Configuring Third-party Risk Management

  • Release version: Yokohama
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configuring Third-party Risk Management

    This guide details how ServiceNow customers can activate, upgrade, and configure the Third-party Risk Management (TPRM) application to effectively manage third-party risks. By following a structured checklist, you can install essential TPRM components, assign roles, set up secure external access, and tailor communication and interface elements to your organizational needs.


    Key Features

    • Application Activation: Install the core TPRM app, Due Diligence Request Workflow, and Vendor Risk Management Workspace from the ServiceNow Store. Optionally, load demo data containing sample questionnaires.
    • Security Configurations: Implement authentication policies to ensure secure external third-party access using platform post-authentication controls.
    • Role and Group Management: Assign TPRM roles to users and organize users into groups aligned with their responsibilities to optimize task notifications and process management.
    • TPRM Property Settings: Configure various operational properties to customize TPRM behavior according to your organizational requirements.
    • Risk Concentration Map: Optionally enable this feature to visualize risk concentrations, which requires a Google license after installation.
    • Email Configuration: Enable email communications with third-party contacts, including customizing header and footer images in notifications.
    • Data Import: Optionally import existing third-party, engagement, and assessment data from other platforms without additional charges.
    • Third-party Contact Setup: Create and manage external third-party users’ access and permissions within the Third-party portal for collaboration on assessments and issue tracking.
    • Language Activation: Optionally configure the application to support languages other than the default American English.
    • Testing and Workspace Customization: Run quick-start tests after upgrades or customizations to verify functionality and configure related lists in the Vendor Management Workspace for enhanced navigation.

    Practical Benefits

    By completing these setup tasks, ServiceNow customers can establish a robust third-party risk management environment that streamlines risk assessments, enhances security for external collaborators, and improves communication efficiency. The structured role and group assignments ensure accountability and timely notifications, while optional features like the Risk Concentration Map and language activation provide tailored insights and accessibility. Importing existing data facilitates smooth transitions from other systems.

    You can activate or upgrade TPRM by downloading the applications from the ServiceNow Store and then configuring the settings to meet your needs.

    Configuration overview

    By performing the tasks in the Setup tasks for TPRM checklist, you can upgrade or install the TPRM application. After you’ve completed the tasks, you can perform additional configuration as described in Classic assessment configuration.

    Note:

    For any custom messages you create, it is your responsibility to generate the corresponding sys_ui_message records. This step is crucial if you want the custom messages to be extracted and translated.

    Initial setup and upgrade checklist for TPRM

    Table 1. Setup tasks for TPRM
    Task Description
    Activate the Third-party Risk Management app [com.sn_vdr_risk_asmt].

    To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.
    Important:
    The base system includes many sample questions that you can use in your question bank. To include sample questionnaires, select Load demo data while installing the app.

    Role required: admin

    Activate the Due diligence request workflow application [com.sn_tprm_dd].

    To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.

    Role required: admin

    Activate the Vendor Risk Management Workspace application [sn_vrm_ws].

    To see the instructions for downloading a GRC application from the ServiceNow® Store, see Download a GRC application from the ServiceNow Store for the first time.

    Role required: admin

    Add an authentication policy to enable secure access for external third parties.

    For more information, see Add an authentication policy to enable secure access for external third parties.

    Role required: admin

    Use the platform post-authentication policies to enable third parties to securely access your instance. For background information on this feature, see Post-authentication context.

    Assign TPRM roles to users and user groups.

    Assign roles to users before you implement or use the Third-party Risk Management application. Assigning roles in a well-organized manner simplifies and improves process management and helps to ensure that users are promptly notified of tasks in their areas of responsibility.

    For more information, see Assign TPRM roles to users and user groups.

    Role required: admin

    Add users to groups based on their responsibilities.

    Assign users to groups before you implement or use the Third-party Risk Management application. Each group contains users with particular roles. Well-organized user groups simplify and improve process management and help to ensure that users are promptly notified of tasks in their areas of responsibility.

    For more information, see Add users to groups based on responsibilities.

    Role required: admin

    Configure TPRM properties.

    Configure property settings for a variety of TPRM operations.

    For more information, see Configure TPRM properties.

    Role required: admin

    Enable the TPRM Risk concentration map.

    This task is optional. For more information, see Enable the TPRM Risk concentration map.

    Role required: admin

    After you install the Risk concentration map feature, you must install a Google license to enable the feature.

    Enable your emails with third-party contacts.

    Configure email communication with third-party contacts to enable email notification of assessments and issues.

    For more information, see Enable email with third-party contacts.

    Role required: admin

    Update header and footer images for email notifications.

    Update the header and footer images used in email notifications by modifying image records.

    For more information, see Update the header and footer for email notifications.

    Role required: admin

    Import the existing data from other systems.

    This task is optional. Import existing data (third parties, engagements, assessments, questionnaires, issues, and so on) from other systems (like the Aravo platform, the ProcessUnity platform, and so on). You aren’t charged for importing the data.

    For more information, see Import existing data from other systems.

    Role required: admin

    Set up third-party contacts.

    Third-party contacts are external users at the third-party organization. They use the Third-party portal to securely organize, prioritize, and complete their work, such as responding to questionnaires for assessments, performing tasks, and communicating with your risk-assessment staff regarding issues. You grant access to the Third-party portal and specify the permissions for third-party contacts.

    For more information, see Set up third-party contacts.

    Role required: admin or sn_vdr_risk_asmt.vendor_risk_manager

    Activate a language.

    This task is optional. The ServiceNow AI Platform uses American English by default. You can configure TPRM to use a different language.

    For more information, see Activate a language.

    Role required: admin

    Run the quick-start tests for third-party risk management.

    This task is optional. Verify that TPRM still works after you make configuration changes such as applying an upgrade or developing an application. Copy and customize the quick-start tests to pass when using your instance-specific data.

    For more information, see Run the Quick Start tests for Third-party Risk Management.

    Configure related lists in the Vendor Management Workspace.

    This task is optional.

    Configure the related lists that appear in the vertical navigation layout on record pages in the Vendor Management Workspace.

    For more information, see Configure related lists for vertical navigation on record pages.