Integrating Third-party Risk Management with GRC: Policy and Compliance Management
Summary of Integrating Third-party Risk Management with GRC: Policy and Compliance Management
The integration between Third-party Risk Management and GRC: Policy and Compliance Management enables automated and dynamic compliance assessment of third parties and engagements through questionnaire responses. Compliance managers with the appropriate role can associate controls and control objectives with specific questions, third parties, and engagements to streamline compliance monitoring in a unified environment.
Key Features
- Control and Control Objective Association: Compliance managers can link controls and control objectives to specific questionnaire questions, third parties, and engagements. This association ensures controls are applied to relevant third parties or engagements.
- Questionnaire-Driven Compliance Status Updates: Responses from third parties to questionnaires automatically update the compliance status of linked controls. Correct answers maintain compliance, while incorrect answers mark controls as non-compliant.
- Multiple Control Objectives per Question: Each question in a questionnaire template can be linked to multiple control objectives, enabling granular compliance assessment.
- Entity Categorization: All third parties are categorized as Vendors, ensuring consistent representation as entities within the system.
- Read-Only Consumption in Third-party Risk Management: Compliance objects such as controls and control objectives are authored and managed within Policy and Compliance Management and consumed in a read-only manner by Third-party Risk Management.
- Manual Associations: Users can manually add controls to third parties or engagements and associate control objectives with questionnaire questions to customize compliance assessments.
- Monitoring Capability: Both Policy and Compliance Management users and Third-party Risk assessors can monitor the compliance status of controls in real time.
- SAE Questionnaires Note: Although direct mapping of control objectives to questions is not supported in SAE questionnaires, compliance can be flagged post-assessment.
Practical Benefits for ServiceNow Customers
- Automates compliance status updates based on real-time questionnaire responses from third parties, reducing manual effort and errors.
- Enables detailed and granular compliance assessments by linking multiple control objectives per question.
- Enhances visibility and monitoring of third-party compliance through integrated dashboards accessible to compliance managers and risk assessors.
- Supports tailored compliance management by allowing manual control associations tailored to specific third parties and engagements.
- Ensures consistent entity categorization for accurate tracking and reporting of third-party risk.
The GRC: Policy and Compliance Management integration updates the compliance status of controls and control objectives based on the questionnaire responses from a third party or engagement. Compliance managers [sn_compliance.manager] can associate controls and control objectives with specific questions, third parties, and engagements used in Third-party Risk Management.
If you have the Policy and Compliance Management application installed, users with the Compliance Manager role can perform several key tasks that help manage and assess third-party compliance.
- You can associate third parties and engagements with specific control objectives. This association results in controls being applied to the third party or engagement.
For more information, see Manually add a control to a third party or engagement.
- You can individually link each question in a questionnaire template to multiple control objectives. This enables a granular and detailed assessment of compliance.
For more information, see Manually add a control objective to a question.
- When third parties and engagements respond to questionnaires, the system automatically updates the compliance status of the linked controls. If they provide an incorrect answer, the associated controls are marked as non-compliant. Conversely, correct answers keep the controls compliant.
All third parties are automatically categorized into an entity type called Vendors. This helps ensure that each third party and engagement is represented as an entity.
When an entity, such as a third party or engagement, is associated with a control objective, a corresponding control is created for that entity. This association links the third party or engagement with the control, and the entity's questionnaire responses can then influence the compliance status of that control.
In the context of Third-party Risk Management, each question in a questionnaire template can be individually linked to multiple control objectives through a related list. When a questionnaire is sent to a third party and the third party responds with an incorrect answer, the controls associated with the linked control objectives are marked as non-compliant. Conversely, if the third party provides the correct answer, the controls remain compliant.
This feature helps ensure that the compliance status of controls is dynamically updated based on the third party's or engagement's responses, providing a real-time and accurate assessment of their compliance. Both Policy and Compliance Management users and Third-party risk assessors [sn_vdr_risk_asmt.vendor_assessor] can monitor the status of a control.
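The following is an added illustration, not ServiceNow code, of the relationships the preceding paragraphs describe: a question can map to several control objectives, associating an entity (third party or engagement) with a control objective creates a control for that entity, and an incorrect questionnaire response marks every control behind the linked objectives non-compliant while correct answers leave them compliant. All identifiers (question and objective names, the vendor name, the answers) are constructed sample data; the only rule it encodes beyond the text is that an unanswered question leaves a control's status untouched.

```python
"""Simplified model of questionnaire-driven control status (added example, not ServiceNow's implementation)."""
from dataclasses import dataclass

COMPLIANT = "compliant"
NON_COMPLIANT = "non_compliant"


@dataclass(frozen=True)
class Question:
    question_id: str
    correct_answer: str
    control_objectives: frozenset  # one question may be linked to several objectives


@dataclass
class Control:
    entity: str            # the third party or engagement this control applies to
    control_objective: str
    status: str = COMPLIANT


def associate(entity, control_objectives):
    """Associating an entity with control objectives creates one control per objective."""
    return [Control(entity=entity, control_objective=co) for co in sorted(control_objectives)]


def evaluate_responses(controls, questions, responses):
    """Update control status from one entity's questionnaire responses.

    responses maps question_id -> answer given. A control becomes non-compliant if any
    question linked to its objective was answered incorrectly, and compliant if every
    answered question linked to it was correct. Unanswered questions change nothing.
    """
    failed, passed = set(), set()
    for q in questions:
        if q.question_id not in responses:
            continue
        given = responses[q.question_id].strip().lower()
        target = passed if given == q.correct_answer.strip().lower() else failed
        target.update(q.control_objectives)
    for c in controls:
        if c.control_objective in failed:       # an incorrect answer always wins
            c.status = NON_COMPLIANT
        elif c.control_objective in passed:
            c.status = COMPLIANT
    return {c.control_objective: c.status for c in controls}


# Constructed sample questionnaire template: Q1 is linked to two objectives.
SAMPLE_QUESTIONS = [
    Question("Q1", "Yes", frozenset({"CO-ENCRYPTION", "CO-KEY-MGMT"})),
    Question("Q2", "Yes", frozenset({"CO-ACCESS-REVIEW"})),
    Question("Q3", "Yes", frozenset({"CO-CONTINUITY"})),
]


def demo():
    """Run the sample: the vendor answers Q1 incorrectly, Q2 correctly, and skips Q3."""
    controls = associate("Acme Vendor (sample)",
                         {"CO-ENCRYPTION", "CO-KEY-MGMT", "CO-ACCESS-REVIEW", "CO-CONTINUITY"})
    responses = {"Q1": "No", "Q2": "yes"}
    return evaluate_responses(controls, SAMPLE_QUESTIONS, responses)


if __name__ == "__main__":
    for objective, status in demo().items():
        print(f"{objective}: {status}")
```

Running the sample marks both controls behind Q1 non-compliant, leaves the access-review control compliant, and leaves the continuity control at its prior status because Q3 was not answered; this is the behaviour to expect when only part of a questionnaire has been completed.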
Third-party Risk Management consumes compliance objects in a read-only capacity. Controls and control objectives are authored and managed in GRC: Policy and Compliance Management.
For more information on implementing Policy and Compliance Management, see Implementing Policy and Compliance Management.