Using risk intelligence reports and scores

  • Release version: Zurich
  • Updated March 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using risk intelligence reports and scores

    The Third-party Risk Management (TPRM) application in ServiceNow enables you to request and manage risk intelligence reports and scores from external risk intelligence providers. These providers analyze and generate risk scores for third parties, similar to credit scoring systems, to help you assess risks related to geopolitical factors, economic stability, compliance, and other relevant domains. This functionality supports informed decision-making regarding third-party relationships based on their risk profiles.

    Show full answer Show less

    Setting Up Providers and Request Types

    Before requesting reports, users with the TPR assessment reviewer role must register risk intelligence providers and configure appropriate request types within the TPR application. This setup is essential to establish the connection and parameters for requesting reports but does not enforce provider-specific requirements, which depend on each provider’s integration and agreements with your organization.

    Requesting Risk Intelligence Reports and Scores

    • Who can request: TPR managers, TPR assessors (due diligence request owners), and contract negotiators assigned to due diligence requests.
    • Process: Submit a Risk Intelligence Report (RIR) request form associated with a third party or a due diligence request (only after the inherent risk questionnaire is in progress).
    • Review and approval: The TPR manager and team review requests; approved requests are submitted to the provider.
    • Request states: Once submitted, requests enter an Order pending state where fields are read-only to prevent errors. Requests can be canceled while Open or Order pending if no longer needed.
    • Delivery and closure: Providers generate reports and scores, which are linked to the RIR record. The request then moves to Closed complete.
    • Duplicate prevention: The system prevents multiple identical requests (same provider, request type, and third party) to avoid redundant orders.

    Managing Risk Intelligence Scores

    You can manually add risk intelligence scores to third parties and review existing scores via the Risk intelligence scores related list. This helps maintain comprehensive risk data for ongoing third-party assessments.

    Tracking Sanctions-Related Information

    The application also supports logging and updating sanctions-related data for third parties, ensuring that your team stays informed about any government-restricted or prohibited activities. This tracking is crucial during due diligence reviews and approvals within your third-party risk program.

    Request risk intelligence reports or scores directly from your external risk intelligence content providers by using the Third-party Risk Management application. This information can be requested and managed based on the importance or risk level of the individual third party.

    Risk intelligence overview

    Risk intelligence providers are companies that specialize in analyzing and generating risk scores for various third-party risk domains. These providers offer services that are similar to personal credit scoring systems, delivering data that helps organizations assess third parties.

    If you have the third-party risk (TPR) assessor [sn_vdr_risk_asmt.vendor_risk_assessor] and are the due diligence request owner or the TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] role, you can use the TPRM application to request scores or reports for third parties by using the risk intelligence request form. After the reports and scores are generated by the risk intelligence provider, the links to these reports are delivered and associated with that risk intelligence report record.

    The information in these reports can cover various topics, including the geopolitical risks, economic stability, industry-specific trends, and regulatory changes that could affect your third-party interaction. You can order different types of reports, such as credit risk reports, compliance reports, strategic risk reports, and more, for your specific risk management program requirements.

    The Risk Intelligence Report framework provides a common way to request reports, but it does not enforce provider‑specific requirements. Each risk intelligence provider decides whether a request can be fulfilled based on its own integration and the your organization's agreement with that provider. A report is returned only if the provider’s requirements are met.

    Setting up risk intelligence providers and request types

    If you have the TPR assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role, you must register the providers and set up both the providers and request types in the Third-party Risk Management application before you can request a report. For more information, see Register a risk intelligence provider, Set up a risk intelligence provider service, and Set up a request type for a provider.
    Note:
    You can request risk reports for third parties but not for engagements.

    Requesting risk intelligence

    As a TPR manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_risk_assessor] that is the due diligence request owner, or contract negotiator [sn_vdr_risk_asmt.contract_negotiator] that is assigned to the due diligence request, you can request a Risk Intelligence Report (RIR) or score to gain insight on how trustworthy a particular third party can be. You would follow this process to request risk intelligence reports or scores:

    1. Fill out the RIR request form. An RIR request can be associated with a third party or due diligence request. When you associate a RIR request with a due diligence request, reviewers and approvers can more easily access all the related activity, scores, reports, and details through the Risk Intelligence report request tab in the Vendor Management Workspace[var.vendor-management-ws]. For more information, see Request a risk intelligence report and Request a risk intelligence report associated with a due diligence request.
      Note:
      If you want to associate an RIR request with a due diligence request, it must be after the inherent risk questionnaire (IRQ) has been completed (that is, when the due diligence request has entered the IRQ in progress state).
    2. The TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] and their team reviews the request.
    3. The TPR manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_risk_assessor] that is the due diligence request owner, or contract negotiator [sn_vdr_risk_asmt.contract_negotiator] that is assigned to the due diligence request can submit it if it’s approved. After the request has been submitted and has entered the Order pending state, all fields in the Risk intelligence report request section are read-only to help to prevent incorrect orders from being submitted to the provider.
      Note:
      The TPR manager, TPR assessor, or contract negotiator can cancel a RIR request while the request is in the Open or Order pending state. An RIR request can also be canceled if the report is no longer needed due to new information that impacts the third party or some other change.
    4. After the reports and scores are generated by the risk intelligence provider, the links to these reports and the scores are delivered and associated with the risk intelligence report request. The RIR request then enters the Closed complete state.

    After a request is submitted, the risk intelligence provider determines whether the request can be fulfilled based on its own requirements. The platform submits the request and records the outcome, but does not validate provider-specific prerequisites.

    For more information on RIR requests and their process states, see Risk intelligence report requests management.

    Note:
    You can’t have multiple RIR requests with the same provider, request type, or third party. For example, if you have already associated an RIR request with a third party, you can’t request the same report from the same provider as part of a due diligence request for an engagement. This process helps with preventing duplicate orders from being submitted to the provider.

    You can manually add scores to third parties and use the Risk intelligence scores related list to review the background information on the existing scores for a third party. For more information, see Add a risk intelligence score to risk data for a third party.

    Tracking sanctions-related information

    By tracking sanction-related information about your third parties, you can check if that third party is involved in any activities that are prohibited or restricted by government sanctions or regulations. Logging and updating sanctions-related information for third parties keeps your team informed as you review and approve a due diligence request as part of your third-party risk program. For more information about tracking sanctions-related information, see Track sanctions-related information.