Assessing your third-party risk

  • Release version: Australia
  • Updated March 12, 2026
  • 9 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Assessing your third-party risk

    Third-party risk management in ServiceNow enables your organization to identify, assess, and mitigate risks associated with third-party relationships through a structured due diligence process. This process involves gathering information via internal and external questionnaires, collecting third-party elements, verifying compliance, and managing any issues or tasks that arise.

    Show full answer Show less

    Questionnaire Processes

    The inherent risk questionnaire (IRQ) process begins with approval from the Third-party Risk (TPR) manager or assessor, who assigns an internal assessor to respond. Questionnaire templates should not be modified after distribution; instead, duplicate templates should be used to maintain version integrity. This process helps evaluate the third party’s risk profile, covering financial, operational, quality, compliance, and delivery aspects.

    The third-party (TP) element collection process follows the IRQ and involves gathering additional information from third-party engagements through external assessments. Responses are reviewed and manually recorded as third-party element records. This step is optional but enhances the overall due diligence workflow.

    Due Diligence and Compliance Verification

    After collecting questionnaires and TP elements, the TPR manager or owner sends external assessments, including questionnaires and document requests, to third parties or engagements. If required, software bill of materials (SBOM) questionnaires are automatically included. Similar to internal questionnaires, templates must not be changed after distribution without reissuing.

    Responses are reviewed to verify compliance with laws, regulations, and internal policies, including data security and privacy practices. The TPR team may require cybersecurity audits or evidence of data protection measures when proprietary or customer data access is involved.

    Pre-populating questionnaires with previous responses is supported to streamline assessments, with certain question types excluded from pre-population. AI-assisted response drafting is available when enabled, leveraging past assessments and documentation.

    Managing Issues, Tasks, and Assessment Actions

    TPR assessors manage issues and tasks to address concerns from questionnaire responses or documentation reviews, ensuring timely remediation. Assessments can be reopened to gather additional information or canceled if quick closure is necessary, though due diligence requests still proceed to approval.

    Key Benefits for ServiceNow Customers

    • Standardized and efficient third-party risk assessment workflow using automated notifications and role assignments.
    • Maintains version control of questionnaires to ensure consistency and auditability.
    • Supports compliance verification with regulatory and organizational requirements, including cybersecurity and data privacy.
    • Enables reuse of questionnaire responses and AI-assisted drafting to accelerate assessments.
    • Facilitates issue tracking and task management to ensure effective risk mitigation.
    • Flexible assessment management with options to reopen or cancel assessments as business needs evolve.

    Use Third-party Risk Management to identify and assess potential risks that are associated with your third-party relationships. The information gathered from internal questionnaires, external questionnaires, and documentation requests helps you to understand the third party's risk profile, determine the appropriate risk mitigation strategies, and determine whether the third party or engagement meets all necessary compliance requirements.

    Responding to questionnaires

    The following processes outline the timing and methods for responding to internal and external questionnaires:

    Inherent Risk Questionnaire (IRQ) process

    The following infographic shows the IRQ process.


    Infographic that shows the IRQ process in the due diligence workflow. For the text description, refer to the process steps that follows.
    The following are the steps of the IRQ process.
    1. After the due diligence request is approved by the Third-party risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager] or TPR assessor [sn_vdr_risk_asmt.vendor_assessor] that has been assigned as the owner of the due diligence request, they select an IRQ and attach it to an internal assessment.
    2. The system sends out an email notification to the employee that has been assigned as the IRQ assessor [snc_internal].
    3. The IRQ assessor completes the internal assessment by responding to the IRQ.
    4. After the IRQ assessor submits their responses and the TPR manager or owner reviews and closes the IRQ, the due diligence request state updates from IRQ in progress to IRQ in review.
    Note:
    Don’t change a questionnaire template after it has been sent out as part of an internal assessment. Instead, duplicate the template by making a copy and make your changes in the new copy. If you update a questionnaire after it has been sent out, the changes won't appear in the version shown to the IRQ assessor. To send an updated version, you must cancel the existing questionnaire by deassociating it from the internal assessment and then add the questionnaire using the updated template. For more information, see Create a questionnaire or document request template, Create a questionnaire or document request template using the Designer, Create a TPRM SAE questionnaire or document request template.

    Based on the information gathered, the TPR manager and their team assess the potential risks that are associated with the engagement. They evaluate factors such as the financial stability, the operational capacity, the adherence to quality standards, the compliance with regulations, and the third party's ability to meet delivery timelines. This assessment helps the team to understand the third party's risk profile and to determine the appropriate risk mitigation strategies.

    For more information about IRQs or internal assessments, see Create an internal assessment and Respond to an internal assessment.

    Third-party (TP) element collection process: Collect TP element information

    The following infographic shows the TP element collection process.


    Infographic that shows the TP element collection process in the due diligence workflow. For the text description, refer to the process steps that follow.
    The following are the steps of the TP element collection process.
    1. After your due diligence request has completed the IRQ process, if TP elements are needed, the TPR manager or due diligence request owner selects Start collection and a collection task is created.
    2. The TPR manager or owner assigns TP element questionnaires to an external assessment for collecting elements and sends that assessment to a third-party engagement to collect required information for TP elements.
    3. The system sends out an email notification to the third-party engagement contact that has been assigned the TP element questionnaire.
    4. After the third-party engagement contact submits their responses, the TPR manager or owner reviews and verifies all the required information was provided in the questionnaires.
    5. The TPR manager or owner then navigates to the list of third-party elements and manually creates a third-party element record for each set of responses in each questionnaire.

      For more information, see Create a third-party element record.

    6. After all TP elements are created, the TPR manager or owner closes the collection task assessment. The system changes the state of the request from Collection in progress to Collection in review.
    7. The internal stakeholders (TPR assessor, TPR approver, TPR manager, or TPR administrator) review and approve the element records.

    This is an optional process for collecting TP elements and assigning them to engagements so that they can be assessed as part of the overall due diligence workflow. For more information on TP elements, see Monitoring third-party elements.

    Due diligence process: Compliance verification

    The following infographic shows the due diligence process.


    Infographic that shows the due diligence process in the due diligence workflow. For the text description, refer to the process steps that follows.
    The following are the steps of the Due diligence process.
    1. After the IRQ process or TP element collection process is completed, the TPR manager or owner selects questionnaires and requests for documentation to attach to external assessments for sending to the third party or engagement. For more information on creating assessments, see Create an external assessment and Third-party risk assessment form.
      Note:
      • If you completed the optional TP element collection process, a questionnaire must be selected and assigned as part of an assessment for each third-party element you created. The TP element questionnaires are completed by the engagement contact.
    2. The system sends out an email notification to the third-party and engagement contact that has been assigned each assessment.
      Note:
      Don’t change a questionnaire template after it has been sent out as part of an external assessment. Instead, duplicate the template by making a copy and make your changes in the new copy. If you update a questionnaire after it has been sent out, the changes won't appear in the version shown in the third-party portal. To send an updated version, you must cancel the existing questionnaire by deassociating it from the external assessment and then add the questionnaire using the updated template. For more information, see Create a questionnaire or document request template, Create a questionnaire or document request template using the Designer, Create a TPRM SAE questionnaire or document request template.
    3. After the third-party and engagement contacts submit their responses, the TPR manager or owner reviews and verifies all the required information was provided in the assessments. Issues and tasks are created if remediation or additional information is required.
    4. The TPR manager or owner approves and closes each assessment.

    The TPR manager can develop assessment templates to simplify and automate the process of determining which questionnaires and document requests to send to a third party of this type. The TPR administrator can define questionnaire templates, document request templates, and then the TPR manager can group them into an assessment template. Your organization can reuse the template to send the questionnaires and document requests to similar third parties in future assessments. For more information about templates, see Create an external assessment template, Create a questionnaire or document request template, and Create a questionnaire or document request template using the Designer.

    The TPR manager and their team use the third party's responses and internal analysis to determine whether the third party meets all the necessary compliance requirements. These requirements could include verifying the third party's compliance with applicable laws and regulations, such as environmental regulations, labor laws, and anti-corruption policies.

    Note:
    The third-party risk assessor, manager, or admin can answer questions, modify responses, and submit external questionnaires on behalf of third parties or engagements. For more information, see Respond to a questionnaire for a third party or engagement.

    Due to the sensitive nature of the items involved, the TPR manager and their team evaluate the third party's data security and privacy practices. They assess the third party's information security measures, data protection policies, access controls, and vulnerability management processes. If the third party has access to proprietary information or customer data, they might require the third party to undergo a cybersecurity audit or provide evidence of their data protection measures.

    For more information about reviewing responses, see Review responses to external questionnaires.
    Note:
    Your TPR assessor can export received or returned questionnaires to Microsoft Excel spreadsheets. This option enables your organization to use the spreadsheet environment to review the questions and answers. For more information about exporting questionnaire responses, see Export questionnaire responses to a spreadsheet.

    Pre-populate questionnaires with responses

    The TPR manager or TPR assessor can pre-populate questionnaires for third parties and engagements with responses from complete questionnaires associated with the same third party. After sending out the assessment, the questionnaire is pre-populated with all responses from the most recent completed version of that questionnaire, regardless of whether the original associated assessment is completed. This is helpful for questionnaires where responses are expected to remain consistent, expediting the process and enabling third-party contacts to review and update responses only if necessary. For more information on creating assessments, see Create an external assessment.
    Important:
    When the TPR manager or TPR assessor adds a questionnaire to an assessment, they have the option to select or deselect the Include previous responses option on the questionnaire page. The option can’t be changed after the questionnaire is sent to the third party. For more information, see Create a questionnaire or document request template and Assessment metric type form.

    When a third-party or engagement contact opens a pre-populated questionnaire in the Third-party portal, they receive a notification that the responses were copied from an earlier questionnaire. The notification includes a link to the assessment that supplied the responses and its last updated date as shown in the following example.

    Notification that the responses are copied from an earlier questionnaire.

    Limitations:
    • Some question types and their responses can’t be pre-populated such as the attachment, duration, and signature question types. These question responses remain blank and previous responses aren’t included.
    • Responses are copied from the original assessment (Assessment A) to the newer assessment (Assessment B) one time. This copying occurs when Assessment B is submitted to a third party or an engagement. Any changes you make to Assessment A afterward won't be reflected in Assessment B. Both assessments remain separate.

    Issues and tasks

    The role of TPR assessor [sn_vdr_risk_asmt.vendor_assessor] is required to create and manage both tasks and issues.

    The TPR manager, TPR assessor, or contract negotiator can create tasks to help ensure that a team member or the third-party contact responds to concerns about the questionnaire responses or requested documents. They can manage existing tasks to verify that the assigned team member or third-party contact responds to a task and updates it as needed. For more information about creating and managing issues, see Create a task for a third party or engagement and Manage a task for a third party or engagement.

    The TPR manager, TPR assessor, or contract negotiator can create an issue to help ensure the teams concerns about a third party or engagement are remediated. They can also manage the existing issues to verify that they’re understood, shared with the correct persons, and are acted on as needed. For more information about creating and managing tasks, see Create an issue for a third party or engagement and Manage issues.

    Additional assessment actions

    The TPR manager, due-diligence request owner, or contract negotiator may need to reopen an assessment because there’s new information available that impacts the engagement or some other change has occurred. For more information, see Why you conduct due diligence.

    If the TPR manager, due-diligence request owner, or contract negotiator must gather more information from an engagement, they can send out an additional questionnaire or document request by reopening an assessment and doing the following actions:
    1. Navigate to the Due diligence request record page by selecting the relevant DDR number.
    2. View the related third-party risk assessment by selecting the VRA number on the External assessments tab.
    3. Select Re-open.

    The due diligence request state updates from Ready for TPRM approval to Due diligence. The TPR manager, owner, or contract negotiator can request questionnaires and document requests as needed. For more information, see Reopen an assessment.

    If the TPR manager, due-diligence request owner, or contract negotiator doesn’t require an assessment for an ongoing engagement or requires a quick close for onboarding or renewing an engagement, they can cancel an assessment by doing the following actions:
    1. Navigate to the Due diligence request record page by selecting the relevant DDR number.
    2. View the related third-party risk assessment by selecting the VRA number on the External assessments tab.
    3. Select Cancel.
    Even if one or all assessments are canceled, the due diligence request proceeds to the Approval process.