Lisa Latour
Administrator

Read the Q&A below from this on-demand webinar...

Break free from your inefficient vendor risk management processes

If you're not managing your vendor risk as part of your risk and security policy, it should be top of your list. If you do have a process in place, how efficient is it? How many emails, phone calls, and spreadsheets does it involve? Are you able to assess all the vendors you'd like?

Join GRC expert Cliff Huntington and Lucky Johnson, Solution Consultant Security and Risk, as they present the transformative aspects of ServiceNow Vendor Risk Management. Whether you're investigating vendor risk solutions or already a victim of cumbersome manual processes or rudimentary tools, we can show you a better way.

Please Register to Watch on Demand


Discover how you can:  

  • Gain visibility for you and your vendors, even between assessments
  • Easily prioritize risks and drive them to closure, without hundreds of emails
  • Replace unstructured work patterns with intelligent workflows, so you have time to assess the vendors you should


Q.   Can we see ServiceNow using blockchain technology for vendor risk management in future?

A.   Blockchain is a promising technology whose use is being explored in various areas of ServiceNow, including Security Operations. We may consider adoption in the future if it lends itself well to addressing essential problems our customers are trying to address with vendor risk.

Q.   What are the currently available KPIs in the VRM module?

A. We don't currently provide KPIs with the vendor risk application.

Q.   We track our apps and vendors in the Business Applications table in SN. Does Vendor Portfolio import or make use of that?  

A.   We don't make use of the business applications table out of the box, but it may be configured to. The current VRM app doesn't support application assessments.

Q.   Is the Assessment Management based on business portfolio?

A.   Assessment management allows you to create assessments either by developing your own template or by using a standard template like the SIG.

Q.   Is there any interaction between Vendor Risk Management and CMDB? For example, would we be able to identify applications at risk based on a vendor service outage?  

A.   Yes, we use the CMDB to assess the impact of a vendor or application. You can associate applications with vendors and use indicators to alert you of events such as service outages that would affect compliance or risk of a vendor or application.

Q.   Would internal assessment templates just be used for vendors? I.e., an application assessment is an application assessment whether internal or external. So if we don't buy the 3rd party module we can still get 3rd party assessment results into our database for reporting.  

A.   You would still be able to do assessments, but you wouldn't have the vendor portal to facilitate communication or collaboration on assessments. Your vendor wouldn't be able to upload standardized questionnaires like the SIG, and you wouldn't be able to track progress on the assessments you send out.

Q.   What type of licensing is needed for the vendor portal?

A.   You can load an unlimited number of vendors into your catalog and you can have an unlimited number of users touching the application - it is licensed by the number of assessed vendors. So as your program scales and grows and you get value from our product, we share in that prosperity with you. We worked very hard to align the licensing model with the value curve clients will see from this product.

Q.   Can Vendor Risk Management stand-alone if we don't have GRC installed?  

A.   You do not need to buy the other GRC applications to use Vendor Risk; however, there are some benefits. Policy & Compliance allows you to trace questions in a vendor questionnaire back to the authority document, and Risk Management allows you to roll vendor risk into your overall enterprise risk score.

Q.   Is there any integration between the vendor portal & procurement module?

A.   There absolutely can be integrations between procurement systems and Vendor Risk. If you're talking about integration between the ServiceNow Procurement module and Vendor - all information on the ServiceNow platform can be referenced across the entire platform.

Q.   The solution we use today has a custom questionnaire that we have created that is used to assess a potential new vendor. It gives us an initial risk score on the security of the app. Would your solution be able to provide that?

A.   Yes, we would add your questionnaire into the questionnaire catalog via the questionnaire builder (configuration not customization).

Q.   Why are the same vendor checklist results being received from multiple customers of yours, and are you considering "sharing" common vendor assessment results across your customer base? This would pertain to basic vendor assessment templates/questions; customizations your customers add/change to the basic template would not apply/be provided. This vendor results sharing is occurring with vendors Prevalent, etc. You could make more money signing up vendors to place their risk assessment data on the SvcNow portal; would save them money too.

A.   This is a good observation/suggestion. For preliminary vendor evaluations, the approach outlined above makes sense. We have some ideas we are evaluating to facilitate "outbound" assessments, and we hope to add capabilities such as the one described above in future releases.

Q.   How will multiple vendors with different specializations be assessed?

A. Any number of vendors with any number of specializations can be addressed via the catalog and the portal. Types of assessments and types of vendors are not limited in any way.

Q.   Just to clarify... do SN users have access to the full Shared Assessments SIG? We would not need to obtain a separate license from Shared Assessments?

A.   If you purchase Vendor Risk from ServiceNow you have access to the latest SIG content built into our offering.

Q.   Does SNow provide the assessments (questionnaires) out of the box?  

A.   Yes, all the questionnaires you'll see are the SIG content provided OOB. Not only do we provide this content, but keep an eye on the demo for when Lucky shows where your vendors can UPLOAD a completed XLS SIG - even an older version. It's a huge time saver.

Q.   Are future versions of the SIG included with the vendor management module?  

A.   The license for Vendor Risk includes the license for the SIG. As the SIG is updated, we (and you) will have access to the most current version.

Q.   Are vendors able to keep a copy of the SIG questionnaire?

A.   Yes, vendors can keep a copy of the SIG. Many of your vendors will already have one filled out - but if they don't, they can keep their filled-out XLS for reference. Obviously, as long as they are your vendor they'll have a full historical audit trail within the portal as well.

Q.   What templates exist for PCI? Especially for Level 2 Merchant internal assessments.  

A.   We integrate with the UCF, which includes many PCI standards.

Q.   Is the vendor responsible for removing people from their account if they are no longer employed by that company?  

A.   Making the vendor responsible for removing people from their account is optional. Obviously you'd want vendors to do this for you, but should they EVER not be adding / removing people as you see fit, you can override who does and does not have access to the portal.

Q.   Can issues with the vendor be created automatically from INCs, or does it require manual intervention?  

A.   Yes, if you set up a workflow that says to automatically generate an issue if a condition is not met or an indicator comes back non-compliant, then an issue will automatically be generated and assigned to the vendor. It will automatically pop up in the vendor portal, and then you and your vendor can begin collaborating on it. That type of automation is what really delivers big time savings.

Q.   OK, guess the customer can also create his own questionnaires? Or modify existing ones?

A.   There is no limit on the number or variety / type of questionnaires a customer can create.

Q.   Are the Vendors listed in the VR module being shown right now from the Vendor Table? We currently use the Contract management Module and have populated the Vendor table in depth.  

A.   Hi, we can import vendors into the vendor risk catalog from the vendor table - if you've got that populated, we can bring it all in.

Q.   Remind me of the cost of adding this module to our Jakarta, which we are moving to by EOY (I think).

A.   Cost will vary based on size and scope of your program. We can get your account rep involved to pull some pricing together for you by EOY!

Q.   Is there conditionality functionality on the assessments? In other words an assessment that drives other risk assessments?  

A.   Yes, you can configure the ability to have an assessment drive other risk assessments.

Q.   If a vendor is a vendor for more than one ServiceNow customer, can they simplify their workflow by giving access to multiple customers?  

A.   At this time the vendor portal is accessible by one customer; it can't be shared across customers.

Q.   What is the license model, are the questionnaires such as SIG Full/Light, Cloud Security etc included?  

A.   The SIG is included in the license price of the Vendor Risk application.

Q.   How are the business processes defined? Can they be fetched from another system?

A.   We can do business service mapping. It could be configured and then populated into the CMDB.

Q.   Can you modify the SIG questions? We have updated some of our SIG questions to make them clearer to read for our vendors.

A.   You can edit the SIG questionnaire if you desire.

Q.   Are the vendors required to have a SN license?  

A.   Your vendors do not need a ServiceNow license. You provide them with the URL to your vendor portal and they are good to go.

Q.   Can the vendor SPOC reassign the workflow to their internal team?

A.   In the vendor portal the vendor can assign specific questions or sections to any internal stakeholders. Any issues or tasks are tracked and also displayed in the vendor portal.

Q.   Can the vendor download an offline copy of the questionnaire and then upload the responses later?

A.   The vendor portal is the repository for all communications, questionnaires, issues, tasks, etc. If you have an older Excel file with the responses to a standardized questionnaire like the SIG, you can upload that. However, you can't download an offline copy of a questionnaire.

Q.   Can the vendor assign specific questions or sections within a single questionnaire to different people?

A.   Yes, the vendor can assign specific questions or sections to any internal stakeholders, then track any issues or tasks within the vendor portal.

Q.   What other templates are available? ISO 27001, PCI DSS, NIST?  

A.   We don't provide these specific templates, but you can easily add them if they are in an Excel spreadsheet, and we integrate with the UCF, which includes many different standards.

Q.   Does your tool address ongoing monitoring?

A.   Yes, we provide continuous monitoring using indicators and real-time dashboards.

Q.   Can you customize the questionnaires to answer multiple questions at once instead of sequentially?

A.   Hi, you currently can't answer multiple questions at once in a questionnaire.

Q.   Is your cost simply the upgrade to Jakarta?  

A.   If you are under maintenance, the upgrade is free. However, the vendor risk application is sold separately and licensed by number of assessed vendors. You can load an unlimited number of vendors into your catalog and you can have an unlimited number of users touching the application. We worked very hard to align the licensing model with the value curve clients will see from this product.

Q.   Who will initiate the vendor assessment? ServiceNow or me?  

A.   Your team that assesses vendor risk would initiate the vendor assessment. We provide you with a solution that will scale as you need and let you control the usage.

Q.   Can questions answered by the vendor be used to update vendor profile data after it's been reviewed?

A.   Absolutely. You have access to the vendor tables in ServiceNow. If the vendor itself has not updated the information, you can populate it yourself.

Q.   Do the files that are uploaded flow up to GRC Vendor?

A.   The GRC Vendor Risk application is part of the GRC portfolio and tightly integrates with the other GRC applications. Policy & Compliance allows you to trace questions in a vendor questionnaire back to the authority document and mark any as compliant or non-compliant, and Risk Management allows you to roll vendor risk into your overall enterprise risk score. All of the information is displayed on the real-time dashboards.

Q.   Are follow-up emails/notifications automatic?  

A.   Yes, follow-up notifications can be scheduled for an assessment, so meeting SLAs is easier. You also define the assessment frequency, so the vendor will automatically get a new assessment populated in his/her vendor portal when it is due again.

Q.   Will this be a separate subscription like the HR module?

A.   The vendor risk application is sold separately and licensed by number of assessed vendors. You can load an unlimited number of vendors into your catalog and you can have an unlimited number of users touching the application. We worked very hard to align the licensing model with the value curve clients will see from this product.

Q.   Is there a Final Vendor Risk Report that can be pulled for distribution outside of SN?  

A.   There are real-time dashboards and a variety of reports that can be generated based on your specifications.

Q.   Besides vendor assessment, can application assessments, penetration assessments etc be included in this module?  

A.   Application assessments, penetration assessments, etc are not included at this time.

Q.   Does the data interface with other modules such as Vendor Performance? Also, can you please explain the licensing required for the vendor contact to access the portal.

A.   All information on the ServiceNow platform can be referenced across the entire platform. Risk calculated for the vendor can be made up of several factors, including controls based on vendor performance. The vendor risk application is sold separately and licensed by number of assessed vendors. You can load an unlimited number of vendors into your catalog and you can have an unlimited number of users touching the application. We worked very hard to align the licensing model with the value curve clients will see from this product. The vendors do not need licenses; you simply provide a URL to the vendor portal for them to access.

Q.   What about biomedical device questionnaires such as the MDS2 form?

A.   We don't provide specific biomedical device questionnaires, but you can easily create them in the questionnaire designer or add them if they are in an Excel spreadsheet. We also integrate with the UCF, which includes many different standards.

Q.   What is the cost for this module?  

A.   The vendor risk application is sold separately and licensed by number of assessed vendors. You can load an unlimited number of vendors into your catalog and you can have an unlimited number of users touching the application. We worked very hard to align the licensing model with the value curve clients will see from this product. One of our sales reps or partners can provide you with pricing based on your needs.

Q.   How do you handle turnover during the workflow?  

A.   Assignment of the assessment is standard functionality; this can be changed at any time.

Q.   This module is more targeted to GRC, not so much to Procurement. Will you have at some point the ability to integrate with vendor portals to load catalogs?

A.   There absolutely can be integrations between procurement systems and Vendor Risk. If you're talking about integration between the ServiceNow Procurement module and Vendor - all information on the ServiceNow platform can be referenced across the entire platform.

Q.   Are there any workflow reports or dashboards that allow an assessor to see the assessments ready to be assessed?

A.   Seeing assessments ready to be assessed can be configured based on criteria defined in the reports and then applied to the dashboards.

Q.   What is the best way to know if I have access to this module in my current enrollment?  

A.   The vendor risk module is sold separately and licensed by number of assessed vendors. You can load an unlimited number of vendors into your catalog and you can have an unlimited number of users touching the application. We worked very hard to align the licensing model with the value curve clients will see from this product. We can have one of our sales reps or partners work up pricing based on your needs.

Q.   Do you allow SIG sharing? So if a company has already filled out the SIG for another person, can it just be shared with my company or do they have to fill it out again?  

A.   The vendor would need to fill out a unique SIG for each of their customers. However, with the SIG they can save the responses in an Excel file and upload them for the next assessment. Although it's not sharing, it still saves lots of time.

Q.   If you decide to do an onsite, how does this track? Also, do you have a dashboard view of all outstanding?

A.   No linkage is available for an onsite; although, if you are using the audit application, this may be available in configuration. A dashboard view of anything outstanding can be configured based on criteria defined in the reports and then applied to the dashboards.

Q.   Can I set up a dashboard to show me what vendors are not compliant to PCI?

A.   Yes, you can set up a dashboard to show which vendors are not compliant to PCI; it would require configuration and the ServiceNow Policy & Compliance application.

Q.   Can a vendor listing be loaded from an existing spreadsheet for submission to the platform?

A.   You can load the vendor portfolio in a variety of ways: from the vendor table in the platform, or import it from a supplier application or a spreadsheet.

Q.   Is there a way to chat with a vendor through VRM? Don't want to deal with emails.

A.   Yes, there is a way to chat with a vendor. One of the biggest benefits of the vendor portal is that it takes you out of email while consolidating all your communications.

Q.   Internally, when a survey is submitted, can certain questions be assigned to different people for review? I.e., internally, if one person should review questions on privacy, those responses are assigned to them, and another person is responsible for encryption, etc.

A.   Yes, in the vendor portal the vendor can assign specific questions or sections to any internal stakeholders. Any issues or tasks and communication to or from those stakeholders are tracked and also displayed in the vendor portal.

Q.   Can you tie the vendors in this module back to Discovery to show, for the vendor, what applications are in use that are supplied by the vendor?

A.   There is no circular way to accomplish what you ask. You would need to use Discovery to load the data regarding the vendor, or load the application information manually.

Q.   Does the questionnaire directly rate us on standards like ISO 27001, PCI, and others, and show how compliant we are?

A.   We integrate with the UCF, which includes many different standards. You can apply those to assess your vendors, or through our other GRC applications to ensure your company is compliant. It will definitely show how compliant you are. It's easy to keep track of changes on the real-time dashboard, where you can interactively drill down for more details about where the issue is. Issues can also be automatically generated using the appropriate contact to make sure they are addressed as quickly as possible.

Q.   Can you track additional vendor-related areas: demand, savings, EBR/QBR, etc.?

A.   Anything you can collect information on in the CMDB you can track.

Q.   Can a contract agreement be uploaded so that when INCs are pegged to the vendor, any agreement violations are available to Procurement when it's time for re-negotiation?  

A.   We would be using multiple applications to do this: Asset, Policy & Compliance, and realistically Vendor Performance. Based on the question, it might be that Vendor Performance is better suited for this request than Vendor Risk Management.

Q.   Can you take into account vendor-related Incidents in the risk rating?  

A.   The risk rating is calculated based on several factors - and is continuously updated. One of those factors is indicators of risk based on an assessment; others are based on monitoring indicators for change or disruption.

Q.   Can I do raw & pack qualification? For example, map my supply network (tier 1, 2, 3, n) and for specific materials verify they comply with requirements like those for GMP.

A.   Yes, it is possible to do raw & pack qualification based on some configuration. You would need to define some additional fields, and there is also some logic that would need to be added for this to work properly. Basically it's all configuration.

Q.   Does this support vendor hierarchies? So I can do this at the parent company level, and then it applies to its subsidiaries?

A.   This function is not available, and we would not recommend a configuration item either.

Q.   Is a Vendor limited to seeing their stuff only?  

A.   Yes, a vendor can only see their assessments and communications.

Last update: 08-24-2017 01:54 PM