Document Management system in Third-party Risk Management

  • Release version: Zurich
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Document Management system in Third-party Risk Management

    The Document Management System (DMS) in Third-party Risk Management (TPRM), introduced in version 21.1.x, provides a centralized repository to store, organize, and manage third-party documents throughout the vendor life cycle. It enhances collaboration between internal teams and third-party contacts while streamlining evidence tracking and improving audit readiness through document reuse across assessments, contracts, issues, and tasks.


    Users can access the DMS either via the Vendor Management Workspace for internal users or through the third-party portal for external users. Primary contacts control permissions in the portal, with role-based access enabling assessors, managers, and administrators to have write access, while reviewers have read-only access. The system supports metadata, version control, search, reporting, and audit tracking for all document activities.

    Key Features

    • Third-party Portal: External contacts can upload and manage documents directly.
    • Internal Access: Internal users can create, access, and manage document records within the Vendor Management Workspace.
    • Version Control and Metadata Management: Users can manage multiple document versions, download attachments, and track detailed metadata such as creation date, type, description, status, and version history.
    • Document Linking: Documents can be linked to multiple TPRM record types including tasks, issues, engagements, and assessments, with automatic rollup for traceability and reporting. Duplicate references on the same record are prevented.
    • Permissions Management: Role-based permissions allow control over document sharing between internal users and primary contacts.
    • Audit and Reporting: Full audit logs track all document actions (uploads, updates, approvals), accessible to authorized users. Advanced search and reporting features enable filtering by document type, risk category, expiration date, and third-party association.
    • AI-Powered Now Assist Skills: For organizations using Now Assist with DMS, AI-driven features help summarize risk issues, generate smart document summaries with Q&A capabilities, and extract specific data points from documents to reduce manual effort and improve accuracy.

    Document Life Cycle and Traceability

    Each document maintains comprehensive metadata to support classification, reporting, and workflow routing. Multiple versions are maintained and sorted by creation date, supporting lifecycle tracking. Linking documents to TPRM records ensures formal relationships that support auditability and traceability of document usage across third-party risk workflows.

    Limitations

    • External users cannot preview documents in the portal; they must download files to view them.
    • The third-party association field is optional for internal documents but mandatory for documents related to third parties.
    • Document creation and versioning must be done in separate steps.

    Practical Benefits for ServiceNow Customers

    • Centralizes and simplifies management of third-party documentation, reducing duplication and improving audit preparedness.
    • Facilitates secure collaboration with third parties via controlled permissions and portal access.
    • Enables comprehensive tracking of document versions and lifecycle events, supporting compliance and risk management processes.
    • Leverages AI capabilities to accelerate document-intensive tasks, increasing efficiency and accuracy in managing third-party risk.
    • Supports detailed reporting and analytics to provide insights into document usage, status, and relationships within TPRM.

    Learn how the enhanced Document Management system supports third-party collaboration and internal workflows in Third-party Risk Management (TPRM).

    Document Management Overview

    Starting with version 21.1.x, the Document Management System (DMS) in Third-party Risk Management (TPRM) provides a centralized repository for storing, organizing, and managing third-party documents throughout the vendor life cycle. DMS streamlines evidence tracking, reduces duplication, and improves audit readiness by enabling document reuse across assessments, contracts, issues, and tasks. Access DMS in the Vendor Management Workspace or third-party portal to create, manage, and reference documents. Primary contacts manage permissions in the portal. TPR assessors [sn_vdr_risk_asmt.vendor_assessor], TPR managers [sn_vdr_risk_asmt.vendor_risk_manager], and TPR administrators have write access, while third-party assessment reviewers [sn_vdr_risk_asmt.vendor_assessment_reviewer] have read-only access. DMS supports metadata, version control, search, reporting, and audit tracking for all document actions.

    The DMS is accessible for internal users through the Documents module in the Vendor Management Workspace as shown in the following example.
    Figure 1. Document Management System in Vendor Management Workspace
    The DMS is accessible for external users through the Third-party portal as shown in the following example.
    Figure 2. Document Management System in the Third-party portal

    Key capabilities

    • Third-party contacts can upload and manage documents using the third-party portal.

      For more information, see Upload and manage documents in the third-party portal.

    • Internal users can create and access document records through the Documents module in the Vendor Management Workspace.

      For more information, see Create a document record.

    • Users can manage document versions, download attachments, and track their metadata.

      For more information, see Create a document version.

    • Documents can be linked to multiple TPRM record types with auto-rollup:
      • Tasks
      • Issues
      • Engagements
      • Assessments

      For more information, see Link documents to a TPRM record.

    • Internal users can manage role-based permissions for primary contacts and other internal users.

      For more information, see Define document sharing permissions.

    • Each document version supports download options, advanced search and reporting for metadata and relationships, and complete audit tracking of actions and version history.

    Document life cycle and traceability

    Each document captures metadata including creation date, type, description, version, and status. Metadata is used for classification, reporting, and workflow routing.

    Each document supports multiple versions. TPR assessors, managers, and administrators can upload new versions, view version history, and download attachments for any version. Versions are sorted by creation date in descending order.

    Documents can be linked to assessments, engagements, issues, and tasks. These references automatically roll up to related third-party records. Duplicate references aren’t allowed.
    Note:
    A linked document is a document record associated with another record (assessment, engagement, issue, or task) for traceability and reporting. Linking creates a formal relationship that supports life-cycle tracking. A reference is the entry that represents this link, shown in the document’s References tab and the related record’s Documents list. Each reference includes metadata like record type and ID. The key difference is that linking is the action and a reference is the result. Multiple references to one document are possible, but duplicate references to the same record aren’t allowed.

    All document actions including uploads and version updates are tracked for audit purposes. Audit logs are accessible to authorized users.

    Collaboration and insights

    All actions, including approvals and rejections, are tracked in the audit log for transparency and reporting. You can search documents by metadata fields and generate reports on document usage, status, and relationships. Filters include document type, risk category, expiration date, and third-party association. You can generate reports on document usage, version history, and linked records using the Reports module or Performance Analytics.

    Report types can include:
    • Document inventory report with metadata and version details.
    • Linkage report showing documents associated with assessments, engagements, and tasks.
    • Audit report for document actions and life-cycle events.

    Now Assist document skills

    If your organization uses DMS and Now Assist for TPRM, you can leverage AI-driven skills to streamline document-heavy workflows. These capabilities reduce manual effort, improve accuracy, and accelerate risk tasks. Now Assist for Document Management and Now Assist for TPRM offer the following key skills:

    • TPRM issue summarization – Condenses complex third-party risk issues into actionable summaries, helping risk analysts review and respond faster.

      For more information, see TPRM issue summarization skill.

    • Smart documents – Summarizes risk management documents and provides quick Q&A, reducing manual review and speeding up due diligence.

      For more information, see Smart Documents skill.

    • Extract information from documents – Uses AI to pull specific data points (such as risk indicators, compliance clauses, or contract terms) from large documents, reducing manual review time and improving accuracy.

      For more information, see Now Assist extract information from documents.

    For more information on Now Assist for Document Management skills, see Explore Now Assist in Document Management.

    Limitations

    • External users can’t preview documents due to restrictions; they must download documents from the portal to view them.
    • The third-party field is optional when creating a document. However, if the document is associated with a third party, this field is required. For internal documents with no third-party association, the field can remain empty.
    • Document creation and versioning currently require separate steps.