Third-party risk management data model

  • Release version: Australia
  • Updated March 12, 2026
  • 8 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Third-party risk management data model

    The Third-party Risk Management (TPRM) data model in ServiceNow supports assessing, monitoring, and mitigating risks related to third parties within your risk management program. It is part of the Governance, Risk, and Compliance suite and enables comprehensive management of third-party risk through structured data components, relationships, and workflows.

    Show full answer Show less

    Key Components and Relationships

    • Core Data Entities: Includes third parties (companies), engagements, risk assessments (internal, tiering, external), due diligence requests, risk intelligence scores, issues, and contacts.
    • Assessment Structure: Uses assessment templates, questionnaire templates, and metrics organized by categories to facilitate risk evaluations.
    • Risk Scoring: Configurable scoring rules aggregate external risk assessment scores to engagements and third parties using criteria such as minimum, maximum, average, and weighted scores.
    • Risk Intelligence: Integrates provider services and risk intelligence scores with subfactors to enhance risk insight.
    • Smart Assessment Engine (SAE): Supports advanced assessments using SAE questionnaire templates, scoring normalization, and post-assessment automation like issue generation and workflow triggers.
    • SBOM Integration: Tracks Software Bill of Materials (SBOM) records linked to third parties and engagements for enhanced risk visibility.

    Roles and Permissions

    TPRM defines specific roles to manage third-party risk processes effectively:

    • Approver: Approves due diligence requests.
    • Contract Negotiator: Handles contract risk during onboarding.
    • Assessment Reviewer: Edits assessments.
    • Vendor Assessor: Manages third parties, contacts, assessments, and issues.
    • Vendor Risk Manager: Oversees third-party contacts, assessment and questionnaire templates, documentation requests, and scheduled assessments.
    • Vendor Risk Admin: Has full control over vendor risk data and assessment metrics.

    Practical Benefits for ServiceNow Customers

    • Comprehensive Risk Management: The data model enables detailed risk assessments, due diligence, and scoring for third parties, facilitating continuous risk monitoring.
    • Configurable and Extensible: Customers can customize scoring rules, assessment templates, and workflows without code changes to fit organizational needs.
    • Integrated Risk Intelligence: Incorporates external risk data to enhance decision-making related to vendor risk.
    • Streamlined Assessments: Supports automated workflows and advanced assessment capabilities via the Smart Assessment Engine.
    • Role-based Access: Ensures appropriate governance by assigning clear responsibilities and permissions across the risk management lifecycle.
    • SBOM Tracking: Provides visibility into software components within third-party engagements, aiding in supply chain risk management.

    Next Steps

    To effectively leverage the TPRM data model, ServiceNow customers should:

    • Assign relevant roles to team members to manage permissions and responsibilities.
    • Configure assessment templates and scoring rules to reflect your organization’s risk criteria.
    • Utilize the Smart Assessment Engine to enhance assessment precision and automate risk workflows.
    • Incorporate risk intelligence provider data to supplement internal assessments.
    • Integrate SBOM data collection to strengthen supply chain risk visibility.

    Use the Third-party Risk Management (TPRM) data model to assess, monitor, and mitigate the risks for your risk management program.

    TPRM data model overview

    The Third-party Risk Management application is one of the Governance, Risk, and Compliance products.

    The following model is used to support TPRM's capabilities.

    Figure 1. TPRM data model
    Relationship between due diligence, third-party management, policy and compliance, and risk main tables. For a text description, refer to the text that follows.

    The third-party risk assessment data model includes various components and relationships:

    Components:
    • Risk intelligence score [sn_vdr_risk_asmt_security _score]
    • Internal assessment [sn_vdr_asmt_internal_assessment]
    • Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Event-driven management history [sn_tprm_dd_rule_execution_history]
    • Third-party due diligence request [sn_tprm_dd_request]
    • Company [core_company]
    • Event-driven management rule [sn_tprm_dd_generation_rule]
    • Third-party risk assessment [sn_vdr_risk_asmt_assessment]
    • Third-party engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Vendor contact [vm_dr_contact]
    • Assessment metric type [asmt_metric_type]
    • Assessment template [sn_vdr_risk_asmt_assessment_template]
    • Third-party risk issue [sn_vdr_risk_asmt_issue]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]
    • Risk [sn_risk_risk]
    • Control [sn_compliance_control]
    Relationships:
    • The third-party risk assessment component can have a one-to-many relationship with the following components:
      • Event-driven management histories
      • Third-party due diligence requests
      • Company
      • Third-party engagements
      • Third-party risk issues
      • Assessment templates
    • The Event-driven management histories component can have a many-to-one relationship with the Event-driven management rules component.
    • The Event-driven management rules component can have a one-to-many relationship with the Assessment metric type component and the Assessment template component.
    • The third-party engagement component can have a one-to-many relationship with the following components:
      • Company
      • Engagement risk scoring rule
      • Third-party risk issue
    • The Third-party engagement component can have a many-to-many relationship with the Vendor contact component.
    • The Vendor contact component can have a one-to-many relationship with the Company and a Third-party risk issue component.
    • The Engagement level risk rating component can have a one-to-many with the Third-party engagement component.
    • The Third-party engagement component is related to the Risk and Control component.
    • The Risk intelligence score component is related to the Third-party due diligence component.
    • The Tiering assessment component can have a one-to-many relationship with the following components:
      • Third-party due diligence
      • Third-party engagement
      • Company
    • The Tiering assessment component can have a many-to-many relationship with the Assessment metric type component.
    • The Third-party due diligence component can have one-to-many relationships with the following components:
      • Event-driven management history
      • Third-party risk assessment
      • Company
    • The following components are related to Risk due diligence:
      • Event-driven management rule
      • Event-driven management history
      • Third-party risk due diligence request
    • The following components are related to Third-party management:
      • Risk intelligence score
      • Internal assessment
      • Tiering assessment
      • Third-party risk assessment
      • Third-party engagement
      • Assessment template
      • Third-party risk issue
      • Engagement risk scoring rule
      • Engagement level risk rating
    • The internal assessment component is an extension of the tiering assessment component.
    • The Control component is related to Policy and Compliance Management.
    • The Risk component is related to Risk Management.
    • The following components are Global:
      • Vendor contact
      • Company
      • Assessment metric type
    The following table lists the roles that are required for the components in the TPRM data model.
    Table 1. Roles for the TPRM data model
    Role Description
    sn_vdr_risk_asmt.approver Approve due diligence requests in the third-party risk management process.
    sn_vdr_risk_asmt.contract_negotiator Work in the contract risk process stage of the onboarding process.
    sn_vdr_risk_asmt.vendor_assessment_reviewer Edit assessments.
    sn_vdr_risk_asmt.vendor_assessor Manage third parties, third-party contacts, third-party risk assessments, and issues, and complete third-party risk assessment requests.
    sn_vdr_risk_asmt.vendor_risk_admin Have full control over all vendor risk management data and assessment metric types.
    sn_vdr_risk_asmt.vendor_risk_manager Manage third parties, third-party contacts, third-party assessment templates, questionnaire templates, documentation request templates, and scheduled assessments.

    For more information on the roles, see Roles in Third-party Risk Management.

    Core components

    TPRM is based on sending assessments and calculating scores from the received responses.

    You can use these core components to perform assessments:
    • Third-party risk assessment
    • Third-party engagement
    • Third-party due diligence
    • Scoring setup
    • Risk intelligence

    The following diagram shows the main tables and flow for a third-party risk assessment of the TPRM data model.

    Figure 2. Third-party risk assessment data model
    Relationship between due diligence, third-party management, policy and compliance, and risk main tables or third-party risk assessments. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the Third-party risk assessment data model.

    Components:
    • Internal assessments [sn_vdr_risk_asmt_internal_assessment]
    • Tiering assessments [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • External assessments [sn_vdr_risk_asmt_assessment]
    • Assessment template [sn_vdr_risk_asmt_template]
    • Questionnaire templates [asmt_metric_type]
    • Questionnaire instance [asmt_assessment_instance]
    • Category [asmt_metric_category]
    • Metric [asmt_metric]
    Relationships:
    • The Metric component can have a many-to-one relationship with the Category component.
    • The Category component can have a many-to-one relationship with the Questionnaire component.
    • The Questionnaire templates component can have a many-to-one relationship with the following components:
      • Assessment template
      • Tiering assessments
      • External assessments
    • The Questionnaire instance component can have a many-to-one relationship with the following components:
      • External assessments
      • Tiering assessments
    • The Assessment template component can have a one-to-many relationships with the following components:
      • Tiering assessments
      • External assessments
    • The Internal assessment component is an extension of the Tiering assessment component.
    • The Internal assessment components are related to Risk due diligence.
    • The following components are related to Third-party management:
      • Tiering assessments
      • External assessments
      • Assessment templates
    • The following components are Global:
      • Questionnaire templates
      • Category
      • Metric
      • Questionnaire instance

    For more information on assessments, see Assessing your third-party risk.

    The following diagram shows the main tables and flow that are used for the due diligence in the TPRM data model.

    Figure 3. Due diligence data model
    Relationship between the risk due diligence, third-party management, policy and compliance, and risk main tables used for due diligence. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the due diligence data model.

    Components:
    • Third party [core_company]
    • Engagements [sn_vdr_risk_asmt_vendor_engagement]
    • Due diligence [sn_tprm_dd_request]
    • Issues [sn_vdr_risk_asmt_issue]
    • Tasks [sn_vdr_risk_asmt_task]
    • Vendor contacts [vm_vdr_contact]
    • Risk intelligence scores [sn_vdr_risk_asmt_security_score]
    • External assessments [sn_vdr_risk_asmt_assessment]
    • Tiering assessments [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Internal assessments [sn_vdr_risk_asmt_vdr_internal_assessment]
    Relationships:
    • The Third party component has a one-to-many relationship with subsidiaries.
    • The Third party component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • External assessments
      • Tiering assessments
      • Risk intelligence scores
      • Issues
      • Tasks
    • The Due diligence component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • Tiering assessments
      • Risk intelligence scores
    • The Engagements component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • External assessments
      • Tiering assessments
      • Issues
      • Tasks
    • The Third party component is related to the Due diligence component.
    • The Engagements component is related to the Due diligence component.
    • The External assessments component is related to the Due diligence component.
    • The Internal assessment component is an extension of the Tiering assessment component.
    • The following components are related to Risk due diligence:
      • Due diligence
      • Internal assessments
    • The following components are related to Third-party management:
      • Engagements
      • Issues
      • Tasks
      • Risk intelligence scores
      • External assessments
      • Tiering assessments
    • The following components are Global:
      • Third party
      • Vendor contact

    The following diagram shows the required roles, processes, and choices that are part of the due diligence workflow.

    Figure 4. Due diligence workflow
    Work flow that shows the required roles, processes, and choices that exist as part of the due diligence workflow.

    For more information on the due diligence workflow, see Due diligence workflow.

    The following diagram shows the main tables that are used for scoring the TPRM data model.

    Figure 5. Scoring data model
    Relationship between due diligence, third-party management, policy and compliance, and risk main tables that are used for scoring risk. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the scoring data model.

    Components:
    • Third party [core_company]
    • Third-party risk scoring rule [sn_vdr_risk_asmt_vendor_risk_scoring _rule]
    • Component criteria [sn_vdr_risk_asmt_component_criteria]
    • Components [sn_vdr_risk_asmt_component]
    • Engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Risk area criteria [sn_vdr_risk_asmt__risk_area_criteria]
    • Risk domains [sn_vdr_risk_asmt_risk_area_definition]
    Relationships:
    • The Risk area criteria component has a one-to-many relationship with the Risk domain component.
    • The Risk area criteria component has a one-to-one relationship with the Engagement risk scoring rule component and the Third-party risk scoring rule component.
    • The Engagement risk scoring rule has a one-to-many relationship with the Engagement component.
    • The Component criteria has a one-to-many relationship with Components.
    • The Component criteria has a one-to-one relationship with the Third-party risk scoring rule component.
    • The Third-party risk scoring rule component has a one-to-many relationship with the Third-party component.
    • All of these components are related to Third-party management.

    Use the scoring setup in TPRM configure how the scores from the external risk assessments are aggregated to the engagements and third parties. The criteria tables have the information that is related to the aggregation of the scores of multiple records (MIN, MAX, AVG) or from multiple tables (weights for each table). Use the scoring rules to group third parties or engagements and assign criteria. You can configure all the records in these tables without any customization.

    For more information on scoring, see Scoring calculations using the classic assessment engine.

    The following model diagram shows the main tables that are used for risk intelligence in the TPRM data model.

    Figure 6. Risk intelligence model
    Relationship between the risk due diligence, third-party management, policy and compliance, and risk main tables. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the Risk intelligence data model.

    Components:
    • Third party [core_company]
    • Provider Services [sn_vdr_risk_asmt_tpss_provider]
    • Risk intelligence scores [sn_vdr_risk_asmt_security_score]
    • Score subfactors [sn_vdr_risk_asmt_tpss_subfactor]
    Relationships:
    • The Risk intelligence providers component has a one-to-many relationship with the Providers Services component.
    • The Providers Services component has a one-to-many relationship with the Risk intelligence scores component.
    • The Risk intelligence scores component has a one-to-many relationship with the Scores subfactors component.
    • The Risk intelligence scores component is related to the Risk intelligence providers component.
    • All of these components are related to Third-party management.

    For more information on risk intelligence, see Risk intelligence report requests management.

    SAE TPRM data model

    The following model diagram shows the main tables that are used for Smart Assessment Engine in TPRM.

    Figure 7. SAE TPRM data model
    For a text description, refer to the text that follows.

    Here are the components and relationships that make up the SAE TPRM data model.

    Components:
    • Assessment to SAE Questionnaire Templates [sn_vdr_risk_asmt_m2m_tiering_sae_template, sn_vdr_risk_asmt_m2m_tpra_sae_template]
    • TPRM Assessments [sn_vdr_risk_asmt_assessment, sn_vdr_risk_asmt_internal_assessment]
    • Engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Scoring Rules [sn_vdr_risk_asmt_vendor_risk_scoring_rule, sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • SAE Instance [sn_smart_asmt_instance]
    • SAE Questionnaire Template [sn_vdr_risk_asmt_sae_questionnaire_template]
    • SAE Rating Scale [sn_vdr_risk_asmt_sae_rating_scale]
    • Scoring Normalization (represented by SAE rating scale and score‑mapping tables: sn_vdr_risk_asmt_sae_rating_scale, sn_vdr_risk_asmt_score_mapping)
    • Issue-generation rule [sn_vdr_risk_asmt_issue_generation_rule]
    • Post-assessment Automation (issue generation, workflow triggers)
    Relationships:
    • The Assessment to SAE Questionnaire Templates component has a many-to-one relationship with TPRM assessments.
    • The Assessment to SAE Questionnaire Templates component has a one-to-one relationship with the SAE instance component.
    • The TPRM Assessments component has a many-to-one relationship with the Engagement component.
    • The Engagement component has a many-to-one relationship with the Scoring Rules component.
    • The SAE Questionnaire Template component has a many-to-many relationship with the SAE Rating Scale component.
    • The SAE Rating Scale component has a one‑to‑many relationship with the Scoring Normalization component.
    • The SAE Questionnaire Template component has a many-to-one relationship with the Issue-generation rule component.
    • The SAE Questionnaire Template component has a one-to-many relationship with the Post-assessment Automation component.

    For more information on Smart Assessment Engine and TPRM, see Smart assessments with Third-party Risk Management.