Third-party (external) risk assessment management
Summary of Third-party (external) risk assessment management
The third-party (external) risk assessment management process in ServiceNow enables you to manage and monitor risk assessments for third-party organizations by coordinating questionnaires, document requests, and communications throughout the due diligence lifecycle. This process starts after the initial IRQ (Information Request Questionnaire) and facilitates accurate, complete responses from third-party contacts to identify potential risks effectively.
Key Features
- Accessing Assessments: View third-party risk assessments linked to due diligence requests on the Due diligence management page under the External assessments tab.
- Unique Identification: Each risk assessment is auto-assigned a unique VRA number to differentiate engagements either for entire third-party organizations or sub-groups within them.
- Actions and Collaboration: Use actions such as Discuss (messaging), Create (issues/tasks), Save, Submit to third party, and Delete to manage the risk assessment workflow collaboratively and maintain audit trails in the Activity section.
- Attachments: Attach relevant documents directly to assessment records to support evidence collection and review.
- Risk Overview Tab: Provides symbols indicating the current status of assessments, lists questionnaires, document requests, fourth-party questionnaires, and tracks open, overdue, and closed assessments.
- Details Tab: Displays general third-party information, schedules, due dates, and enables internal work notes (private) and comments (visible to third-party contacts) for transparent communication.
- Questionnaire and Document Templates: Manage and assign questionnaires and document requests to third parties. Configure permissions for TPR assessors to modify responses as needed.
- Fourth-party Management: Include questionnaires and document requests for sub-parties to ensure comprehensive risk coverage.
- Risk Areas: Define risk domains (e.g., security, financial) tailored to the type of third party to focus assessments on relevant risk factors.
- Issue and Task Management: Create and manage issues and tasks iteratively during the assessment to address non-compliance or follow-up items, with communication through comments and reassignment capabilities.
- Life Cycle States: Track assessment progress through defined states such as "Submitted to third party," reflecting the evolving status of data collection and response.
- Template and Form Creation: Use specialized forms to create questionnaire templates, external assessment templates, and third-party element records, supporting customization and detailed risk capturing.
Practical Application for ServiceNow Customers
This framework empowers you to systematically manage third-party risk assessments by maintaining structured, transparent interactions with third-party contacts, tracking progress, and handling compliance issues efficiently. The integration of questionnaires, document requests, and issue/task management within a single platform ensures comprehensive risk oversight. By defining risk domains and configuring assessor permissions, you can adapt assessments to your organization's specific risk profiles and operational needs.
Ultimately, this process supports informed decision-making and risk mitigation concerning third-party engagements, helping you maintain compliance and protect your enterprise from external risks in a streamlined, auditable manner.
After the IRQ process is complete, you send questionnaires and document requests to the third-party contact. You manage the third-party risk assessment by working with the contacts to help ensure that the responses are complete and accurate.
Accessing an external assessment
On the Due diligence management page, select the DDR number for any engagement due diligence request and then select the External assessments tab. The tab displays the list of all third-party risk assessments (external due diligence processes) for the selected engagement request.
Working on a third-party risk assessment
For each external risk assessment, the system auto-assigns a unique ID number that starts with the text VRA. A risk assessment can represent the work on an engagement request for a third-party organization or an engagement request for a group within the parent organization. Select a VRA number to work on the risk assessment on the External assessments tab.
Actions on any tab
| Action | Description |
|---|---|
| Discuss | Select Discuss to send a message to other users. The message is recorded in the Activity section of the Details tab. |
| Create | Create an issue or task as described in the following sections. |
| Save | Select Save to save any change you made to a value on any tab. |
| Submit to third party | Submit all questionnaires and document requests to the TP contact. The action is recorded in the Activity section on the Details tab. |
| … Delete | Select Delete to delete the record of the engagement request. |
| Adding an attachment | Select Browse in the Attachments section or select the attachment icon to select and add an attachment. |
Working on third-party risk assessments
- Risk overview tab on the External assessments page
- The symbols indicate the current state of the external assessment process for the engagement request. See Life cycle states of an external assessment for descriptions of the states.
- Overview section: List of assessments that are associated with the engagement.
- Questionnaires and document requests section: List of questionnaires and document requests for the engagement.
- Fourth-party questionnaires section: List of questionnaires and document requests for fourth parties and their sub-parties that are associated with the engagement.
- Tracking section: Count of assessments associated with the third party that are in the Open, Overdue, and Closed status.
- Details tab on the External assessments page
- Third-party risk assessment section: General information on the third party plus schedules for the overall assessment and questionnaire due dates from the engagement due diligence request.
- The Compose section on the Details tab enables you to permanently add text to the record. The Activity section is updated with any actions on issues and tasks, submissions to TP contacts, and also with work notes and comments that users add to the record. Add text in the following fields as needed:
- Work notes (Private): Information about the third-party risk assessment. Work notes are visible only to internal users who are assigned to the process.
- Comments: Comments about the third-party risk assessment are visible both to internal users and to third-party contacts.
- Questionnaire templates tab on the External assessments page
- The tab lists the questionnaires that the third-party contact will respond to. Select a name to view the details. For more information, see Create a questionnaire or document request template and Create a questionnaire or document request template using the Designer. To enable TPR assessors to modify responses, configure the Allow TPR assessors to modify responses in third-party questionnaires [sn_svdp.allow_assessor_edit] system property. You can set the following options:
- Enable TPR assessors to answer questions or modify responses (default)
- Enable TPR assessors to modify responses
- Do not enable TPR assessors to answer questions or modify responses
- Document templates tab on the External assessments page
- The tab lists the requests for documents that the third-party contact should return. The information in the columns helps you to prioritize your work in following up with the third-party contact. In particular, the state and percent complete values are key indicators. Select a name to view the details. For more information, see Create a questionnaire or document request template and Create a questionnaire or document request template using the Designer.
- Fourth-party templates tab on the External assessments page
- The tab lists the fourth-party questionnaires that the third-party contact will respond to. Select a name to view the details. For more information, see Monitoring your fourth-nth parties.
- Third-party risk areas tab on the External assessments page
- A risk domain defines the type of risk to assess for a third party. For example, you might want to assess a data-management third party in terms of security risk and a bank in terms of financial risk. Security risk and financial risk are risk domains. Some platform applications refer to risk domains as "risk areas." See Define a third-party risk domain.
- Issues tab on the External assessments page
Before closing an assessment, the TPR manager can iteratively generate non-compliance issues and tasks. The TPR manager communicates with the TP contacts and engagement contacts through comments to close the issues and tasks, and can reassign them to different contacts as needed. See Create an issue for a third party or engagement and Manage issues.
- Tasks tab on the External assessments page
Before closing an assessment, the TPR manager can iteratively generate non-compliance issues and tasks. The TPR manager communicates with the TP contacts and engagement contacts through comments to close the issues and tasks, and can reassign them to different contacts as needed. See Create a task for a third party or engagement and Manage a task for a third party or engagement.