Third-Party Risk Management > Issue management and remediation

In ServiceNow Third-Party Risk Management (TPRM), issues originate from any identified risk or gap in risk assessments, internal investigations, control failures, risk acceptances, or continuous monitoring (e.g., threat intelligence or news alerts).

 

ServiceNow’s out-of-the-box (OOTB) issue management workflow helps third-party risk teams track, monitor, and remediate issues throughout their lifecycles, from creation and analysis to third-party collaboration, review, and closure.

 

Once the issue is analyzed, remediation tasks or actions taken to resolve the issue, are generated, assigned to the third party as needed, and then tracked through the issue execution, internal review, and closure process in TPRM. This end-to-end visibility drives accountability and a timely resolution for all involved parties.

 

ServiceNow’s data model supports automation, audit trails, mapping to third-party records, and role-based access for both internal stakeholders and external third-party contacts. This flexible data model makes it easier to handle issues and integrate the process with the broader TPRM lifecycle.

 

The issue management workflow is tailored to the unique needs of various TPRM personas, such as the:

• TPRM manager, who oversees the issue portfolio and drives accountability
• TPRM assessor, who investigates issues and recommends action
• Third-party contact, who remediates issues securely
• TPRM reviewer, who validates closure and ensures proper resolution

By proactively managing issues in a centralized issue management process, you can prevent escalation, ensure timely remediation, and reduce the compliance, operational, and reputational risks and maintain a strong third-party risk posture.

 

Demos

• Speed Learning – Issue Management and Remediation (PPT attachment below)
• Speed Learning – TPRM Architecture and Data Model  (PPT attachment below)
• Vendor Risk Overview Demo (from 10:45 - 12:18)
• What’s new in Third-party Risk Management (25:55 – 26:07)

Resources

• TPRM Process Guide
• Product Documentation
  • Create an issue for a third party or engagement
  • Manage issues
  • Create a task for a third party or engagement
  • Manage a task for a third party or engagement

FAQs

What information is required when creating a new issue for a third party?

When creating a new issue, you need to provide details including the issue's name, description, category, priority, and the third party or engagement it relates to. This ensures proper tracking and management of the issue.

 

Can I assign an issue to a specific individual or team?

You can assign them to specific individuals or teams responsible for addressing them. This is done by selecting the appropriate assignee in the issue's record.

 

How do I  update the status of an existing issue?

Open the issue record in ServiceNow, modify the status field to reflect the current state (e.g., open, in progress, resolved), and save the changes.

 

Is it possible to link related issues together?

You can link related issues by using the 'parent' and 'child' fields or by associating them through related lists in the issue record. This helps in tracking and managing interconnected issues effectively.

 

How can I track the progress of an issue over time?

You can track the progress of an issue by reviewing the activity log within the issue record. This log captures all updates, comments, and changes made to the issue, providing a comprehensive history.

 

What should I do if an issue is no longer relevant or was created in error?

You can close or delete the issue record. Be sure to document the reason for closure or deletion for future reference.

 

Can I set deadlines or due dates for resolving issues?

When creating or managing an issue, you can set deadlines or due dates by specifying the 'due date' field in the issue record. This helps you prioritize your tasks for timely issue resolution.

 

Is there a way to categorize issues for better organization?

You can categorize issues by selecting appropriate categories or subcategories in the issue record. You can organize and filter issues based on their nature or impact.

 

How can I notify stakeholders about updates to an issue?

You can add them as watchers to an issue record or send notifications through the 'comments' section of the issue record. You can also use the platform’s capabilities to send automated notifications based on specific triggers or status changes.

 

What information is required when creating a task?

You need to provide:

• Task name
• Assigned to (the individual responsible)
• Due date
• Description of the task
• Related third-party or engagement

How can I manage an existing task in TPRM?

It’s simple. To manage a task:

• Navigate to Workspaces > Vendor Management Workspace
• Select the Risk tab to open the workspace
• Locate and open the task you wish to manage
• Update the task details as needed and save your changes

Can I assign tasks to specific individuals?

When creating or editing a task, you can assign it to a specific user by selecting their name in the Assigned to field. By defining who is responsible for completing the task, you improve accountability and resolution time.

 

Is it possible to set due dates for tasks?

During task creation or editing, you can specify a due date or deadline for task completion.

 

How do I track the progress of tasks?

In the Vendor Management Workspace, under the Risk tab, you can view all tasks associated with third parties or engagements and their current status. This makes it easy to monitor progress and take necessary actions.

 

Can tasks be linked to specific assessments or issues?

You can associate tasks with specific assessments or issues. Linking the two provides context for the issue and enables you to see if tasks are aligned with the relevant risk assessments or identified issues.

 

What happens if a task is overdue?

If a task surpasses its due date without completion, it is marked as overdue. This status highlights pending tasks that require your immediate attention to mitigate potential risks.

 

Can I add comments or notes to a task?

Within each task, there's a section to add comments or work notes to facilitate communication among team members and provide a history of actions taken related to the task.

 

Is there a way to automate task creation based on certain triggers?

The standard process involves manual task creation. However, you can use Flow Designer to set up flows that automatically create tasks when specific conditions are met, such as the completion of a third-party assessment.