Exploring Third-party Risk Management

  • Release version: Australia
  • Updated March 12, 2026

    The Third-party Risk Management application centralizes and standardizes the processes, source materials, responsible persons, and methods of your third-party risk management program. You can improve your operations by managing your portfolio of third parties and by identifying, tracking, and mitigating the issues that arise with third parties.

    Third-party Risk Management overview

    To protect your organization's assets, reputation, and operations, your third-party risk management program must identify, assess, and mitigate the risks that are associated with external parties. The TPRM application helps you to prevent your outsourced providers, partners, and suppliers from creating a business disruption or a negative impact on your business performance. By using the TPRM application, you can reduce the manual burden and costs of your risk assessment process through automation.

    TPRM brings all third-party risk information into one environment.

    The following key capabilities can help you to assess risk more effectively:
    • Onboarding, offboarding, renewal, and additional due diligence workflows
    • Assessment management
    • Continuous risk monitoring
    • Risk performance management

    Third-party Risk Management Users

    Table 1. Users

    Due diligence requesters
    Requesters can be any employee at your organization who is interested in onboarding, reassessing, or offboarding an engagement.

    For more information on the different types of due diligence requests, see Requesting third-party risk due diligence.

    TPRM Assessors
    TPRM assessors are members of the Risk manager's team who help mitigate the risk of a potential engagement by reviewing the information collected through the due diligence process. They can be assigned as owners of due diligence requests based on their expertise or knowledge of the engagement.

    Here are some examples of different types of assessors and how they affect the due diligence process for TPRM:
    • Compliance Risk Assessor: Confirms that engagements comply with industry standards, legal requirements, and contractual obligations. They regularly review engagement processes and activities to help ensure compliance.
    • Cybersecurity Risk Assessor: Evaluates the cybersecurity practices and infrastructure of engagements to protect against data breaches and cyber threats. They regularly review the engagement's security measures and suggest necessary enhancements.
    • Operational Risk Assessor: Analyzes the existing operational practices of engagements, focusing on aspects such as business continuity, supply chain logistics, and quality of service. They regularly review the engagement's operational practices to help ensure that they align with the organization's standards and that appropriate contingencies are in place for potential disruptions.

    TPRM Approvers
    TPRM approvers are typically senior members of the organization. They're responsible for the final review and approval of the due diligence findings. They help confirm that all risk management requirements have been satisfactorily addressed before proceeding with any third-party engagement, whether it involves onboarding, continuing, or offboarding an engagement.

    Here are some examples of different types of approvers:
    • Senior Risk Manager: Oversees risk management strategies and their alignment with organizational goals.
    • Chief Compliance Officer: Responsible for the company's adherence to legal standards and internal policies.
    • Legal Executive: A senior member of the legal team who ensures that all contractual and regulatory requirements are met.

    Contract negotiator
    Contract negotiators orchestrate and finalize agreements between your organization and potential engagements. They use all the information collected through the due diligence process to help ensure that all contracts reflect your strategic interests and adhere to your risk management protocols.

    Risk Manager
    Risk managers lead thorough risk assessments of third parties and engagements. Based on the information collected and reviewed by the Risk manager and their team, they prioritize risks, develop mitigation strategies, and use TPRM to monitor and manage ongoing third-party relationships effectively.

    TPRM Admin
    Administrators manage user roles, permissions, and system settings to set up TPRM to meet your organization's specific risk management needs and compliance requirements.

    For more information on TPRM roles, see Roles in Third-party Risk Management.

    Third-party Risk Management workflow

    The following infographic shows the workflow of the most important processes that you can use to manage risk.

    [Infographic: shows where the processes in the due diligence workflow are performed. For the text description, refer to the workflow steps that follow.]

    Request due diligence for an engagement

    An employee at your organization requests due diligence for a third-party engagement. The due diligence request is reviewed and approved by the Third-party risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager].

    For more information, see Requesting third-party risk due diligence.
    Assess risk using an internal assessment containing an Inherent Risk Questionnaire (IRQ)

    An IRQ is a set of questions that scores and scopes the due diligence required for the third parties or engagements. After the due diligence request is approved, the TPR manager or the TPR assessor [sn_vdr_risk_asmt.vendor_assessor] who has been assigned as the owner of the due diligence request selects an IRQ and attaches it to an internal assessment.

    Note:
    After the IRQ process enters the IRQ in progress state, you can request risk intelligence reports associated with your due diligence request. For more information, see Using risk intelligence reports and scores and Request a risk intelligence report associated with a due diligence request.

    For more information, see Assessing your third-party risk.

    Create third-party elements

    After your due diligence request has completed the IRQ process, if third-party (TP) elements are needed, the TPR manager or due diligence request owner selects Start collection and a collection task is created. A third-party element questionnaire is sent to the third-party engagement contact. The TPR manager or owner manually creates third-party element records based on the responses.

    For more information, see Assessing your third-party risk and Monitoring third-party elements.

    Assess risk using an external assessment

    After the IRQ process or TP element collection process is completed, the TPR manager or owner selects questionnaires and requests for documentation to attach to external assessments for sending to the third party or engagement. For more information on creating assessments, see Create an external assessment and Third-party risk assessment form.

    For more information on this process, see Assessing your third-party risk and Monitoring third-party elements.

    Note:
    If you have any integrated risk intelligence, relevant information is pulled at this time.

    Integrate scores using risk intelligence providers

    Your organization can purchase services from providers that return data that is analogous to personal credit scores. The scores provide insight on how trustworthy and safe a particular third party can be.

    For more information, see Integrating scores from risk intelligence providers.

    Request risk intelligence reports and scores

    If you are the TPR assessor and are the due diligence request owner or have the TPR manager role, you can use the TPRM application to request scores or reports for third parties by using the risk intelligence request form. After the reports and scores are generated by the risk intelligence provider, the links to these reports are delivered and associated with that risk intelligence report record. If you have any integrated risk intelligence, relevant information is pulled at this time. For more information, see Using risk intelligence reports and scores.

    View scores and related information

    The information gathered is scored and combined into a single view of the due diligence process to display all scores, completed questionnaires, issues, approvals, and comments.

    For more information on scoring, see Scoring calculations using the classic assessment engine and Verifying scoring calculations using the classic assessment engine. See Classic assessment configuration for information on how scoring can be configured at the assessment and questionnaire level.

    Approve due diligence requests

    All approvers can review due diligence and see the detailed information before making an approval. After all approvers approve the due diligence request, all the due diligence information can be made available for the person that is negotiating the contract. The contract risk process only applies if a contract is required.

    For more information, see Approving or rejecting requests for due diligence.

    Negotiate a contract

    The contract negotiator can see the detailed information of all the scores and questionnaires. If additional due diligence is required, they can request it. If the contract negotiator successfully executes a contract with the third party, they can upload it and specify that the contract is executed. This action automatically notifies all key stakeholders of the contract's status. The contract negotiator can also skip the contract risk process, reject the due diligence request, or specify that the contract isn’t executed and that the third party isn't engaged for business.

    Note:
    If the third-party risk manager or owner selects the Skip contract risk process option during the due diligence process, the assigned contract negotiator isn’t notified and the Contract risk process state is skipped. An approver and owner can update the Skip contract risk process selection up until the approval process is completed. For more information about this process, see Due diligence request process management.

    For more information on this process, see Managing the contract risk process.

    Monitor third-party risk

    TPR managers, TPR assessors, and Third-party assessment reviewers [sn_vdr_risk_asmt.vendor_assessment_reviewer] can monitor and review the performance of third parties with Vendor Management Workspace.

    For more information, see Monitoring your third-party risk.

    Manage the Third-party portal

    TPR managers can manage third-party contacts, including creating logins, assigning roles, and tracking progress on questionnaires and tasks through the Third-party portal. Third-party contacts can use the portal to respond to assessments, delegate tasks, and manage their information, with options to use Microsoft Excel templates or the SIG questionnaire for responses.

    For more information, see Managing the contract risk process.

    For an in-depth description of the TPRM Due diligence workflow, see Due diligence workflow.

    Note:
    Starting with version 19.1.x of the Third-party Risk Management application, the tiering questionnaire and external assessment reminders workflows are deprecated and migrated to Workflow Studio. If you have customized these workflows, they won’t be deprecated or migrated as part of this change.
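    The workflow steps above describe who may act at each stage and when the Skip contract risk process selection can still be changed. The following stand-alone JavaScript model is an added example, not ServiceNow or TPRM code: it encodes the request lifecycle as a state machine with role gating for each transition, enforces that risk intelligence reports can only be requested once the IRQ is in progress, and locks the skip selection once every approver has signed off. The two role identifiers are the ones quoted on this page; the state names, user objects, and method names are assumptions made for the example.

```javascript
// Added example, not ServiceNow code: a stand-alone model of the due diligence
// request lifecycle described on this page, with role gating for each step and
// the "Skip contract risk process" rule. The two role identifiers are quoted from
// the page; state names, user objects and method names are assumed.

const ROLE = {
  MANAGER: "sn_vdr_risk_asmt.vendor_risk_manager",
  ASSESSOR: "sn_vdr_risk_asmt.vendor_assessor",
};

// A user is a name plus a set of roles (constructed shape, not a platform record).
function makeUser(name, ...roles) {
  return { name, roles: new Set(roles) };
}

class DueDiligenceRequest {
  constructor(requester, approvers) {
    this.requester = requester;
    this.approvers = approvers;        // every approver must sign off
    this.state = "requested";          // assumed state names, in workflow order
    this.owner = null;                 // TPR manager, or the assigned TPR assessor
    this.approvals = new Set();
    this.skipContractRisk = false;
    this.riskIntelligenceReports = [];
    this.contractExecuted = null;
    this.log = [];                     // state transitions, for audit
  }

  // Only a TPR manager approves the request; the owner is the manager or an assessor.
  approveRequest(by, owner = by) {
    this.requireState("requested");
    if (!by.roles.has(ROLE.MANAGER)) throw new Error(`${by.name} is not a TPR manager`);
    if (!owner.roles.has(ROLE.MANAGER) && !owner.roles.has(ROLE.ASSESSOR)) {
      throw new Error("owner must be a TPR manager or TPR assessor");
    }
    this.owner = owner;
    this.move("irq_in_progress", by);
  }

  // Risk intelligence reports may be requested once the IRQ is in progress (page note).
  requestRiskIntelligence(by, reportName) {
    this.requireOwnerOrManager(by);
    this.requireState("irq_in_progress");
    this.riskIntelligenceReports.push(reportName);
  }

  // After the IRQ, third-party elements are collected only when they are needed.
  completeIrq(by, tpElementsNeeded) {
    this.requireOwnerOrManager(by);
    this.requireState("irq_in_progress");
    this.move(tpElementsNeeded ? "tp_element_collection" : "external_assessment", by);
  }

  completeCollection(by) {
    this.requireOwnerOrManager(by);
    this.requireState("tp_element_collection");
    this.move("external_assessment", by);
  }

  completeExternalAssessment(by) {
    this.requireOwnerOrManager(by);
    this.requireState("external_assessment");
    this.move("awaiting_approval", by);
  }

  // The owner or an approver may change the skip selection until approval completes.
  setSkipContractRisk(by, value) {
    if (by !== this.owner && !this.approvers.includes(by)) {
      throw new Error(`${by.name} may not change the skip selection`);
    }
    if (this.approvalComplete()) throw new Error("approval process already completed");
    this.skipContractRisk = value;
  }

  // The last approval moves the request on, straight to closed if contract risk is skipped.
  approve(by) {
    this.requireState("awaiting_approval");
    if (!this.approvers.includes(by)) throw new Error(`${by.name} is not an approver`);
    this.approvals.add(by);
    if (this.approvalComplete()) this.move(this.skipContractRisk ? "closed" : "contract_risk", by);
  }

  // The contract negotiator records the outcome; the request closes either way
  // (stakeholder notification is outside this model).
  recordContract(by, executed) {
    this.requireState("contract_risk");
    this.contractExecuted = executed;
    this.move("closed", by);
  }

  approvalComplete() { return this.approvers.every((a) => this.approvals.has(a)); }
  requireState(s) { if (this.state !== s) throw new Error(`expected ${s}, got ${this.state}`); }
  requireOwnerOrManager(by) {
    if (by !== this.owner && !by.roles.has(ROLE.MANAGER)) throw new Error(`${by.name} may not act here`);
  }
  move(next, by) { this.log.push(`${this.state} -> ${next} by ${by.name}`); this.state = next; }
}

// Worked end-to-end run on constructed users; returns the finished request.
function runWorkflow(skipContractRisk) {
  const manager = makeUser("mia", ROLE.MANAGER);
  const assessor = makeUser("ari", ROLE.ASSESSOR);
  const legal = makeUser("lee");
  const cco = makeUser("cam");
  const req = new DueDiligenceRequest(makeUser("employee"), [legal, cco]);
  req.approveRequest(manager, assessor);
  req.requestRiskIntelligence(assessor, "constructed-report-1");
  req.completeIrq(assessor, true);
  req.completeCollection(assessor);
  req.completeExternalAssessment(assessor);
  if (skipContractRisk) req.setSkipContractRisk(assessor, true);
  req.approve(legal);
  req.approve(cco);
  if (!skipContractRisk) req.recordContract(makeUser("neg"), true);
  return req;
}
```

    Running runWorkflow(false) walks a request through all six transitions, ending with the contract recorded as executed; runWorkflow(true) skips the contract risk state and closes directly after the final approval, which is the behaviour the note above describes. The transition log is the piece a reviewer would want: every state change names who made it, which is the kind of trail an approver checks before signing off.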

    Third-party Risk Management benefits

    The following table shows the benefits of the Third-party Risk Management application.

    Benefit: View important risk information and quickly access actions.
    Feature: TPRM Home page
    Users: All TPRM users

    Benefit: Use due diligence management reports to track, prioritize, and manage responsibilities.
    Feature: TPRM Due diligence management reports
    Users: All TPRM users

    Benefit: Identify and assess the potential risk that is associated with your third-party relationship.
    Feature: TPRM Risk activity page
    Users: All TPRM users

    Benefit: Pinpoint the geographical locations of active third parties and engagements. You can configure filters to view particular risk ratings and engagement types.
    Feature: TPRM Risk concentration map
    Users: All TPRM users

    Benefit: Prioritize assessments, issues, and tasks that need attention.
    Feature: TPRM Risk activity page
    Users: All TPRM users

    Benefit: Access tasks that are assigned to you and to members of your group.
    Feature: TPRM Task page
    Users: All TPRM users

    Benefit: Access all items that you can view or act on in TPRM.
    Feature: TPRM List page
    Users: All TPRM users

    Benefit: Use the engagement page to access all current information and status for a third party or engagement.
    Feature: Get an overview of a third party
    Users: All internal users

    Benefit: Import existing data (third parties, engagements, assessments, questionnaires, issues, and so on) from other systems (like the Aravo platform, the ProcessUnity platform, and so on). You aren't charged for importing the data.
    Feature: Import existing data from other systems
    Users: TPR Managers and TPR Admins

    Benefit: Work on all processes in the workflow for a due diligence request: IRQs, external due diligence, approval, contract risk, and closed requests.
    Feature: Monitoring the due diligence request process
    Users: TPR Managers and TPR Admins

    Benefit: Use the third-party portal as a primary point of interaction for third parties and risk assessors.
    Feature: Managing the Third-party portal
    Users: TPR Managers, TPR Assessors, and Third parties

    For more information on the terminology used in TPRM, see Terminology.

    What to explore next

    To learn more about configuring and using Third-party Risk Management, see: