Using risk intelligence reports and scores

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using risk intelligence reports and scores

    The Third-party Risk Management (TPRM) application in ServiceNow enables organizations to request and manage risk intelligence reports and scores from external providers. These reports help assess the trustworthiness and risk level of third parties by analyzing geopolitical, economic, compliance, and industry-specific factors. The process supports better-informed decision-making in third-party risk management programs.

    Show full answer Show less

    Key Features

    • Role-based Access: Users with roles such as TPR manager, TPR assessor (due diligence request owner), and contract negotiator can request risk intelligence reports or scores.
    • Request Process: Risk Intelligence Report (RIR) requests are submitted via a form, linked to third parties or due diligence requests to consolidate all related risk data.
    • Provider Setup: Providers and request types must be registered and configured by users with the TPR assessment reviewer role before reports can be requested.
    • Report Types: Reports can include credit risk, compliance, strategic risk, and other categories based on organizational needs.
    • Request Management: Requests move through defined states (Open, Order pending, Closed complete), with fields locked post-submission to prevent errors, and the option to cancel requests if necessary.
    • Duplicate Prevention: The system prevents duplicate report requests for the same provider, request type, or third party to avoid redundant orders.
    • Manual Score Addition: Users can manually add risk intelligence scores to third parties and review existing scores and related background information.
    • Sanctions Tracking: The application supports logging and updating sanctions-related information to ensure compliance with government restrictions during third-party evaluations.

    Key Outcomes

    By using the risk intelligence reports and scores functionality, ServiceNow customers can:

    • Enhance due diligence processes with external validated risk data tailored to specific third parties.
    • Streamline risk assessment workflows by associating reports with due diligence requests and enabling easier access for reviewers and approvers.
    • Maintain accurate and up-to-date risk profiles that incorporate various risk domains including sanctions compliance.
    • Prevent unnecessary or duplicate report requests, optimizing resource usage and reducing provider costs.
    • Improve risk decision-making with comprehensive insights into third-party risks, helping to protect organizational interests.

    Request risk intelligence reports or scores directly from your external risk intelligence content providers by using the Third-party Risk Management application. This information can be requested and managed based on the importance or risk level of the individual third party.

    Risk intelligence overview

    Risk intelligence providers are companies that specialize in analyzing and generating risk scores for various third-party risk domains. These providers offer services that are similar to personal credit scoring systems, delivering data that helps organizations assess third parties.

    If you have the third-party risk (TPR) assessor [sn_vdr_risk_asmt.vendor_risk_assessor] and are the due diligence request owner or the TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] role, you can use the TPRM application to request scores or reports for third parties by using the risk intelligence request form. After the reports and scores are generated by the risk intelligence provider, the links to these reports are delivered and associated with that risk intelligence report record.

    The information in these reports can cover various topics, including the geopolitical risks, economic stability, industry-specific trends, and regulatory changes that could affect your third-party interaction. You can order different types of reports, such as credit risk reports, compliance reports, strategic risk reports, and more, for your specific risk management program requirements.

    The Risk Intelligence Report framework provides a common way to request reports, but it does not enforce provider‑specific requirements. Each risk intelligence provider decides whether a request can be fulfilled based on its own integration and the your organization's agreement with that provider. A report is returned only if the provider’s requirements are met.

    Setting up risk intelligence providers and request types

    If you have the TPR assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role, you must register the providers and set up both the providers and request types in the Third-party Risk Management application before you can request a report. For more information, see Register a risk intelligence provider, Set up a risk intelligence provider service, and Set up a request type for a provider.
    Note:
    You can request risk reports for third parties but not for engagements.

    Requesting risk intelligence

    As a TPR manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_risk_assessor] that is the due diligence request owner, or contract negotiator [sn_vdr_risk_asmt.contract_negotiator] that is assigned to the due diligence request, you can request a Risk Intelligence Report (RIR) or score to gain insight on how trustworthy a particular third party can be. You would follow this process to request risk intelligence reports or scores:

    1. Fill out the RIR request form. An RIR request can be associated with a third party or due diligence request. When you associate a RIR request with a due diligence request, reviewers and approvers can more easily access all the related activity, scores, reports, and details through the Risk Intelligence report request tab in the Vendor Management Workspace[var.vendor-management-ws]. For more information, see Request a risk intelligence report and Request a risk intelligence report associated with a due diligence request.
      Note:
      If you want to associate an RIR request with a due diligence request, it must be after the inherent risk questionnaire (IRQ) has been completed (that is, when the due diligence request has entered the IRQ in progress state).
    2. The TPR manager [sn_vdr_risk_asmt.vendor_risk_manager] and their team reviews the request.
    3. The TPR manager [sn_vdr_risk_asmt.vendor_risk_manager], TPR assessor [sn_vdr_risk_asmt.vendor_risk_assessor] that is the due diligence request owner, or contract negotiator [sn_vdr_risk_asmt.contract_negotiator] that is assigned to the due diligence request can submit it if it’s approved. After the request has been submitted and has entered the Order pending state, all fields in the Risk intelligence report request section are read-only to help to prevent incorrect orders from being submitted to the provider.
      Note:
      The TPR manager, TPR assessor, or contract negotiator can cancel a RIR request while the request is in the Open or Order pending state. An RIR request can also be canceled if the report is no longer needed due to new information that impacts the third party or some other change.
    4. After the reports and scores are generated by the risk intelligence provider, the links to these reports and the scores are delivered and associated with the risk intelligence report request. The RIR request then enters the Closed complete state.

    After a request is submitted, the risk intelligence provider determines whether the request can be fulfilled based on its own requirements. The platform submits the request and records the outcome, but does not validate provider-specific prerequisites.

    For more information on RIR requests and their process states, see Risk intelligence report requests management.

    Note:
    You can’t have multiple RIR requests with the same provider, request type, or third party. For example, if you have already associated an RIR request with a third party, you can’t request the same report from the same provider as part of a due diligence request for an engagement. This process helps with preventing duplicate orders from being submitted to the provider.

    You can manually add scores to third parties and use the Risk intelligence scores related list to review the background information on the existing scores for a third party. For more information, see Add a risk intelligence score to risk data for a third party.

    Tracking sanctions-related information

    By tracking sanction-related information about your third parties, you can check if that third party is involved in any activities that are prohibited or restricted by government sanctions or regulations. Logging and updating sanctions-related information for third parties keeps your team informed as you review and approve a due diligence request as part of your third-party risk program. For more information about tracking sanctions-related information, see Track sanctions-related information.