Third-party Risk Management upgrade information

  • Release version: Xanadu
  • Updated March 3, 2025
  • 2 minutes to read

    • ServiceNow® Third-party Risk Management application upgrade information for the Xanadu release.

    Important information for upgrading Vendor Risk Management to Xanadu

    Starting with the Vancouver release, if you’re a VRM user upgrading to TPRM, from an earlier release, you must run each upgrade sequentially to ensure that fix scripts run correctly. This means upgrading from one release to the next rather than skipping to the latest release. Not running scripts in the correct order can result in data inconsistencies, broken functionalities, and conflicts.

    Plugin requirements

    TPRM
    • Activate the Third-party Risk Management application [com.sn_vdr_risk_asmt].
    • Activate the Third-party Risk Due Diligence application [com.sn_tprm_dd].
    • Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.
    VRM
    • Activate the Vendor Risk Management application [com.sn_vdr_risk_asmt].
    • Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.

    For more information on licensing or metering, see , Third-party Risk Management (TPRM) Licensing and Vendor Risk Management (VRM) Licensing.

    VRM to TPRM changes

    • The name of the application changed from Vendor Risk Management to Third-party Risk Management as part of the Vancouver release.
    • The internal assessment [sn_vdr_asmt_internal_assessment] table is introduced, extending the tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] table.
    • The Due Diligence Review (DDR) workflow is introduced, which uses both the internal assessment and the external (VRA) assessment.
      Note:
      If you have customizations on the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables, they might need modifications to work with the DDR workflow.
    • The Third-party Scores [sn_vdr_risk_asmt_security_score] table has been relabeled to Risk Intelligence Scores [sn_vdr_risk_asmt_security_score] to reduce confusion.
    • All instances of “vendor” are changed to “third party” in the user interface, though some global instances might remain unchanged.
      Note:
      If you don’t want to use the due diligence workflow, your original workflow (Tiering assessment and External assessments (VRAs) should be the same).

    VRM and TPRM data model

    The Vendor Risk Management data model primarily uses the term “vendor” and includes the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables.

    The Third-party Risk Management data model uses the term “third-party” in most user interface elements and introduces the DDR workflow, which uses both internal [sn_vdr_asmt_internal_assessment] and [sn_vdr_risk_asmt_assessment] external assessments.

    The following models show VRM's and TPRM's capabilities.

    Figure 1. VRM data model
    Relationship Vendor risk management main tables. For a text description, see the text that preceded and follows this data model.

    The components included in the Vendor Risk Management data model are as follows:

    • Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Company [core_company]
    • Vendor risk assessment [sn_vdr_risk_asmt_assessment]
    • Vendor engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Vendor contact [vm_dr_contact]
    • Assessment metric type [asmt_metric_type]
    • Assessment template [sn_vdr_risk_asmt_assessment_template]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]
    Figure 2. TPRM data model
    Relationship between due diligence, and third-party management main tables. For a text description, see the text that preceded and follows this data model.

    The components included in the Third-party Risk Management data model are as follows:

    • Risk intelligence score [sn_vdr_risk_asmt_security _score]
    • Internal assessment [sn_vdr_asmt_internal_assessment]
    • Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Event-driven management history [sn_tprm_dd_rule_execution_history]
    • Third-party due diligence request [sn_tprm_dd_request]
    • Company [core_company]
    • Event-driven management rule [sn_tprm_dd_generation_rule]
    • Third-party risk assessment [sn_vdr_risk_asmt_assessment]
    • Third-party engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Vendor contact [vm_dr_contact]
    • Assessment metric type [asmt_metric_type]
    • Assessment template [sn_vdr_risk_asmt_assessment_template]
    • Third-party risk issue [sn_vdr_risk_asmt_issue]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]