elements?

You can monitor third-party elements using scalable scoring models, relationship analysis, and due diligence workflow integration within the TPRM application. Third-party elements can be a data center, manufacturing facility, or beneficial owner. Information from monitoring third-party elements can help you conduct more informed risk assessments.

What are assessment metric categories and how are they used?

Assessment metric categories group related metrics together, helping you to organize and structure assessments for more effective evaluation of third-party risks. You must specify a weight, a numeric value that indicates the importance of the category or metric relative to other categories and metrics. The greater the weight value, the more important the item is. The system uses weight values in assessment result calculations.
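The weighting rule above (larger weight, larger influence on the result) and the score normalization mentioned under Smart Assessment Engine can be made concrete with a small model. The code below is an added illustration, not ServiceNow's own calculation: category and metric weights, per-metric maximum scores, the 0..100 normalization, and the action thresholds are all assumed values.

```python
"""Illustrative weighted assessment scoring (added example; not ServiceNow's
own logic). Each metric carries a weight within its category and each category
carries a weight within the assessment; larger weights count more."""
from dataclasses import dataclass, field


@dataclass
class Metric:
    name: str
    weight: float      # importance relative to other metrics in the category
    score: float       # response score as recorded, 0 .. max_score
    max_score: float = 5


@dataclass
class Category:
    name: str
    weight: float      # importance relative to other categories
    metrics: list = field(default_factory=list)


def category_score(cat: Category) -> float:
    """Weighted average of the category's metrics, normalized to 0..100 so
    metrics with different max_score values are comparable."""
    total_weight = sum(m.weight for m in cat.metrics)
    if total_weight == 0:
        return 0.0
    weighted = sum(m.weight * (m.score / m.max_score) for m in cat.metrics)
    return round(100 * weighted / total_weight, 2)


def assessment_score(categories: list) -> float:
    """Weighted average of the normalized category scores, 0..100."""
    total_weight = sum(c.weight for c in categories)
    if total_weight == 0:
        return 0.0
    weighted = sum(c.weight * category_score(c) for c in categories)
    return round(weighted / total_weight, 2)


def triggered_actions(score: float, reassess_below=75.0, issue_below=50.0) -> list:
    """Map a normalized score to the automated actions the page names
    (issue creation, reassessment). Thresholds are assumed, not product defaults."""
    actions = []
    if score < issue_below:
        actions.append("create_issue")
    if score < reassess_below:
        actions.append("reassess")
    return actions


# Constructed sample: security weighted 3x privacy; one metric uses a 0..2 scale.
SAMPLE = [
    Category("Security", 3, [Metric("MFA enforced", 2, 5), Metric("Patch SLA met", 1, 2)]),
    Category("Privacy", 1, [Metric("DPA signed", 1, 5)]),
]
```

Security scores 80.0 (the 0..2 "Patch SLA met" metric is normalized before weighting), privacy scores 100.0, and the 3:1 category weighting gives an overall 85.0, which clears both thresholds and triggers no action.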

Version history
Last update: 08-10-2025 02:19 PM