Third-party risk assessment form

  • Release version: Australia
  • Updated March 12, 2026
  • 5 minutes to read

    • Use the third-party risk assessment form to capture all the information that you need to create an assessment using the Third-party Risk Management application. As a third-party risk assessor or manager, you can create an external assessment.

    Table 1. Third-party risk assessment form
    Field Description
    Name The name that identifies the third-party risk assessment on all forms and lists.
    Description A more detailed explanation of the purpose of the assessment.
    Number

    For each external risk assessment, the system auto-assigns a unique ID number that starts with the text VRA.

    The unique ID is used in all references to the item. You can use the ID to search or filter for the item that you want to work on.
    Applies to The party to which the assessment applies: Third party, Engagement, Entity.
    Third party The assessed third party.
    Note:
    You can reactivate a third party that is in Terminated status. If such a request is accepted and closed, the third party's status is changed to Active.
    Engagement Select the engagement to assess. The field is visible only if you selected Engagement from the Applies to field.
    Entity Select the entity to assess. The field is visible only if you selected Entity from the Applies to field.
    Note:
    This is an entity record created as part of the third-party element collection process. For more information, see Monitoring third-party elements.
    Repeating assessment The assessment used to create the current assessment.
    Note:
    You can create repeating assessments if you’re using the classic assessment engine. You can configure rules that auto-generate and send questionnaires and doc requests to engagements and third parties using the Event-driven management feature if you’re using the Smart Assessment Engine. For more information, see Configure a risk assessment to recur on a schedule and Event-driven management — automate assessment processes.
    Assessment template

    Select an assessment template to create questionnaires or document requests for this assessment.

    To use multiple templates to create multiple questionnaires or document requests for the assessment, leave the field empty.
    Due diligence request If there’s an existing due diligence request associated with this assessment, it’s listed here.
    Assessment Engine The assessment engine used for the Third-party risk assessment.

    This field is set to Smart.

    This field is only visible if you have enabled the Smart Assessment Engine enabled [sn_vdr_risk_asmt.sae_enabled] property. For more information about this property, see Configure TPRM properties.

    Note:
    When reviewing previous assessments, you can determine which engine was used by checking this field. If the assessment was created using the Classic assessment engine, the field displays Classic.
    State The process of collecting assessment data from a third party transitions through several states. See Life cycle states of a external assessment for detailed descriptions.
    Risk rating The overall risk rating for the third party.
    • Critical
    • High
    • Moderate
    • Low
    • Minor
    Note:
    The Risk rating is determined by finding a risk rating scale range in which the risk score falls. It defines how a minimum and maximum range of assessment scores maps to a qualitative risk score.
    Risk rating valid to The date the risk rating expires. The date must be later than the Risk rating valid to date on any associated questionnaires or document requests.
    Trigger by third-party tier Select the check box to initiate the assessment when the risk tier changes for the third party.
    Assigned to

    The individual who owns an assessment for audit purposes and monitors and manages overall assessment processes. The owner is responsible for confirming that the assessment is completed in a timely fashion by the third party, reviewing their responses, and creating and resolving issues. To drive the assessment to its completion, they are notified when an assessment reaches a particular milestone. They must have the TPR manager or TPR assessor role.
    Watch list Add users that should be notified when this record is modified.
    Risk Scoring
    Note:
    Risk ratings are calculated and displayed after assessment responses have been received.
    Computed risk rating Average of the third-party risk area risk ratings.
    Issue risk rating The risk rating for issues associated with the third parties being assessed. The issue risk rating is based on the priority of closed issues and how they were resolved.
    • If the issue was Closed Completed, it indicates that the issue was resolved.
    • If the issue was Closed Incomplete, it indicates that the third party failed to complete the associated questions.
    • If the issue was Closed Cancelled, it indicates that the issue didn’t need to be resolved.
    If the issue is closed and the State of the assessment isn’t closed or canceled, the Issue risk rating is recalculated and displayed.
    Note:
    The Computed risk rating isn’t affected by this calculation.
    Override risk rating Option to override the computed risk rating for the third party. When selected, any future changes made to the assessment risk rating affects only the computed risk rating, not the risk rating.
    Note:
    If the check box is selected and then deselected, the computed risk rating is used.
    Overridden risk rating Risk rating to override the current computed risk rating.

    If you selected Override risk rating, enter the new risk rating.
    Justification Justification for overridden risk rating.

    If you selected Override risk rating, you must enter a reason for the override.
    Assessment Schedule
    Planned duration (days) Estimated duration of the assessment.
    Note:
    This estimate includes the amount of time needed to receive responses and for internal and external users to review.
    Planned start date / Planned end date Planned start and completion dates and times for work on the assessment.
    Note:
    The Planned end date is automatically set to one month from the Planned start date. After the assessment is saved, this date can’t be changed.
    Actual duration The amount of time it took to complete the third-party risk assessment. This field is calculated using the Actual state date and Actual end date.
    Actual start date Date and time that work on the assessment began.
    Actual end date Completion date and time for the assessment.
    Questionnaire Schedule
    Planned duration (days) The amount of time given to the third party or engagement to complete all questionnaires.
    Review duration (days) Time allocated for the Assessment reviewer to review all questionnaires.
    Note:
    Users with the Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role can review and leave comments for the following:
    • Tiering assessments
    • Internal assessments
    • External assessments
    • Third-party risk issues
    • Third-party risk tasks
    • Third-party risk due diligence requests
    Submitted to third party Delivery date for third party questionnaires.
    Due date Deadline for third party to respond to and return all questionnaires.
    Note:
    The Due date is set to a duration of 10 days by default. You can extend the due date of a questionnaire by increasing the Planned duration (days); however, the Planned end date of the assessment won’t be updated.
    Completion date Actual date when third party completed all questionnaires.
    Responses expected by The date that your organization expects the responses to be returned by the third-party contact.
    Notes and Comments
    Work notes Information about the assessment. Work notes are visible to users assigned to the issue.
    Additional comments (Customer visible) Public information about the assessment.