Third-party Risk Management upgrade information
Summary of Third-party Risk Management Upgrade Information
This document outlines key information for ServiceNow customers upgrading the Third-party Risk Management (TPRM) application to the Australia release, with references to important changes starting from the Zurich and Vancouver releases. The upgrade introduces the Smart Assessment Engine (SAE), new plugin dependencies, data model updates, and important considerations for migration from Vendor Risk Management (VRM) to TPRM.
Smart Assessment Engine (SAE) Upgrade
- After upgrading to Zurich, customers can enable SAE by setting the sn_vdr_risk_asmt.sae_enabled property. This replaces the legacy assessment engine with a scalable, innovative engine designed for future adaptability.
- Enabling SAE is irreversible and should be first tested in non-production instances to avoid unexpected issues in production.
- Enabling SAE automatically installs several related plugins including Vendor Risk Management Workspace and multiple Smart Assessment Engine plugins to support assessments.
- All new and migrated assessments will use SAE templates and automation rules; classic questionnaire templates cannot be used for new assessments after migration.
- Templates can be migrated individually or in bulk; migrated templates default to Draft state and require review and publishing before use.
- Publishing an SAE questionnaire template automatically updates the related assessment templates and automation rules to support SAE.
Migration and Configuration Guidance
- Customers must review and publish all migrated questionnaire templates and confirm assessment templates are marked as “Supports smart assessment” to fully leverage SAE automation features.
- Issue generation rules require at least one question to have “Enable preferred response” enabled for proper functioning.
- Some classic question types (percentage, ranking, image scale, and custom metric) are unsupported in SAE; these must be converted or redesigned before or after migration.
- Empty sections resulting from unsupported questions prevent template publishing and must be addressed by editing or removing those sections.
- The TPRM scoring migration proceeds only if the template migration completed without errors.
- Event-driven management rules replace repeating assessments as the default scheduling method.
Vendor Risk Management to Third-party Risk Management (VRM to TPRM) Upgrade
- Starting with the Vancouver release, upgrades from VRM to TPRM must be performed sequentially by release to ensure upgrade scripts execute correctly.
- Application names and terminology have changed from “Vendor Risk Management” to “Third-party Risk Management.”
- The upgrade introduces the Due Diligence Review (DDR) workflow, utilizing both internal and external assessment tables.
- Customers with customizations on tiering or assessment tables may need to update them to be compatible with the DDR workflow.
- Risk scoring tables and UI labels have been updated for clarity, replacing “vendor” with “third party” in most interfaces.
Plugin and Application Activation Requirements
- For TPRM functionality, customers must activate the Third-party Risk Management application and Third-party Risk Due Diligence application.
- The Vendor Risk Management Workspace application is installed or activated automatically when enabling SAE or can be manually activated for workspace access.
- For VRM users, the Vendor Risk Management application and workspace must be activated accordingly.
Data Model Changes
The upgrade introduces new and extended data models reflecting the shift from vendor-centric to third-party-centric management:
- VRM Data Model focuses on vendors with tables for tiering assessment, vendor engagement, and vendor contacts.
- TPRM Data Model uses third-party terminology, adds internal assessments, and supports the DDR workflow with additional event-driven management rules and requests.
Key Outcomes for ServiceNow Customers
- Enabling SAE empowers customers with a modern, flexible assessment engine that supports advanced automation and scoring.
- Migration requires careful review and updating of templates and rules to ensure smooth transition to SAE capabilities.
- Sequential upgrades and plugin activations ensure data integrity and access to new features.
- Understanding the data model changes facilitates integration and customization aligned with the new third-party risk management approach.
- Awareness of SAE limitations and unsupported features enables proactive planning during migration and template creation.
ServiceNow® Third-party Risk Management application upgrade information for the Australia release.
Important information for upgrading Third-party Risk Management to Australia
After upgrading to Zurich, you can enable the Smart Assessment Engine (SAE) by setting the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property. After setting this property, SAE becomes the default assessment engine and replaces the legacy experience to ensure consistency, scalability, and innovation moving forward. While this transition isn’t reversible, it empowers customers to future-proof their assessment strategy with an engine built to evolve with emerging needs.
Set this property in your non-production instances and conduct thorough testing before changing your production instances. Failure to do so may result in unexpected issues.
Plugin dependencies
- The Vendor Risk Management Workspace application [sn_vrm_ws] is automatically installed so you can use the Vendor Risk Management workspace where you can access SAE questionnaires and features.
- The Smart Assessment Engine application and plugins are automatically installed, enabling you to use the features of the Smart Assessment Engine for your assessments.
The Smart Assessment Engine application package includes the following:
- Smart Assessment Core plugin [com.sn_smart_asmt]
- Smart Assessment Designer plugin [com.sn_smart_asmt_desg]
- Smart Assessment Connected plugin [com.sn_smart_asmt_conn]
- Smart Assessment Migration Tools plugin [com.sn_smart_asmt_mig]
- Smart Assessment Dependencies plugin [com.sn_smart_asmt_dep]
- Smart Assessment Post-assessment Actions plugin [com.sn_impact_fwk] and [com.sn_smart_imp_auto]
- Smart Assessment Response Automation plugin [com.sn_smart_resp_auto]
- Smart Assessment Scoring plugin [com.sn_smart_scoring]
Migrating to Smart Assessment Engine
After setting the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property, all TPRM assessments automatically use SAE templates and automation rules (tier-based rules, provider-based rules, event-driven rules and issue generation rules) that support SAE only. You can continue any in-flight assessments until they are completed. You can't create any new assessments with classic questionnaire templates.
The following diagram shows the questionnaire to TPRM SAE template migration workflow.
- Migrate templates either one by one or in bulk. After migration, all templates are in the Draft state by default.
- Review each migrated questionnaire template individually to confirm that it’s accurate and complete.
- Publish TPRM SAE questionnaire templates. After publishing, the following actions occur automatically:
- All the related assessment templates are updated to use the migrated questionnaire template. If all the questionnaire templates in an assessment template are published, the assessment template is automatically marked as Support smart assessment.
- All issue generation rules are automatically marked as Support smart assessment if their related questionnaire template is published.
- All automation rules (tier-based rules, provider-based rules, event-driven rules and issue generation rules) are automatically marked as Support smart assessment after their related assessment template is marked as Support smart assessment.
Note: For issue generation rules to work as expected when applied to a TPRM SAE questionnaire template, at least one question must have the Enable preferred response option set to true.
- Review each assessment template to confirm it’s marked as Supports smart assessment. If an assessment template isn’t marked as Supports smart assessment, manually adding a new TPRM SAE questionnaire template to it updates its status.
For more information, see Migrate a template to an SAE template, Create a TPRM SAE questionnaire or document request template, Create an external assessment template, and Create an issue generation rule.
Classic assessment engine to Smart Assessment Engine comparison
The following table shows the comparable features between the Classic assessment engine and Smart Assessment Engine.
| Classic assessment engine features | Smart assessment engine features |
|---|---|
| Metric Type | Template |
| Metric Category | Section |
| Metrics | Questions |
| Additional Information | Justification |
| Assessable Record | Scope |
| Multiple Assessable Records in one Assessment | Combined Assessments |
| Schedule and Trigger Assessments | Trigger Assessment Flow Action |
| Domain Separation | Domain Separation |
| Question Dependency | Conditional Visibility |
| Correct Answer | Preferred Answer |
| Scoring | Scoring |
| Automated response | Response Automation |
The following diagram shows the relationship between assessment templates and questionnaires after upgrading.
- Before setting the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property, the following are used by default.
- Existing questionnaire templates
- Existing assessments
- After setting the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property, the following are used by default.
- SAE questionnaire templates (New or migrated).
- Assessments marked as Supports smart assessment.
- Tier-based, Provider-based, and Event-driven management rules only work with assessments marked as Supports smart assessment.
Smart Assessment Engine limitations
- All new assessments must use SAE questionnaire templates.
- Third-party risk assessors can no longer create issues from the View responses page. Issue generation rules can be used to create issues automatically.
- The signature feature isn’t supported.
- Automatic attachment of questionnaires to external assessments based on inherent risk questionnaire (IRQ) responses or IRQ-calculated risk tiers is currently not supported in Smart Assessment Engine.
- The following question types aren’t supported: percentage, ranking, image scale, and custom metric. You must either convert these question types to supported formats before migration or create new questions in the template designer after migration.
Note: For the percentage and image scale question types, customers can use the Number type and Radio button type, respectively. Ranking and custom metric question types aren't supported. You must either convert these question types to supported formats before migration or create new questions in the template designer after migration.
- If a section in the classic template contains only unsupported questions, an empty section is created in the TPRM SAE template. TPRM SAE templates with empty sections can’t be published; therefore, you must either add replacement questions to these sections or delete the empty sections before publishing.
For more information on migration results, migration limitations, and creating TPRM SAE questionnaires, see Results of migrating a template to a TPRM SAE template and Create a TPRM SAE questionnaire or document request template.
- The TPRM scoring migration proceeds only if there were no errors during the template migration. If there were errors, the TPRM scoring migration doesn’t occur.
For more information, see Configure scoring for an assessment and Normalization in assessment.
- Event-driven management rules are the default option for scheduling assessments and replace Repeating assessments.
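The unsupported question types and the empty-section rule listed above can be checked before migration. The following is an added example, not ServiceNow code: it runs over a constructed classic template export, and the object shape, the type labels, and the checkTemplate function are assumptions made for illustration.

```javascript
// Added example: pre-migration check on a classic questionnaire template.
// The object shape and type labels are assumptions made for this sketch,
// not ServiceNow field names or API calls.
const UNSUPPORTED = new Set(['percentage', 'ranking', 'image scale', 'custom metric']);
// Replacements named on this page; ranking and custom metric have none.
const REPLACEMENT = { 'percentage': 'Number', 'image scale': 'Radio button' };

function checkTemplate(template) {
  const report = { template: template.name, convert: [], redesign: [], emptySections: [] };
  for (const section of template.sections) {
    let supported = 0;
    for (const q of section.questions) {
      const type = q.type.toLowerCase();
      if (!UNSUPPORTED.has(type)) { supported++; continue; }
      const entry = { section: section.name, question: q.text, type };
      if (REPLACEMENT[type]) report.convert.push({ ...entry, use: REPLACEMENT[type] });
      else report.redesign.push(entry);
    }
    // A section with no supported questions migrates as an empty section,
    // and a template with an empty section can't be published.
    if (supported === 0) report.emptySections.push(section.name);
  }
  report.blocksPublishing = report.emptySections.length > 0;
  return report;
}

// Constructed sample input.
const sample = {
  name: 'Constructed security questionnaire',
  sections: [
    { name: 'Access control', questions: [
      { text: 'Is MFA enforced for administrators?', type: 'Yes/No' },
      { text: 'Share of staff with security training', type: 'Percentage' } ] },
    { name: 'Priorities', questions: [
      { text: 'Rank these controls by maturity', type: 'Ranking' } ] },
  ],
};

console.log(JSON.stringify(checkTemplate(sample), null, 2));
```

Questions under convert have a replacement type named on this page; questions under redesign must be rebuilt in the template designer, and every section under emptySections must be filled or deleted before the migrated template is published.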
Important information for upgrading Vendor Risk Management to Australia
Starting with the Vancouver release, if you’re a VRM user upgrading to TPRM from an earlier release, you must run each upgrade sequentially to ensure that fix scripts run correctly. This means upgrading from one release to the next rather than skipping to the latest release. Not running scripts in the correct order can result in data inconsistencies, broken functionality, and conflicts.
Plugin requirements
- Activate the Third-party Risk Management application [com.sn_vdr_risk_asmt].
- Activate the Third-party Risk Due Diligence application [com.sn_tprm_dd].
- Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.
- Activate the Vendor Risk Management application [com.sn_vdr_risk_asmt].
- Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.
For more information on licensing or metering, see Tracking a managed activity, Third-party Risk Management (TPRM) Licensing, and Vendor Risk Management (VRM) Licensing.
VRM to TPRM changes
- The name of the application changed from Vendor Risk Management to Third-party Risk Management as part of the Vancouver release.
- The internal assessment [sn_vdr_asmt_internal_assessment] table is introduced, extending the tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] table.
- The Due Diligence Review (DDR) workflow is introduced, which uses both the internal assessment and the external (VRA) assessment.
Note: If you have customizations on the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables, they might need modifications to work with the DDR workflow.
- The Third-party Scores [sn_vdr_risk_asmt_security_score] table has been relabeled to Risk Intelligence Scores [sn_vdr_risk_asmt_security_score] to reduce confusion.
- All instances of “vendor” are changed to “third party” in the user interface, though some global instances might remain unchanged.
Note: If you don’t want to use the due diligence workflow, your original workflow (Tiering assessment and External assessments (VRAs)) should be the same.
VRM and TPRM data model
The Vendor Risk Management data model primarily uses the term “vendor” and includes the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables.
The Third-party Risk Management data model uses the term “third-party” in most user interface elements and introduces the DDR workflow, which uses both internal [sn_vdr_asmt_internal_assessment] and external [sn_vdr_risk_asmt_assessment] assessments.
The following models show VRM's and TPRM's capabilities.
The components included in the Vendor Risk Management data model are as follows:
- Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
- Company [core_company]
- Vendor risk assessment [sn_vdr_risk_asmt_assessment]
- Vendor engagement [sn_vdr_risk_asmt_vendor_engagement]
- Vendor contact [vm_dr_contact]
- Assessment metric type [asmt_metric_type]
- Assessment template [sn_vdr_risk_asmt_assessment_template]
- Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
- Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]
The components included in the Third-party Risk Management data model are as follows:
- Risk intelligence score [sn_vdr_risk_asmt_security_score]
- Internal assessment [sn_vdr_asmt_internal_assessment]
- Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
- Event-driven management history [sn_tprm_dd_rule_execution_history]
- Third-party due diligence request [sn_tprm_dd_request]
- Company [core_company]
- Event-driven management rule [sn_tprm_dd_generation_rule]
- Third-party risk assessment [sn_vdr_risk_asmt_assessment]
- Third-party engagement [sn_vdr_risk_asmt_vendor_engagement]
- Vendor contact [vm_dr_contact]
- Assessment metric type [asmt_metric_type]
- Assessment template [sn_vdr_risk_asmt_assessment_template]
- Third-party risk issue [sn_vdr_risk_asmt_issue]
- Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
- Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]