Third-party Risk Management upgrade information

  • Release version: Washington DC
  • Updated March 3, 2025

    ServiceNow® Third-party Risk Management application upgrade information for the Washington DC release.

    Important information for upgrading Vendor Risk Management to Washington DC

    Starting with the Vancouver release, if you’re a VRM user upgrading to TPRM from an earlier release, you must run each upgrade sequentially to ensure that fix scripts run correctly. This means upgrading from one release to the next rather than skipping to the latest release. Running scripts out of order can result in data inconsistencies, broken functionality, and conflicts.

    Plugin requirements

    TPRM
    • Activate the Third-party Risk Management application [com.sn_vdr_risk_asmt].
    • Activate the Third-party Risk Due Diligence application [com.sn_tprm_dd].
    • Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.
    VRM
    • Activate the Vendor Risk Management application [com.sn_vdr_risk_asmt].
    • Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.

    For more information on licensing or metering, see Tracking a managed activity, Third-party Risk Management (TPRM) Licensing and Vendor Risk Management (VRM) Licensing.

    VRM to TPRM changes

    • The name of the application changed from Vendor Risk Management to Third-party Risk Management as part of the Vancouver release.
    • The internal assessment [sn_vdr_asmt_internal_assessment] table is introduced, extending the tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] table.
    • The Due Diligence Review (DDR) workflow is introduced, which uses both the internal assessment and the external (VRA) assessment.
      Note:
      If you have customizations on the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables, they might need modifications to work with the DDR workflow.
    • The Third-party Scores [sn_vdr_risk_asmt_security_score] table has been relabeled to Risk Intelligence Scores [sn_vdr_risk_asmt_security_score] to reduce confusion.
    • All instances of “vendor” are changed to “third party” in the user interface, though some global instances might remain unchanged.
      Note:
      If you don’t want to use the due diligence workflow, your original workflow (Tiering assessment and External assessments (VRAs)) should be the same.

    VRM and TPRM data model

    The Vendor Risk Management data model primarily uses the term “vendor” and includes the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables.

    The Third-party Risk Management data model uses the term “third-party” in most user interface elements and introduces the DDR workflow, which uses both internal [sn_vdr_asmt_internal_assessment] and external [sn_vdr_risk_asmt_assessment] assessments.

    The following models show VRM's and TPRM's capabilities.

    Figure 1. VRM data model
    Relationship between Vendor Risk Management main tables. For a text description, see the text that precedes and follows this data model.

    The components included in the Vendor Risk Management data model are as follows:

    • Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Company [core_company]
    • Vendor risk assessment [sn_vdr_risk_asmt_assessment]
    • Vendor engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Vendor contact [vm_dr_contact]
    • Assessment metric type [asmt_metric_type]
    • Assessment template [sn_vdr_risk_asmt_assessment_template]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]

    Figure 2. TPRM data model
    Relationship between due diligence and third-party management main tables. For a text description, see the text that precedes and follows this data model.

    The components included in the Third-party Risk Management data model are as follows:

    • Risk intelligence score [sn_vdr_risk_asmt_security_score]
    • Internal assessment [sn_vdr_asmt_internal_assessment]
    • Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Event-driven management history [sn_tprm_dd_rule_execution_history]
    • Third-party due diligence request [sn_tprm_dd_request]
    • Company [core_company]
    • Event-driven management rule [sn_tprm_dd_generation_rule]
    • Third-party risk assessment [sn_vdr_risk_asmt_assessment]
    • Third-party engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Vendor contact [vm_dr_contact]
    • Assessment metric type [asmt_metric_type]
    • Assessment template [sn_vdr_risk_asmt_assessment_template]
    • Third-party risk issue [sn_vdr_risk_asmt_issue]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]