Sourcing and Procurement Operations integration with Third-party Risk Management

  • Release version: Zurich
  • Updated July 31, 2025

    Leverage relevant supplier risk assessment capabilities by integrating Sourcing and Procurement Operations with Third-party Risk Management.

    The following capabilities can be leveraged by customers if they have both the Sourcing and Procurement Operations and Third-party Risk Management applications installed:
    • Connection between the Company and Supplier tables through the Related company field. You can also use properties in the tables to synchronize other fields between the two tables at your discretion.
    • Viewing tiering assessments and risk assessments for a vendor in the Supplier table.
    • Vendor Risk Reviewer role as a procurement specialist.
    • Adding members to the Governance, Risk, and Compliance (GRC) group, which contains the new Purchasing Task Owner role.
    • Automation of the Valid risk assessment field in the Supplier table.
    • Enhancements to the existing Conduct a Supplier Risk Assessment case.
    • Creating a new Conduct a Supplier Tiering Assessment case. This case is automatically triggered based on the requirement specified in the Tiering assessment needed? field in the Supplier table.
      Note:
      This is unique to the Risk Assessments Integration for Sourcing and Procurement Operations application and is not available if the customer has Sourcing and Procurement Operations alone.

    Risk Assessments Integration for Sourcing and Procurement Operations application

    Customers can use the Risk Assessments Integration for Sourcing and Procurement Operations application to leverage certain capabilities if they have both the Sourcing and Procurement Operations and Third-party Risk Management applications installed.

    With this application, the Related company field is defaulted from the current application. This new reference field displays under the Global company field as a reference to the Company table. This field is only available when the Third-party Risk Management and Sourcing and Procurement Operations applications are installed. Also, the Tiering Assessments and Risk Assessments related lists in the Supplier table are only available when the Third-party Risk Management and Sourcing and Procurement Operations applications are installed.

    Company table connection

    Two new fields are added, one in the Supplier table named Related company, and another in the Company table named Supplier that references the Supplier table.

    When you open any existing supplier record in the Supplier table, you can link it to an existing record in the Company table with the Related company field. If that record does not exist, the procurement administrator creates a record in the Company table to establish the connection.

    When you create a new supplier record in the Supplier table, a new vendor record is automatically created in the Company table with a read-only reference to the Supplier table.

    Valid risk assessment visibility in the Supplier table

    Tiering and risk assessments on a vendor can be created on the vendor record in the Third-party Risk Management application. These assessments are made visible in the Supplier table as related lists, to validate any supplier in Sourcing and Procurement Operations. A procurement specialist with the Vendor Assessment Reviewer role can read any vendor risk assessment data.

    For information, see Third-party Risk Management.

    Valid supplier risk assessment

    To determine if a supplier has a valid risk assessment, a scheduled job is run, and the customer’s system administrator can configure its frequency. This job keeps the Valid risk assessment field in the Supplier table up-to-date, based on the Risk rating valid to field on risk assessments in the Vendor Risk Assessments table.

    A risk assessment is considered valid when:
    • Today's date is on or before the date defined in the Risk rating valid to field.
    • The value in the Valid risk assessment field in the Supplier table is Yes.

    A Conduct a Supplier Risk Assessment case is created if a risk assessment is invalid. Risk assessments can be triggered manually by the Vendor Risk Manager, or automatically from any change in vendor tier rating.

    Enhancing the Conduct a Supplier Risk Assessment case

    A Vendor Risk Manager can be assigned the Conduct a Supplier Risk Assessment case to validate a supplier's risks and to ensure that the supplier does not pose risks to the company.

    The existing Conduct a Supplier Risk Assessment case is enhanced such that:
    • The GRC group contains the Purchasing Task Owner role, with visibility and access to the case.
    • The case has a related list of the risk assessments, both valid and expired, for better visibility.

    Creating a new Conduct a Supplier Tiering Assessment case

    A new Conduct a Supplier Tiering Assessment case can be created by either of these methods and assigned to the manager of the GRC group:
    • Automatically, triggered based on the requirement specified in the Tiering assessment needed? field in the Supplier table. If the risk rating of the related supplier is critical, high, or empty, a Conduct a Supplier Tiering Assessment case is auto-triggered.
      Note:
      This is unique to the Risk Assessments Integration for Sourcing and Procurement Operations application and is not available if the customer has Sourcing and Procurement Operations alone.
    • Manually, by a customer.
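
The validity rule and the automatic tiering trigger described above, modelled in plain JavaScript as an added example (not ServiceNow code). The record shapes, property names and sample data are hypothetical, and treating one unexpired assessment as sufficient for a supplier is an assumption.

```javascript
// Added example: plain-JavaScript model of the rules on this page.
// Object shapes and property names are hypothetical, not ServiceNow column names.
// ISO dates (YYYY-MM-DD) compare correctly as strings.
function isAssessmentValid(assessment, today) {
  const validTo = assessment.riskRatingValidTo;
  if (!validTo) return false;            // no expiry recorded: treat as not valid
  return today <= validTo;               // "on or before" includes the expiry day
}

// Assumption: one unexpired assessment is enough for the supplier to be valid.
function expectedValidFlag(supplierId, assessments, today) {
  return assessments.some(
    (a) => a.supplierId === supplierId && isAssessmentValid(a, today)
  );
}

// Page rule: rating critical, high, or empty auto-triggers a tiering case.
function needsTieringCase(supplier) {
  const rating = (supplier.riskRating || "").trim().toLowerCase();
  return rating === "" || rating === "critical" || rating === "high";
}

function reviewSuppliers(suppliers, assessments, today) {
  return suppliers.map((s) => {
    const expected = expectedValidFlag(s.id, assessments, today);
    return {
      id: s.id,
      expectedValid: expected,
      staleFlag: s.validRiskAssessment !== expected, // stored field lags the data
      needsRiskAssessmentCase: !expected,
      needsTieringCase: needsTieringCase(s),
    };
  });
}

// Constructed sample data; validRiskAssessment true models the value Yes.
const SAMPLE_TODAY = "2025-07-31";
const SAMPLE_SUPPLIERS = [
  { id: "S1", riskRating: "Low", validRiskAssessment: true },
  { id: "S2", riskRating: "High", validRiskAssessment: true },  // expired yesterday
  { id: "S3", riskRating: "", validRiskAssessment: false },     // never assessed
];
const SAMPLE_ASSESSMENTS = [
  { supplierId: "S1", riskRatingValidTo: "2024-12-31" },
  { supplierId: "S1", riskRatingValidTo: "2025-07-31" }, // expires today: still valid
  { supplierId: "S2", riskRatingValidTo: "2025-07-30" },
];
console.log(reviewSuppliers(SAMPLE_SUPPLIERS, SAMPLE_ASSESSMENTS, SAMPLE_TODAY));
```

A `staleFlag` of true marks a supplier whose stored Valid risk assessment value no longer matches its assessment dates, which is the gap that can open between runs of the scheduled job.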

    You can customize this case through the Supplier Tiering Assessment case templates by defining the Sourcing decision dependent on case field, which decides whether this case stops the sourcing request from moving into the Requires Decision state. The default value of this field is Yes. In this scenario, if all purchase requisition lines are in the Pricing Obtained state and other cases are still open, the sourcing request moves to the Awaiting Task Completion state. When the open cases are closed, the sourcing request moves to the Requires Decision state. When the Sourcing decision dependent on case field is set to No and all purchase requisition lines are in the Pricing Obtained state, the sourcing request stays in the Pricing Obtained state even if other cases are open.

    If the sourcing request gets converted to a purchase request, the case is available to be completed in the purchase requisition.

    Note:
    All tiering assessments for a supplier are displayed in related lists.

    For more information on sourcing requests, purchasing tasks, and procurement cases, see Sourcing request and Purchasing tasks and procurement cases.