Combined Third-party Risk Management release notes for upgrades from Yokohama to Australia

  • Release version: Australia
  • Updated May 4, 2026
  • Consolidated page of all release notes for Third-party Risk Management from Yokohama to Australia.

    How to use this page

    To help you prepare for your upgrade, we have combined the cross-family Third-party Risk Management release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Yokohama to Australia.

    Tip:
    If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."

    Important information for upgrading Third-party Risk Management to Australia

    Before you upgrade to Australia, review these pre- and post-upgrade tasks and complete the tasks as needed.

    Release Release notes

    Yokohama

    Starting with the Vancouver release, if you’re a VRM user upgrading to TPRM from an earlier release, you must run each upgrade sequentially to ensure that fix scripts run correctly. This means upgrading from one release to the next rather than skipping to the latest release. Not running scripts in the correct order can result in data inconsistencies, broken functionalities, and conflicts.

    For more information on upgrading from VRM to TPRM, see Third-party Risk Management upgrade information.

    For existing TPRM customers, after upgrading to version 20.2.4, data from the Industry column in the Company [core_company] table is automatically migrated to the tprm_industry column. Migration can take several hours depending on the number of records in the Company [core_company] table. After migration, a system log message confirms that the migration is complete. Review the Company [core_company] table content and update any customizations referencing the Industry field to use tprm_industry. After verifying the migration and updating customizations, you can drop the Industry column.

    Zurich

    If you’re a VRM user upgrading to TPRM and upgrading to Vancouver or a later release from an earlier release, you must run each upgrade sequentially to ensure that fix scripts run correctly. For example, you must upgrade from Utah to Vancouver, Vancouver to Washington DC, and so on. If the scripts don’t run in the correct order, you can get data inconsistencies, broken functionalities, and conflicts.

    After upgrading to version 21.0.x, you can enable the Smart Assessment Engine (SAE) by setting the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property. After setting this property, Smart Assessment Engine (SAE) becomes the default assessment engine and replaces the legacy experience. The transition isn’t reversible.
    Warning:

    Set this property in your non-production instances and conduct thorough testing before changing your production instances. Failure to do so may result in unexpected issues.

    For more information on upgrading from VRM to TPRM and the differences between the Smart and Classic Assessment engines, see Third-party Risk Management upgrade information.

    For existing TPRM customers, after upgrading to version 21.0.3, data from the Industry column in the Company [core_company] table is automatically migrated to the tprm_industry column. Migration can take several hours depending on the number of records in the Company [core_company] table. After migration, a system log message confirms that the migration is complete. Review the Company [core_company] table content and update any customizations referencing the Industry field to use tprm_industry. After verifying the migration and updating customizations, you can drop the Industry column.

    Australia

    If you’re a VRM user upgrading to TPRM and upgrading to Australia from an earlier release, you must run each upgrade sequentially to ensure that fix scripts run correctly. For example, you must upgrade from Xanadu to Yokohama, Yokohama to Zurich, and so on. If the scripts don’t run in the correct order, you can get data inconsistencies, broken functionalities, and conflicts.

    After upgrading to version 21.0.x, you can enable the Smart Assessment Engine (SAE) by setting the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property. After setting this property, Smart Assessment Engine (SAE) becomes the default assessment engine and replaces the legacy experience. The transition isn’t reversible.
    Warning:

    Set this property in your non-production instances and conduct thorough testing before changing your production instances. Failure to do so may result in unexpected issues.

    For more information on upgrading from VRM to TPRM and the differences between the Smart and Classic Assessment engines, see Third-party Risk Management upgrade information.

    For existing TPRM customers, after upgrading to version 21.0.3, data from the Industry column in the Company [core_company] table is automatically migrated to the tprm_industry column. Migration can take several hours depending on the number of records in the Company [core_company] table. After migration, a system log message confirms that the migration is complete. Review the Company [core_company] table content and update any customizations referencing the Industry field to use tprm_industry. After verifying the migration and updating customizations, you can drop the Industry column.

    New features

    Between your current release family and Australia, new features were introduced for Third-party Risk Management.

    Release Release notes

    Yokohama

    TPRM personalized dashboards
    Improve your decision-making process by exploring and analyzing your assessment data at various levels by using the Third-party insights dashboard and the TPRM custom analytics dashboard. If you have the Third-party risk manager [sn_vdr_risk_asmt.vendor_risk_manager] or Third-party risk assessor [sn_vdr_risk_asmt.vendor_assessor] role, you can create and share your own dashboards and reports. If you're a third-party risk manager, you can also customize the report layouts, widgets, and data views to prioritize key metrics and workflows that align with your individual roles and risk programs.
    New Standardized Information Gathering (SIG) questionnaire content
    Use the updated SIG templates for 2025 after upgrading to version 20.1.x as part of the Third-party Risk Management application. The latest SIG questionnaires help your organization stay aligned with stricter regulatory compliance and emerging third-party risk governance, covering a wide range of security and privacy concerns.
    Quick start tests for TPRM
    Verify that TPRM works as expected after upgrades and deployments of new applications or integrations by running quick start tests. If you customized TPRM, copy the quick start tests and configure them for your customizations.

    Zurich

    Now Assist for Third-party Risk Management (TPRM) release notes
    Review the Now Assist for Third-party Risk Management (TPRM) release notes for full descriptions of the features.
    Document Management system
    Starting with version 21.1.x, you can use the Document Management System (DMS) in TPRM, which provides a centralized repository for storing, organizing, and managing third-party documents throughout the vendor life cycle. It can be used by third-party risk managers [sn_vdr_risk_asmt.vendor_manager], third-party assessors [sn_vdr_risk_asmt.vendor_assessor], and third parties to upload, categorize, track, and review documents with metadata, version control, and access permissions. This feature streamlines evidence tracking, reduces duplication, and improves audit readiness by enabling document reuse across assessments, contracts, issues, and tasks.

    For information on Now Assist skills for TPRM and Document Management, see Now Assist for Third-party Risk Management (TPRM) release notes and Now Assist in Document Intelligence release notes.

    Register of information regulatory packages
    After upgrading the Digital Resilience Third-party Information Register application to version 21.1.x, third-party assessors [sn_vdr_risk_asmt.vendor_assessor] can now generate regulator-ready Register of Information packages using the Plain-CSV Report Package option on the download page. The ZIP file includes metadata and report folders structured to regulator specifications, with file names containing LEI, entity ID, and release version. This format helps ensure EU DORA compliance and supports automated validation workflows. You can follow the user guide on the Download/Upload request page for suggested steps and permissions.
    Validation framework for RoI
    After upgrading the Digital Resilience Third-party Information Register application to version 21.1.x, third-party risk managers [sn_vdr_risk_asmt.vendor_manager] can now validate downloaded Register of Information packages using the Plain-CSV Report Package option on the download page against requirements. File format, structure, encoding, naming conventions, and field-level data are validated across multiple tables. If any validation warnings are detected, a validation report is automatically attached, including mappings to regulator fields such as Template Code, Row Code, and Column Code. Validation reports include real-world field labels, rule expressions, and record identifiers. You can cross-reference validation errors using a downloadable Excel master template that mirrors the CSV structure, making it easier to locate and address issues. Additional enhancements include support for “Not applicable” values, enforcement of file size limits, and clearer error messages for malformed data.
    New sn_vdr_risk_asmt.sae_enabled property
    Use the new and improved Smart Assessment experience after you upgrade to version 21.0.x and set the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property.
    Smart Assessment Engine
    Create Smart Assessment Engine assessments for your organization:
    • Enhanced navigation: Use the improved navigation for a better user experience.
    • Assessment support: Conduct assessments for both internal and external parties. TPRM questionnaire templates include additional attributes such as the risk area and the option to include previous responses, which aren’t available in SAE. TPRM templates must be created directly within the Vendor Management Workspace to ensure that they include the necessary attributes.
    • Organize questions: Group questions into subsections for better organization.
    • Add attachments: Attach the files directly to the individual questions.
    • Add reference information: Add reference information to a questionnaire template to help ensure that assessors can access the information they need while responding.
    • Filter questions: Quickly identify and filter unanswered questions.
    • Auto-save for questionnaires: Save each question automatically after changes are made to it.
    • Standardized risk rating scale definition: Define the risk rating scales at the template level for both internal and external assessments.
    • Assessment duration: Define the duration of an assessment when creating a questionnaire template.
    • Combine assessments: Respond to questionnaires by using the same SAE template in a single, streamlined view.
    • Bulk template migration: Migrate classic templates in bulk to the Smart Assessment format. To ensure the templates work correctly in TPRM, you must migrate them by using the Third-party Risk Management application.
    • Risk score normalization: Standardize the risk scores for a consistent evaluation.
    • Support for the GRC and third-party portals: Use the GRC portal to access and complete internal assessments and the third-party portal to complete external assessments.

    Australia

    Generate aggregate regulatory reports in local currencies
    After upgrading the Digital Resilience Third-party Information Register application to version 22.0.3, third‑party risk (TPR) managers [sn_vdr_risk_asmt.vendor_manager] can standardize annual expense values during Register of Information report generation by enabling currency conversion and third‑party total expense aggregation. To support this process, the generated reporting package includes summary and detail reports that indicate successful conversions, aggregation results, and any skipped providers.
    Centralized repository for TPRM SAE templates

    After upgrading to version 22.0.2 and installing the Unified Content Management application, TPR managers [sn_vdr_risk_asmt.vendor_risk_manager] can help ensure consistent and comprehensive assessments by activating and updating ready‑to‑use Smart Assessment Engine questionnaire templates through a single, managed repository in the Vendor Management Workspace.

    Early availability
    Generate TPRM issue recommendations
    After upgrading to version 22.0.8, if you have the third‑party assessment reviewer role [sn_vdr_risk_asmt.vendor_assessment_reviewer] and have installed the Now Assist for Third-party Risk Management (TPRM) application, you can use generative AI to automatically identify and recommend issues based on assessment responses. The TPRM issue management recommendation skill recommends issues with rationalized summaries. Recommended issues are presented for review and are created as standard TPRM issues only after user confirmation.

    Changes

    Between your current release family and Australia, some changes were made to existing Third-party Risk Management features.

    Release Release notes

    Yokohama

    Pre-populate responses using questionnaires
    If you have the Third-party risk assessor [sn_vdr_risk_asmt.vendor_assessor] or Third-party risk manager [sn_vdr_risk_asmt.vendor_risk_manager] role, you can enable third-party and engagement contacts to review and update responses only if necessary by pre-populating questionnaires for engagements and entities with responses from completed questionnaires that are associated with the same third party. The attachment, duration, and signature type responses are excluded. This feature also helps ensure data consistency and accuracy.
    Microsoft Excel questionnaire template
    Streamline the due diligence process by enabling third-party and engagement contacts to respond to questionnaires using a Microsoft Excel template: they download the questionnaire as a template, complete it according to the included instructions, and import the final version into the Third-party portal. This feature update enhances flexibility by enabling third-party and engagement contacts to provide information outside the third-party portal. Third-party risk assessors [sn_vdr_risk_asmt.vendor_assessor] and Third-party risk managers [sn_vdr_risk_asmt.vendor_risk_manager] can access this feature and respond to questionnaires on behalf of third-party and engagement contacts through the Vendor Management Workspace.
    Codes and additional identification information for ICT third-party service providers
    If you have the third-party assessor role [sn_vdr_risk_asmt.vendor_assessor], help ensure compliance with DORA regulations by adding additional code types and a legal name to third-party and third-party engagement records in the digital resilience third-party registers within the Vendor Management Workspace. Include this information when the legal name of a third party differs from its commonly recognized name, or when you need to record multiple identification codes like an EUID, LEI, or Country code. When supply chain, assessment, or contract records are associated with a third party or third-party engagement using the EUID code type, all relevant fields will be automatically populated.
    Function types for ICT third-party service providers
    If you have the third-party assessor role [sn_vdr_risk_asmt.vendor_assessor], help ensure compliance with DORA regulations by using Business capability as an additional function type for function records in the digital resilience third-party registers within the Vendor Management Workspace.
    Multiple legal entities making use of the services for contracts
    If you have the third-party assessor role [sn_vdr_risk_asmt.vendor_assessor], add multiple legal entities that are using services as part of a contract record in the digital resilience third-party registers within the Vendor Management Workspace. Including all entities that are using services associated with a contract is essential for maintaining transparency, helping ensure compliance, and enhancing operational resilience.

    Zurich

    Risk areas extended to internal assessments
    Starting with version 21.1.x, if you have the third-party risk admin [sn_vdr_risk_asmt.vendor_admin] role, you can now configure risk areas with weighted questions and scored responses for internal assessments using the Smart Assessment Engine in the Vendor Management Workspace. Risk scores can be aggregated at the engagement level using customizable methods such as max, min, or average, and mapped to risk ratings based on business rules. Risk managers can override system-generated ratings with required justification, enabling expert judgment and helping ensure transparency in risk decisions.
    Smart Assessment Engine advanced plugins
    Starting with version 21.1.x, the following Smart Assessment Engine advanced plugins are automatically installed: Post Assessment Actions for Smart Assessments [com.sn_smart_imp_auto and com.sn_impact_fwk] and Advanced Response Automation for Smart assessments [sn_smart_resp_auto]. The Post Assessment Actions for Smart Assessments plugin lets Third-party risk admins [sn_vdr_risk_asmt.vendor_admin] automate follow-up tasks, like notifications or workflow launches, after an assessment is completed. The Advanced Response Automation for Smart Assessments plugin automatically fills in assessment responses based on prior data or logic, streamlining and standardizing the assessment process.
    Feature-specific administrator role enhancements
    Starting with version 21.1.x, if you have a feature admin role, you can now complete tasks that were initially reserved for users with the broader administrator role.
    • Assign sn_vdr_risk_asmt.vendor_risk_admin to users who need to configure and manage vendor risk features.
    • Assign sn_vdr_risk_asmt.vendor_assessment_reviewer to users who perform assessments, manage dashboards, and require operational access.
    • Assign sn_vdr_risk_asmt.external_assessment_responder to users who need access to the third-party portal and to complete assessments.
      Note:
      Administrator privileges no longer grant access to TPRM features. Users must be assigned an appropriate feature-specific role to access relevant functionality.
    Read-only field enhancements
    Starting with version 21.1.x, the following Third-party Risk Management plugins have security enhancements for read-only fields in this release:
    • Third-party Risk Due Diligence [com.sn_tprm_onboarding]
    • Third-party Risk Management [com.sn_vdr_risk_asmt]
    • GRC: Vendor Portal [com.sn_grc_vendor_portal]
    • GRC: Profiles [com.sn_grc]
    • GRC: Compliance Assessment [com.sn_comp_asmt]
    • GRC: SIG Questionnaire Integration [com.sn_sig_asmt]
    • GRC: Performance Analytics Premium Integration [com.sn_grc_pa]
    • Vendor Risk Management integration with EcoVadis [com.sn_app_grc_ecovadis]
    • ITAM applications [com.snc.vendor_core]
    Fourth-party assessment support in SAE
    Starting with version 21.1.x, fourth-party assessments are supported after you enable the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property.
    Enhanced contract records for Digital Resilience Third-party Information Register in Vendor Management Workspace
    If you have the third-party assessor role [sn_vdr_risk_asmt.vendor_assessor], you can now associate multiple entities with a single contract record. This association indicates that all entities have signed the contract and are providing services that are associated with the contract. You can also configure contracts that are based on the supply chain and assessment, upload contract records, and generate reports in Microsoft Excel. To better track these entities and help ensure compliance with Digital Operational Resilience Management (DORA) regulations, related lists have been added to the existing contract records, and existing fields have been reorganized for better usability.

    Australia

    Simplified third-party element process
    After upgrading to version 22.0.1, third‑party elements are now linked to a single third party and can no longer be shared across third parties. Scoring rollups calculate results from element‑level assessments rather than entity records.
    Australia Patch 1
    ServiceNow product tiers
    The ServiceNow AI Platform now brings you a new AI experience with three licensing tiers available:
    • Foundation: AI basics to deliver insights
    • Advanced: AI to boost productivity across relevant use cases
    • Prime: Act autonomously with all AI assets, and create your own

    Depending on your license, you will have access to certain application features, generative AI skills, agentic workflows, and AI agents.

    Removed

    Between your current release family and Australia, some Third-party Risk Management features or functionality were removed.

    Release Release notes

    Yokohama

    No updates for this release.

    Zurich

    No updates for this release.

    Australia

    Assessments using entities are no longer supported.

    Deprecations

    Between your current release family and Australia, some Third-party Risk Management features or functionality were deprecated.

    Release Release notes

    Yokohama

    No updates for this release.

    Zurich

    No updates for this release.

    Australia

    No updates for this release.

    Activation information

    Review information on how to activate Third-party Risk Management.

    Release Release notes

    Yokohama

    Install Third-party Risk Management by requesting it from ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Zurich

    Install Third-party Risk Management by requesting it from ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Australia

    Install Third-party Risk Management by requesting it from ServiceNow Store.

    Additional requirements

    If any additional requirements were introduced or changed for Third-party Risk Management, we have noted them here.

    Release Release notes

    Yokohama

    No updates for this release.

    Zurich

    No updates for this release.

    Australia

    No updates for this release.

    Browser requirements

    If any specific browser requirements were introduced or changed for Third-party Risk Management, we have noted them here.

    Release Release notes

    Yokohama

    No updates for this release.

    Zurich

    No updates for this release.

    Australia

    No updates for this release.

    Accessibility information

    Review details on accessibility information for Third-party Risk Management, such as specific requirements or compliance levels.

    Release Release notes

    Yokohama

    No updates for this release.

    Zurich

    Dark theme
    The new Coral theme includes a dark theme option for the Vendor Management Workspace and mobile experiences. This option is commonly used to alleviate eye strain and improve readability.

    Australia

    No updates for this release.

    Localization information

    If there are specific localization considerations for Third-party Risk Management, we have noted them here.

    Release Release notes

    Yokohama

    No updates for this release.

    Zurich

    No updates for this release.

    Australia

    No updates for this release.

    Highlight information

    If there are specific highlight considerations for Third-party Risk Management, we have noted them here.

    Release Release notes

    Yokohama

    • Pre-populate questionnaires for entities and engagements that are associated with the same active third party by using responses from complete questionnaires.
    • Respond to questionnaires by using a Microsoft Excel questionnaire template.
    • Explore and analyze assessment data at various levels by using the Third-party insights dashboard and the TPRM custom analytics dashboard.
    • Stay aligned with stricter regulatory compliance and emerging third-party risk governance by using the new Standardized Information Gathering (SIG) questionnaire content available for 2025.

    See Third-party Risk Management for more information.

    Zurich

    • Use the Document Management system in TPRM to centralize third-party documentation in a searchable repository with metadata, versioning, and access controls.
    • Use vertical navigation in the Vendor Management Workspace through a customizable panel grouped by related lists for improved access to third-party records, assessments, and performance pages.
    • Configure risk areas with weighted questions and scored responses for internal assessments using the Smart Assessment Engine in the Vendor Management Workspace.
    • Use the latest Smart Assessment Engine questionnaire templates to perform internal and external assessments.
    • Use the enhanced Digital Resilience Third-party Information Register features in the Vendor Management Workspace.

    See Third-party Risk Management for more information.

    Australia

    • Enhance DORA Register of Information reporting with optional currency conversion and third‑party expense aggregation to generate consistent, regulator‑ready reports.
    • Review the simplified third‑party elements process in the due diligence workflow.
    • Access the unified content management module in the Vendor Management Workspace to view a centralized library of smart assessment templates.

    Early availability

    Use generative AI to recommend TPRM issues for reviewer validation.

    Australia Patch 1

    Review the updated AI experience with three licensing tiers.

    See Third-party Risk Management for more information.