We're reclaiming inactive PDIs to keep them available for active builders. Learn what's changing, who's affected, and how to protect your work. Read More

Mary Hain
Administrator

Third-party risk programs are growing in complexity — more vendors, more regulations, more assessments. Managing that complexity with fragmented tools, developer-dependent configurations, and manual review processes doesn't scale.

 

Introduced in Zurich (Q3'25), Smart Assessment Engine is ServiceNow's unified assessment framework that powers the entire Third-Party Risk Management (TPRM) lifecycle — from tiering and inherent risk questionnaires through external assessments, risk scoring, and continuous monitoring.

 

Smart Assessment Engine provides an intuitive, configurable, and access-controlled assessment experience so organizations to design and execute their own assessments. It can be used by three distinct personas: the third-party risk team, third-party responders, and business users with 75+ out-of-the-box assessment templates and AI-native capabilities.

Check out our video tutorial on using Smart Assessment Engine in TPRM.  


Transform TPRM with SAE.png

 

How it works: TPRM Lifecycle

The Smart Assessment Engine powers four of the five TPRM lifecycle stages:

  • Onboarding — Vendor and engagement request is captured. The foundation for everything that follows.
  • Tiering & IRQ (Powered by Smart Assessment Engine) — Inherent risk assessment sets vendor priority and automatically determines the due diligence scope.
  • External Assessment (Powered by Smart Assessment Engine) — The right questionnaires are triggered based on the due diligence scope. Third-party Responders complete assessments in the modern portal.
  • Risk Scoring (Powered by Smart Assessment Engine) — Normalized risk ratings roll up consistently across all vendor relationships for true apples-to-apples comparison.
  • Continuous Monitoring (Powered by Smart Assessment Engine) — Periodic reassessments are automatically triggered by renewal dates or risk-score changes, keeping the vendor risk posture current.

 

Assessment lifecycle

The assessment lifecycle for each persona. Business users build and configure assessments without developer dependency. Third-party responders complete assessments in a modern, guided experience. Risk teams get automated workflows, normalized scoring, and AI-surfaced issues, all in one engine.

 

  • Third-party risk team — Build → Automate → Trigger → Monitor
  • Third-party responder — Respond accurately & faster
  • Business user — Engage seamlessly

 

How it can help your third-party risk program

Migrating to the Smart Assessment Engine (SAE) in Third-Party Risk Management (TPRM) is an important step toward modernizing your assessment workflows. Every Classic Assessment feature has a direct equivalent in the Smart Assessment Engine, so existing investments are fully protected following migration. And on top of parity, the Smart Assessment Engine offers capabilities the Classic framework does not.

  • Developer independence — TPRM managers build, configure, and trigger assessments through a low-code interface. No developer assistance required.
  • Automated workflows — Post-assessment automation tracks incidents, follows up assessments, and records updates after a responder submits.   
  • True collaboration — Multiple assessors can work simultaneously with live presence indicators, granular section delegation, and question-level comments.
  • Consistent scoring — Scoring normalization brings vendor scores into a common range for more consistent risk reporting.
  • AI readiness — AI Response Assist and AI-based Issue Recommendation are built exclusively on the Smart Assessment Engine and use AI to automate many of the manual processes embedded in the assessment process. (Classic assessments are not receiving any AI updates.)
  • Cross-app synergies — Smart Assessment Engine is built into all Risk products (IRM, Business Continuity Mgmt., Privacy Mgmt., AI Control Tower, and TPRM) and can be used across your ServiceNow program.

 

Key components for the third-party risk team

  • Template designer + versioning — Drag-and-drop, low-code questionnaire builder. Create, publish, and manage template versions without impacting past or in-progress assessments. When a new version is published, the previous one auto-retires, and changes apply to future assessments.
  • Quick edit — Fix typos, grammar, and formatting directly on published templates without creating a new version and without disrupting live assessments. (Rule of thumb: If the meaning of the question doesn't change, use Quick Edit. If the meaning changes, use Versioning.)
  • Response automation — Pre-fill assessment responses using one of four mechanisms: static defaults for fixed answers, conditional defaults that shift based on vendor tier or engagement type, scripted automation that pulls data from the company record, and read-only vs. editable controls for admin override management.
  • Post-assessment automation — After a responder submits an assessment, the Smart Assessment Engine acts to create incidents, trigger follow-up assessments, update vendor records, and automatically advance due diligence phases. Set up configurations on the Automations tab on the Questionnaire record to get started.
  • Scoring normalization — You can define scores at the question, subsection, section, and assessment level and weigh critical areas to ensure a more accurate score.  You can also standardize scores from different scales into a single user-defined common range for vendor comparison.
  • Question-level comments and flag — Assessors and responders can comment directly on individual questions with full conversation threads, user attribution, timestamps, and @mentions. Focused, traceable discussions replace email chains, especially for multi-assessor assessments.
  • AI-based issue recommendation —AI helps you analyze historical issues and current vendor responses —both long-form and yes/no — to surface predicted issues. Analysts can then focus on risk decisions rather than response scanning. The  Now Assist for TPRM store app (sn_tprm_gen_ai) and the sn_tprm_genai.nowassist_user role are required.
  • Wide library of assessment templates — Pre-built Smart Assessment Engine templates covering regulatory compliance, security frameworks, and industry standards including SIG, NIST, and GDPR. Global coverage across the US, EU, Singapore, and India. More than 75 out-of-the-box (OOTB) templates can be activated with one click.

 

Key components for third-party responders

  •  Modern questionnaire experience — Guided, section-structured portal offers auto-save and resume, indicators for unanswered questions, evidence attachment, and a save-and-sign e-signature upon completion. Assessments can be accessed via Employee Center > GRC tasks > My pending tasks.
  • Granular delegation — The primary owner assigns specific sections to the appropriate subject matter experts so that contributors respond only to their assigned sections. Three access levels are provided: primary owner (full control and submit rights), assessment contributors (full read/write), and sectional contributors (scoped to assigned sections only).
  • Collaboration — Multiple contributors can work on the same assessment simultaneously with real-time updates and live presence indicators. Every response is attributed with a Last Responded by tag. Full change tracking maintains a transparent audit record.
  • AI Response Assist — AI analyzes past assessment responses and uploads relevant answers with cited sources from the responder's own data specifications. The design includes human-in-the-loop: while AI drafts possible answers, responders must review and apply. Smart Assessment Response Assist Skill must be activated.

 

Classic template migration

You can migrate Classic Assessment templates to the Smart Assessment Engine in bulk. Navigate to All > Third-party Risk Management > Assessment Setup > Questionnaire Templates, select templates, and click Migrate. Migration Status updates to Completed, Partially Completed, or Errored. Note: Responses from previous assessments are not migrated; only the template structure migrates.

 

Enabling Smart Assessment Engine

To enable Smart Assessment Engine: All > Third-Party Risk Management > Administration > Properties > Set "Smart Assessment Engine enabled" (sn_vdr_risk_asmt.sae_enabled) to "Yes". This is a one-time, irreversible switch. Test in a sub-production instance before enabling in production.

FAQ

Q: Are there question types that don't migrate from Classic to Smart Assessment Engine?

A: Custom, Duration, Image Scale, Percentage, Ranking, and Ratings question types are not carried over by the migration tool and must be rebuilt manually in the Smart Assessment Engine template. For example, Image Scale should be rebuilt as a Choice (radio button) type. Review Product Documentation for the latest supported question types.

 

Q: What roles are required to configure Smart Assessment Engine templates in TPRM?

  • Template configuration requires sn_vdr_risk_asmt.vendor_risk_admin or sn_vdr_risk_asmt.vendor_risk_manager.
  • For responders and assessors: sn_smart_asmt.assessment_actor, sn_vdr_risk_asmt.vendor_assessor, and snc_internal.
  • For third-party contacts accessing the portal: vendor_contact and snc_external.

 

Q: Can granular delegation be used for both internal and external assessments?

A: Granular Delegation works for both internal assessments and external third-party assessments. The primary owner can assign sections to internal SMEs or configure access for third-party contributors. Sectional contributors can view everything but respond only to their assigned sections. Only the owner can submit the assessment.

 

Some Useful Resources

Documentation

Smart Assessment Engine Product Documentation

Third-party Risk Management Documentation

Exploring Smart Assessment Engine

Using the template designer

Scoring assessments

Configure scoring for an assessment

Normalization in assessment

Automate response

Post-assessment automations

Template versioning

Responding to assessments

SAE configuration for TPRM

Migrating from Classic Assessment Engine to Smart Assessment Engine

Managing TPRM SAE templates with Unified Content Management

Configure AI-assisted questionnaire pre-fill for TPRM

TPRM Speed Learning Series

ServiceNow GRC Community

TPRM Speed Learning Series on YouTube

TPRM SAE Migration Tips — Community Blog

GRC: Third-party Risk Management Knowledge & Troubleshooting Hub

 

For more information, visit the ServiceNow Third-Party Risk Management Product Documentation or join the GRC Community to discuss Smart Assessment Engine adoption with other ServiceNow practitioners.

Version history
Last update:
46m ago
Updated by: