Third-party risk management data model

  • Release version: Washingtondc
  • Updated January 30, 2025
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Third-party Risk Management Data Model

    The Third-party Risk Management (TPRM) data model provides a structured approach to assess, monitor, and mitigate risks associated with third-party engagements within the Governance, Risk, and Compliance framework. It encompasses various components and relationships designed to enhance risk management capabilities.

    Show full answer Show less

    Key Features

    • Core Components: Includes assessments, engagements, due diligence, scoring setups, and risk intelligence.
    • Relationships: Defines how components interact, such as one-to-many and many-to-one relationships, facilitating comprehensive risk evaluations.
    • Roles: Specific roles are assigned for managing assessments, approvals, and vendor interactions, ensuring appropriate governance.
    • Scoring Mechanism: Configurable scoring setups aggregate risk assessment scores, allowing for effective risk categorization and management.
    • Risk Intelligence: Incorporates risk intelligence scores and subfactors to provide a detailed understanding of potential risks from third-party providers.

    Key Outcomes

    By leveraging the TPRM data model, ServiceNow customers can expect to:

    • Streamline their third-party risk assessment processes.
    • Enhance decision-making through data-driven insights into vendor risks.
    • Improve compliance with governance standards and risk management practices.
    • Effectively manage and mitigate risks associated with third-party engagements.

    Use the Third-party Risk Management (TPRM) data model to assess, monitor, and mitigate the risks for your risk management program.

    TPRM data model overview

    The Third-party Risk Management application is one of the Governance, Risk, and Compliance products.

    The following model is used to support TPRM's capabilities.

    Figure 1. TPRM data model
    Relationship between due diligence, third-party management, policy and compliance, and risk main tables. For a text description, refer to the text that follows.

    The third-party risk assessment data model includes various components and relationships:

    Components:
    • Risk intelligence score [sn_vdr_risk_asmt_security _score]
    • Internal assessment [sn_vdr_asmt_internal_assessment]
    • Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Event-driven management history [sn_tprm_dd_rule_execution_history]
    • Third-party due diligence request [sn_tprm_dd_request]
    • Company [core_company]
    • Event-driven management rule [sn_tprm_dd_generation_rule]
    • Third-party risk assessment [sn_vdr_risk_asmt_assessment]
    • Third-party engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Vendor contact [vm_dr_contact]
    • Assessment metric type [asmt_metric_type]
    • Assessment template [sn_vdr_risk_asmt_assessment_template]
    • Third-party risk issue [sn_vdr_risk_asmt_issue]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]
    • Risk [sn_risk_risk]
    • Control [sn_compliance_control]
    Relationships:
    • The third-party risk assessment component can have a one-to-many relationship with the following components:
      • Event-driven management histories
      • Third-party due diligence requests
      • Company
      • Third-party engagements
      • Third-party risk issues
      • Assessment templates
    • The Event-driven management histories component can have a many-to-one relationship with the Event-driven management rules component.
    • The Event-driven management rules component can have a one-to-many relationship with the Assessment metric type component and the Assessment template component.
    • The third-party engagement component can have a one-to-many relationship with the following components:
      • Company
      • Engagement risk scoring rule
      • Third-party risk issue
    • The Third-party engagement component can have a many-to-many relationship with the Vendor contact component.
    • The Vendor contact component can have a one-to-many relationship with the Company and a Third-party risk issue component.
    • The Engagement level risk rating component can have a one-to-many with the Third-party engagement component.
    • The Third-party engagement component is related to the Risk and Control component.
    • The Risk intelligence score component is related to the Third-party due diligence component.
    • The Tiering assessment component can have a one-to-many relationship with the following components:
      • Third-party due diligence
      • Third-party engagement
      • Company
    • The Tiering assessment component can have a many-to-many relationship with the Assessment metric type component.
    • The Third-party due diligence component can have one-to-many relationships with the following components:
      • Event-driven management history
      • Third-party risk assessment
      • Company
    • The following components are related to Risk due diligence:
      • Event-driven management rule
      • Event-driven management history
      • Third-party risk due diligence request
    • The following components are related to Third-party management:
      • Risk intelligence score
      • Internal assessment
      • Tiering assessment
      • Third-party risk assessment
      • Third-party engagement
      • Assessment template
      • Third-party risk issue
      • Engagement risk scoring rule
      • Engagement level risk rating
    • The internal assessment component is an extension of the tiering assessment component.
    • The Control component is related to Policy and Compliance Management.
    • The Risk component is related to Risk Management.
    • The following components are Global:
      • Vendor contact
      • Company
      • Assessment metric type
    The following table lists the roles that are required for the components in the TPRM data model.
    Table 1. Roles for the TPRM data model
    Role Description
    sn_vdr_risk_asmt.approver Approve due diligence requests in the third-party risk management process.
    sn_vdr_risk_asmt.contract_negotiator Work in the contract risk process stage of the onboarding process.
    sn_vdr_risk_asmt.vendor_assessment_reviewer Edit assessments.
    sn_vdr_risk_asmt.vendor_assessor Manage third parties, third-party contacts, third-party risk assessments, and issues, and complete third-party risk assessment requests.
    sn_vdr_risk_asmt.vendor_risk_admin Have full control over all vendor risk management data and assessment metric types.
    sn_vdr_risk_asmt.vendor_risk_manager Manage third parties, third-party contacts, third-party assessment templates, questionnaire templates, documentation request templates, and scheduled assessments.

    For more information on the roles, see Roles in Third-party Risk Management.

    Core components

    TPRM is based on sending assessments and calculating scores from the received responses.

    You can use these core components to perform assessments:
    • Third-party risk assessment
    • Third-party engagement
    • Third-party due diligence
    • Scoring setup
    • Risk intelligence

    The following diagram shows the main tables and flow for a third-party risk assessment of the TPRM data model.

    Figure 2. Third-party risk assessment data model
    Relationship between due diligence, third-party management, policy and compliance, and risk main tables or third-party risk assessments. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the Third-party risk assessment data model.

    Components:
    • Internal assessments [sn_vdr_risk_asmt_internal_assessment]
    • Tiering assessments [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • External assessments [sn_vdr_risk_asmt_assessment]
    • Assessment template [sn_vdr_risk_asmt_template]
    • Questionnaire templates [asmt_metric_type]
    • Questionnaire instance [asmt_assessment_instance]
    • Category [asmt_metric_category]
    • Metric [asmt_metric]
    Relationships:
    • The Metric component can have a many-to-one relationship with the Category component.
    • The Category component can have a many-to-one relationship with the Questionnaire component.
    • The Questionnaire templates component can have a many-to-one relationship with the following components:
      • Assessment template
      • Tiering assessments
      • External assessments
    • The Questionnaire instance component can have a many-to-one relationship with the following components:
      • External assessments
      • Tiering assessments
    • The Assessment template component can have a one-to-many relationships with the following components:
      • Tiering assessments
      • External assessments
    • The Internal assessment component is an extension of the Tiering assessment component.
    • The Internal assessment components are related to Risk due diligence.
    • The following components are related to Third-party management:
      • Tiering assessments
      • External assessments
      • Assessment templates
    • The following components are Global:
      • Questionnaire templates
      • Category
      • Metric
      • Questionnaire instance

    For more information on assessments, see Assessing your third-party risk.

    The following diagram shows the main tables and flow that are used for the due diligence in the TPRM data model.

    Figure 3. Due diligence data model
    Relationship between the risk due diligence, third-party management, policy and compliance, and risk main tables used for due diligence. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the due diligence data model.

    Components:
    • Third party [core_company]
    • Engagements [sn_vdr_risk_asmt_vendor_engagement]
    • Due diligence [sn_tprm_dd_request]
    • Issues [sn_vdr_risk_asmt_issue]
    • Tasks [sn_vdr_risk_asmt_task]
    • Vendor contacts [vm_vdr_contact]
    • Risk intelligence scores [sn_vdr_risk_asmt_security_score]
    • External assessments [sn_vdr_risk_asmt_assessment]
    • Tiering assessments [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Internal assessments [sn_vdr_risk_asmt_vdr_internal_assessment]
    Relationships:
    • The Third party component has a one-to-many relationship with subsidiaries.
    • The Third party component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • External assessments
      • Tiering assessments
      • Risk intelligence scores
      • Issues
      • Tasks
    • The Due diligence component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • Tiering assessments
      • Risk intelligence scores
    • The Engagements component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • External assessments
      • Tiering assessments
      • Issues
      • Tasks
    • The Third party component is related to the Due diligence component.
    • The Engagements component is related to the Due diligence component.
    • The External assessments component is related to the Due diligence component.
    • The Internal assessment component is an extension of the Tiering assessment component.
    • The following components are related to Risk due diligence:
      • Due diligence
      • Internal assessments
    • The following components are related to Third-party management:
      • Engagements
      • Issues
      • Tasks
      • Risk intelligence scores
      • External assessments
      • Tiering assessments
    • The following components are Global:
      • Third party
      • Vendor contact

    The following diagram shows the required roles, processes, and choices that are part of the due diligence workflow.

    Figure 4. Due diligence workflow
    Work flow that shows the required roles, processes, and choices that exist as part of the due diligence workflow.

    For more information on the due diligence workflow, see Due diligence workflow.

    The following diagram shows the main tables that are used for scoring the TPRM data model.

    Figure 5. Scoring data model
    Relationship between due diligence, third-party management, policy and compliance, and risk main tables that are used for scoring risk. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the scoring data model.

    Components:
    • Third party [core_company]
    • Third-party risk scoring rule [sn_vdr_risk_asmt_vendor_risk_scoring _rule]
    • Component criteria [sn_vdr_risk_asmt_component_criteria]
    • Components [sn_vdr_risk_asmt_component]
    • Engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Risk area criteria [sn_vdr_risk_asmt__risk_area_criteria]
    • Risk domains [sn_vdr_risk_asmt_risk_area_definition]
    Relationships:
    • The Risk area criteria component has a one-to-many relationship with the Risk domain component.
    • The Risk area criteria component has a one-to-one relationship with the Engagement risk scoring rule component and the Third-party risk scoring rule component.
    • The Engagement risk scoring rule has a one-to-many relationship with the Engagement component.
    • The Component criteria has a one-to-many relationship with Components.
    • The Component criteria has a one-to-one relationship with the Third-party risk scoring rule component.
    • The Third-party risk scoring rule component has a one-to-many relationship with the Third-party component.
    • All of these components are related to Third-party management.

    Use the scoring setup in TPRM configure how the scores from the external risk assessments are aggregated to the engagements and third parties. The criteria tables have the information that is related to the aggregation of the scores of multiple records (MIN, MAX, AVG) or from multiple tables (weights for each table). Use the scoring rules to group third parties or engagements and assign criteria. You can configure all the records in these tables without any customization.

    For more information on scoring, see Third-party risk ratings and scoring calculations.

    The following model diagram shows the main tables that are used for risk intelligence in the TPRM data model.

    Figure 6. Risk intelligence model
    Relationship between the risk due diligence, third-party management, policy and compliance, and risk main tables. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the Risk intelligence data model.

    Components:
    • Third party [core_company]
    • Provider Services [sn_vdr_risk_asmt_tpss_provider]
    • Risk intelligence scores [sn_vdr_risk_asmt_security_score]
    • Score subfactors [sn_vdr_risk_asmt_tpss_subfactor]
    Relationships:
    • The Risk intelligence providers component has a one-to-many relationship with the Providers Services component.
    • The Providers Services component has a one-to-many relationship with the Risk intelligence scores component.
    • The Risk intelligence scores component has a one-to-many relationship with the Scores subfactors component.
    • The Risk intelligence scores component is related to the Risk intelligence providers component.
    • All of these components are related to Third-party management.

    For more information on risk intelligence, see Risk intelligence report requests management.