Smart assessments with Third-party Risk Management
Summary of Smart assessments with Third-party Risk Management
The integration of the Smart Assessment Engine (SAE) with Third-party Risk Management (TPRM) enhances the creation and management of risk assessments by supporting both Classic and SAE assessment engines. SAE enables creation of configurable, internal and external questionnaires with improved navigation, logical grouping, inline guidance, and automations within the Vendor Management Workspace.
To activate SAE, the Smart Assessment Engine enabled property must be set, which disables creation of new assessments using the Classic engine. SAE templates must be created directly in the Vendor Management Workspace to include TPRM-specific attributes like risk area and previous responses.
Key Features
- Unified UI for Assessments: Conduct internal and external assessments via a single interface supporting extended TPRM attributes.
- Organized Questionnaires: Questions can be grouped into sections/subsections, and attachments or reference information can be added to improve clarity for assessors and respondents.
- Enhanced Usability: Features like auto-save, question filtering, continuous scroll layout, and conditional skipping of questions streamline the assessment process.
- Standardized Risk Scoring: Flexible scoring settings, risk rating scale overrides at the template level, and score normalization enable consistent risk evaluations.
- Collaboration Support: Question-level comments are accessible to users with read access; worknotes and flags require specific roles and are available to TPRM roles but restricted for vendor contacts.
- Template Versioning: Templates are versioned with deep copies; published templates must be versioned rather than edited in place. Retired versions remain viewable but inactive for new assessments.
- Portal Support: Internal assessors use the GRC portal; external assessors use the third-party portal to complete assessments.
Limitations
- New assessments must use SAE templates; Classic template creation is disabled.
- Third-party risk assessors cannot create issues manually; issues must be generated automatically via rules.
- Signature functionality is not supported.
- Automatic questionnaire attachment based on inherent risk questionnaire responses or risk tiers is currently unsupported.
- Unsupported question types include percentage, ranking, image scale, and custom metric; these must be converted or recreated using supported types.
- Excel export from the third-party portal is unavailable for SAE assessments.
- Templates with empty sections containing unsupported questions cannot be published; these sections must be corrected or removed.
- Repeating assessments are not supported; event-driven management rules are recommended instead.
- Duration data is not included in update sets during template transfer and must be manually exported/imported.
- Migration of scoring only completes if no errors occur during template migration; errors prevent scoring migration.
Practical Implications for ServiceNow Customers
ServiceNow customers using TPRM should plan to transition fully to SAE for creating and managing assessments to leverage improved functionality and user experience. This includes recreating or migrating existing templates to SAE format and adjusting processes to accommodate unsupported question types and features. The enhanced risk scoring, collaboration, and template management capabilities provide a more standardized and efficient assessment workflow. Customers should also be aware of current limitations, especially regarding issue creation, signature support, and export options, and plan accordingly.
For successful adoption, customers are encouraged to review detailed configuration guides, migration procedures, and best practices for creating SAE questionnaires to maximize the benefits of the Smart Assessment Engine within their TPRM environment.
With the integration of Smart Assessment Engine (SAE), TPRM now supports both the Classic assessment engine and SAE. You can create questionnaire templates and add instructions, questions, and reference information by creating templates using SAE in the Vendor Management Workspace.
SAE overview
The Smart Assessment Engine in Vendor Management Workspace enables you to create both internal and external questionnaires using configurable templates, logical grouping of questions, inline guidance, and automations.
For more information about the Smart Assessment Engine application, refer to Exploring Smart Assessment Engine.
Benefits of using the Smart Assessment Engine experience
The new assessment experience offers the following benefits.
- Enhanced navigation: Use the improved navigation for a better user experience.
- Assessment support: Conduct assessments for both internal and external parties in one standard UI. TPRM SAE questionnaire templates are extended to include additional attributes such as the risk area and the option to include previous responses, which aren’t available in the base SAE templates. TPRM SAE templates must be created directly within the Vendor Management Workspace to ensure that they include the necessary attributes and can be used for TPRM assessments.
- Organize questions: Group questions into subsections and sections for better organization.
- Add attachments: Attach the files directly to the individual questions.
- Add reference information: Add reference information to a questionnaire template to help ensure that assessors and respondents can access the necessary information they need while completing a questionnaire.
- Filter questions: Quickly identify and filter unanswered questions.
- Auto-save for questionnaires: Save your work automatically as you complete each question within a questionnaire.
- Standardized risk rating scale definition: Override the default risk rating scales at the template level for both internal and external assessments.
- Assessment duration: Define the duration of an assessment when creating a questionnaire template.
- Combine assessments: Respond to questionnaires by using the same SAE template in a single, streamlined view.
- Risk scoring and score normalization: Standardize the risk scores for a consistent evaluation using the more flexible scoring settings available in SAE.
- Support for the GRC and third-party portals: Internal assessment responders can use the GRC portal to access and complete internal assessments, and external assessment responders can use the third-party portal to complete external assessments.
Smart Assessment Engine limitations
- All new assessments must use SAE questionnaire templates.
- Third-party risk assessors can no longer create issues from the View responses page. Issues generation rules can be used to create issues automatically.
- The signature feature isn’t supported.
- Automatic attachment of questionnaires to external assessments based on inherent risk questionnaire (IRQ) responses or IRQ-calculated risk tiers is currently not supported in Smart Assessment Engine.
- The following question types aren’t supported: percentage, ranking, image scale, and custom metric. You must either convert these question types to supported formats before migration or create new questions in the template designer after migration.
Note: For the percentage and image scale question types, customers can use the Number type and Radio button type, respectively. Ranking and custom metric question types aren't supported.
- In the third-party portal, the Excel export option available for Classic assessments is not supported for SAE assessments.
- If a section in the classic template contains only unsupported questions, an empty section is created in the TPRM SAE template. TPRM SAE templates with empty sections can’t be published; therefore, you must either add replacement questions to these sections or delete the empty sections before publishing.
For more information on migration results, migration limitations, and creating TPRM SAE questionnaires, see Results of migrating a template to a TPRM SAE template and Create a TPRM SAE questionnaire or document request template.
- Repeating assessments aren’t supported. You can use Event-driven management rules.
- When transferring TPRM SAE questionnaire templates between instances, the update set won’t include the duration information. Users must export the duration information manually from the sn_smart_asmt_duration table and import it into the target instances.
- If an assessment template isn’t updated to support SAE assessments, the related tier-based, provider-based, and event-driven management rules won’t run as expected.
- The TPRM scoring migration proceeds only if there were no errors during the template migration. If there were errors, the TPRM scoring migration doesn’t occur.
What to explore next
To learn more about configuring and using SAE with Third-party Risk Management, see:
- Smart assessment configuration
- Migrating from Classic Assessment Engine to Smart Assessment Engine
- Migrate a template to an SAE template
- Results of migrating a template to a TPRM SAE template
- How legacy metric types are migrated to sections in templates
- Create a TPRM SAE questionnaire or document request template
- Add instructions and questions to an assessment template
- Add reference information to an assessment template
- Scoring assessments
- Normalization in assessment