Mary Hain
- Post History
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
07-03-2025 11:09 AM - edited 07-09-2025 03:16 PM
One of the feature highlights of your third-party risk management program is the ability to be powered by live risk intelligence providers. You can replace periodic, manual assessments with continuous third-party monitoring and ongoing tracking of cyber, ESG, financial, and reputational risks.
Setting up frequency, automation rules, and selecting the right intelligence sources is typically a joint effort between a ServiceNow admin or product owner and the Third-Party Risk Management (TPRM) users. Aligning triggers and score sensitivity is vital in driving value and more informed decisions.
With continuous risk monitoring by risk intelligence providers in TPRM, you can:
- Connect to external feeds – Integrate with providers like BitSight (cyber), EcoVadis (ESG), Interos (supply chain), Dun & Bradstreet (financial), or World-Check (sanctions) to bring real-time risk scores into the platform.
- Auto-update vendor profiles – Configure incoming risk intelligence provider scores to automatically update third-party records so that risk ratings are current without additional manual effort.
- Trigger actions based on scores – Define thresholds and workflows (e.g., create an issue if BitSight score < 500) so you can take immediate action when risk scores change.
- Track in one place – Use dashboards (e.g., Vendor Risk Workspace) to monitor score changes, and to create issues and remediation tasks across your vendor landscape.
In addition to score-based feeds, ServiceNow also supports risk intelligence through standardized questionnaire templates, including industry-standard standardized information gathering (SIG) questionnaires from Shared Assessments. These questionnaires can be used to assess vendors consistently and at scale, using templates or customized versions.
Demos
- Speed Learning – Risk Intelligence in TPRM (PPT attachment below)
- Speed Learning – TPRM Architecture and Data Model (PPT attachment below)
- Manage Third-Party Cyber Risk with Data Intelligence from CyberGRX
- What’s new in Third-party Risk Management (26:40 - 27:15)
- Stay Ahead of Third-party risk: Get an overview of how ServiceNow can help you manage the risk posed... (3:38 – 4:18)
Resources
- TPRM Process Guide
- Product Documentation
Using risk intelligence reports and scores
Request a risk intelligence report
Request a risk intelligence report associated with a due diligence request
Track sanctions-related information
Integrating scores from risk intelligence providers
Register a risk intelligence provider
Set up a risk intelligence provider service
Set up a request type for a provider
Add a risk intelligence score to risk data for a third party
Automate actions upon risk intelligence updates
Integrating EcoVadis with Third-party Risk Management
FAQs
What are risk intelligence providers in ServiceNow TPRM?
Risk intelligence providers are external entities that supply risk data, such as security ratings or financial assessments. They enable continuous monitoring of vendors through targeted risk intelligence scores and ratings, enabling you to evaluate and mitigate risks more effectively.
What is the purpose of risk intelligence reports in ServiceNow TPRM?
They provide insights into a third party's risk posture by integrating external data, such as scores and ratings, from risk intelligence providers. This helps you effectively assess and monitor third-party risks.
How do I request a Risk Intelligence Report for a third party?
To request a report:
- Navigate to **All > Self-Service > Third-party Risk Management > Risk Intelligence Provider Setup > Report Requests**.
- Click **New** and fill in the required fields.
- Submit the request to initiate the process.
How often is the risk data updated through these integrations?
ServiceNow supports continuous monitoring by scheduling regular data retrievals from risk intelligence providers, ensuring you access the latest vendor information.
Should I use industry-specific risk assessments?
Industry-specific risk assessments allow for more accurate risk scoring and compliance management and can be better tailored to needs within your organization.
How do I set up a risk intelligence provider service?
After registering the provider, you specify which of the scoring or rating services you'll use. Then you define how these scores will map to your organization's risk categories within TPRM.
How do I request risk scores for a specific third party?
Once the provider service is set up, you can initiate requests for risk scores directly from the third-party's profile within TPRM.
How do risk intelligence scores impact the risk profile of a third party in ServiceNow?
The external scores provide additional context about a third party's risk posture. This improves the accuracy and completeness of your risk assessments for better decision-making about vendor relationships.
What are the prerequisites for integrating risk intelligence providers into TPRM?
Prerequisites may include obtaining necessary API credentials from the provider, ensuring compatibility with your ServiceNow instance, and having the appropriate permissions to configure integrations.
What should I do if there's a discrepancy between the provider's score and my internal assessment?
Investigate the factors contributing to the discrepancy, consult with the provider for clarification, and adjust your internal assessment methodologies as necessary to align with external insights.
Can I associate a risk intelligence report with a due diligence request?
It’s a good practice to link a risk intelligence report and due diligence request because it enhances the assessment process with external risk data.
How do I track sanctions-related information for third parties?
You can easily monitor sanctions lists to identify third parties that may be subject to sanctions. This capability is provided by external providers, such as World-Check.
How do I register a new risk intelligence provider in TPRM?
To register a provider:
- Navigate to the Risk Intelligence Provider Setup section in TPRM.
- Enter the provider's details and configure the necessary settings.
- Save the configuration to enable integration.
Can I automate actions based on risk intelligence updates?
You can set up rules to trigger actions, such as creating issues or updating risk scores, when new risk intelligence data is received that exceeds preset thresholds.
