Manually add a risk to a third party or engagement

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • If you’re using both Risk Management and Third-party Risk Management, you can associate risks and risk statements with third parties and engagements. These associations influence risk posture and scoring.

    Before you begin

    Role required: admin or sn_vdr_risk_asmt.vendor_risk_admin

    About this task

    When you associate a risk with a third party or engagement, the risk becomes part of the entity’s risk profile and can be included in scoring calculations. This does not automatically trigger assessments unless configured through TPRM rules.

    Controls are automatically generated when you associate a policy with an entity type or an entity type with a control objective. A control is created for each entity listed in the entity type for the control objective. Controls can also be manually created.

    For more information on creating risk statements and risks in Risk Management, see Create a risk statement, Create a risk manually, and Generate a risk from a risk statement.

    To understand the difference between a control objective and a control, see Relationship between risks, risk events, and risk statements.

    Procedure

    1. Navigate to Workspaces > Vendor Management Workspace.
    2. Select the list icon (List icon.) and then navigate to Third parties > All third parties or Engagements > All engagements.
    3. Select the third party or engagement that you want.
    4. Navigate to the Risks tab of the third party or engagement.
    5. Assign a risk to the engagement by selecting New.
    6. On the form, fill in the fields.
      For descriptions of all these fields, see Create new risk form.
    7. Select Submit.
      For more information on managing risks, see Manage risks, risk statements, and risk frameworks.
      The risk is created and all related lists are visible.