Roles in Third-party Risk Management

  • Release version: Washingtondc
  • Updated January 30, 2025

    Roles determine permissions and access in TPRM.

    TPRM roles

Each entry below gives the friendly name, the role name in brackets, the description, and the roles the role contains.

Third-party reader [vendor_reader]

Read access to third-party contact records.

Contains: none

Third-party editor [vendor_editor]

Create/update/delete third-party contact records.

Contains: none

Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer]

View assessment and questionnaire data. In addition to viewing, they can leave comments on the following tables:
• Tiering assessment
• Internal assessment
• External assessment
• Third-party risk issues
• Third-party risk tasks
• Third-party risk due diligence request

Contains:
• compliance_reader
• risk_reader
• task_editor
• vendor_reader
• sn_dora_accel.user

TPR assessor (Third-party risk assessor) [sn_vdr_risk_asmt.vendor_assessor]

Includes all permissions of the Third-party assessment reviewer role plus: manage third parties, third-party contacts, external risk assessments, and issues.

You can set the following options for the sn_svdp.allow_assessor_edit property:
• Enable TPR assessors to answer questions or modify responses in third-party questionnaires (default).
• Enable TPR assessors to modify responses.
• Don’t enable TPR assessors to answer questions or modify responses.
See Configure TPRM properties.

Contains:
• compliance_reader
• vendor_assessment_reviewer
• vendor_editor
• vendor_reader
• sn_dora_accel.manager

TPR approver [sn_vdr_risk_asmt.approver]

Includes all permissions of the Third-party assessment reviewer role plus: approve IRQs.

Contains:
• vendor_assessment_reviewer
• sn_dora_accel.user

TPR manager (Third-party risk manager) [sn_vdr_risk_asmt.vendor_risk_manager]

Includes all permissions of the TPR assessor role plus:
• Manage third-party assessment templates and scheduled assessments.
• Manage engagements and engagement contacts.
• Manage scoring rules for both third parties and engagements.

Contains:
• vendor_assessor
• sn_dora_accel.manager

TPR admin (Third-party risk admin) [sn_vdr_risk_asmt.vendor_risk_admin]

Includes all permissions of the TPR manager role plus: create and edit the following items:
• Third-party assessment templates
• Risk tiering templates
• Risk tier questionnaire templates
• Third-party questionnaire templates
• Document request templates
• Scheduled assessments

Contains:
• vendor_risk_manager
• assessment_admin
• sn_dora_accel.admin

Contract risk negotiator [sn_vdr_risk_asmt.contract_negotiator]

Includes all permissions of the TPR assessor role plus: access for users in the legal department to modify contract status and the start and expiration dates.

You can add users with this role to the Contract risk negotiators user group. See Add users to groups based on responsibilities.

Contains:
• vendor_assessor
• sn_dora_accel.manager

Third-party contact [vendor_contact]

• Called a third-party contact when responding to an external questionnaire/task/issue for a third party.
• Called an engagement contact when responding to a questionnaire/task/issue for an engagement.

You assign the third-party contact role to users at the third-party organization whose risk is being assessed. Third-party contacts are assigned the snc_external role to give them access to resources and actions in the Third-party portal.

Important:
The third-party contact role should be used only for external contacts. The role prohibits access to your ServiceNow AI Platform instance and grants access only to the Third-party portal.

You assign the primary contact responsibility to the third-party contact who can directly answer assessment questions or assign another contact at the third party to answer the questions. Primary contacts can manage other contacts for the third party.

Contains:
• snc_external

    Roles required for accessing the Digital resilience third-party registers

A user with one of the following roles can access the Digital resilience third-party registers related modules in the Vendor Management Workspace:
• TPRM DORA user [sn_dora_accel.user] role

  The Third-party assessment reviewer and TPR approver roles contain this role.

• TPRM DORA manager [sn_dora_accel.manager] role

  The TPR assessor and TPR manager roles contain this role.

• TPRM DORA admin [sn_dora_accel.admin] role

  The TPR admin role contains this role.

For more information on DORA-related roles, see Roles installed with Digital resilience third-party registers.
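The "Contains roles" column of the TPRM roles table and the DORA section above both describe role containment: a user holding TPR admin transitively holds everything down to vendor_reader and sn_dora_accel.user. The following is an added example, not ServiceNow code and not part of this page: it transcribes the containment map from the table, expands it into each user's effective role set, reports the resulting DORA register access level, and flags a user who holds the external-only vendor_contact role alongside internal roles (the page says that role is for external contacts only). It assumes that the short names in the "Contains" column (vendor_assessor, vendor_assessment_reviewer, vendor_risk_manager) refer to the fully qualified sn_vdr_risk_asmt.* roles shown in brackets; the sample user records are constructed.

```javascript
// Added example (not ServiceNow's own code): expand TPRM role containment and
// audit user role assignments offline, e.g. against an exported user list.

// Role containment map transcribed from the TPRM roles table on this page.
// Assumption: short names in the "Contains" column map to the fully qualified
// sn_vdr_risk_asmt.* role names given in brackets in the same table.
const CONTAINS = {
  "vendor_reader": [],
  "vendor_editor": [],
  "sn_vdr_risk_asmt.vendor_assessment_reviewer": [
    "compliance_reader", "risk_reader", "task_editor", "vendor_reader", "sn_dora_accel.user",
  ],
  "sn_vdr_risk_asmt.vendor_assessor": [
    "compliance_reader", "sn_vdr_risk_asmt.vendor_assessment_reviewer",
    "vendor_editor", "vendor_reader", "sn_dora_accel.manager",
  ],
  "sn_vdr_risk_asmt.approver": [
    "sn_vdr_risk_asmt.vendor_assessment_reviewer", "sn_dora_accel.user",
  ],
  "sn_vdr_risk_asmt.vendor_risk_manager": [
    "sn_vdr_risk_asmt.vendor_assessor", "sn_dora_accel.manager",
  ],
  "sn_vdr_risk_asmt.vendor_risk_admin": [
    "sn_vdr_risk_asmt.vendor_risk_manager", "assessment_admin", "sn_dora_accel.admin",
  ],
  "sn_vdr_risk_asmt.contract_negotiator": [
    "sn_vdr_risk_asmt.vendor_assessor", "sn_dora_accel.manager",
  ],
  "vendor_contact": ["snc_external"],
};

// Roles the page reserves for external (portal-only) users.
const EXTERNAL_ONLY = new Set(["vendor_contact", "snc_external"]);

// Transitive closure of containment: every role a holder of `held` effectively has.
// Accepts a single role name or an array of directly assigned roles.
function effectiveRoles(held) {
  const stack = Array.isArray(held) ? [...held] : [held];
  const seen = new Set();
  while (stack.length > 0) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    for (const child of CONTAINS[role] || []) stack.push(child);
  }
  return [...seen].sort();
}

// Highest Digital resilience third-party register access level implied by `held`.
function doraAccess(held) {
  const eff = new Set(effectiveRoles(held));
  if (eff.has("sn_dora_accel.admin")) return "admin";
  if (eff.has("sn_dora_accel.manager")) return "manager";
  if (eff.has("sn_dora_accel.user")) return "user";
  return "none";
}

// Audit one user record ({ name, roles }) and return a list of finding strings.
// Finding: an external contact role combined with any internal role.
function auditUser(user) {
  const eff = effectiveRoles(user.roles);
  const isExternal = eff.some((r) => EXTERNAL_ONLY.has(r));
  const internal = eff.filter((r) => !EXTERNAL_ONLY.has(r));
  const findings = [];
  if (isExternal && internal.length > 0) {
    findings.push(
      `${user.name}: third-party contact role combined with internal roles: ${internal.join(", ")}`
    );
  }
  return findings;
}

function auditAll(users) {
  return users.flatMap(auditUser);
}

// Constructed sample user records (not real data).
const SAMPLE_USERS = [
  { name: "legal.reviewer", roles: ["sn_vdr_risk_asmt.contract_negotiator"] },
  { name: "vendor.portal.user", roles: ["vendor_contact"] },
  { name: "misassigned.user", roles: ["vendor_contact", "sn_vdr_risk_asmt.vendor_assessor"] },
];

for (const u of SAMPLE_USERS) {
  console.log(`${u.name}: DORA access=${doraAccess(u.roles)}; effective=${effectiveRoles(u.roles).join(", ")}`);
}
console.log("Findings:", auditAll(SAMPLE_USERS));
```

Run with `node` after pointing SAMPLE_USERS at an exported user list. The closure is what makes the check useful: a reviewer looking only at directly assigned roles would not see that TPR admin implies sn_dora_accel.admin, or that an approver never receives vendor_editor.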