Third-party (external) risk assessment management
Summary of Third-party (External) Risk Assessment Management
The Third-party (External) Risk Assessment Management feature facilitates the management of risk assessments for third-party engagements. After completing the IRQ process, users can send questionnaires and document requests to the designated third-party contacts, ensuring that responses are complete and accurate. Access to external assessments can be found on the Due Diligence Management page under the External Assessments tab.
Key Features
- Unique ID Assignment: Each external risk assessment is assigned a unique ID starting with "VRA."
- Actions on Assessments: Users can discuss, create issues or tasks, save changes, submit requests, and delete records directly from the assessment tabs.
- Risk Overview: The Risk Overview tab provides a snapshot of assessments, questionnaires, and tracking status (Open, Overdue, Closed).
- Questionnaire and Document Templates: Users can manage questionnaire and document requests, allowing third-party contacts to respond. Configurable options are available for TPR assessors regarding response modifications.
- Risk Domains: Each assessment can focus on specific risk domains, such as security or financial risk, allowing for tailored evaluations.
- Issues and Tasks Management: The system enables the generation of non-compliance issues and tasks, facilitating communication and resolution with third-party contacts.
- Lifecycle States: The assessments progress through various states, providing visibility into the status of responses and submissions.
Key Outcomes
By utilizing Third-party (External) Risk Assessment Management, customers can effectively manage and assess risks associated with third-party engagements. This streamlined process promotes accurate data collection, enhances communication, and helps maintain compliance. Ultimately, this feature supports informed decision-making regarding third-party relationships, ensuring that potential risks are identified and addressed promptly.
After the IRQ process is complete, you send questionnaires and document requests to the third-party contact. You manage the third-party risk assessment by working with the contacts to help ensure that the responses are complete and accurate.
Accessing an external assessment
On the Due diligence management page, select the DDR number of the engagement due diligence request, and then select the External assessments tab. The tab lists all third-party risk assessments (external due diligence processes) for the selected engagement request.
Working on a third-party risk assessment
For each external risk assessment, the system auto-assigns a unique ID that starts with the text VRA. A risk assessment can represent the work on an engagement request for a third-party organization or on an engagement request for a group within the parent organization. On the External assessments tab, select a VRA number to open and work on that risk assessment.
Actions on any tab
| Action | Description |
|---|---|
| Discuss | Select Discuss to send a message to other users. The message is recorded in the Activity section of the Details tab. |
| Create | Create an issue or task as described in the following sections. |
| Save | Select Save to save any change you made to a value on any tab. |
| Submit to third party | Submit all questionnaires and document requests to the TP contact. The action is recorded in the Activity section on the Details tab. |
| … Delete | Select Delete to delete the record of the engagement request. |
| Add an attachment | Select Browse in the Attachments section, or select the attachment icon, to choose and add an attachment. |
Working on third-party risk assessments
- Risk overview tab on the External assessments page
- The symbols indicate the current state of the external assessment process for the engagement request. See Life cycle states of an external assessment for descriptions of the states.
- Overview section: List of assessments that are associated with the engagement.
- Questionnaires and document requests section: List of questionnaires and document requests for the engagement.
- Fourth-party questionnaires section: List of questionnaires and document requests for fourth parties and their sub-parties that are associated with the engagement.
- Tracking section: Count of assessments associated with the third party that are in the Open, Overdue, or Closed state.
- Details tab on the External assessments page
- Third-party risk assessment section: General information on the third party plus schedules for the overall assessment and questionnaire due dates from the engagement due diligence request.
- The Compose section on the Details tab enables you to permanently add text to the record. The Activity section is updated with any actions on issues and tasks, submissions to TP contacts, and also with work notes and comments that users add to the record. Add text in the following fields as needed:
- Work notes (Private): Information about the third-party risk assessment. Work notes are visible only to internal users who are assigned to the process.
- Comments: Comments about the third-party risk assessment are visible both to internal users and to third-party contacts. Keep internal findings and deliberations in Work notes; anything entered in Comments is exposed to the third party.
- Questionnaire templates tab on the External assessments page
- The tab lists the questionnaires that the third-party contact will respond to. Select a name to view the details. For more information, see Create a questionnaire or document request template and Create a questionnaire or document request template using the Designer.
- To control whether TPR assessors can modify responses, configure the Allow TPR assessors to modify responses in third-party questionnaires [sn_svdp.allow_assessor_edit] system property. You can set the following options:
  - Enable TPR assessors to answer questions or modify responses (default)
  - Enable TPR assessors to modify responses
  - Do not enable TPR assessors to answer questions or modify responses
- Document templates tab on the External assessments page
- The tab lists the requests for documents that the third-party contact should return. The information in the columns helps you prioritize your follow-up with the third-party contact; in particular, the state and percent complete values are key indicators. Select a name to view the details. For more information, see Create a questionnaire or document request template and Create a questionnaire or document request template using the Designer.
- Fourth-party templates tab on the External assessments page
- The tab lists the fourth-party questionnaires that the third-party contact will respond to. Select a name to view the details. For more information, see Monitoring your fourth-nth parties.
- Third-party risk areas tab on the External assessments page
- A risk domain defines the type of risk to assess for a third party. For example, you might want to assess a data-management third party in terms of security risk and a bank in terms of financial risk. Security risk and financial risk are risk domains. Some platform applications refer to risk domains as "risk areas." See Define a third-party risk domain.
- Issues tab on the External assessments page
Before closing an assessment, the TPR manager can iteratively generate non-compliance issues and tasks, communicate with the TP contacts and engagement contacts through comments to close them, and reassign contacts as needed. See Create an issue for a third party or engagement and Manage issues.
- Tasks tab on the External assessments page
Before closing an assessment, the TPR manager can iteratively generate non-compliance issues and tasks, communicate with the TP contacts and engagement contacts through comments to close them, and reassign contacts as needed. See Create a task for a third party or engagement and Manage a task for a third party or engagement.