Example: Onboarding a third party

  • Release version: Australia
  • Updated March 12, 2026

Acme, a large manufacturing company, is in the process of onboarding a new third party to supply critical components for its production line. To help ensure the third party's reliability and to mitigate potential risks, Acme starts a thorough third-party risk management onboarding process.

Onboarding process example

This example illustrates a typical third-party onboarding flow in the TPRM application, from initiating a request through ongoing monitoring.

Request process

An employee initiates onboarding by submitting a third-party due diligence request in the Employee Center.

A Third-Party Risk (TPR) manager opens the request record from the Requests list and selects Approve.

After approval, the TPR manager selects Start due diligence to move the request into the due diligence workflow.

For more information, see Requesting third-party risk due diligence and Request due diligence for a third-party engagement.

Inherent Risk Questionnaire (IRQ) process

After due diligence starts, an inherent risk assessment is generated.

On the Tasks page of the Vendor Management Workspace, the IRQ assessor opens the request record, navigates to the associated assessment, and opens the Inherent Risk Questionnaire.

The assessor answers the IRQ questions and submits the assessment to calculate the third party's inherent risk level.

For more information, see Assessing your third-party risk and Respond to an internal assessment.

Due diligence process: Compliance verification and data security and privacy assessment

When the IRQ is complete, the assessment continues through the due diligence phase.

From the assessment record, the TPR manager or TPR assessor selects Submit to third party to send questionnaires and document requests.

Third-party contacts receive and respond to questionnaires and document requests in the third-party portal.

For more information, see Assessing your third-party risk, Create an external assessment, Respond to a questionnaire for a third party or engagement, and Review responses to external questionnaires.

Note:
To streamline this step, Acme uses assessment templates, which group predefined questionnaire and document request templates for reuse.

Acme reviews the submitted responses and uploaded documents from the assessment record to verify that regulatory, compliance, and security requirements are met.

Contractual agreements and risk mitigation

After due diligence is complete, contract risk requirements are finalized.

The TPR contract negotiator reviews the assessment findings and confirms that the required contractual clauses are included in the third-party agreement.

For more information, see Managing the contract risk process and Accessing DD requests that are in the contract risk process.

Ongoing monitoring and review

Once onboarding is complete, Acme monitors the third party throughout the engagement lifecycle.

Stakeholders review ongoing assessments, monitoring results, and periodic reviews from the third-party record to track changes in the third party's risk posture.

For more information, see Monitoring your third-party risk.