Third-Party Risk Management > Managing your foundational data for implementation

Every organization has information silos, with scattered third-party data--from contact details to risk data and criticality levels--across multiple, disconnected sources. When managing thousands of third parties and engagements, the risk team lacks transparency and visibility into the risks they pose.  

In this article and video, we will discuss how to build an effective and efficient third-party risk management program by establishing a single source of truth for third parties and their related information. Data lays the groundwork for a successful implementation.

Foundational data includes all the data that you need to support your risk program, including regulations, policies, and control objectives. Understanding how your data fields map to those in ServiceNow products is key to fully leveraging the platform and avoiding confusion.

Investing in the integrity of your data enables the next step in implementation: making design decisions for assessments, processes, and forms. To proceed, you must recognize the attributes of your data to power your workflows. Key foundational data in ServiceNow Third-Party Risk Management (TPRM) includes:

• Third parties – The inventory of any external entity that is not part of the company but provides products, services, or support that the company relies on. Third parties include vendors, suppliers, contractors, consultants, service providers, and any other external organizations that interact with the company in a business relationship.
• Third-party engagement – Data that documents the separate and distinct product or service provided to an organization by a third party. Each engagement requires different levels of risk data due to variations in the nature of the services provided, level of access to sensitive data or critical systems, and potential impact on your organization.

Centralizing third-party data makes it easier to track new third parties and expand the scope of your TPRM program beyond IT vendors or critical third parties to include suppliers, service providers, customers, partners, facilities, and contractors. As programs mature, this data foundation enables a smoother transition to risk assessments and continuous monitoring. If you are upgrading from Vendor Risk Management to TPRM, watch this Product Success video.

ServiceNow Third-Party Risk Management centralizes third-party management in one place and automates vendor assessment processes. By laying the right data foundation, you will be able to take control of third-party risk information throughout the lifecycle, from onboarding through retirement. 

You will also:

• Be able to import third-party inventory from spreadsheets and other systems
• Enable your business users to more easily request new third-party evaluations (in the Employee Center)
• Expand the scope of TPRM beyond IT vendors or critical third parties
• Visualize risk concentration to uncover systemic vulnerabilities (concentration risk map)

Your risk team will be able to track performance and monitor risks. They can easily see changes, trigger new assessments, and, when needed, adjust the type, frequency, and scope based on company policies and risk levels. This encourages timely assessments, risk-based prioritization, and better collaboration between business and risk functions.

TPRM Demos

• Speed learning: Inventory maintenance video (PPT attachment below)
• Speed learning: Third-party engagement due diligence video (PPT attachment below)
• Stay Ahead of Third-party risk - TPRM - Risk Products
• Vendor hierarchies and risk areas
• What’s new in TPRM (Vancouver)

TPRM Resources

• TPRM Process Guide
• Getting started: Gathering your foundation data
• Product Documentation: Risk Profile, Import existing data from other systems, and Benefits of your third-party risk management program on ServiceNow.

TPRM FAQs

As a developer, how do I import data into the platform?

Importing data into TPRM is a fast and easy way to create records in the application tables. Use the import data feature to import legacy records into new applications to preserve history or seed tables with critical application data. (Sign up for this developer course:  Importing data into ServiceNow.)

Where can I import data from?

You can import existing data (third parties, engagements, assessments, questionnaires, issues, etc., from other systems (the Aravo platform, the ProcessUnity platform, etc). You aren’t charged for importing the data. You need the admin role.

What is a transform map?

A transform map is a set of field maps that determine the relationships between fields in an import set and fields in an existing ServiceNow table, such as Incidents [incident] or Users [sys_user]. After creating a transform map, you can reuse it to map data from another import set to the same ServiceNow table.

How do I create a data source?

You can create a data source record to define what data an import set should import (JDBC, LDP, OIDC, REST, or custom).  For guidance on specific imports, you should visit this Product Documentation page.