Risk intelligence provider integrations
Summary of Risk Intelligence Provider Integrations
The Third-party Risk Management (TPRM) application supports integrations with risk intelligence providers, enabling organizations to request and manage risk intelligence reports (RIR) for third parties. This integration helps streamline due diligence processes and enhance risk assessment efforts.
Key Features
- Role-based Access: Users with the TPR assessor or TPR manager role can submit requests for scores and reports using the risk intelligence request form.
- Integration Setup: A TPR assessment reviewer must register providers and configure request types within the TPRM application before requests can be made.
- Request Flow: The integration API facilitates a series of states for RIR requests, including Order pending, Order in progress, Closed complete, and Closed incomplete.
- Packet Processing: The API sends and receives detailed packets containing essential data from both the request and response phases, including URLs and scores for risk assessments.
Key Outcomes
Successful integration allows for:
- Efficient processing of risk intelligence requests, enhancing the accuracy of third-party assessments.
- Automated updates on the status of RIR requests, providing visibility into processing stages.
- Streamlined management of reports with direct links to generated content for easy access.
Limitations include that the integration API does not automatically update score records and may create new records if fields are not populated correctly.
The Third-party Risk Management application includes support for risk intelligence provider integrations. These guidelines can help your organization to develop a risk intelligence provider integration for Risk intelligence report (RIR) requests for third parties and due diligence requests.
Integration requirements
The following diagram shows the RIR request flow states and their relationship with the integration requirements for risk intelligence providers.
Integration process:
- All RIR requests in the Order pending state are ready to be sent to the risk intelligence provider.
- A nightly job is set up by the integration API to check for the report request records that are in the Order pending state.
- The integration API updates the RIR request record state to Order in progress.
- The integration API sends a packet to the provider that includes the names of the records and their corresponding source tables:
  - rir_sysid [sn_tprm_dd_risk_intel_request]
  - provider_sysid [sn_vdr_risk_asmt_tpss_provider_basic]
  - third_party_sysid [core_company]
  - third_party_name [core_company]
  - request_type_sysid [sn_tprm_dd_risk_intel_request_type]
  - request_type_name [sn_tprm_dd_risk_intel_request_type]
  - provider_service_sysid [sn_vdr_risk_asmt_tpss_provider]
- If the packet isn’t sent successfully, the integration API updates the RIR request state to Closed incomplete.
- After receiving the RIR request, the risk intelligence provider processes it and gathers information including the URL, score, and content.
- The risk intelligence provider returns a packet for upload to the Third-party Risk Management application. The packet contains the following names of the records, their corresponding source tables, and content:
  - rir_sysid [sn_tprm_dd_risk_intel_request]
  - provider_sysid [sn_vdr_risk_asmt_tpss_provider_basic]
  - third_party_sysid [core_company]
  - request_type_sysid [sn_tprm_dd_risk_intel_request_type]
  - provider_service_sysid [sn_vdr_risk_asmt_tpss_provider]
  - URL
  - score
  - rating
  - content
  Note: The score or rating should be the provider's score or rating. The provider should have set up a mapping to convert the provider's score to a ServiceNow score through a Provider Service record.
- Using the packet information, the integration API creates a risk intelligence score record [sn_vdr_risk_asmt_security_score] and populates the URL field. This URL is used to download and attach the reports to the associated RIR request record [sn_tprm_dd_risk_intel_request].
- The integration API updates the state of the RIR request from Order in progress to Closed complete or Closed incomplete, depending on whether the risk intelligence provider completes the report or fails to send it and decides to close the order.
Limitations
The integration API doesn’t update the score record in the Score table. If the API fails to populate a field when it creates a score record, a new score record is created instead of updating the existing record. For example, if the API didn't associate a score with an RIR request, it has to call the API again to create a new score and associate it with the RIR request.
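The return packet and the limitation above, as an added example (not ServiceNow code): a pre-check that an integration could run on the provider's response before any score record is created, so that an incomplete packet is rejected up front and the report URL that will be downloaded points at a host registered for the provider. The key names mirror the packet lists on this page; the JSON shape, `validateResponsePacket`, `allowedHosts`, the numeric-score rule and all sample values are assumptions constructed for illustration.

```javascript
// Added example. Assumptions: packets are flat JSON objects keyed by the names
// listed on this page; allowedHosts is a per-provider allow-list you maintain.
const SYS_ID = /^[0-9a-f]{32}$/; // ServiceNow sys_ids are 32 hex characters
const ID_FIELDS = ["rir_sysid", "provider_sysid", "third_party_sysid",
                   "request_type_sysid", "provider_service_sysid"];

function validateResponsePacket(sent, received, allowedHosts) {
  const errors = [];
  // Every identifier must be present, well formed, and equal to what was sent,
  // so a response cannot be attached to a different RIR request or third party.
  for (const f of ID_FIELDS) {
    const v = received[f];
    if (typeof v !== "string" || !SYS_ID.test(v)) errors.push(`${f}: missing or not a sys_id`);
    else if (v !== sent[f]) errors.push(`${f}: does not match the request that was sent`);
  }
  // The URL is later fetched to attach the report, so restrict where it may point.
  let url = null;
  try { url = new URL(String(received.URL)); } catch (e) { errors.push("URL: not parseable"); }
  if (url) {
    if (url.protocol !== "https:") errors.push("URL: scheme must be https");
    if (url.username || url.password) errors.push("URL: embedded credentials");
    if (!allowedHosts.includes(url.hostname)) errors.push("URL: host not registered for provider");
  }
  // A score record with neither value would have to be recreated, not updated.
  const s = received.score;
  const hasScore = s !== undefined && s !== null && String(s).trim() !== "";
  const hasRating = typeof received.rating === "string" && received.rating.trim() !== "";
  if (!hasScore && !hasRating) errors.push("score/rating: neither present");
  if (hasScore && !Number.isFinite(Number(s))) errors.push("score: not numeric");
  return { ok: errors.length === 0, errors };
}

// Constructed sample data (not real sys_ids or hosts).
const SAMPLE_SENT = {
  rir_sysid: "a".repeat(32), provider_sysid: "b".repeat(32),
  third_party_sysid: "c".repeat(32), request_type_sysid: "d".repeat(32),
  provider_service_sysid: "e".repeat(32),
};
const SAMPLE_GOOD = { ...SAMPLE_SENT, URL: "https://reports.example.com/rir/1.pdf",
                      score: 720, rating: "B", content: "summary text" };
const SAMPLE_BAD = { ...SAMPLE_GOOD, rir_sysid: "f".repeat(32),
                     URL: "http://files.example.net/r.pdf", score: undefined, rating: "" };
const SAMPLE_HOSTS = ["reports.example.com"];

console.log(validateResponsePacket(SAMPLE_SENT, SAMPLE_GOOD, SAMPLE_HOSTS));
console.log(validateResponsePacket(SAMPLE_SENT, SAMPLE_BAD, SAMPLE_HOSTS));
```

Because the integration API creates rather than updates score records, running a check like this before the create call avoids leaving a partial score record that must later be superseded by a second one.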
Risk intelligence report request states
The risk intelligence report requests have the following potential states:
- Open
  - An RIR request enters this state after the record has been created and saved by the Third-party Risk (TPR) manager, TPR assessor, or contract negotiator that is assigned to the due diligence request. For each risk intelligence request, the system auto-assigns a unique ID number that starts with the text RIR.
- Order pending
  - An RIR request enters this state after the record has been submitted by the Third-party Risk (TPR) manager, TPR assessor, or contract negotiator that is assigned to the due diligence request.
    The following changes take place:
    - The order has been submitted to the provider.
    - The Request date field has been populated with the date that this record was submitted on.
    - All fields in the Risk intelligence report request section are read-only.
- Order in progress
  - An RIR request enters this state after the order has been received by the provider.
    The following changes take place:
    - The score records are generated with the report request.
    - The Score generated on field is updated.
- Closed incomplete
  - An RIR request enters this state after the order was received by the provider but couldn’t be processed due to an error, so the order was closed.
- Closed complete
  - An RIR request enters this state after the order was received and processed by the provider.
- Canceled
  - An RIR request enters this state after a TPR manager, TPR assessor, or contract negotiator cancels the report request. If a TPR manager, TPR assessor, or contract negotiator must cancel a request, it can be done while the request is in the Open or Order pending state. After an RIR request is canceled, that record can't be edited. You must create a new record.