Integrating scores from risk intelligence providers
Summarize
Summary of Integrating Scores from Risk Intelligence Providers
Organizations can leverage risk intelligence providers to obtain scores that assess the trustworthiness of third parties, similar to personal credit scores. This integration helps enhance third-party risk management (TPRM) by providing critical insights into potential risks associated with third-party engagements.
Show less
Key Features
- Registration of Providers: Register each risk intelligence provider to request their reports and specify which scoring services to use, mapping their scores to your TPRM ratings.
- Score Normalization: After obtaining raw scores, the system normalizes these values to align with your TPRM ratings for consistency.
- Automation of Actions: Set up provider-based submission rules to automate responses, such as generating assessments or tasks based on updates from risk intelligence providers.
- Integration Types: ServiceNow supports various integration types, including ISV, content, data, and ESG integrations, facilitating comprehensive risk assessments.
Key Outcomes
By integrating scores from risk intelligence providers, organizations can enhance their risk assessment processes, automate responses to risk changes, and improve overall third-party risk management. This proactive approach allows for better-informed decisions regarding third-party partnerships and compliance with industry standards.
Risk intelligence providers generate risk scores for a variety of third-party risk domains. Your organization can purchase services from providers that return data that is analogous to personal credit scores. The scores provide insight on how trustworthy and safe a particular third party can be.
Working with data from risk intelligence providers
- After you register a risk intelligence provider, you specify which of the provider's scoring or rating services you’ll use. You also specify how their scores or ratings map to your TPRM ratings. For more information, see Register a risk intelligence provider, Set up a risk intelligence provider service, and Set up a request type for a provider.
- You add a raw score from a provider to the provider service record for a third party. The system uses the mapping that you specified to normalize the value to the appropriate TPRM rating. For more information, see Add a risk intelligence score to risk data for a third party.
- A provider-based submission rule is a set of conditions and actions. In a rule, you can specify that an update to a rating from a risk intelligence provider is the condition that triggers the action that is specified in the rule. The action might be to create and send a third-party risk assessment, issue, task, or email. For more information, see Automate actions upon risk intelligence updates.
Integration types
Here are some examples of the types of integrations supported by ServiceNow and ServiceNow partners:
-
Independent software vendor (ISV) integration types involve integrating ISV services such as EcoVadis or Black Kite.
-
Content integration types involve integrating external content sources such as regulatory databases or industry standards.
-
Data integration types involve integrating external data sources to gather and analyze relevant data such as data from financial systems, security tools, or vendor management systems.
-
Environmental, social, and governance (ESG) integration types involve incorporating ESG factors into the TPRM process.
Integrations supported by ServiceNow
| Provider | Product name | Content | Service provided | Type |
|---|---|---|---|---|
| Shared Assessments | Standard information-gathering (SIG) questionnaire | Standard assessment | Industry standard questionnaire for use in assessments. | Content |
| EcoVadis | EcoVadis | Sustainability ratings | Sustainability scores in support of assessments and continuous monitoring. | ISV, data, ESG |
Integrations supported by ServiceNow partners
| Provider | Product name | Content | Use case | Type |
|---|---|---|---|---|
| BitSight | BitSight | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Security Scorecard | Security Scorecard | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| RiskRecon | Risk Recon | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Upguard | Upguard Vendor Risk | Cyber risk | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Recorded Future | Recorded Future Intelligence | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Black Kite | Black Kite | Third-party risk management | Technical security, financial risk, ransomware susceptibility index, and compliance scores in addition to overall security ratings. |
ISV |
| Interos | Interos | Supply chain and multiple domain ratings | Cyber, financial, ESG, geopolitical, operations, and restrictions ratings to support risk assessments and monitoring. |
ISV, content |
| TruSight | TruSight | Third-party risk assessments | Access to TruSight-validated third-party risk assessments. |
ISV |
| ISS Corporate Solutions | ISS ESG Cyber Risk Score for Vendor Risk Management | ESG ratings | Access to a comprehensive view of ISS Corporate Solutions' cyber risk management program through cyber risk and supply chain. | ISV |
| Securitybricks | CMMC - NIST-800-171 - Vendor Compliance Assessment | Template | Access to an automated assessment for Federal organizations. | data, content |
| Templarshield | HECVAT-Questionnaire for Higher Education | Content | Access to an automated questionnaire for Higher education organizations. | ISV, content |