VaranAwesomenow
Vendor Risk Management (VRM) is a very interesting application with a lot of benefits and functionality. In this blog and video series I unpack and provide a deep dive into all the features of VRM.
 
Notes
***************************
Risk tolerance can be determined by internal policy and guided by regulatory compliance obligations.
Six key capabilities for ServiceNow VRM
Vendor Portfolio
Vendor Tiering
Assessment management
Vendor Portal
Issues and Remediation
GRC Integration

 

Fictitious company : Varan Electric provides green energy in varan awesomeland.
Vendor Risk Management (VRM) is part of the ServiceNow Governance, Risk, and Compliance (GRC) portfolio.
Targeted to address the concerns that come with vendors.
Assessments are the most heavily focused area.
Vendor portal is a great feature which provides vendors ability to answer assessments, remediate issues.

 

Benefits
Efficiencies through automation
Reduce risk exposure
respond to high-risk vendors
increase communication
leverage a unified platform

 

Ongoing Vendor assessment Process
Request process (outside the scope of the VRM app): A request comes to the risk management team
An initial tiering process is performed
An assessment that matches the vendor tier is chosen and is sent to the vendor
When the vendor responses are received, the risk analyst generates findings
Issues are shared with the vendor for confirmation and remediation
Based on the findings and status of those issues, the residual risk of the third-party is determined and reported
The third-party is monitored
The assessment process repeats periodically
Retire process (outside the scope of the VRM app): The process continues until the company no longer does business with the third-party

 

Tiering -> references an internal process: who the vendor is and what they are going to be doing for us.

 

Vendor Risk overview Dashboard
******************************
VRA -> a unique occurrence of (copy of document request + questionnaire template) for a vendor
Reputation
security
    Network security
    patching cadence
    Hacking chatter

 

3rd party vendor score

 

    TransUnion
    Equifax -> Interos
    Experian
GRC Integration
    VRM
    Control specific to a vendor -> makes the vendor compliant or non-compliant
   
    Policy and compliance management
        Control for vendor
    Risk management
        Risk for vendor

 

Primary contact -> Sriti
Vendor risk assessor -> JanyaSau

 

Impersonate VR assessor
    Look at vendors find a vendor called Varan Electric
    Look for Vendor contacts in related lists
    Look for vendor assessments -> Filtered out submitted to vendor
    Look for a VRA record
        questionnaire
        document request
Impersonate as primary contact (vm_vdr_contact) (snc_external, vendor_contact)
    Vendor level
    Engagement level
    complete assessment

 

Vendor assessment (sn_vdr_risk_asmt_assessment)
    Draft
    Response received
        questionnaire
        document    
            100% complete
            Verify vendor response
                Include when creating an issue / follow up
                Comment back to vendor
                Internal Comment
                Questionnaire -> Reviewer comments -> Create an issue / return to vendor  / export responses
                Returned in red color
                Issue state -> New

 

Primary contact
    Vendor portal
    Questionnaire -> Returned
        Make changes and exit -> Resubmit Assessment
        Issue not sent to contact since its in New

 

Issue states -> New, Analyze, Submitted to vendor (appears in portal), Response received
Recommendation -> Drop down, explanation
                            Issue -> question related
                                    Resolve issue.
                                    Show follow ups , show unanswered questions
        Document request
            Response received
Generating observations
Finalizing with Vendor
Closed
Risk rating Calculation
Triggered by vendor tier

 

Modules
    Vendor portfolio
    Submission Rules and Admin
    Assessments
    Issues and tasks
    Assessment and tiering Setup
    3rd party provider
    Vendor management workspace
        Vendor risk overview
            vendors
            engagements
        quick actions
        vendor population overview

 

VRM architecture
    Internal
        Assessment template -> vendor record -> vendor contacts (for assessments or engagements)
        Assessment instance or engagements
        GRC -> Risk, audit, compliance
        Issues / tasks
    Vendor portal
        Response
    External
        Vendor
        Child vendor
ServiceNow store releases
    Released outside family releases
    Release Notes (example)
        New
            Added support for third-party scores to roll up in risk rating calculation.
        Fixed
            Inaccurate message sometimes seen on Vendor Risk Assessment page due to missing Advanced Risk plugin.
            Missing translations in Risk Assessment Designer.
            Improved translation support throughout application.
            Risk area field and mapping fields could not be changed for single domain third-party provider services after it has been created.
            Improved performance of saving Fourth-Party Questionnaires in the Vendor Portal.
            When Vendor Risk Assessment is deleted, the issues and tasks are moved to a closed cancelled state.
            Removed the incorrect role condition on Business Rule "Copy vendor tiering to engagement", as it was too restrictive.
    Frequently backwards compatible with prior releases
Store release version numbers
    GRC : P&C 12.0.1 (15.0.1)
    GRC : Risk 15.0.2
    When the instance is upgraded we get the MVP for store releases
    14.1.3 San Diego, Rome, Quebec Major Release Mar 23, 2022
        New
            4th-Party Management feature
        Fixed
            An issue where some names caused ESignatures to fail was fixed
            Minor WCAG 2.1 fixes
        Removed

 

VRM is a scoped application
    sn_vdr_risk_asmt

 

Update sets: use the "add to update set" utility to capture data in an update set.

 

Components of risk management
    Don't customize base script includes
    Vendor assessment portal
    vendor management workspace
    sys_metadata
    Script includes -> if the name has "Base" in it, don't modify it

 

Internal roles (snc_internal)
    vendor risk department
    vendor risk manager (configure)
    assessor (bulk of work)
    reviewer
    sn_vdr_risk_asmt.vendor_risk_manager
    sn_vdr_risk_asmt.vendor_assessor
    sn_vdr_risk_asmt.vendor_assessment_reviewer
External roles (snc_external)
    primary contact(s) -> snc_external auto assigned as vendor contact

 

when you activate Vendor risk application
    snc_internal gets assigned to all internal users

 

recap
    key capabilities, key concepts, roles,navigation

 

Core configuration
Vendor portfolio is key for VRM
Core_company table
    list view (vendor risk view)
    form view (vendor risk view)
    Vendor checkbox
New fields that may need to be added as part of GRC VRM
    VAT registration, Supplier ID, Tax payer ID, Account payable ID, Sponsoring department, date of first contract, geo service area, date company established,
    reason for using vendor

 

Loading vendors
    Integration, file based load, manual creation

 

Clean Data
    Field normalization Rules (no code)
    Data import or data source transform (low code)
    Fix scripts (pro code)

 

Vendor overview page
    Vendor summary
    risk rating based on components
    risk rating based on risk areas
Rank Tier
    Strategic partner, valued partner, tactical partner, excluded partner, other
Vendor tier
    Very low, low, moderate, high, very high
Vendor risk rating
Vendor hierarchy
    Subsidiaries
    parent / child relationship feature -> risk management can engage with different subsidiaries of a particular vendor and needs to tier and assess each subsidiary
    Rollup of risk ratings gives full visibility as to how a vendor company is performing across its many branches
Assigning products or services with engagements

 

Vendor engagements
    Contacts, Remediation, Business services, Tiering assessments, assessments, issues and tasks.
Vendor hierarchy
    includes engagements (crude oil, scrum methodology consulting) as well as child vendor records

 

Custom fields
    supplier id, tax payer id, vat registration number
Field normalization -> change scope to Global so core_company table is available in table list.
Field normalization or script
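As an added example (not the author's or ServiceNow's own code) of the "pro code" cleaning step, the block below holds the normalization a fix script would apply to vendor records before they feed VRM: whitespace in names, VAT registration numbers written with spaces and punctuation, supplier IDs with leading zeros from an ERP extract, and duplicate detection by normalized VAT number. The custom field names (u_supplier_id, u_vat_registration) and the sample records are constructed; in a real fix script the array would be replaced by a GlideRecord loop over core_company, shown in a comment.

```javascript
// Added example, not ServiceNow's code. Field names u_supplier_id / u_vat_registration are
// constructed stand-ins for the custom core_company fields mentioned in the notes.

// Canonical vendor name: collapse runs of whitespace and trim.
function normalizeVendorName(name) {
  return String(name || '').replace(/\s+/g, ' ').trim();
}

// VAT registration numbers: uppercase, drop spaces, dots and hyphens so
// "gb 123-456.789" and "GB123456789" dedupe to the same key.
function normalizeVatNumber(vat) {
  return String(vat || '').toUpperCase().replace(/[\s.\-]/g, '');
}

// Supplier IDs: trim and strip leading zeros, but keep a lone "0" and leave empty as empty.
function normalizeSupplierId(id) {
  return String(id || '').trim().replace(/^0+(?=\d)/, '');
}

// Apply the rules to a batch and report duplicate pairs by normalized VAT number.
// A fix script would log the duplicates for an analyst rather than merge blindly.
function cleanVendorRecords(records) {
  var seenVat = {};
  var duplicates = [];
  var cleaned = records.map(function (r) {
    var out = {
      sys_id: r.sys_id,
      name: normalizeVendorName(r.name),
      u_supplier_id: normalizeSupplierId(r.u_supplier_id),
      u_vat_registration: normalizeVatNumber(r.u_vat_registration),
      vendor: r.vendor === true || r.vendor === 'true' // the Vendor checkbox on core_company
    };
    if (out.u_vat_registration) {
      if (seenVat[out.u_vat_registration]) {
        duplicates.push([seenVat[out.u_vat_registration], out.sys_id]);
      } else {
        seenVat[out.u_vat_registration] = out.sys_id;
      }
    }
    return out;
  });
  return { cleaned: cleaned, duplicates: duplicates };
}

// Constructed sample extract (not real data).
var SAMPLE_VENDORS = [
  { sys_id: 'a1', name: '  Varan   Electric ', u_supplier_id: '000123', u_vat_registration: 'gb 123-456.789', vendor: 'true' },
  { sys_id: 'a2', name: 'Varan Electric', u_supplier_id: '123', u_vat_registration: 'GB123456789', vendor: true },
  { sys_id: 'a3', name: 'Crude Oil Co', u_supplier_id: '', u_vat_registration: '', vendor: false }
];

// In a ServiceNow fix script the batch would come from the platform instead, e.g.:
//   var gr = new GlideRecord('core_company'); gr.addQuery('vendor', true); gr.query();
//   while (gr.next()) { gr.setValue('u_vat_registration', normalizeVatNumber(gr.getValue('u_vat_registration'))); gr.update(); }
```

Run the functions over the sample to see the first two records collapse onto the same VAT key; that pair is what the analyst would review before deciding which record stays the vendor of record.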

 

Vendor contact configuration
    Primary vendor contacts can view all assessments and create vendor contacts
    vm_vdr_contact extends sys_user
    form view (vendor risk view)
    list view (vendor risk view)
    choice list changes
        roles list, titles
    potential new fields
        manager and manager contact info
    populate vendor contacts
        Integration, file based load, manual creation
        Setup single primary contact for vendor and Primary vendor contacts can view all assessments and create vendor contacts
Vendor contact list view
    group by on vendor
primary vs non-primary vendor Contacts
    snc_external gets assigned to all contacts
Primary vendor contact can setup other additional primaries or non primary contacts
primary vendor contact vs primary engagement contact
manage team -> invite contact -> first name, last name, email, primary contact (checkbox)
                                    user id becomes email address
Engagement contacts for engagement
    primary contact can add any contact to engagement as engagement contact
Vendor contact and license ?
    the application is licensed based on the number of vendors being licensed; it doesn't matter how many contacts there are for a vendor.
If a vendor supports many products or services?
    Engagements are used to manage this.

 

**Vendor tiering assessment
    vendor risk manager or vendor risk assessor sets up the vendor tiering assessment by matching a tiering questionnaire template with the vendor and assigns
    internal assessors to complete the tiering assessment questionnaire
score is calculated based on average
different sections of assessment are assigned to users
internal assessors complete assessment.
Tiering assessments
    my open
    all open
    all tiering
        Tiering questionnaire, vendor tiering scale, assessment instance
    States : Draft, awaiting response, tiering assignment, closed
    awaiting response -> until all assessors have submitted their response

 

Setting up vendor tiering assessment
    tiering questionnaire template (asmt_metric_type) +  vendor (core_company) + internal user (sys_user) = sn_vdr_risk_asmt_vdr_tiering_assessment

 

Metric category -> role
    section in assessment is controlled by role
    if no role is assigned everyone can see.

 

Tier-Based assessment submission Rules

 

Module -> assessment submission rules
    Tier-Based assessment submission Rules
        Auto submit to vendor -> if the tier changes it will create an assessment instance and also submit it to the vendor, provided there is a primary contact;
                                if there is none, there will be an error
alerts -> questionnaire / document request not associated to any risk scoring rules
          Only active questionnaire / document request have been added to assessment

 

**External monitoring vendor scoring configuration
    vendor -> Vendor tier, risk scoring -> external risk rating

 

    Setup
        Find Store app -> vendor risk
            Bitsight, upguard, recorded future, security scorecard
                Need subscription with scoring company
        3rd party setup
            Role : vendor manager
                create 3rd party provider record
                3rd party services record (reputational or security)
                ability for submission rule (optional)
    Module -> 3rd party provider setup
        3rd party services record -> score type, risk area, mapping section
    when the 3rd party does their scoring it will go into the 3rd party score table (sn_vdr_asmt_security_score) -> provider based
    normalized score -> multiple 3rd parties may score differently (the mapping in services does the normalization)

 

***Assessment configuration
VRA created based on templates which define questionnaire, doc requests and frequency of assessment
Why -> capture information to assess risk
How -> created by risk managers, reusable questionnaires, can be created from a vendor record or all VRM list view
Benefits -> open line of comms, consistency in assessing vendors

 

Template designer overview
    Questions / categories from question bank.
    designer canvas
    controls palette

 

    Module : Assessment -> Metric Definition -> Templates
To add a template within the template designer, add a control of type Template and select the template.
Option to weight questions or sections is not available in the template designer.
vendor risk manager may add a new category from question bank or individual question into a questionnaire or document request
Load questionnaire template using excel import method

 

Global tables
    Assessment metric type (asmt_metric_type), related lists ( assessment categories -> asmt_metric_category), assessment metrics (individual questions) asmt_metric,
    assessment metric definition(asmt_metric_definition)
    records in  questionnaire template and document request template modules are derived from Assessment metric type table
        condition is not one of document request template / tiering questionnaire template
   
    Hierarchical lists
    Weight of questions lives in the assessment metric; weights can't be changed in the designer, it has to be done from the platform record.
    Some question types can be scored and some cannot; a correct answer can be provided.
    The data types for assessments show which ones can be scored and which cannot.
Assessment templates -> sn_vdr_risk_asmt_template
    Questionnaire template -> datatype is attachment

 

Module -> Assessment setup
    Document request template designer -> New document request template
        only "Do you have <document name>?" is used to score; the other fields are not scored.

 

tables :
    asmt_metric_type -> sn_vdr_risk_asmt_m2m_asmt_template_questionnaire_template
                     -> sn_vdr_risk_asmt_m2m_asmt_doc_questionnaire_template
    vendor risk assessment
        sn_vdr_risk_asmt_assessment
            Related list for questionnaire request instance
                sn_vdr_risk_asmt_m2m_asmt_doc_questionnaire_template
            Related list for doc request instance
                sn_vdr_risk_asmt_m2m_asmt_doc_req



Create vendor risk assessment
    1. Manual submission
    2. Vendor Tiering (None, minor, low, Mod, High, Critical)
    3. 3rd party scoring

 

Risk manager role is needed to create a template
risk assessor can assign a template to a vendor to create VRA
    Vendor -> assessment -> New
        If template is not used, then select questionnaire and or document request
    Assessments -> All open assessments -> New
Vendor tier submission
    vendor tiering assessment -> tiering assessment -> vendor tier
    tier-based assessment submission rules -> vendor -> vendor tier -> assessment template -> auto submit to vendor
    vendor risk assessment -> assessment template (if there is a primary contact)
3rd party score
    Bitsight -1000, security scorecard - 600
        provider-based submission rules -> score provider -> vendor -> security score -> vendor tier -> assessment template ->  auto-submit to vendor
            vendor risk assessment -> assessment template (if there is a primary contact)
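The following is an added example, not ServiceNow's or the author's code, covering both the external monitoring configuration notes (normalized score, mapping in the 3rd party services record) and the provider-based submission rule just described. It normalizes raw provider scores with different scales into the common 0..100 risk rating and then evaluates a provider-based rule that picks an assessment template and only auto-submits when the vendor has a primary contact. Provider names, scale bounds, thresholds and vendor data are constructed assumptions.

```javascript
// Added example, not ServiceNow's code. Provider scales and thresholds are constructed.

// One entry per 3rd party provider service (cf. "score type, risk area, mapping section").
// minScore/maxScore describe the provider's own scale; higherIsSafer gives its direction.
var PROVIDER_SERVICES = {
  'Provider A': { riskArea: 'Security',   minScore: 250, maxScore: 900, higherIsSafer: true },
  'Provider B': { riskArea: 'Security',   minScore: 0,   maxScore: 100, higherIsSafer: true },
  'Provider C': { riskArea: 'Reputation', minScore: 0,   maxScore: 10,  higherIsSafer: false }
};

// Normalize a raw provider score into a 0..100 risk rating (100 = highest risk) so that
// different providers can be compared and rolled up into the vendor risk rating.
function normalizeScore(providerName, rawScore) {
  var svc = PROVIDER_SERVICES[providerName];
  if (!svc) throw new Error('unknown 3rd party provider: ' + providerName);
  // Out-of-range values from a feed are clamped rather than rejected.
  var clamped = Math.min(Math.max(rawScore, svc.minScore), svc.maxScore);
  var fraction = (clamped - svc.minScore) / (svc.maxScore - svc.minScore);
  var risk = svc.higherIsSafer ? 1 - fraction : fraction;
  return Math.round(risk * 100);
}

// Provider-based submission rules: score provider + vendor tier + threshold -> template.
var PROVIDER_RULES = [
  { provider: 'Provider A', minRisk: 60, vendorTier: 'high',     template: 'Full security assessment',  autoSubmit: true },
  { provider: 'Provider B', minRisk: 40, vendorTier: 'moderate', template: 'Light security assessment', autoSubmit: false }
];

// Returns null when no rule matches; otherwise the template to use, the resulting VRA state
// and an error when auto-submit was requested but the vendor has no primary contact
// (the notes say submission fails in that case).
function evaluateProviderRules(vendor, providerName, rawScore) {
  var rating = normalizeScore(providerName, rawScore);
  for (var i = 0; i < PROVIDER_RULES.length; i++) {
    var rule = PROVIDER_RULES[i];
    if (rule.provider !== providerName) continue;
    if (rule.vendorTier !== vendor.tier) continue;
    if (rating < rule.minRisk) continue;
    var noContact = rule.autoSubmit && !vendor.primaryContact;
    return {
      template: rule.template,
      normalizedRating: rating,
      state: rule.autoSubmit && !noContact ? 'Submitted to vendor' : 'Draft',
      error: noContact ? 'no primary contact: cannot auto-submit' : null
    };
  }
  return null;
}
```

A vendor in the high tier whose Provider A score drops to 300 normalizes to 92 and triggers the full assessment; the same score for a vendor without a primary contact leaves the VRA in Draft with an error, which is exactly the failure the submission-rule alert should surface.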

 

**Risk scoring rule
scoring components for vendor risk rating
    assessments assigned directly to vendor
        risk rating on the assessment
    external monitoring
        3rd party score normalized rating
    child vendors
        risk rating on child vendor
    engagements
        risk rating on engagement
            engagement risk scoring rule
   
Risk rating fields
    risk rating on vendor
    risk rating on VRA
        questionnaire risk rating
        document request risk rating
    risk rating on engagement

 

calculations
    question level
        metric scale high
            questionRating = (value - minValue) / (maxValue - minValue)
        metric scale low
            questionRating = 1 - (value - minValue) / (maxValue - minValue)
        questionPercentageContribution
            = questionWeight / sum of all question weights within the category
    category level
        questionNormalizedValue = 100 * questionRating * questionPercentageContribution
        categoryRating = sum of all questionNormalizedValues within the category
        categoryNormalizedValue = categoryRating * (category weight / sum of all category weights)
    assessment level
        questionnaireQuantitativeScore = sum of all categoryNormalizedValues
        assessmentRating = weighted average over risk areas:
            [ (Questionnaire + DocRequest for risk area 1) * weight assigned to risk area 1
              + (Questionnaire + DocRequest for risk area 2) * weight assigned to risk area 2 ] / sum of weights
   
    If there are 18 categories and they all have the same weight, then the normalized value for all correct answers will be 100/18 = 5.56 per category
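To make the arithmetic above concrete, here is an added example (not ServiceNow's own scoring code) implementing the question, category, questionnaire and assessment levels as plain functions, plus a check that reproduces the 18-equal-categories figure. Object field names and the sample scale (1..5) are constructed assumptions.

```javascript
// Added example, not ServiceNow's code: a plain model of the rating arithmetic in the notes.

// Question rating on a 0..1 scale. A "high" metric scale means a higher answer value is
// better (lower risk); a "low" scale inverts the fraction.
function questionRating(q) {
  var span = q.maxValue - q.minValue;
  if (span <= 0) throw new Error('metric scale must have maxValue > minValue');
  var r = (q.value - q.minValue) / span;
  return q.scale === 'low' ? 1 - r : r;
}

// categoryRating = sum over questions of 100 * rating * (weight / sum of weights in category).
function categoryRating(cat) {
  var totalWeight = cat.questions.reduce(function (s, q) { return s + q.weight; }, 0);
  if (totalWeight === 0) return 0; // a category with no weighted questions contributes nothing
  return cat.questions.reduce(function (sum, q) {
    var contribution = q.weight / totalWeight;           // questionPercentageContribution
    return sum + 100 * questionRating(q) * contribution; // questionNormalizedValue
  }, 0);
}

// questionnaireQuantitativeScore = sum of categoryRating * (category weight / sum of category weights).
function questionnaireScore(categories) {
  var totalWeight = categories.reduce(function (s, c) { return s + c.weight; }, 0);
  if (totalWeight === 0) return 0;
  return categories.reduce(function (sum, c) {
    return sum + categoryRating(c) * (c.weight / totalWeight);
  }, 0);
}

// assessmentRating = weighted average over risk areas of (questionnaire + document request)
// using each risk area's weight.
function assessmentRating(riskAreas) {
  var totalWeight = riskAreas.reduce(function (s, a) { return s + a.weight; }, 0);
  if (totalWeight === 0) return 0;
  return riskAreas.reduce(function (sum, a) {
    return sum + (a.questionnaire + a.docRequest) * a.weight;
  }, 0) / totalWeight;
}

// Constructed check for the worked figure in the notes: 18 equally weighted categories with
// every answer at the best end of a 1..5 scale give 100/18 per category and 100 overall.
function eighteenEqualCategories() {
  var categories = [];
  for (var i = 0; i < 18; i++) {
    categories.push({
      weight: 1,
      questions: [{ scale: 'high', value: 5, minValue: 1, maxValue: 5, weight: 1 }]
    });
  }
  var perCategory = categoryRating(categories[0]) * (1 / 18);
  return { perCategory: Math.round(perCategory * 100) / 100, total: questionnaireScore(categories) };
}
```

The zero-weight guards matter in practice: a questionnaire template where an analyst forgot to weight a category would otherwise divide by zero and produce NaN ratings that silently propagate into the vendor risk rating.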

 

Vendor risk rating - breakdown
    risk rating
    risk area breakdown
    risk rating component breakdown
        resiliency risk
        financial risk
        security risk

 

Vendor risk scoring rules
    vendor risk area criteria
    vendor risk component criteria

 

    scoring setup
        component definition
            engagement
            external monitoring
            subsidiaries
            vendor risk assessments
                default scoring method
                    average risk
                default weight
                    100 (same)
            component criteria
                all vendor criteria
                    has association to components
                        scoring method = average
                        weight (can be different)
                default
                    scoring method = average
                    weight = 100 ( from vendor risk assessment)

 

Risk area definition
    vendor risk area definition = Financial
    assessment metric type = vendor risk area (Financial risk)

 

Risk area criteria - examples
Raw materials criteria
    risk area   scoring method   weight
    health      avg              40
    labor       min              40
IT Vendor criteria
Consulting partner criteria
Strategic partner criteria

 

Company record
    Rank Tier -> strategic partner
    Risk area criteria -> strategic partner criteria
    vendor risk scoring rule -> Strategic partner rule

 

Vendor risk assessment lifecycle
    Draft  = assessment is created
        -> Submitted to vendor = assessment is available in vendor assessment portal
            -> responses received = assessor can review results, return questionnaire to vendor
                -> generating observations = assessor may begin generating observations such as creating Issues
                     -> Finalizing with vendor = outstanding issues and tasks are addressed with the vendor
                          -> closed = assessment is complete and risk evaluation is documented in the closed state

 

Resubmittal to vendor
    return to vendor
        return questionnaire -> give more time to complete
            resubmit counter indicates how many times assessment is returned

 

platform assessment engine
questionnaire and document request template
identify calculations on assessment forms

 

**Vendor risk Issue configuration
    Vendor risk life cycle = New -> Analyze -> Submitted to Vendor -> Finalize with Vendor -> Review -> Closed Complete
    For internal use Submitted to Vendor -> Finalize with Vendor can be bypassed
    Manual issue creation at question level
        Vendor won't see it until the issue state is Submitted to Vendor
            Explanation is mandatory field before submitting to vendor
            visible in vendor portal is checkbox used to display issue in vendor portal
    Automated issue creation
        vendor risk assessment
        questionnaire
            incorrect response
                1. question
                2. question
        Issue generation rule
            vendor risk assessment
            questionnaire / document request template
            questions
            issue template
            task template -> tasks
        Vendor risk assessment
            issue -> question
                  -> tasks
       
    Module = Issues -> Issue generation rules
            assessment setup -> Issue templates and task templates
    Vendor issue remediation
        vendor risk issue -> Create task
                          -> Accept issue
                          -> Request additional information
                          -> Vendor to remediate
    Role : vendor risk manager or assessor
    Vendor risk management workspace

 

    Risk and Exception handling
        Policy exception tab appears if GRC: Policy and compliance management is installed.
   
    Table structure
        task ->planned_task -> sn_grc_issue -> sn_vdr_risk_asmt_issue --> Issue to question (sn_vdr_asmt_m2m_issue)
        vendor risk assessment (sn_vdr_risk_asmt_assessment), assessment instance (asmt_assessment_instance), Assessment Instance Question (asmt_assessment_instance_question)
   
    Common requirements
        1. new workflows
            accept risk approval
            issue review
            standard task generation based on an action
        new fields
            specific to accepting a risk
   
    Vendor risk task configuration
        can be created from issue, assessment or vendor record to bring issue or assessment to close
        role :sn_vdr_risk_asmt.vendor_assessment_reviewer can create task from related list of an issue
        role : sn_vdr_risk_asmt.vendor_assessor has option to create task from system navigator menu option
        Life cycle
            Open = risk tasks are created
                -> submitted to vendor = vendor can see tasks in vendor portal
                    -> work in progress = work has begun
                        -> review = vendor risk team completes a final review and a final recommendation is made.
                            -> closed = task is updated and moved to closed status.
        Table structure -> task -> planned_task -> sn_vdr_risk_asmt_task -> risk reviewer or above can raise task
                                                            -> core_company
                                                            -> sn_vdr_risk_asmt_assessment
                                                            -> sn_vdr_risk_asmt_issue
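The assessment, issue and task lifecycles described in these notes can be written down as explicit transition tables, which is how a reviewer checks that a state change requested from a UI action or a script is legitimate. The block below is an added example, not ServiceNow's own state handling: it encodes the three lifecycles, the internal-issue bypass of the vendor leg, the mandatory explanation before an issue goes to the vendor, the "visible in vendor portal" gate and the resubmit counter. State labels come from the notes; the field names (internal, explanation, visibleInPortal, resubmitCount) are constructed.

```javascript
// Added example, not ServiceNow's code. Transition tables built from the lifecycles in the notes.
var LIFECYCLES = {
  assessment: {
    'Draft': ['Submitted to vendor'],
    'Submitted to vendor': ['Responses received'],
    'Responses received': ['Submitted to vendor', 'Generating observations'], // return-to-vendor loop
    'Generating observations': ['Finalizing with vendor'],
    'Finalizing with vendor': ['Closed'],
    'Closed': []
  },
  issue: {
    'New': ['Analyze'],
    'Analyze': ['Submitted to Vendor', 'Review'], // 'Review' directly only for internal issues
    'Submitted to Vendor': ['Finalize with Vendor'],
    'Finalize with Vendor': ['Review'],
    'Review': ['Closed Complete'],
    'Closed Complete': []
  },
  task: {
    'Open': ['Submitted to vendor'],
    'Submitted to vendor': ['Work in progress'],
    'Work in progress': ['Review'],
    'Review': ['Closed'],
    'Closed': []
  }
};

// Check a requested state change. `record` carries state and, for issues, the constructed
// fields internal (bool) and explanation (string). Returns { ok, reason }.
function canTransition(kind, record, toState) {
  var table = LIFECYCLES[kind];
  if (!table) return { ok: false, reason: 'unknown lifecycle ' + kind };
  var allowed = table[record.state];
  if (!allowed) return { ok: false, reason: 'unknown state ' + record.state };
  if (allowed.indexOf(toState) === -1) {
    return { ok: false, reason: record.state + ' -> ' + toState + ' not permitted' };
  }
  if (kind === 'issue') {
    // Skipping Submitted to Vendor -> Finalize with Vendor is only for internal issues.
    if (record.state === 'Analyze' && toState === 'Review' && !record.internal) {
      return { ok: false, reason: 'vendor-facing issues must go through Submitted to Vendor' };
    }
    // Explanation is a mandatory field before submitting to the vendor.
    if (toState === 'Submitted to Vendor' && !(record.explanation && record.explanation.trim())) {
      return { ok: false, reason: 'explanation is mandatory before submitting to vendor' };
    }
  }
  return { ok: true, reason: '' };
}

// An issue shows in the vendor portal only in the vendor-facing states and only when the
// "visible in vendor portal" checkbox is set; New and Analyze stay internal.
function issueVisibleToVendor(issue) {
  var vendorStates = ['Submitted to Vendor', 'Finalize with Vendor']; // assumption: later states are internal review
  return issue.visibleInPortal === true && vendorStates.indexOf(issue.state) !== -1;
}

// Returning a questionnaire moves the assessment back to Submitted to vendor and bumps the
// resubmit counter, which records how many times the assessment was returned.
function returnToVendor(assessment) {
  var check = canTransition('assessment', assessment, 'Submitted to vendor');
  if (!check.ok) throw new Error(check.reason);
  return { state: 'Submitted to vendor', resubmitCount: (assessment.resubmitCount || 0) + 1 };
}
```

Encoding the tables this way also documents the one-way nature of Closed and Closed Complete: nothing transitions out of them, so a script that tries to reopen a closed issue fails the check instead of corrupting the record's history.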

 

Vendor risk process Workflows
    The Vendor assessment reminders workflow contains various reminders to vendors based on the due date of the questionnaire.
Events
    system policy ->Events -> Registry
    sn_vdr_risk_asmt_assessment table has events -> email notifications

 

    7 days prior to due date
    3 days prior to due date
    1 day after due date
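The reminder schedule above, as an added example (not the actual ServiceNow workflow), written as a pure function that decides which reminder event fires for a questionnaire on a given day. It compares calendar days in UTC so a questionnaire due at 17:00 still matches a reminder job that runs at 02:00 on the right day. The event names are constructed placeholders for events registered on sn_vdr_risk_asmt_assessment, and the rule that reminders stop once responses are received is an assumption consistent with the lifecycle in these notes.

```javascript
// Added example, not ServiceNow's code. Event names are constructed placeholders.
var REMINDER_OFFSETS_DAYS = [
  { daysBeforeDue: 7,  event: 'reminder.7_days_before' },
  { daysBeforeDue: 3,  event: 'reminder.3_days_before' },
  { daysBeforeDue: -1, event: 'reminder.1_day_overdue' } // negative = after the due date
];

// Whole-day difference between two dates, ignoring time of day (UTC calendar days).
function daysUntilDue(dueDate, today) {
  var d = Date.UTC(dueDate.getUTCFullYear(), dueDate.getUTCMonth(), dueDate.getUTCDate());
  var t = Date.UTC(today.getUTCFullYear(), today.getUTCMonth(), today.getUTCDate());
  return Math.round((d - t) / 86400000);
}

// Returns the event name to fire today, or null when no reminder is due. Only assessments
// still waiting on the vendor (Submitted to vendor) get reminders (assumption).
function reminderEventFor(assessment, today) {
  if (assessment.state !== 'Submitted to vendor') return null;
  var days = daysUntilDue(assessment.dueDate, today);
  for (var i = 0; i < REMINDER_OFFSETS_DAYS.length; i++) {
    if (REMINDER_OFFSETS_DAYS[i].daysBeforeDue === days) return REMINDER_OFFSETS_DAYS[i].event;
  }
  return null;
}
```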

 

**Vendor portal configuration
    contact configuration
 system property = sn_vdr_risk_asmt.vendor_portal_endpoint = svdp
 vendor portal and sso
    /vdp => bypass sso by default to true
    /svdp => bypass sso by default to false
    page svdp_login {bypass_sso = true}

 

 Manage vendor contacts
    primary contact can create additional contacts for assessments or for particular assessments
                    can create additional contacts and view their profiles
    Menu options -> Manage team, Tour
    Assign vendor contacts
        once an assessment and/or document request is submitted to the vendor, the primary contact can
            invite others to collaborate
            assign to another contact entirely
        contacts can't be assigned after the assessment has already been submitted
   
    vendor contact support process
        when a vendor is proposed they are assigned to a dept; that dept is responsible for maintaining the contacts
        on a regular frequency; if we receive a bounced email, update the primary contact

 


 

**Application relationships
ServiceNow Governance, Risk, and Compliance (GRC) helps transform inefficient processes across the extended enterprise into an integrated risk program.
Through continuous monitoring and automation, the GRC applications deliver a real time view of compliance and risk, improve decision making,
and increase performance across the organization and with vendors.

 

Primary applications in GRC
    policy and compliance
        Ex : PCI
    Risk
   
    Common entity type from the VRM perspective is vendor
    control -> passwords
Scoping an organization
    entity types * control objective -> entity (control) -> control attestation
    entity types * risk statement -> entity (control) -> risk assessment
    Real Time Metrics

 

    Vendor Risk Management integrates with the Policy and Compliance and Risk applications in ServiceNow to provide real time metrics
    which affect an organization’s risk and compliance posture.
question (assessment metric) -> control objective -> control
    vendor response  -> control status will be compliant / non compliant

 

vendor risk assessment state dependency
    control status is automatically updated after VRA state moved to finalizing with vendor or Closed
        adjust risk values
            calculated ALE
            calculated score
        control -> registered risk (classic risk assessment process)
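As an added example (not ServiceNow's GRC integration code) of the question -> control objective -> control chain and the state dependency just noted, the block below derives a per-control compliance status from a vendor's answers and refuses to do so until the VRA is in Finalizing with vendor or Closed, so the caller leaves the existing control status untouched before then. The question IDs, control objectives and answers are constructed; the "passwords" control is the one named in these notes.

```javascript
// Added example, not ServiceNow's code. Mapping and answers are constructed.

// assessment metric (question) -> control objective; several questions may back one objective.
var QUESTION_TO_OBJECTIVE = {
  'Q-PWD-1':   'CO-PASSWORDS', // "Do you enforce a password policy?"
  'Q-PWD-2':   'CO-PASSWORDS', // "Is MFA required for administrative access?"
  'Q-PATCH-1': 'CO-PATCHING'   // "Are critical patches applied within 30 days?"
};

// Correct (compliant) answer per question; any other answer is non-compliant.
var CORRECT_ANSWER = { 'Q-PWD-1': 'Yes', 'Q-PWD-2': 'Yes', 'Q-PATCH-1': 'Yes' };

// Control status is only recalculated once the VRA reaches these states.
var STATES_THAT_UPDATE_CONTROLS = ['Finalizing with vendor', 'Closed'];

// Combine two per-question statuses into one control objective status: any non-compliant
// answer makes the control non-compliant; otherwise an unanswered question leaves it
// not_assessed; only all-compliant answers make it compliant.
function combineStatus(prev, next) {
  if (!prev) return next;
  if (prev === 'non_compliant' || next === 'non_compliant') return 'non_compliant';
  if (prev === 'not_assessed' || next === 'not_assessed') return 'not_assessed';
  return 'compliant';
}

// Given a VRA { state, responses: { questionId: answer } }, return { controlObjective: status }
// for this vendor's controls, or null when the state does not yet permit an update.
function controlStatusesFromAssessment(vra) {
  if (STATES_THAT_UPDATE_CONTROLS.indexOf(vra.state) === -1) return null;
  var result = {};
  Object.keys(QUESTION_TO_OBJECTIVE).forEach(function (qid) {
    var objective = QUESTION_TO_OBJECTIVE[qid];
    var answer = vra.responses[qid];
    var status;
    if (answer === undefined || answer === null || answer === '') status = 'not_assessed';
    else status = answer === CORRECT_ANSWER[qid] ? 'compliant' : 'non_compliant';
    result[objective] = combineStatus(result[objective], status);
  });
  return result;
}

// Constructed sample: vendor answered MFA "No" and left the patching question blank.
var SAMPLE_VRA = {
  state: 'Finalizing with vendor',
  responses: { 'Q-PWD-1': 'Yes', 'Q-PWD-2': 'No' }
};
```

With the sample, the passwords control ends up non-compliant because a single failed question is enough, while the patching control stays not_assessed rather than silently compliant; distinguishing the two is what lets the policy team see a gap in evidence instead of a clean control.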

 

Other application integration
    asset management
    vulnerability response
    SIR
    PPM
    CMDB
    Procurement
    Vendor manager workspace
    Contract Management

 

Control objective -> relate to assessment metric
    -> associate entity type
        -> controls for each Vendor
            -> vendor risk assessment questions
Analytics for assessor, risk manager, executive