Risk Scoring Recommendations (Third-party Risk Management)

AK54
Tera Contributor

ServiceNow TPRM provides configuration options for setting up risk rating scales and scoring. 

1. What are the implications if the risk rating scale and scoring are not set up at all?

2. How would you define third-party risk area criteria (mandatory for risk scoring rules) if you don't have third-party types and you only want to use assessment results as a component for risk scoring?


kevinluo
ServiceNow Employee

1. Out of the box, the third-party risk assessment has a set of default risk rating scales and a default scoring rule. If you don't set up your own scales and/or rules, the default ones are used for risk calculations. The default risk rating scales take risk scores between 0 and 100 and map them to 1 - Very High through 5 - Very Low. The default scoring rule only takes the "default risk criteria" and "default component criteria" into account, and the default component criteria only takes the third-party risk assessment results into the calculation.


2. If you don't want to define your own third-party risk area criteria, the default risk area criteria is used; when you design your questionnaire templates, please ensure you only use the "default" risk area.

If you only want to use assessment results as a component for risk scoring, you should be fine with the out-of-the-box setting (refer to point 1 above).


I hope this answers your questions.
Kevin Luo