Requesting third-party risk due diligence

  • Release version: Zurich
  • Updated March 12, 2026

    Request third-party risk due diligence to determine the level of risk for interactions with a third party, engagement, or fourth party by using Third-party Risk Management. You conduct due diligence to become aware of the associated risks so that you can make informed decisions, establish appropriate controls, and mitigate the potential negative impact when working with external parties.

    Any employee at your organization can request due diligence, which is an investigation or examination of business relationship risk, for an engagement.
    • An engagement is the informal or contracted relationship that you intend to form with a third party that could potentially expose your organization to risk. The engagement outlines the services or products to be provided by the third party and other details of the relationship.
    • A third party is any organization or individual that you’ve interacted or entered into a business relationship with. Third parties can have subsidiaries and can contract with fourth parties. For example, departments are subsidiaries.
    • A fourth party can contract with further parties. All downstream parties, such as the fourth through the nth parties, carry risk in the same ways as third parties.

    For more information about the terms that are used in these sections or why you might conduct due diligence, see Terminology and Why you conduct due diligence.

    The following infographic shows the due diligence request process.


    Infographic that shows the due diligence request process in the due diligence workflow. For the text description, refer to the process steps that follow.
    The following are the steps of the due diligence request process.
    1. An employee at your organization requests due diligence for a third-party engagement.
    2. The system sends out an email notification to the employee who made the request.
    3. The system sends out an email notification to the Due diligence request assignment group.
    4. A member of the group can assign a Third-party risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager] or TPR assessor [sn_vdr_risk_asmt.vendor_assessor] to act as the owner of the request.
    5. The system sends out an email notification to the assigned owner of the due diligence request.
    6. The TPR manager reviews the request for due diligence for the engagement and approves it. If the information provided by the requester was insufficient or the engagement isn’t possible for your organization, the TPR manager rejects it.
    7. The IRQ process starts after the TPR manager approves the request for due diligence.

    To learn more about creating or monitoring a due diligence request, see Request due diligence for a third-party engagement and Monitoring the due diligence request process.

    When creating a due diligence request, the following options are available:

    • Onboard a new engagement: Start the onboarding process for a new engagement with an existing third party. For more information about this type of onboarding, see Example: Onboarding a third party.
    • Reassess an existing engagement: Reassess an existing engagement when the conditions change. For example, let's say that you hear adverse news or have changes in your third-party's supply lines. You might want to reassess the risk by conducting additional due diligence.
    • Reassess an existing engagement for contract renewal: Reassess the risk before your organization renews the contract with a current third party or engagement by conducting due diligence.
    • Offboard an engagement with due diligence: Determine if offboarding (terminating the relationship) with an engagement is the optimal course of action by conducting due diligence. For example, it might be too risky to switch third parties or engagements even if their current performance doesn’t meet expectations.

      Extenuating circumstances can contribute to the decision. For example, if the third party is sourcing materials that are difficult to obtain, switching providers might be costly and introduce additional risks. In such cases, continuing with the existing third party, with whom a long-term relationship exists, might be preferable to mitigate potential disruptions and higher risks.

    • Offboard an engagement with no due diligence: Request that an engagement be permanently terminated when an engagement ends or you want to switch to a different third party for other reasons. In this case, you typically don't need to conduct additional due diligence. The process does, however, include the normal Inherent Risk Questionnaire (IRQ) process to confirm that the services provided by the engagement will no longer continue. For more information about this type of offboarding, see Offboarding an engagement without conducting due diligence.

    For each due diligence request, the system auto-assigns a unique ID number that starts with the text DDR. Use the ID to track your request. You can post a message to reviewers and add attachments from the page.

    The following example shows how a new due diligence request appears.

    Figure 1. Due diligence request tracking example
    Due diligence request view from the activity tab in Employee Service Center.

    For more information on the different processes that make up the overall due diligence workflow, see Due diligence workflow and Assessing your third-party risk.