
Your company probably uses a lot of third-party vendors - some provide IT or financial services, others deliver coffee supplies and food, while still others wash the windows and stock the restrooms. But not all of these vendors are the same in terms of risk.
Have you asked yourself:
- Which vendors have the potential to put our organization at risk for business disruption or any negative impact on our business performance?
- How do we evaluate and manage that risk? Can we automate that process?
- How do we collaborate with vendors to ensure their compliance with our requirements?
That's where Vendor Risk Management comes in!
In this installment of our NOWSupport best practices series, we run down the steps for getting started with Vendor Risk Management in your enterprise.
And don't miss our video below for more details, and to see product demos showing you how to:
- Create automated submission rules
- Collaborate with vendors via the Vendor Portal
What is Vendor Risk Management?
Vendor Risk Management is an application within the Governance, Risk, and Compliance (GRC) suite on the Now Platform®. This application provides a centralized process to continuously monitor, detect, assess, mitigate, and remediate risks in your vendor ecosystem.
How do I get started with Vendor Risk Management?
- Subscribe to Vendor Risk Management. Starting with the Madrid release, you can request Vendor Risk Management from the ServiceNow Store. If your instance is on a release prior to Madrid, activate the GRC: Vendor Risk Management plugin (com.sn_vdr_risk_asmt).
- Set up your vendor portfolio by importing vendors from an Excel spreadsheet or from your vendor table, or via an integration with a third-party onboarding system.
- Determine vendor risk via vendor tiering scores. This is a multi-step process, which takes into account internal assessments, input from external third-party security scores, and input from vendors themselves.
  - Assign Vendor Tier Risk Assessments to internal stakeholders. The average score provides an initial vendor tier.
  - Monitor third-party security scores. Based on this input, you may decide to manually adjust a vendor's tier, or you can set up automated security score rules to automatically send out new risk assessments when security performance changes are detected.
  - Assign risk assessments to the primary vendor contact. These assessments can be scheduled to be sent on-demand, on a regular basis or automatically when a vendor's risk score or vendor tier changes.
- Generate issues and remediate them using the Vendor Portal. Assessments are delivered in the Vendor Portal, allowing vendors and risk assessors to collaborate on and resolve issues identified as gaps in a vendor's compliance.
For more information
Vendor Risk Management (product documentation)
--
Behind the scenes here at ServiceNow, the Knowledge Management and Multimedia teams work closely with subject matter experts to deliver critical information to our customers. We’ve found that certain topics come up frequently, in the form of best practices that can help you keep your ServiceNow instances running smoothly. This series targets those topics so that you and your organization can benefit from our collective expertise. If you have a best practices topic you'd like us to cover in this series, please let us know in the comments below.
To access all the blog posts in this series, see our NOWSupport best practices series list.