Third-party risk assessment form
Use the third-party risk assessment form to capture all the information that you need to create an assessment using the Third-party Risk Management application. As a third-party risk assessor or manager, you can create an external assessment.
| Field | Description |
|---|---|
| Name | The name that identifies the third-party risk assessment on all forms and lists. |
| Description | A more detailed explanation of the purpose of the assessment. |
| Number | For each external risk assessment, the system auto-assigns a unique ID number that starts with the text VRA. The unique ID is used in all references to the item. You can use the ID to search or filter for the item that you want to work on. |
| Applies to | The party to which the assessment applies: Third party, Engagement, Entity. |
| Third party | The assessed third party. Note: You can reactivate a third party that is in Terminated status. If such a request is accepted and closed, the third party's status is changed to Active. |
| Engagement | Select the engagement to assess. The field is visible only if you selected Engagement from the Applies to field. |
| Entity | Select the entity to assess. The field is visible only if you selected Entity from the Applies to field. Note: This is an entity record created as part of the third-party element collection process. For more information, see Monitoring third-party elements. |
| Repeating assessment | The assessment used to create the current assessment. Note: You can create repeating assessments if you’re using the classic assessment engine. You can configure rules that auto-generate and send questionnaires and doc requests to engagements and third parties using the Event-driven management feature if you’re using the Smart Assessment Engine. For more information, see Configure a risk assessment to recur on a schedule and Event-driven management — automate assessment processes. |
| Assessment template | Select an assessment template to create questionnaires or document requests for this assessment. To use multiple templates to create multiple questionnaires or document requests for the assessment, leave the field empty. |
| Due diligence request | If there’s an existing due diligence request associated with this assessment, it’s listed here. |
| Assessment Engine | The assessment engine used for the Third-party risk assessment. This field is set to Smart. This field is only visible if you have enabled the Smart Assessment Engine. Note: When reviewing previous assessments, you can determine which engine was used by checking this field. If the assessment was created using the Classic assessment engine, the field displays Classic. |
| State | The process of collecting assessment data from a third party transitions through several states. See Life cycle states of an external assessment for detailed descriptions. |
| Risk rating | The overall risk rating for the third party. Note: The Risk rating is determined by finding a risk rating scale range in which the risk score falls. It defines how a minimum and maximum range of assessment scores maps to a qualitative risk score. |
| Risk rating valid to | The date the risk rating expires. The date must be later than the Risk rating valid to date on any associated questionnaires or document requests. |
| Trigger by third-party tier | Select the check box to initiate the assessment when the risk tier changes for the third party. |
| Assigned to | The individual who owns an assessment for audit purposes and monitors and manages overall assessment processes. The owner is responsible for confirming that the assessment is completed in a timely fashion by the third party, reviewing their responses, and creating and resolving issues. To drive the assessment to its completion, they are notified when an assessment reaches a particular milestone. They must have the TPR manager or TPR assessor role. |
| Watch list | Add users that should be notified when this record is modified. |
| Risk Scoring | Note: Risk ratings are calculated and displayed after assessment responses have been received. |
| Computed risk rating | Average of the third-party risk area risk ratings. |
| Issue risk rating | The risk rating for issues associated with the third parties being assessed. The issue risk rating is based on the priority of closed issues and how they were resolved. Note: The Computed risk rating isn’t affected by this calculation. |
| Override risk rating | Option to override the computed risk rating for the third party. When selected, any future changes made to the assessment risk rating affect only the computed risk rating, not the risk rating. Note: If the check box is selected and then deselected, the computed risk rating is used. |
| Overridden risk rating | Risk rating to override the current computed risk rating. If you selected Override risk rating, enter the new risk rating. |
| Justification | Justification for overridden risk rating. If you selected Override risk rating, you must enter a reason for the override. |
| Assessment Schedule | |
| Planned duration (days) | Estimated duration of the assessment. Note: This estimate includes the amount of time needed to receive responses and for internal and external users to review. |
| Planned start date / Planned end date | Planned start and completion dates and times for work on the assessment. Note: The Planned end date is automatically set to one month from the Planned start date. After the assessment is saved, this date can’t be changed. |
| Actual duration | The amount of time it took to complete the third-party risk assessment. This field is calculated using the Actual start date and Actual end date. |
| Actual start date | Date and time that work on the assessment began. |
| Actual end date | Completion date and time for the assessment. |
| Questionnaire Schedule | |
| Planned duration (days) | The amount of time given to the third party or engagement to complete all questionnaires. |
| Review duration (days) | Time allocated for the Assessment reviewer to review all questionnaires. Note: Users with the Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role can review and leave comments for the following: |
| Submitted to third party | Delivery date for third party questionnaires. |
| Due date | Deadline for third party to respond to and return all questionnaires. Note: The Due date is set to a duration of 10 days by default. You can extend the due date of a questionnaire by increasing the Planned duration (days); however, the Planned end date of the assessment won’t be updated. |
| Completion date | Actual date when third party completed all questionnaires. |
| Responses expected by | The date that your organization expects the responses to be returned by the third-party contact. |
| Notes and Comments | |
| Work notes | Information about the assessment. Work notes are visible to users assigned to the issue. |
| Additional comments (Customer visible) | Public information about the assessment. |