Risk intelligence provider integrations

  • Release version: Australia
  • Updated March 12, 2026

    The Third-party Risk Management application includes support for risk intelligence provider integrations. These guidelines can help your organization to develop a risk intelligence provider integration for Risk intelligence report (RIR) requests for third parties and due diligence requests.

    Integration requirements

    The TPRM application enables your organization to integrate with external risk intelligence content providers. If you have the Third-party risk (TPR) assessor [sn_vdr_risk_asmt.vendor_risk_assessor] or TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] role, you can request the scores or reports for third parties by using the risk intelligence request form. After the reports are generated by the provider, the links to the reports are uploaded to the Third-party Risk Management application and associated with the relevant third party.
    Note:
    Before requesting reports and scores, a team member with the TPR assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role must register the providers and set up both the providers and request types in the Third-party Risk Management application. For more information, see Register a risk intelligence provider, Set up a risk intelligence provider service, and Set up a request type for a provider.

    The following diagram shows the RIR request flow states and their relationship with the integration requirements for risk intelligence providers.

    Figure 1. RIR requests integration
    RIR integration flow diagram. For the text description, refer to the text that follows this diagram.

    Integration process:

    1. All RIR requests in the Order pending state are ready to be sent to the risk intelligence provider.
    2. A nightly job is set up by the integration API to check for the report request records that are in the Order pending state.
    3. The integration API updates the RIR request record state to Order in progress.
    4. The integration API sends a packet to the provider that includes the names of the records and their corresponding source tables:

      • rir_sysid [sn_tprm_dd_risk_intel_request]
      • provider_sysid [sn_vdr_risk_asmt_tpss_provider_basic]
      • third_party_sysid [core_company]
      • third_party_name [core_company]
      • request_type_sysid [sn_tprm_dd_risk_intel_request_type]
      • request_type_name [sn_tprm_dd_risk_intel_request_type]
      • provider_service_sysid [sn_vdr_risk_asmt_tpss_provider]
    5. If the packet isn’t sent successfully, the integration API updates the RIR request state to Closed incomplete.
    6. After receiving the RIR request, the risk intelligence provider processes it and gathers information including the URL, score, and content.
    7. The risk intelligence provider returns a packet for upload to the Third-party Risk Management application.

      The packet contains the following names of the records, their corresponding source tables, and content:

      • rir_sysid [sn_tprm_dd_risk_intel_request]
      • provider_sysid [sn_vdr_risk_asmt_tpss_provider_basic]
      • third_party_sysid [core_company]
      • request_type_sysid [sn_tprm_dd_risk_intel_request_type]
      • provider_service_sysid [sn_vdr_risk_asmt_tpss_provider]
      • URL
      • score
      • rating
      • content
      Note:
      The score or rating should be the provider's score or rating. The provider should have set up a mapping to convert the provider's score to a ServiceNow score through a Provider Service record.
    8. Using the packet information, the integration API creates a risk intelligence score record [sn_vdr_risk_asmt_security_score] and populates the URL field. This URL is used to download and attach the reports to the associated RIR request record [sn_tprm_dd_risk_intel_request].

    9. The integration API updates the state of the RIR request from Order in progress to Closed complete or Closed incomplete, depending on whether the risk intelligence provider completes the report or fails to send it and decides to close the order.

    Limitations

    The integration API doesn’t update the score record in the Score table. If the API fails to populate a field when it creates a score record, a new score record is created instead of updating the existing record. For example, if the API didn't associate a score with an RIR request, the API has to be called again to create a new score and associate it with the RIR request.
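
Because a score record can't be corrected after it is created, and the returned URL is later fetched to attach the report, the provider's return packet is worth validating before step 8. The following is an added example in plain Node.js (for instance in integration middleware), not ServiceNow's own code; the field names come from the packet lists above, while the function names, the host allowlist, the rule that a score or rating must be present, and the sample values in the test are assumptions.

```javascript
// Added example: field names come from the packet lists above; the host
// allowlist, function names and score/rating rule are assumptions.
const SYS_ID = /^[0-9a-f]{32}$/; // ServiceNow sys_id: 32 hex characters
const ID_FIELDS = ['rir_sysid', 'provider_sysid', 'third_party_sysid',
  'request_type_sysid', 'provider_service_sysid'];

// State moves described in the integration process and request states.
const TRANSITIONS = {
  'Open': ['Order pending', 'Canceled'],
  'Order pending': ['Order in progress', 'Canceled'],
  'Order in progress': ['Closed complete', 'Closed incomplete'],
};

function canTransition(from, to) {
  return (TRANSITIONS[from] || []).includes(to);
}

// sent: the outbound packet recorded when the request was ordered.
// returned: the provider's packet, treated as untrusted input.
function checkReturnPacket(sent, returned, state, allowedHosts) {
  const errors = [];
  if (!canTransition(state, 'Closed complete')) {
    errors.push(`state "${state}" cannot accept a provider result`);
  }
  for (const f of ID_FIELDS) {
    if (!SYS_ID.test(String(returned[f] || ''))) errors.push(`${f}: not a sys_id`);
    else if (returned[f] !== sent[f]) errors.push(`${f}: does not match the order`);
  }
  // The URL is later fetched to attach the report, so pin scheme and host.
  try {
    const u = new URL(String(returned.URL));
    if (u.protocol !== 'https:') errors.push('URL: scheme must be https');
    if (u.username || u.password) errors.push('URL: credentials not allowed');
    if (!allowedHosts.includes(u.hostname)) errors.push('URL: host not allowlisted');
  } catch (e) {
    errors.push('URL: not a valid absolute URL');
  }
  if (returned.score == null && returned.rating == null) {
    errors.push('score/rating: neither present');
  }
  return { ok: errors.length === 0, errors };
}
```

A packet that fails these checks can be rejected and the request moved to Closed incomplete, rather than creating a score record that would then need a second API call to replace.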

    Risk intelligence report request states

    The risk intelligence report requests have the following potential states:

    Open
    An RIR request enters this state after the record has been created and saved by the Third-party Risk (TPR) manager, TPR assessor, or contract negotiator that is assigned to the due diligence request. For each risk intelligence request, the system auto-assigns a unique ID number that starts with the text RIR.
    Order pending
    An RIR request enters this state after the record has been submitted by the Third-party Risk (TPR) manager, TPR assessor, or contract negotiator that is assigned to the due diligence request.

    The following changes take place:

    • The order has been submitted to the provider.
    • The Request date field has been populated with the date on which this record was submitted.
    • All fields in the Risk intelligence report request section are read-only.
    Order in progress
    An RIR request enters this state after the order has been received by the provider.

    The following changes take place:

    • The score records are generated with the report request.
    • The Score generated on field is updated.
    Closed incomplete
    An RIR request enters this state after the order was received by the provider but couldn’t be processed due to an error, so the order was closed.
    Closed complete
    An RIR request enters this state after the order was received and processed by the provider.
    Canceled
    An RIR request enters this state after a TPR manager, TPR assessor, or contract negotiator cancels the report request. If a TPR manager, TPR assessor, or contract negotiator must cancel a request, it can be done while the request is in the Open or Order pending state. After an RIR request is canceled, that record can't be edited. You must create a new record.