ServiceNow – VRM vs TPRM Licensing Structure (Overview, no pricing)

Background
-----------
ServiceNow’s **Vendor Risk Management (VRM)** module has been replaced by **Third‑Party Risk Management (TPRM)** as of the latest Integrated Risk Management (IRM) suite releases. Both are licensed as part of the **IRM family**, but their licensing logic evolved over time.

---

1️⃣ VRM (Legacy)
----------------
VRM followed the **standard IRM / GRC licensing model**, *not* the transaction‑based model.
- **License types:**
- **VRM Fulfiller (GRC/IRM Fulfiller)** — required for internal users who create, manage, or assess vendor risk activities.
- **VRM Business Stakeholder (Respondent)** — extended role for vendors or business users who respond to assessments or attestations.
- **When the license applies:**
- Fulfiller license: internal risk/compliance staff who configure VRM, issue questionnaires, perform scoring, or review vendor responses.
- Business stakeholder license: external vendors or business contacts using the Vendor Portal / Assessment Portal to complete questionnaires, upload evidence, or attest to controls.
- **Underlying logic:** same as ITSM — counted per named user with assigned roles. No “transaction‑based” model existed in VRM.

---

2️⃣ TPRM (Current model)
------------------------
TPRM introduced a **transaction‑based licensing** model under IRM.
This model aligns cost with actual third‑party interactions rather than named users.

- **Core concept: “Transaction”**
- A *transaction* represents a full assessment or engagement cycle with a third party (e.g., vendor, supplier, partner) during a contract or review period.
- Each third‑party engagement processed through TPRM consumes 1 transaction credit (subject to your contract terms).
- **Who can use TPRM under this model**
- Internal users (risk/compliance staff) — covered by your IRM Fulfiller entitlements.
- External vendors (respondents) — do **not** consume named licenses; they’re covered through transactions.
- System/automation users — included in base IRM entitlements.

---

3️⃣ Key differences between VRM and TPRM licensing
--------------------------------------------------
| Aspect | VRM (Legacy) | TPRM (Current) |
|---------|--------------|----------------|
| Licensing basis | Named user (fulfiller + stakeholder) | Transaction-based |
| Vendor participation | Each vendor respondent needed access (business stakeholder license) | Vendor responses included per transaction, no per‑user license |
| Consumption model | Per user / role | Per transaction (per vendor engagement) |
| Internal fulfiller roles | GRC/IRM fulfiller license | IRM fulfiller license (shared across IRM apps) |
| External respondents | Business stakeholder license | Covered by transaction pool |
| Counting logic | Role-based | Assessment / lifecycle-based |
| Alignment | ITSM-style | Modern IRM suite alignment |

---

4️⃣ When licenses “come into picture”
-------------------------------------
**For VRM (legacy):**
- When an internal user (fulfiller) creates or manages vendor assessments → requires Fulfiller license.
- When an external vendor accesses the assessment via Vendor Portal → consumes Business Stakeholder license.
- Business Stakeholder license was typically bundled or limited by count per subscription.

**For TPRM (new):**
- When a vendor assessment is initiated (new engagement or periodic review) → consumes one transaction.
- Multiple vendor users responding to the same assessment do *not* increase license count.
- Internal staff using IRM fulfillers continue to require fulfiller licenses.

---

5️⃣ Migration and co‑existence
------------------------------
- VRM licenses are honored only in instances still running the legacy VRM plugin (pre‑TPRM).
- When migrating to TPRM, existing fulfillers remain covered under IRM fulfiller licensing.
- Vendors/third parties no longer require Business Stakeholder licenses—transactions cover them.
- Old VRM “assessment respondents” user roles (`sn_vrm.vendor_user`) become obsolete.

---

6️⃣ Summary
-----------
| Category | VRM | TPRM |
|-----------|-----|------|
| Model | Named user (Fulfiller + Stakeholder) | Transaction‑based |
| Internal users | IRM/VRM Fulfiller license | IRM Fulfiller license |
| External vendors | Business Stakeholder license | Covered via transaction |
| Trigger event | Creating/responding to vendor assessments | Initiating vendor engagement |
| Typical scope | Vendor assessments & questionnaires | Full lifecycle of third‑party risk and performance |

---

TL;DR
------
- **VRM** used the classic named‑user licensing (like ITSM): fulfillers and business stakeholders.
- **TPRM** replaces that with a **transaction‑based model**, where each third‑party engagement (assessment) consumes one transaction, and vendors no longer need individual licenses.
- Internal risk/compliance users continue to require **IRM fulfiller** licenses.

This structure helps organizations scale TPRM without managing hundreds of external vendor user licenses.