Using risk intelligence reports and scores

  • Release version: Washingtondc
  • Updated January 30, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using Risk Intelligence Reports and Scores

    The Third-party Risk Management (TPRM) application enables ServiceNow customers to request and manage risk intelligence reports and scores from external risk intelligence providers. This is essential for assessing the risk associated with individual third parties based on their importance or risk level.

    Show full answer Show less

    Key Features

    • Risk Intelligence Providers: These specialized companies analyze and generate risk scores across various domains, similar to personal credit scoring, helping organizations evaluate third-party reliability.
    • Request Process: Users in specific roles (TPR manager, TPR assessor, contract negotiator) can request reports using the risk intelligence request form. Reports can cover geopolitical risks, economic stability, and compliance, among others.
    • Setup Requirements: TPR assessment reviewers are responsible for registering risk intelligence providers and configuring request types before initiating requests.
    • Report Management: After submission, the status of requests can be tracked, and reports are delivered with links associated with the request record.
    • Sanctions Tracking: Users can log and update sanctions-related information to ensure third parties are compliant with government regulations.

    Key Outcomes

    By utilizing risk intelligence reports, ServiceNow customers can enhance their due diligence processes, prevent duplicate orders, and maintain updated information on third-party risks. This leads to informed decision-making regarding third-party engagements and compliance management. Proper tracking of sanctions-related information further strengthens risk management efforts.

    Request risk intelligence reports or scores directly from your external risk intelligence content providers by using the Third-party Risk Management application. This information can be requested and managed based on the importance or risk level of the individual third party.

    Risk intelligence overview

    Risk intelligence providers are companies that specialize in analyzing and generating risk scores for various third-party risk domains. These providers offer services that are similar to personal credit scoring systems, delivering data that helps organizations assess third parties.

    If you have the third-party risk (TPR) assessor [sn_vdr_risk_asmt.vendor_risk_assessor] and are the due diligence request owner or the TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] role, you can use the TPRM application to request scores or reports for third parties by using the risk intelligence request form. After the reports and scores are generated by the risk intelligence provider, the links to these reports are delivered and associated with that risk intelligence report record.

    The information in these reports can cover various topics, including the geopolitical risks, economic stability, industry-specific trends, and regulatory changes that could affect your third-party interaction. You can order different types of reports, such as credit risk reports, compliance reports, strategic risk reports, and more, for your specific risk management program requirements.

    Setting up risk intelligence providers and request types

    If you have the TPR assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role, you must register the providers and set up both the providers and request types in the Third-party Risk Management application before you can request a report. For more information, see Register a risk intelligence provider, Set up a risk intelligence provider service, and Set up a request type for a provider.
    Note:
    You can request risk reports for third parties but not for engagements.

    Requesting risk intelligence

    As a TPR manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_risk_assessor] that is the due diligence request owner, or contract negotiator [sn_vdr_risk_asmt.contract_negotiator] that is assigned to the due diligence request, you can request a Risk Intelligence Report (RIR) or score to gain insight on how trustworthy a particular third party can be. You would follow this process to request risk intelligence reports or scores:

    1. Fill out the RIR request form. An RIR request can be associated with a third party or due diligence request. When you associate a RIR request with a due diligence request, reviewers and approvers can more easily access all the related activity, scores, reports, and details through the Risk Intelligence report request tab in the Vendor Management Workspace[var.vendor-management-ws]. For more information, see Request a risk intelligence report and Request a risk intelligence report associated with a due diligence request.
      Note:
      If you want to associate an RIR request with a due diligence request, it must be after the inherent risk questionnaire (IRQ) has been completed (that is, when the due diligence request has entered the IRQ in progress state).
    2. The TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] and their team reviews the request.
    3. The TPR manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_risk_assessor] that is the due diligence request owner, or contract negotiator [sn_vdr_risk_asmt.contract_negotiator] that is assigned to the due diligence request can submit it if it’s approved. After the request has been submitted and has entered the Order pending state, all fields in the Risk intelligence report request section are read-only to help to prevent incorrect orders from being submitted to the provider.
      Note:
      The TPR manager, TPR assessor, or contract negotiator can cancel a RIR request while the request is in the Open or Order pending state. An RIR request can also be canceled if the report is no longer needed due to new information that impacts the third party or some other change.
    4. After the reports and scores are generated by the risk intelligence provider, the links to these reports and the scores are delivered and associated with the risk intelligence report request. The RIR request then enters the Closed complete state.

    For more information on RIR requests and their process states, see Risk intelligence report requests management.

    Note:
    You can’t have multiple RIR requests with the same provider, request type, or third party. For example if you have already associated an RIR request with a third party, you can’t request the same report from the same provider as part of a due diligence request for an engagement. This process helps with preventing duplicate orders from being submitted to the provider.

    You can manually add scores to third parties and use the Risk intelligence scores related list to review the background information on the existing scores for a third party. For more information, see Add a risk intelligence score to risk data for a third party.

    Tracking sanctions-related information

    By tracking sanction-related information about your third parties, you can check if that third party is involved in any activities that are prohibited or restricted by government sanctions or regulations. Logging and updating sanctions-related information for third parties keeps your team informed as you review and approve a due diligence request as part of your third-party risk program. For more information about tracking sanctions-related information, see Track sanctions-related information.