VaranAwesomenow
08-15-2022 10:17 PM
Vendor Risk Management (VRM) is a very interesting application with a lot of benefits and functionality. In this blog and video series I unpack and provide a deep dive into all the features of VRM.
Notes
***************************
Risk tolerance can be determined by internal policy and guided by regulatory compliance obligations.
Six key capabilities for ServiceNow VRM
Vendor Portfolio
Vendor Tiering
Assessment management
Vendor Portal
Issues and Remediation
GRC Integration
Fictitious company : Varan Electric provides green energy in varan awesomeland.
Vendor Risk Management (VRM) is part of the ServiceNow Governance, Risk, and Compliance (GRC) portfolio.
Targeted at addressing the concerns that come with vendors.
Assessments are the most heavily focused area.
The vendor portal is a great feature that gives vendors the ability to answer assessments and remediate issues.
Benefits
Efficiencies through automation
Reduce risk exposure
response to high risk vendors
increase communication
leverage a unified platform
Ongoing Vendor assessment Process
Request process (outside scope of VRM app): A request comes to the risk management team
An initial tiering process is performed
An assessment that matches the vendor tier is chosen and is sent to the vendor
When the vendor responses are received, the risk analyst generates findings
Issues are shared with the vendor for confirmation and remediation
Based on the findings and status of those issues, the residual risk of the third-party is determined and reported
The third-party is monitored
The assessment process repeats periodically
Retire process (outside scope of VRM app): The process continues until the company no longer does business with the third-party
Tiering -> references the internal process: who the vendor is and what they are going to be doing for us.
Vendor Risk overview Dashboard
******************************
VRA -> unique occurrences of (copy of document + questionnaire template) for a vendor
Reputation
security
Network security
patching cadence
Hacking chatter
3rd party vendor score
TransUnion
Equifax -> Interos
Experian
GRC Integration
VRM
Control specific to a vendor -> makes the vendor compliant or non-compliant
Policy and compliance management
Control for vendor
Risk management
Risk for vendor
Primary contact -> Sriti
Vendor risk assessor -> JanyaSau
Impersonate VR assessor
Look at vendors find a vendor called Varan Electric
Look for Vendor contacts in related lists
Look for vendor assessments -> Filtered out submitted to vendor
Look for a VRA record
questionnaire
document request
Impersonate as primary contact (vm_vdr_contact) (snc_external, vendor_contact)
Vendor level
Engagement level
complete assessment
Vendor assessment (sn_vdr_risk_asmt_assessment)
Draft
Response received
questionnaire
document
100% complete
Verify vendor response
Include when creating an issue / follow up
Comment back to vendor
Internal Comment
Questionnaire -> Reviewer comments -> Create an issue / return to vendor / export responses
Returned in red color
Issue state -> New
Primary contact
Vendor portal
Questionnaire -> Returned
Make changes and exit -> Resubmit Assessment
Issue not sent to contact since its in New
Issue states -> New, Analyze, Submitted to vendor (appears in portal), Response received
Recommendation -> Drop down, explanation
Issue -> question related
Resolve issue.
Show follow ups , show unanswered questions
Document request
Response received
Generating observations
Finalizing with Vendor
Closed
Risk rating Calculation
Triggered by vendor tier
Modules
Vendor portfolio
Submission Rules and Admin
Assessments
Issues and tasks
Assessment and tiering Setup
3rd party provider
Vendor management workspace
Vendor risk overview
vendors
engagements
quick actions
vendor population overview
VRM architecture
Internal vendor portal External
Assessment template -> vendor record -> vendor contacts (for assessments or engagements) vendor
assessment instance or engagements child vendor
GRC -> Risk, audit, compliance Response
Issues/ tasks
ServiceNow store releases
Released outside family releases
Release Notes
New
Added support for third-party scores to roll up in risk rating calculation.
Fixed
Inaccurate message sometimes seen on Vendor Risk Assessment page due to missing Advanced Risk plugin.
Missing translations in Risk Assessment Designer.
Improved translation support throughout application.
Risk area field and mapping fields could not be changed for single domain third-party provider services after it has been created.
Improved performance of saving Fourth-Party Questionnaires in the Vendor Portal.
When Vendor Risk Assessment is deleted, the issues and tasks are moved to a closed cancelled state.
Removed the incorrect role condition on Business Rule "Copy vendor tiering to engagement", as it was too restrictive.
Frequently backwards compatible with prior releases
Store release version numbers
GRC : P&C 12.0.1 (15.0.1)
GRC : Risk 15.0.2
When instance is upgraded we get MVP for store releases
14.1.3 San Diego, Rome, Quebec Major Release Mar 23, 2022
New
4th-Party Management feature
Fixed
An issue where some names caused ESignatures to fail was fixed
Minor WCAG 2.1 fixes
Removed
VRM is scoped application
sn_vdr_risk_asmt
Updatesets, add to updateset utility to capture data in an updateset.
Components of risk management
Don't customize base script includes
Vendor assessment portal
vendor management workspace
sys_metadata
Script includes -> if the name contains Base, don't modify it
Internal roles (snc_internal) and external roles (snc_external)
vendor risk primary contact(s) -> snc_external is auto assigned to vendor contacts
department
vendor risk manager (configure)
assessor (bulk of work)
reviewer ()
sn_vdr_risk_asmt.vendor_risk_manager
sn_vdr_risk_asmt.vendor_assessor
sn_vdr_risk_asmt.vendor_assessment_reviewer
when you activate Vendor risk application
snc_internal gets assigned to all internal users
recap
key capabilities, key concepts, roles,navigation
Core configuration
Vendor portfolio is key for VRM
Core_company table
list view (vendor risk view)
form view (vendor risk view)
Vendor checkbox
New fields that may need to be added as part of GRC VRM
VAT registration, Supplier ID, Tax payer ID, Account payable ID, Sponsoring department, date of first contract, geo service area, date company established,
reason for using vendor
Loading vendors
Integration, file based load, manual creation
Clean Data
Field normalization Rules (no code)
Data import or data source transform (low code)
Fix scripts (pro code)
Vendor overview page
Vendor summary
risk rating based on components
risk rating based on risk areas
Rank Tier
Strategic partner, valued partner, tactical partner, excluded partner, other
Vendor tier
Very low, low, moderate, high, very high
Vendor risk rating
Vendor hierarchy
Subsidiaries
parent / child relationship feature -> the RM can engage with different subsidiaries of a particular vendor and needs to tier and assess each subsidiary
Rollup of risk ratings gives full visibility into how a vendor company is performing across its many branches
Assigning products or services with engagements
Vendor engagements
Contacts, Remediation, Business services, Tiering assessments, assessments, issues and tasks.
Vendor hierarchy
includes engagements (crude oil, scrum methodology consulting) as well as child vendor records
Custom fields
supplier id, tax payer id, vat registration number
Field normalization -> change scope to Global so core_company table is available in table list.
Field normalization or script
Vendor contact configuration
Primary vendor contacts can view all assessments and create vendor contacts
vm_vdr_contact extends sys_user
form view (vendor risk view)
list view (vendor risk view)
choice list changes
roles list, titles
potential new fields
manager and manager contact info
populate vendor contacts
Integration, file based load, manual creation
Setup single primary contact for vendor and Primary vendor contacts can view all assessments and create vendor contacts
Vendor contact list view
group by on vendor
primary vs non-primary vendor Contacts
snc_external gets assigned to all contacts
Primary vendor contact can setup other additional primaries or non primary contacts
primary vendor contact vs primary engagement contact
manage team -> invite contact -> first name, last name, email, primary contact (checkbox)
user id becomes email address
Engagement contacts for engagement
primary contact can add any contact to engagement as engagement contact
Vendor contact and license?
The application is licensed based on the number of vendors being licensed; it doesn't matter how many contacts there are for a vendor.
What if a vendor supports many products or services?
Engagements are used to manage this.
**Vendor tiering assessment
the vendor risk manager or vendor risk assessor sets up a vendor tiering assessment by matching a tiering questionnaire template to the vendor and assigning
internal assessors to complete the tiering assessment questionnaire
score is calculated based on average
different sections of assessment are assigned to users
internal assessors complete assessment.
Tiering assessments
my open
all open
all tiering
Tiering questionnaire, vendor tiering scale, assessment instance
States : Draft, awaiting response, tiering assignment, closed
awaiting response -> until all assessors have submitted their response
Setting up vendor tiering assessment
tiering questionnaire template (asmt_metric_type) + vendor (core_company) + internal user (sys_user) = sn_vdr_risk_asmt_vdr_tiering_assessment
Metric category -> role
section in assessment is controlled by role
if no role is assigned everyone can see.
Tier-Based assessment submission Rules
Module -> assessment submission rules
Tier-Based assessment submission Rules
Auto submit to vendor -> if the tier changes it will create an assessment instance and submit it to the vendor if there is a primary contact;
if there is no primary contact there will be an error
alerts -> questionnaire / document request not associated to any risk scoring rules
Only active questionnaire / document request have been added to assessment
**External monitoring vendor scoring configuration
vendor -> Vendor tier, risk scoring -> external risk rating
Setup
Find Store app -> vendor risk
Bitsight, upguard, recorded future, security scorecard
Need subscription with scoring company
3rd party setup
Role : vendor manager
create 3rd party provider record
3rd party services record (reputational or security)
ability for submission rule (optional)
Module -> 3rd party provider setup
3rd party services record -> score type, risk area, mapping section
when the 3rd party does their scoring it will go into the 3rd party score table (sn_vdr_asmt_security_score) -> provider based
normalized score -> multiple 3rd parties may score differently (mapping in services does normalization)
***Assessment configuration
VRA created based on templates which define questionnaire, doc requests and frequency of assessment
Why -> capture information to assess risk
How -> created by risk managers, reusable questionnaires, can be created from a vendor record or all VRM list view
Benefits -> open line of comms, consistency in assessing vendors
Template designer overview
Questions / categories from question bank.
designer canvas
controls palette
Module : Assessment -> Metric Definition -> Templates
To add a template inside the template designer, add a control of type template and select the template.
Option to weight questions or sections is not available in the template designer.
vendor risk manager may add a new category from question bank or individual question into a questionnaire or document request
Load questionnaire template using excel import method
Global tables
Assessment metric type (asmt_metric_type), related lists ( assessment categories -> asmt_metric_category), assessment metrics (individual questions) asmt_metric,
assessment metric definition(asmt_metric_definition)
records in questionnaire template and document request template modules are derived from Assessment metric type table
condition is not one of document request template / tiering questionnaire template
Hierarchical lists
Weight of questions is in the assessment metric; weights can't be changed in the designer, they need to be changed from the platform record.
Some question types can be scored and some cannot; a correct answer can be provided
The data types for assessments show which ones can be scored and which cannot.
Assessment templates -> sn_vdr_risk_asmt_template
Questionnaire template -> datatype is attachment
Module -> Assessment setup
Document request template designer -> New document request template
only the "do you have document" question is used for scoring; the others are not scored.
tables :
asmt_metric_type -> sn_vdr_risk_asmet_m2m_asmt_template_questionnaire_template
-> sn_vdr_risk_asmet_m2m_asmt_doc_questionnaire_template
vendor risk assessment
sn_vdr_risk_asmt_assessment
Related list for questionnaire request instance
sn_vdr_risk_asmet_m2m_asmt_doc_questionnaire_template
Related list for doc request instance
sn_vdr_risk_asmt_m2m_asmt_doc_req
Create vendor risk assessment
1. Manual submission
2. Vendor Tiering (None, minor, low, Mod, High, Critical)
3. 3rd party scoring
Risk manager role is needed to create a template
risk assessor can assign a template to a vendor to create VRA
Vendor -> assessment -> New
If template is not used, then select questionnaire and or document request
Assessments -> All open assessments -> New
Vendor tier submission
vendor tiering assessment -> tiering assessment -> vendor tier
tier-based assessment submission rules -> vendor -> vendor tier -> assessment template -> auto submit to vendor
vendor risk assessment -> assessment template (if there is a primary contact)
3rd party score
Bitsight -1000, security scorecard - 600
provider-based submission rules -> score provider -> vendor -> security score -> vendor tier -> assessment template -> auto-submit to vendor
vendor risk assessment -> assessment template (if there is a primary contact)
**Risk scoring rule
scoring components for vendor risk rating
assessments assigned directly to vendor
risk rating on the assessment
external monitoring
3rd party score normalized rating
child vendors
risk rating on child vendor
engagements
risk rating on engagement
engagement risk scoring rule
Risk rating fields
risk rating on vendor
risk rating on VRA
questionnaire risk rating
document request risk rating
risk rating on engagement
calculations
question level
metric scale high: question rating = (value - minValue) / (maxValue - minValue)
metric scale low: question rating = 1 - (value - minValue) / (maxValue - minValue)
question percentage contribution = question weight / sum of all question weights within category
category level
question normalized value = 100 * question rating * question percentage contribution
category rating = sum of all question normalized values within category
category normalized value = category rating * (category weight / sum of all category weights)
assessment level
questionnaire quantitative score = sum of all category normalized values
assessment rating = AVG((questionnaire + doc request for risk area) * weight assigned to risk area + (questionnaire + doc request for another risk area) * weight assigned to that risk area) / sum of weights
If there are 18 categories with the same weight, then with all correct answers the normalized value of each category is 100/18 = 5.56
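The rating arithmetic from the notes above, carried through in code as an added worked example (this is not ServiceNow's scoring engine). The function names, the constructed sample answers, the scale directions and the weights are assumptions, and reading the AVG formula as a weighted mean over risk areas is my interpretation.

```python
# Added worked example of the rating arithmetic in the notes above; this is
# illustrative code, not ServiceNow's scoring engine. Function names, sample
# answers, scale directions and weights are all assumptions made here.
from statistics import mean

def question_rating(value, min_value, max_value, scale="high"):
    """Question level: a 'high' metric scale keeps the fraction, 'low' inverts it."""
    fraction = (value - min_value) / (max_value - min_value)
    return fraction if scale == "high" else 1.0 - fraction

def category_rating(questions):
    """Category level: sum of 100 * rating * (weight / sum of weights in the category).
    questions is a list of (value, min_value, max_value, scale, weight)."""
    total_weight = sum(q[4] for q in questions)
    return sum(100.0 * question_rating(v, lo, hi, s) * (w / total_weight)
               for v, lo, hi, s, w in questions)

def category_normalized_values(categories):
    """Each category rating scaled by category weight / sum of category weights.
    categories is a list of (questions, category_weight)."""
    total_weight = sum(w for _, w in categories)
    return [category_rating(qs) * (w / total_weight) for qs, w in categories]

def questionnaire_score(categories):
    """Assessment level: quantitative score = sum of the category normalized values."""
    return sum(category_normalized_values(categories))

def assessment_rating(risk_areas):
    """Weighted average across risk areas, reading the notes' AVG formula as: mean of
    the questionnaire and document-request scores in an area, times the area weight,
    summed over areas and divided by the sum of weights. risk_areas is a list of
    (scores, weight)."""
    total_weight = sum(w for _, w in risk_areas)
    return sum(mean(scores) * w for scores, w in risk_areas) / total_weight

def vendor_risk_rating(components):
    """Vendor level: the notes' default scoring method 'average' with a weight per
    component (engagements, external monitoring, subsidiaries, VRAs; default 100).
    components is a list of (rating, weight)."""
    total_weight = sum(w for _, w in components)
    return sum(r * w for r, w in components) / total_weight

def all_correct_contribution(n_categories):
    """Check from the notes: n equal-weight categories, all answered correctly, give
    every category a normalized value of 100 / n (5.56 for 18 categories)."""
    perfect = [([(5, 1, 5, "high", 1)], 1)] * n_categories
    return category_normalized_values(perfect)[0]

if __name__ == "__main__":
    # Constructed sample: two categories mixing high- and low-scale questions.
    security = ([(5, 1, 5, "high", 2),   # best answer on a 1..5 high scale
                 (4, 1, 5, "low", 1)],   # low scale: a high raw value counts against
                40)                       # category weight
    financial = ([(3, 1, 5, "high", 1)], 60)
    q_score = questionnaire_score([security, financial])                # 60.0
    print(f"questionnaire score: {q_score:.2f}")
    print(f"18 equal categories, all correct: {all_correct_contribution(18):.2f}")
    rating = assessment_rating([([q_score, 80.0], 40), ([50.0], 60)])  # 58.0
    print(f"assessment rating: {rating:.2f}")
    print(f"vendor risk rating: {vendor_risk_rating([(rating, 100), (70.0, 100)]):.2f}")
```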
Vendor risk rating - breakdown
risk rating
risk area breakdown
risk rating component breakdown
resiliency risk
financial risk
security risk
Vendor risk scoring rules
vendor risk area criteria
vendor risk component criteria
scoring setup
component definition
engagement
external monitoring
subsidiaries
vendor risk assessments
default scoring method
average risk
default weight
100 (same)
component criteria
all vendor criteria
has association to components
scoring method = average
weight (can be different)
default
scoring method = average
weight = 100 ( from vendor risk assessment)
Risk area definition
vendor risk area definition = Financial
assessment metric type = vendor risk area (Financial risk)
Risk area criteria - examples
Raw materials criteria
risk area scoring method weight
health avg 40
labor min 40
IT Vendor criteria
Consulting partner criteria
Strategic partner criteria
Company record
Rank Tier -> strategic partner
Risk area criteria -> strategic partner criteria
vendor risk scoring rule -> Strategic partner rule
Vendor risk assessment lifecycle
Draft = assessment is created
-> Submitted to vendor = assessment is available in vendor assessment portal
-> responses received = assessor can review results, return questionnaire to vendor
-> generating observations = assessor may begin generating observations such as creating Issues
-> Finalizing with vendor = outstanding issues and tasks are addressed with the vendor
-> closed = assessment is complete and risk evaluation is documented in the closed state
Resubmittal to vendor
return to vendor
return questionnaire -> give more time to complete
resubmit counter indicates how many times assessment is returned
platform assessment engine
questionnaire and document request template
identify calculations on assessment forms
**Vendor risk Issue configuration
Vendor risk life cycle = New -> Analyze -> Submitted to Vendor -> Finalize with Vendor -> Review -> Closed Complete
For internal use Submitted to Vendor -> Finalize with Vendor can be bypassed
Manual issue creation at question level
The vendor won't see the issue until its state is Submitted to Vendor
Explanation is mandatory field before submitting to vendor
visible in vendor portal is checkbox used to display issue in vendor portal
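An added illustrative model of the issue life cycle and vendor-portal visibility rules described above (not ServiceNow's implementation): the state names and the rules follow the notes, while the class, its method names and the internal flag are assumptions.

```python
# Added example modelling the vendor risk issue life cycle in the notes above; this is
# illustrative code, not ServiceNow's implementation. State names and the rules
# (mandatory explanation, bypass for internal issues, portal visibility) follow the
# notes; the class, method names and the 'internal' flag are assumptions.
ISSUE_STATES = ["New", "Analyze", "Submitted to Vendor", "Finalize with Vendor",
                "Review", "Closed Complete"]
MANDATORY_EXPLANATION = "Explanation is mandatory before submitting to vendor"

class VendorRiskIssue:
    def __init__(self, question, internal=False):
        self.question = question            # the assessment question the issue relates to
        self.internal = internal            # internal-use issue: vendor states can be bypassed
        self.state = "New"
        self.explanation = ""
        self.visible_in_vendor_portal = False
        self.submitted_to_vendor = False    # set once the issue has actually gone to the vendor

    def advance(self):
        """Move to the next state, enforcing the notes' rules; raises ValueError if blocked."""
        if self.state == "Closed Complete":
            raise ValueError("issue is already closed")
        nxt = ISSUE_STATES[ISSUE_STATES.index(self.state) + 1]
        if nxt == "Submitted to Vendor":
            if self.internal:
                nxt = "Review"              # skip Submitted to Vendor -> Finalize with Vendor
            elif not self.explanation.strip():
                raise ValueError(MANDATORY_EXPLANATION)
            else:
                self.submitted_to_vendor = True
        self.state = nxt
        return self.state

    def try_advance(self):
        """Non-raising variant: (True, new_state) or (False, reason)."""
        try:
            return True, self.advance()
        except ValueError as err:
            return False, str(err)

    def is_visible_to_vendor(self):
        """Vendor contacts only see an issue once it was submitted to the vendor and the
        'visible in vendor portal' checkbox is set; a New issue is never sent to the contact."""
        return self.submitted_to_vendor and self.visible_in_vendor_portal

if __name__ == "__main__":
    issue = VendorRiskIssue("Do you patch critical vulnerabilities within 30 days?")
    issue.advance()                                   # New -> Analyze
    print(issue.try_advance())                        # blocked: no explanation yet
    issue.explanation = "Vendor answered 'no'; patching cadence exceeds policy."
    issue.visible_in_vendor_portal = True
    print(issue.advance(), issue.is_visible_to_vendor())
    internal = VendorRiskIssue("Internal finding", internal=True)
    internal.advance()
    print(internal.advance(), internal.is_visible_to_vendor())
```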
Automated issue creation
vendor risk assessment
questionnaire
incorrect response
1. question
2. question
Issue generation rule
vendor risk assessment
questionnaire / document request template
questions
issue template
task template -> tasks
Vendor risk assessment
issue -> question
-> tasks
Module = Issues -> Issue generation rules
assessment setup -> Issue templates and task templates
Vendor issue remediation
vendor risk issue -> Create task
-> Accept issue
-> Request additional information
-> Vendor to remediate
Role : vendor risk manager or assessor
Vendor risk management workspace
Risk and Exception handling
Policy exception tab appears if GRC: Policy and compliance management is installed.
Table structure
task ->planned_task -> sn_grc_issue -> sn_vdr_risk_asmt_issue --> Issue to question (sn_vdr_asmt_m2m_issue)
vendor risk assessment (sn_vdr_risk_asmt_assessment), assessment instance (asmt_assessment_instance), Assessment Instance Question (asmt_assessment_instance_question)
Common requirements
1. new workflows
accept risk approval
issue review
standard task generation based on an action
new fields
specific to accepting a risk
Vendor risk task configuration
can be created from an issue, assessment or vendor record to bring an issue or assessment to a close
role :sn_vdr_risk_asmt.vendor_assessment_reviewer can create task from related list of an issue
role : sn_vdr_risk_asmt.vendor_assessor has option to create task from system navigator menu option
Life cycle
Open = risk tasks are created
-> submitted to vendor = vendor can see tasks in vendor portal
-> work in progress = work has begun
-> review = vendor risk team completes a final review and a final recommendation is made.
-> closed = task is updated and moved to closed status.
Table structure -> task -> planned_task -> sn_vdr_risk_asmt_task -> risk reviewer or above can raise task
-> core_company
-> sn_vdr_risk_asmt_assessment
-> sn_vdr_risk_asmt_issue
Vendor risk process Workflows
The vendor assessment reminders workflow contains various reminders to vendors based on the due date of the questionnaire.
Events
system policy ->Events -> Registry
sn_vdr_risk_asmt_assessment table has events -> email notifications
7 days prior to due date
3 days prior to due date
1 day after due date
**Vendor portal configuration
contact configuration
system property = sn_vdr_risk_asmt.vendor_portal_endpoint = svdp
vendor portal and sso
/vdp => bypass sso by default to true
/svdp => bypass sso by default to false
page svdp_login {bypass_sso = true}
Manage vendor contacts
primary contact can create additional contacts for assessments or for particular assessments
can create additional contacts and view their profiles
Menu options -> Manage team, Tour
Assign vendor contacts
once an assessment and/or document request is submitted to the vendor, the primary contact can
invite others to collaborate
assign to another contact entirely
contacts can't be assigned after the assessment has already been submitted
vendor contact support process
when a vendor is proposed they are assigned to a dept; that dept is responsible for maintaining the contacts
on a regular frequency, if we receive a bounced email, update the primary contact
Full load is complete
First incremental load, which covers data from Jul-22 to Aug-02, is getting loaded; we have completed parent and child loads
we will be loading install base item and characteristics tonight at 8 PM MT
From tomorrow we will continue to do daily incrementals
**Application relationships
ServiceNow Governance, Risk, and Compliance (GRC) helps transform inefficient processes across the extended enterprise into an integrated risk program.
Through continuous monitoring and automation, the GRC applications deliver a real time view of compliance and risk, improve decision making,
and increase performance across the organization and with vendors.
Primary applications in GRC
policy and compliance
Ex : PCI
Risk
Common entity type from the VRM perspective is vendor
control -> passwords
Scoping an organization
entity types * control objective -> entity (control) -> control attestation
entity types * risk statement -> entity (control) -> risk assessment
Real Time Metrics
Vendor Risk Management integrates with the Policy and Compliance and Risk applications in ServiceNow to provide real time metrics
which affect an organization’s risk and compliance posture.
question (assessment metric) -> control objective -> control
vendor response -> control status will be compliant / non compliant
vendor risk assessment state dependency
control status is automatically updated after VRA state moved to finalizing with vendor or Closed
adjust risk values
calculated ALE
calculated score
control -> registered risk (classic risk assessment process)
Other application integration
asset management
vulnerability response
SIR
PPM
CMDB
Procurement
Vendor manager workspace
Contract Management
Control objective -> relate to assessment metric
-> associate entity type
-> controls for each Vendor
-> vendor risk assessment questions
Analytics for assessor, risk manager, executive