IRQ process management

Release version: Australia

Updated March 12, 2026

3 minutes to read

Summarize

Summarized using AI

Summary of IRQ process management

The IRQ process management in ServiceNow enables your organization to manage internal risk assessments related to third-party engagements. After an engagement request is approved, the IRQ process begins by scoping the risk through determining the third party’s risk score. This process is essential for identifying and evaluating risks associated with third-party vendors or partners efficiently and systematically.

Show full answer Show less

Accessing and Navigating the IRQ Process

You can access the IRQ process from the Due Diligence Management page by selecting a DDR number and then navigating to the Internal assessments tab. Each IRQ process is uniquely identified by an auto-assigned ID starting with "INA," which is used throughout the system for search and reference purposes.

Internal Assessments Tab: Displays IRQ processes with columns such as Number (INA ID), Name, Assigned to, Risk rating, State (e.g., Draft, Awaiting response, Closed), and Respondents.
Risk Overview Tab: Shows the state of each stage in the IRQ process, lists associated questionnaires, and tracks assessment statuses (Open, Overdue, Closed).
Details Tab: Contains general third-party information, assessment schedules, and communication records including private work notes and comments visible internally or to third parties.
Questionnaire Templates Tab: Lists open IRQ questionnaires for review.
Scales Tab: Defines rating and tier values used for risk scoring, which can be configured to suit your organization’s risk framework.
Questionnaire Requests Tab: Displays assessment instances related to questionnaires, each with unique IDs starting with "AINST," along with details like assigned user, due dates, current state, and internal risk scores.

Key Features

Unique Identification: Every assessment and questionnaire instance has a unique ID for easy tracking and filtering.
Status Tracking: Real-time insight into the stages of internal assessments and questionnaire completion statuses.
Communication Management: Ability to add private work notes and shared comments to maintain clear records of risk assessment discussions.
Risk Scoring: Engagement scoring rules enable automated selection of engagements for assessment based on criteria such as business value thresholds.
Customizable Templates: Create and manage assessment templates tailored to your third-party risk evaluation needs.

Practical Use and Next Steps

ServiceNow customers can use IRQ process management to systematically manage third-party risk assessments, ensuring timely responses and thorough documentation. The unique ID system enables efficient search and management of IRQ items, while scoring scales and engagement rules help prioritize high-risk engagements. To maximize value, configure your risk rating scales and engagement scoring rules according to your organizational policies. Additionally, utilize the internal assessment forms to capture all required information and respond promptly to assessments to maintain compliance and reduce risk exposure.

The first internal step after an engagement request is approved is to start the IRQ process to scope the risk by determining the third party's risk score.

Accessing the IRQ process

On the Due diligence management page, select the DDR number for any due diligence request and then select the Internal assessments tab.

The tab displays the list of all IRQ processes for the engagement request. For each IRQ process, the system auto-assigns a unique ID number that starts with the text INA.

Accessing the Vendor Management Workspace.

Viewing the list of internal risk assessments

Internal assessments tab

Table 1. Internal assessments tab
Column	Description
Number	For each IRQ process, the system auto-assigns a unique ID number that starts with the text INA. Select an INA number to work on the Internal assessments page to the Risk overview tab. The unique ID is used in all references to the item. You can use the ID to search or filter for the item that you want to work on.
Name, Assigned to, Risk rating	Data from the engagement request.
State	The current state of the internal assessment: Draft, Awaiting response, Response received, or Closed.
Respondents	Users who responded to the request.

Risk overview tab on the Internal assessments page

For each IRQ process, the system auto-assigns a unique ID number that starts with the text INA. Select an INA number to work on the IRQ process on the Internal assessments page.

Select the INA number to work on the Internal assessments page.

The symbols indicate the state of each stage in the IRQ process for the request.
Questionnaire requests section: List of questionnaires that are associated with the third party. You can view each questionnaire by selecting the Name.
Tracking section: Count of assessments associated with the third party that are in the Open, Overdue, and Closed state.

Details tab on the Internal assessments page

Internal assessment section: General information on the third party and schedules for the overall assessment and questionnaire due dates from the engagement due diligence request.
The Compose section on the Details tab enables you to permanently add text to the record. The Activity section is updated with any actions on issues and tasks, submissions to TP contacts, and also with work notes and comments that users add to the record. Add text in the following fields as needed:
- Work notes (Private): Information about the third-party risk assessment. Work notes are visible only to internal users who are assigned to the process.
- Comments: Comments about the third-party risk assessment are visible both to internal users and to third-party contacts.
The Third-party overview section provides key information on the third party that is associated with the engagement request.

Questionnaire templates tab on the Internal assessments page

The tab lists all open IRQs. Select a questionnaire name to view the details.

Scales tab on the Internal assessments page

The tab lists the definitions of the calculated rating and tier values. See Set up risk rating scales for scoring for instructions for defining the settings.

Questionnaire requests tab on the Internal assessments page

All values on the tab come from the internal assessments that have been conducted on the third part in the engagement.

Table 2. Questionnaire requests tab
Column	Description
Number	When a questionnaire template is added to an assessment and sent out, the system generates assessment instances for each template. Each of these instances is automatically assigned a unique ID number that starts with the text AINST. The unique ID is used in all references to the item. You can use the ID to search or filter for the item that you want to work on.
Assessment number	For each external risk assessment, the system auto-assigns a unique ID number that starts with the text VRA. The unique ID is used in all references to the item. You can use the ID to search or filter for the item that you want to work on.
Metric type	Questionnaire that determined the questionnaires used in the assessment.
Assigned to	User that is responsible for managing and responding to the IRQ.
Due date	Deadline for third party to respond to and return all questionnaires.
State	Current stage of the IRQ process for the engagement request.
Internal risk score	An engagement risk-scoring rule specifies component criteria that determine which engagements are selected for assessment. For example, a rule could enable assessments for engagements that involve more than $40,000 annual business. Engagement scoring rules apply only to engagements. See Define engagement risk scoring rules.