Document Management system in Third-party Risk Management

  • Release version: Australia
  • Updated May 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Document Management system in Third-party Risk Management

    The Document Management System (DMS) in Third-party Risk Management (TPRM) centralizes the storage, organization, and management of third-party documents throughout the vendor lifecycle starting with version 21.1.x. It streamlines evidence tracking, minimizes duplication, and enhances audit readiness by enabling document reuse across assessments, contracts, issues, and tasks. Users can access DMS via the Vendor Management Workspace or the third-party portal, with role-based permissions controlling write and read access.

    Show full answer Show less

    Key Features

    • Third-party Portal Access: External contacts can upload and manage documents directly in the portal, while internal users manage documents within the Vendor Management Workspace.
    • Document Versioning and Metadata: Supports multiple versions per document, metadata tracking for classification and reporting, and full audit trails of document actions.
    • Linking and Traceability: Documents can be linked to multiple TPRM records such as tasks, issues, engagements, and assessments. This linking creates formal relationships for lifecycle tracking and reporting, with automatic roll-up of references without duplication.
    • Role-Based Permissions: Internal users manage permissions for primary contacts and other users, ensuring appropriate access controls.
    • Advanced Search and Reporting: Users can perform metadata-based searches and generate comprehensive reports on document inventory, linkage, and audit history to support compliance and operational insight.
    • Integration with Smart Assessment and Now Assist: DMS integrates with Smart Assessment Engine (SAE) to provide document availability during assessments, reducing manual effort. Now Assist AI-driven skills enhance workflows by summarizing issues, extracting data, and enabling quick Q&A on documents.

    Document Life Cycle and Collaboration

    Each document captures essential metadata—such as creation date, type, description, version, and status—that supports classification and workflow routing. Users with appropriate roles can upload new versions, view version history, and download attachments. All document actions, including approvals and rejections, are logged for transparency and audit purposes. Collaboration is enhanced through searchable audit logs and reporting capabilities that track document usage and relationships.

    Limitations

    • External users must download documents to view them; inline preview is not supported.
    • The third-party association field is optional when creating documents but required if linking to a third party.
    • Document creation and versioning are separate actions requiring distinct steps.

    Practical Benefits for ServiceNow Customers

    • Centralizes and simplifies management of third-party documents, improving operational efficiency and reducing redundancy.
    • Enhances compliance and audit readiness with detailed tracking and reporting of document activities and relationships.
    • Supports secure collaboration between internal teams and third parties through controlled access and portal capabilities.
    • Integrates with AI-powered tools to accelerate risk assessments and due diligence processes.

    Learn how the enhanced Document Management system supports third-party collaboration and internal workflows in Third-party Risk Management (TPRM).

    Document Management Overview

    Starting with version 21.1.x, the Document Management System (DMS) in Third-party Risk Management (TPRM) provides a centralized repository for storing, organizing, and managing third-party documents throughout the vendor life cycle. DMS streamlines evidence tracking, reduces duplication, and improves audit readiness by enabling document reuse across assessments, contracts, issues, and tasks. Access DMS in the Vendor Management Workspace or third-party portal to create, manage, and reference documents. Primary contacts manage permissions in the portal. TPR assessors [sn_vdr_risk_asmt.vendor_assessor], TPR managers [sn_vdr_risk_asmt.vendor_risk_manager], and TPR administrators have write access, while third-party assessment reviewers [sn_vdr_risk_asmt.vendor_assessment_reviewer] have read-only access. DMS supports metadata, version control, search, reporting, and audit tracking for all document actions.

    The DMS is accessible for internal users through the Documents module in the Vendor Management Workspace as shown in the following example.
    Figure 1. Document Management System in Vendor Management Workspace
    Documents module in the Vendor Management Workspace.
    The DMS is accessible for external users through the Third-party portal as shown in the following example.
    Figure 2. Document Management System in the Third-party portal
    DMS in the third-party portal. For detailed descriptions refer to the paragraphs preceding and following this image.

    Key capabilities

    • Third-party contacts can upload and manage documents using the third-party portal.

      For more information, see Upload and manage documents in the third-party portal.

    • Internal users can create and access document records through the Documents module in the Vendor Management Workspace.

      For more information, see Create a document record.

    • Users can manage document versions, download attachments, and track their metadata.

      For more information, see Create a document version.

    • Documents can be linked to multiple TPRM record types with auto-rollup:
      • Tasks
      • Issues
      • Engagements
      • Assessments

      For more information, see Link documents to a TPRM record.

    • Internal users can manage role-based permissions for primary contacts and other internal users.

      For more information, see Define document sharing permissions.

    • Each document version supports download options, advanced search and reporting for metadata and relationships, and complete audit tracking of actions and version history.

    Document life cycle and traceability

    Each document captures metadata including creation date, type, description, version, and status. Metadata is used for classification, reporting, and workflow routing.

    Each document supports multiple versions. TPR assessors, managers, and administrators can upload new versions, view version history, and download attachments for any version. Versions are sorted by creation date in descending order.

    Documents can be linked to assessments, engagements, issues, and tasks. These references automatically roll up to related third-party records. Duplicate references aren’t allowed.
    Note:
    A linked document is a document record associated with another record (assessment, engagement, issue, or task) for traceability and reporting. Linking creates a formal relationship that supports life-cycle tracking. A reference is the entry that represents this link, shown in the document’s References tab and the related record’s Documents list. Each reference includes metadata like record type and ID. The key difference is that linking is the action and a reference is the result. Multiple references to one document are possible, but duplicate references to the same record aren’t allowed.

    All document actions including uploads and version updates are tracked for audit purposes. Audit logs are accessible to authorized users.

    Collaboration and insights

    All actions, including approvals and rejections, are tracked in the audit log for transparency and reporting. You can search documents by metadata fields and generate reports on document usage, status, and relationships. Filters include document type, risk category, expiration date, and third-party association. You can generate reports on document usage, version history, and linked records using the Reports module or Performance Analytics.

    Report types can include:
    • Document inventory report with metadata and version details.
    • Linkage report showing documents associated with assessments, engagements, and tasks.
    • Audit report for document actions and life-cycle events.

    Now Assist document skills

    If your organization uses DMS and Now Assist for TPRM, you can leverage AI-driven skills to streamline document-heavy workflows. These capabilities reduce manual effort, improve accuracy, and accelerate risk tasks. Now Assist for Document Management and Now Assist for TPRM offer the following key skills:

    • TPRM issue summarization– Condenses complex third-party risk issues into actionable summaries, helping risk analysts review and respond faster.

      For more information, see TPRM issue summarization skill.

    • Smart documents – Summarizes risk management documents and provides quick Q&A, reducing manual review and speeding up due diligence.

      For more information, see Smart Documents Skill.

    • Extract information from documents – Uses AI to pull specific data points (such as risk indicators, compliance clauses, or contract terms) from large documents, reducing manual review time and improving accuracy.

      For more information, see Now Assist extract information from documents.

    For more information on Now Assist for Document Management skills, see Explore Now Assist in Document Management.

    Limitations

    • External users can’t preview documents due to restrictions; they must download documents from the portal to view them.
    • The third-party field is optional when creating a document. However, if the document is associated with a third party, this field is required. For internal documents with no third-party association, the field can remain empty.
    • Document creation and versioning currently require separate steps.