Requesting third-party risk due diligence

  • Release version: Australia
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Requesting third-party risk due diligence

    The Requesting third-party risk due diligence process in ServiceNow’s Third-party Risk Management enables your organization to evaluate and manage risks associated with business engagements involving third parties, including their subsidiaries and downstream parties (fourth parties and beyond). This due diligence is crucial for making informed decisions, establishing controls, and mitigating risks when interacting with external organizations or individuals.

    Any employee can initiate a due diligence request for an engagement, which is the formal or informal relationship outlining the services or products provided by a third party. The process ensures visibility into risks throughout the supply chain and supports ongoing risk management.

    Due Diligence Request Process

    • An employee submits a due diligence request for a third-party engagement.
    • Email notifications are sent to the requester and the due diligence request assignment group.
    • A member of the group assigns a Third-party Risk (TPR) manager or assessor to own the request.
    • The assigned owner is notified and reviews the request.
    • The TPR manager approves or rejects the request based on the sufficiency of information and feasibility.
    • Upon approval, the Inherent Risk Questionnaire (IRQ) process begins, possibly including additional assessments like Software Bill of Materials (SBOM) collection depending on your organization’s configuration.

    Request Options

    When creating a due diligence request, you can:

    • Onboard a new engagement: Start onboarding a new engagement with an existing third party.
    • Reassess an existing engagement: Conduct additional due diligence when conditions change, such as adverse news or supply chain shifts.
    • Reassess for contract renewal: Evaluate risk before renewing contracts with third parties.
    • Offboard an engagement with due diligence: Determine if terminating the relationship is optimal by assessing risks, especially when switching third parties may introduce higher risks or costs.
    • Offboard an engagement without due diligence: Request permanent termination when no further risk assessment is needed, typically followed by the IRQ process to confirm service discontinuation.

    Practical Use and Tracking

    Each due diligence request is assigned a unique ID starting with "DDR" for easy tracking. Requesters can communicate with reviewers and add attachments directly within the system. This structured workflow helps maintain transparency and accountability throughout the third-party risk assessment lifecycle.

    Request third-party risk due diligence to determine the level of risk for interactions with a third party, engagement, or fourth party by using Third-party Risk Management. You conduct due diligence to become aware of the associated risks so that you can make informed decisions, establish appropriate controls, and mitigate the potential negative impact when working with external parties.

    Any employee at your organization can request due diligence, which is an investigation or examination of business relationship risk, for an engagement.
    • An engagement is the informal or contracted relationship that you intend to form with a third party that could potentially expose your organization to risk. The engagement outlines the services or products to be provided by the third party and other details of the relationship.
    • A third party is any organization or individual that you have interacted or entered into a business relationship with. Third parties can have subsidiaries and can contract with fourth parties. For example, departments are subsidiaries.
    • A fourth party can contract with further parties. All downstream parties, such as the fourth through the nth parties, carry risk in the same ways as third parties.

    For more information about the terms that are used in these sections or why you might conduct due diligence, see Terminology and Why you conduct due diligence.

    The following infographic shows the due diligence request process.


    Infographic that shows the due diligence request process in the due diligence workflow. For the text description, refer to the process steps that follow.
    The following are the steps of the due diligence request process.
    1. An employee at your organization requests due diligence for a third-party engagement.
    2. The system sends an email notification to the employee who made the request.
    3. The system sends an email notification to the Due diligence request assignment group.
    4. A member of the group can assign a Third-party risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager] or TPR assessor [sn_vdr_risk_asmt.vendor_assessor] to act as the owner of the request.
    5. The system sends an email notification to the assigned owner of the due diligence request.
    6. The TPR manager reviews the request for due diligence for the engagement and approves it. If the information provided by the requester was insufficient or the engagement is not possible for your organization, the TPR manager rejects it.
    7. The IRQ process starts after the TPR manager approves the request for due diligence.

    When creating a due diligence request, the following options are available:

    • Onboard a new engagement: Start the onboarding process for a new engagement with an existing third party. For more information about this type of onboarding, see Example: Onboarding a third party.
    • Reassess an existing engagement: Reassess an existing engagement when the conditions change. For example, let's say that you hear adverse news or have changes in your third-party's supply lines. You might want to reassess the risk by conducting additional due diligence.
    • Reassess an existing engagement for contract renewal: Reassess the risk before your organization renews the contract with a current third party or engagement by conducting due diligence.
    • Offboard an engagement with due diligence: Determine if offboarding (terminating the relationship) with an engagement is the optimal course of action by conducting due diligence. For example, it might be too risky to switch third parties or engagements even if their current performance doesn’t meet expectations.

      Extenuating circumstances can contribute to the decision. For example, if the third party is sourcing materials that are difficult to obtain, switching providers might be costly and introduce additional risks. In such cases, continuing with the existing third party, with whom a long-term relationship exists, might be preferable to mitigate potential disruptions and higher risks.

    • Offboard an engagement with no due diligence: Request that an engagement be permanently terminated when an engagement ends or you want to switch to a different third party for other reasons. In this case, you typically don't need to conduct additional due diligence. The process does, however, include the normal Inherent Risk Questionnaire (IRQ) process to confirm that the services provided by the engagement will no longer continue. For more information about this type of offboarding, see Offboarding an engagement without conducting due diligence.

    To learn more about creating or monitoring a due diligence request, see Request due diligence for a third-party engagement and Monitoring the due diligence request process.

    For each due diligence request, the system auto-assigns a unique ID number that starts with the text DDR. Use the ID to track your request. You can post a message to reviewers and add attachments from the page.

    The following example shows how a new due diligence request appears.

    Figure 1. Due diligence request tracking example
    Due diligence request view from the activity tab in Employee Service Center.

    For more information on the different processes that make up the overall due diligence workflow, see Due diligence workflow and Assessing your third-party risk.