Monitoring your third-party risk

  • Release version: Zurich
  • Updated March 12, 2026

    You can monitor the potential risks that are associated with your third-party relationships by using the Third-party Risk Management application. An ongoing monitoring process can help you regularly assess the third party's performance and adherence to the agreed-upon terms.

    Ongoing monitoring and review

    You can monitor and review the performance of your third parties with Vendor Management Workspace. For example, you can regularly assess whether the third party is adhering to the agreed-upon terms.

    Note:
    The Vendor Management Workspace is designed for users with the Third-party risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_assessor], and Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] roles.

    Viewing risk reports and other information

    Starting with version 21.1.x, the legacy horizontal tab-based layout in the Vendor Management Workspace has been replaced by a structured vertical navigation panel. This design introduces:
    • Grouped Related Lists: Organizes access to third-party records, assessments, and dashboards into logical sections.
    • Clearer Workflows: Navigation is streamlined to support risk management processes and dependency tracking for third parties and engagements.
    • Consistent Availability: The vertical panel is accessible across all internal user roles, ensuring a unified experience for managing vendor risk and resilience.
    For more information on configuring related lists, see Configure related lists for vertical navigation on record pages.

    You can view the risk reports for all third parties and engagements by navigating to Workspaces > Vendor Management Workspace and then selecting the Risk tab to open the workspace to the home page. For more information, see Viewing third-party risk reports.

    You can also view the status and all current information for a third party or engagement by navigating to Workspaces > Vendor Management Workspace. On the Risk tab, select the home page icon.

    As shown in the following example, you can select any number in the Third-party risk overview section to open a list of third parties or engagements with that risk rating value. You can then select a third party or engagement.
    Figure 1. How to open a third party or engagement page by risk rating
    [Figure: sequence showing the selections needed to view a third party or engagement.]
    For more information, see Get an overview of a third party.

    TPRM personalized dashboards

    Monitor and analyze your assessment data at various levels using the Third-party insights dashboard and TPRM custom analytics dashboard. If you have the TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] or TPR assessor [sn_vdr_risk_asmt.vendor_assessor] role, you can create and share your own dashboards and reports. TPR managers can also customize report layouts, widgets, and data views to prioritize key metrics and workflows that align with your individual roles and risk programs. These dashboards provide you and your team with tailored insights and deliver relevant information at a glance, improving your decision-making process. You can view TPRM personalized dashboards by navigating to Workspaces > Vendor Management Workspace and selecting the dashboard page icon. For more information, see Monitoring assessment data using TPRM dashboards.

    Due diligence processes

    You can view the status of the following due diligence processes from the Due diligence request record page:
    • Request process
    • Inherent Risk Questionnaire (IRQ) process
    • Third-party risk assessment process
    • Approval process
    • Contract risk process
    To access the Due diligence request record page, you can select the DDR number for any due diligence request. For more information about the due diligence process, see Monitoring the due diligence request process.

    Managing fourth-nth parties

    You can use Third-party Risk Management to help identify, understand, and manage risks that are related to third parties dependent on the services of fourth-nth parties. Monitoring fourth-nth parties can help ensure that they adhere to the same security and compliance standards as the primary third party. For more information about fourth-nth parties, see Monitoring your fourth-nth parties.

    Managing third-party elements

    You can monitor third-party elements through scalable scoring models, relationship analysis, and due diligence workflow integration as part of the third-party element collection process. Monitoring third-party elements and leveraging that information can help with conducting more informed risk assessments as part of your third-party risk program. For more information about third-party elements, see Monitoring third-party elements.

    Managing Smart assessment templates

    After upgrading to version 22.0.1 and installing the Unified Content Management application, TPR managers [sn_vdr_risk_asmt.vendor_risk_manager] can view a centralized library of smart assessment templates aligned with global regulations and industry standards. From the unified content management module in the Vendor Management Workspace, you can activate and update templates. You can access the unified content module by navigating to Workspaces > Vendor Management Workspace, selecting the unified content management icon, and then navigating to Smart assessment templates. For more information, see Managing TPRM SAE templates with Unified Content Management and Sample questionnaires.

    Viewing managed activities

    An engagement only consumes one license, regardless of whether there’s one managed activity or many managed activities per contract year. Managed activity usage is triggered only when an activity is initiated. You can view your managed activities for verification purposes with the Usage analytics activities [sn_vdr_risk_asmt_ua_activity] table. This read-only table stores a record whenever a managed activity occurs. You must have the Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role to view this table. You can access the Usage analytics activities table by navigating to All > Third Party Risk Management > Administration > Managed Activity Analytics. For more information, see Tracking a managed activity.

    Note:
    The Usage analytics activities [sn_vdr_risk_asmt_ua_activity] table is only available to users who have purchased the Third-party Risk Management application and have access to the Due diligence management application. For instructions on downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.