Configuring Third-party Risk Management

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configuring Third-party Risk Management

    This guide helps ServiceNow customers activate, upgrade, and configure the Third-party Risk Management (TPRM) application to effectively manage third-party risks. By following a structured checklist, customers can set up essential components, assign roles, and customize settings that support secure collaboration with external third parties. The configuration also includes options for importing data, enabling communications, and enhancing assessment workflows.

    Show full answer Show less

    Setup and Configuration Process

    Customers activate or upgrade TPRM by downloading the application packages from the ServiceNow Store and completing a series of setup tasks. The core configuration tasks include:

    • Activating the TPRM app, Due Diligence Request workflow, and Vendor Risk Management Workspace applications.
    • Implementing authentication policies to secure external third-party access.
    • Assigning appropriate TPRM roles and grouping users based on responsibilities to streamline process management and task notifications.
    • Configuring TPRM system properties to tailor operations to organizational needs.
    • Optionally enabling the Risk Concentration Map feature, which requires a Google license for visualization.
    • Setting up email communication with third-party contacts, including customizing email headers and footers for notifications.
    • Importing existing third-party data from other platforms to consolidate risk information.
    • Establishing third-party contacts who access the secure Third-party portal to participate in assessments and task management.
    • Optionally activating additional languages to support localization beyond the default American English.
    • Running quick-start tests to ensure the application functions correctly after upgrades or customizations.
    • Configuring related lists in the Vendor Management Workspace for optimized navigation and record management.

    Key Outcomes

    • Customers gain a secure, organized, and role-based environment to manage third-party risk assessments and communications.
    • Improved collaboration with external third parties through the dedicated Third-party portal and email notifications.
    • Flexible configuration options allow tailoring the application to specific organizational requirements and workflows.
    • Seamless integration of existing third-party data enhances continuity and reduces manual data entry.
    • Support for risk visualization and localization enhances usability and decision-making.

    You can activate or upgrade TPRM, by downloading the applications from the ServiceNow Store and then configuring the settings to meet your needs.

    Configuration overview

    By performing the tasks in the Setup tasks for TPRM checklist, you can upgrade or install the TPRM application. After you’ve completed the tasks, you can perform additional configuration as described in Classic assessment configuration.

    Note:

    For any custom messages you create, it is your responsibility to generate the corresponding sys_ui_message records. This step is crucial if you want the custom messages to be extracted and translated.

    Initial setup and upgrade checklist for TPRM

    Table 1. Setup tasks for TPRM
    Task Description
    Activate the Third-party Risk Management app [com.sn_vdr_risk_asmt]. To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.
    Important:
    The base system includes many sample questions that you can use in your question bank. To include sample questionnaires, select Load demo data while installing the app.

    Role required: admin
    Activate the Due diligence request workflow application [com.sn_tprm_dd]. To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.

    Role required: admin
    Activate the Vendor Risk Management Workspace application [sn_vrm_ws]. To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.

    Role required: admin
    Add an authentication policy to enable secure access for external third parties.

    For more information, see Add an authentication policy to enable secure access for external third parties.

    Role required: admin

    Use the platform post-authentication policies to enable third parties to secure access to your instance. For background information on this feature, see Post-authentication context.
    Assign TPRM roles to users and user groups.

    Assign roles to users before you implement or use the Third-party Risk Management application. Assigning roles in a well-organized manner simplifies and improves process management and helps to ensure that users are promptly notified of tasks in their areas of responsibility.

    For more information, see Assign TPRM roles to users and user groups.

    Role required: admin
    Add users to groups based on their responsibilities.

    Assign users to groups before you implement or use the Third-party Risk Management application. Each group contains users with particular roles. Well-organized user groups simplify and improve process management and help to ensure that users are promptly notified of tasks in their areas of responsibility.

    For more information, see Add users to groups based on responsibilities.

    Role required: admin
    Configure TPRM properties.

    Configure property settings for a variety of TPRM operations.

    For more information, see Configure TPRM properties.

    Role required: admin
    Enable the TPRM Risk concentration map.

    This task is optional. For more information, see Enable the TPRM Risk concentration map.

    Role required: admin

    After you install the Risk concentration map feature, you must install a Google license to enable the feature.
    Enable your emails with third-party contacts.

    Configure email communication with third-party contacts to enable email notification of assessments and issues.

    For more information, see Enable email with third-party contacts.

    Role required: admin
    Update header and footer images for email notifications. Update the header and footer images used in email notifications by modifying image records.

    For more information, see Update the header and footer for email notifications.

    Role required: admin
    Import the existing data from other systems.

    This task is optional. Import existing data (third parties, engagements, assessments, questionnaires, issues, and so on) from other systems (like the Aravo platform, the ProcessUnity platform, and so on). You aren’t charged for importing the data.

    For more information, see Import existing data from other systems.

    Role required: admin
    Set up third-party contacts.

    Third-party contacts are external users at the third-party organization. They use the Third-party portal to securely organize, prioritize, and perform tasks like responding to questionnaires for assessments, performing tasks, and communicating with your risk-assessment staff regarding issues. You grant access to the Third-party portal and specify the permissions for third-party contacts.

    For more information, see Set up third-party contacts.

    Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager
    Activate a language.

    This task is optional. The ServiceNow AI Platform uses American English by default. You can configure TPRM to use a different language.

    For more information, see Activate a language.

    Role required: admin
    Run the quick-start tests for third-party risk management.

    This task is optional. Verify that TPRM still works after you make configuration changes such as applying an upgrade or developing an application. Copy and customize the quick-start tests to pass when using your instance-specific data.

    For more information, see Run the Quick Start tests for Third-party Risk Management.
    Configure related lists in the Vendor Management Workspace.

    This task is optional.

    Configure the related lists that appear in the vertical navigation layout on record pages in the Vendor Management Workspace.

    For more information, see Configure related lists for vertical navigation on record pages.