Combined Third-party Risk Management release notes for upgrades from Vancouver to Xanadu

How to use this page

To help you prepare for your upgrade, we have combined the cross-family Third-party Risk Management release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Vancouver to Xanadu.

Tip:

If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."

Important information for upgrading Third-party Risk Management to Xanadu

Before you upgrade to Xanadu, review these pre- and post-upgrade tasks and complete the tasks as needed.


Release	Release notes
Vancouver
Washington DC	If you are a VRM user upgrading to TPRM, when upgrading to Vancouver or later from an earlier release, you must run each upgrade sequentially to ensure that fix scripts run correctly. This means upgrading from Utah to Vancouver, Vancouver to Washington DC, and so on. If the scripts do not run in the correct order, it can result in data inconsistencies, broken functionalities, and conflicts. For more information on upgrading from VRM to TPRM, see Third-party Risk Management upgrade information.
Xanadu	If you are a VRM user upgrading to TPRM, when upgrading to Vancouver or later from an earlier release, you must run each upgrade sequentially to ensure that fix scripts run correctly. This means upgrading from Utah to Vancouver, Vancouver to Washington DC, and so on. If the scripts do not run in the correct order, it can result in data inconsistencies, broken functionalities, and conflicts. For more information on upgrading from VRM to TPRM, see Third-party Risk Management upgrade information.

New features

Between your current release family and Xanadu, new features were introduced for Third-party Risk Management.


Release	Release notes
Vancouver	Due Diligence Management in the Vendor Risk Management workspace Use workflows for due diligence requests—onboarding, engagements, reevaluation, reviewing contracts, and offboarding. The workflow environment enables you to customize the approval process. The workflow can auto-trigger third-party risk assessments based on answers in the tiering assessment questionnaire. TPRM Risk concentration map View third parties and engagements pinpointed on a global geographic map. Filter the entities that appear on the map. Policy and Compliance supports Common Controls The Policy and Compliance integration now supports the Common Controls feature. Policy and Compliance enables third parties to answer questions. The answers determine control compliance. The integration now supports the update of common control compliance as well as non-common controls via this process. Run the Quick Start tests for Third-party Risk Management After upgrades and deployments of new applications or integrations, run quick start tests to verify that Third-party Risk Management works as expected. If you customized Vendor Risk Management, copy the quick start tests and configure them for your customizations.
Washington DC	Event-driven management — automate assessment processes Configure the rules that auto-generate and send questionnaires and document requests to engagements and third parties. For engagements and third parties that meet the criteria you define, you specify the schedule, questionnaire, and document request templates. You can automate all assessment types except onboarding. New user group: Due diligence request assigners Enable each member of the Due diligence request assigners group to receive an email notification of the new requests for due diligence. For requests that are in the New or Unassigned state, you need to specify the owner. Any group member can assign the owner. New reports on the Due diligence management dashboard Use the Due diligence management dashboard, as a third-party risk manager or assessor, to track, prioritize, and manage your responsibilities. Tracking a managed activity View managed activities in the usage analytics activities table for tracking and verification purposes in the Third-party Risk Management application. New Standardized Information Gathering (SIG) questionnaire content Use the updated SIG templates for 2024 after upgrading to version 18.x as part of the Third-party Risk Management application.
Xanadu	Third-party element collection Confirm that third-party elements adhere to the same security and compliance standards as an engagement by monitoring them through TPRM. Use this data to help identify, assess, and manage the risks that are related to your engagements that depend on third-party elements. Risk intelligence report requests Make informed decisions about working with an engagement or third party by requesting and managing risk intelligence reports or scores from external risk intelligence content providers using the Third-party Risk Management application. Third-party risk management data model Take full advantage of Third-party Risk Management by viewing its data model to see how you can best use it to assess, monitor, and mitigate the risks that are required for your risk management program. Digital resilience third-party registers Create, update, and track records for digital resilience third-party registers by using the Digital resilience third-party registers application within the Vendor Management Workspace Vendor Management Workspace. You can bulk create or edit individual records for assessments, branches, contracts, functions, legal entities, supply chains, third parties, or third-party engagements using the Excel download/upload requests feature. This application helps you maintain records with information and communication technology (ICT) third-party service providers, helping ensure compliance with the Digital Operational Resilience Act (DORA).

Changes

Between your current release family and Xanadu, some changes were made to existing Third-party Risk Management features.


Release	Release notes
Vancouver	New Vendor Management workspace experience The new Vendor Management workspace provides a more efficient, modernized way for you to work. The Vendor Risk Overview reports — Legacy view page is still supported in this release. The name of the application changed from Vendor Risk Management to Third-party Risk Management The word "vendor" is replaced with "third-party" on most of the user interface. In some cases (workspace name, field name, and so on), the word "vendor" did not change because it is shared globally across several applications. To reduce confusion, the Third-party Scores table was relabeled to Risk Intelligence Scores. New [sn_svdp.allow_assessor_edit] property of Third-Party Risk Assessor role The default setting for the [sn_svdp.allow_assessor_edit] property enables Third-party risk assessors [sn_vdr_risk_asmt.vendor_assessor] to answer questions or modify responses in third-party questionnaires. For instructions on setting this property, see Configure TPRM properties. New [sn_vdr_risk_asmt.vendor_risk_admin] role The new [sn_vdr_risk_asmt.vendor_risk_admin] role can create and edit questionnaire templates and contains all the permissions of the [vendor_risk _manager] and [assessment_admin] roles. The permissions for creating and editing questionnaire templates have been removed from the [sn_vdr_risk_asmt.vendor_risk_manager]. See Roles in Third-party Risk Management. New Active option The new Active option enables Third-party risk managers [sn_vdr_risk_asmt.vendor_risk_manager] to turn a tier-based assessment submission rule on or off. When all rules are turned off, third-party risk assessments are not automatically generated by tier changes. For more information, see Create an automated risk assessment when the assigned risk tier changes—Legacy process.
Washington DC	Terminated third parties are now available for new DD requests for onboarding You can now reactivate a third party that is in the Terminated status. You can select a terminated third party when you’re creating due diligence requests for onboarding new engagements. If such a request is accepted and closed, the third party's status is changed to Active. New [sn_svdp.allow_assessor_edit] property of Third-Party Risk Assessor role The default setting for the [sn_svdp.allow_assessor_edit] property enables Third-party risk assessors [sn_vdr_risk_asmt.vendor_assessor] to answer questions or modify responses in third-party questionnaires. For instructions on setting this property, see Configure TPRM properties. New [sn_vdr_risk_asmt.vendor_risk_admin] role The new [sn_vdr_risk_asmt.vendor_risk_admin] role can create and edit questionnaire templates and contains all the permissions of the [vendor_risk _manager] and [assessment_admin] roles. The permissions for creating and editing questionnaire templates have been removed from the [sn_vdr_risk_asmt.vendor_risk_manager]. For more information, see Roles in Third-party Risk Management. New Active option The new Active option enables Third-party risk managers [sn_vdr_risk_asmt.vendor_risk_manager] to turn a tier-based assessment submission rule on or off. When all rules are turned off, third-party risk assessments aren’t automatically generated by tier changes. For more information, see Create an automated risk assessment when the assigned risk tier changes—Legacy process. New configurations automatically attach external questionnaires to assessments You can now add questionnaires automatically to third-party risk assessments based on the final risk tiers that are calculated at the IRQ assessment or engagement level. This change is in addition to the existing feature that adds questionnaires to the third-party risk assessments in the due diligence workflow based on the responses from the IRQ questionnaire. The level at which the risk tier is calculated can be configured. Vendor Risk dashboard in Next Experience UI Framework Starting with version 18.1.3 of the Third-party Risk Management application, the Vendor Risk dashboard is no longer supported as part of the Next Experience UI Framework. The Vendor Risk dashboard is available for existing users that have installed Third-party Risk Management prior to 18.1.3.
Xanadu	No updates for this release.

Removed

Between your current release family and Xanadu, some Third-party Risk Management features or functionality were removed.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.

Deprecations

Between your current release family and Xanadu, some Third-party Risk Management features or functionality were deprecated.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	Reminder workflows Starting with version 19.1.x of the Third-party Risk Management application, the tiering questionnaire and external assessment reminders workflows are deprecated and migrated to Workflow Studio. If you have customized these workflows, they won’t be deprecated or migrated as part of this change.

Activation information

Review information on how to activate Third-party Risk Management.


Release	Release notes
Vancouver	Install and activate the TPRM application (com.sn_vdr_risk_asmt). See Configuring Third-party Risk Management and Download a GRC application from the ServiceNow Store for the first time.
Washington DC	Install TPRM by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes. Quick start tests for TPRM. After upgrades and deployments of new applications or integrations, run quick start tests to verify that TPRM works as expected. If you customized TPRM, copy the quick start tests and configure them for your customizations.
Xanadu	Install Third-party Risk Management by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes. Quick start tests for TPRM. After upgrades and deployments of new applications or integrations, run quick start tests to verify that TPRM works as expected. If you customized TPRM, copy the quick start tests and configure them for your customizations.

Additional requirements

If any additional requirements were introduced or changed for Third-party Risk Management we have noted them here.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.

Browser requirements

If any specific browser requirements were introduced or changed for Third-party Risk Management we have noted them here.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.

Accessibility information

Review details on accessibility information for Third-party Risk Management, such as specific requirements or compliance levels.


Release	Release notes
Vancouver	Third-party Risk Management uses enhanced color contrast in certain areas and includes improved keyboard navigation.
Washington DC	No updates for this release.
Xanadu	Accessibility improvements for the Third-party Risk Management application include the following updates. Keyboard focus: Improved visual accessibility in the Third-party portal by increasing contrast between the focus border and white background. Screen reader support has been extended to announce the following: Completed status after all questions have been completed in a section of an external questionnaire in the Third-party portal. Correct labels and other relevant information for controls, images, card regions, menu items, and links in the Vendor Management Workspace.

Localization information

If there are specific localization considerations for Third-party Risk Management we have noted them here.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.

Highlight information

If there are specific highlight considerations for Third-party Risk Management we have noted them here.


Release	Release notes
Vancouver	View engagements pinpointed on a global geographic map using the Risk concentration map. Filter data based on key criteria. Use workflows for due diligence requests—onboarding, engagements, reevaluation, reviewing contracts, and offboarding. The workflow environment enables you to customize the approval process. The workflow can auto-trigger third-party risk assessments based on answers in the tiering assessment questionnaire. The Policy and Compliance integration now supports the Common Controls feature. Policy and Compliance enables third parties to answer questions. The answers determine control compliance. The integration now supports the update of common control compliance as well as non-common controls via this process. See Third-party Risk Management for more information.
Washington DC	Automate assessments with the event-driven management feature. View new reports on the Due diligence management dashboard. Track and verify a managed activity. Use the new Standardized Information Gathering (SIG) questionnaire content available for 2024. Add questionnaires to third-party risk assessments based on the final risk tiers that were calculated at the IRQ assessment or engagement level. See Third-party Risk Management for more information.
Xanadu	Collect, monitor, and assess third-party elements for engagements. Request risk intelligence reports (RIR) and scores so that you can manage and monitor your RIR requests all within TPRM. View the Third-party Risk Management data model. Use the Digital resilience third-party registers application to create, update, and track records for digital resilience third-party registers. See Third-party Risk Management for more information.