
07-03-2025 11:09 AM - edited 07-09-2025 03:03 PM
Every organization has information silos, with third-party data--from contact details to risk data and criticality levels--scattered across multiple, disconnected sources. With data spread out this way, a risk team managing thousands of third parties and engagements will lack transparency and visibility into the risks associated with those engagements.
The first step in building an effective and efficient third-party risk management program is establishing a single source of truth for third parties and their related information. Data lays the groundwork for the success of the implementation.
Foundational data includes all the data that you need to support your risk program, including regulations, policies, and control objectives. Understanding how your data fields map to those in ServiceNow products is the key to fully leveraging the platform and avoiding confusion.
Investing in the integrity of your data enables the next step in implementation: making design decisions for assessments, processes, and forms. To proceed, you must recognize the attributes of your data to power your workflows. Key foundational data in ServiceNow Third-Party Risk Management (TPRM) includes:
- Third parties – The inventory of any external entity that is not part of the company but provides products, services, or support that the company relies on. Third parties can include vendors, suppliers, contractors, consultants, service providers, or any other external organization that interacts with the company in a business relationship.
- Third-party engagement – Data that documents the separate and distinct product or service provided to an organization by a third party. Each engagement requires different levels of risk data due to variations in the nature of the services provided, level of access to sensitive data or critical systems, and potential impact on your organization.
Centralizing third-party data makes it easier to track new third parties and expand the scope of your TPRM program beyond IT vendors or critical third parties to include suppliers, service providers, customers, partners, facilities, and contractors. As programs mature, this data foundation supports an easier transition to risk assessments and continuous monitoring. If you are upgrading from Vendor Risk Management to TPRM, watch this Product Success video.
ServiceNow Third-Party Risk Management centralizes the management of your third parties in one place and automates the vendor assessment processes. By laying the right data foundation, you will be able to take control of third-party risk information as part of a lifecycle that runs from onboarding through retirement.
You will also:
- Be able to import third-party inventory from spreadsheets and other systems
- Enable your business users to more easily request new third-party evaluations (in the Employee Center)
- Expand the scope of TPRM beyond IT vendors or critical third parties
- Visualize risk concentration to uncover systemic vulnerabilities (concentration risk map)
Your risk team will be able to track performance and monitor risks. They can easily see changes, trigger new assessments and, when needed, adjust the type, frequency, and scope based on company policies and risk levels. This encourages timely assessments, risk-based prioritization, and better collaboration between business and risk functions.
Demos
- Speed learning: Inventory maintenance video (PPT attachment below)
- Speed learning: Third-party engagement due diligence video (PPT attachment below)
- Stay Ahead of Third-party risk - TPRM - Risk Products
- Vendor hierarchies and risk areas
- What’s new in TPRM (Vancouver)
Resources
- TPRM Process Guide
- Getting started: Gathering your foundation data
- Product Documentation: Risk Profile, Import existing data from other systems, and Benefits of your third-party risk management program on ServiceNow.
FAQs
As a developer, how do I import data into the platform?
Importing data into TPRM is a fast and easy way to create records in the application tables. Use the import data feature to import legacy records into new applications to preserve history or seed tables with critical application data. (Sign up for this developer course: Importing data into ServiceNow.)
Where can I import data from?
You can import existing data (third parties, engagements, assessments, questionnaires, issues, etc.) from other systems (the Aravo platform, the ProcessUnity platform, etc.). You aren't charged for importing the data. You need the admin role.
What is a transform map?
A transform map is a set of field maps that determine the relationships between fields in an import set and fields in an existing ServiceNow table, such as Incidents [incident] or Users [sys_user]. After creating a transform map, you can reuse it to map data from another import set to the same ServiceNow table.
How do I create a data source?
You can create a data source record to define what data an import set should import (JDBC, LDAP, OIDC, REST, custom). For guidance on specific imports, visit this Product Documentation page.
This is great information. Is there a plan to do something like this for the other areas of IRM? This really helps with new users. I love the videos on the ServiceNow Community YouTube channel!