Third-party Risk Management upgrade information
Summary of Third-party Risk Management upgrade information
This document provides essential upgrade guidance and changes for ServiceNow's Third-party Risk Management (TPRM) application, specifically for customers transitioning to the Yokohama release. It includes critical steps for upgrading from Vendor Risk Management (VRM) to TPRM, plugin activation requirements, and changes in data models and workflows.
Upgrade Guidance
If you are upgrading from an earlier VRM release to TPRM starting with the Vancouver release, it is mandatory to perform upgrades sequentially without skipping versions. This ensures all fix scripts execute properly, preventing data inconsistencies, broken functionality, and conflicts.
Plugin Activation Requirements
- For TPRM: Activate the Third-party Risk Management application [com.sn_vdr_risk_asmt], Third-party Risk Due Diligence [com.sn_tprm_dd], and optionally the Vendor Risk Management Workspace [sn_vrm_ws] if using the workspace.
- For VRM: Activate the Vendor Risk Management application [com.sn_vdr_risk_asmt] and optionally the Vendor Risk Management Workspace [sn_vrm_ws].
For detailed licensing and metering information, refer to the respective TPRM and VRM licensing documentation.
Key Changes from VRM to TPRM
- The application name changed from Vendor Risk Management to Third-party Risk Management starting in the Vancouver release.
- Introduction of the internal assessment table [sn_vdr_asmt_internal_assessment], extending the existing tiering assessment table.
- New Due Diligence Review (DDR) workflow combines internal and external (VRA) assessments.
- Risk Intelligence Scores have replaced the Third-party Scores label to clarify terminology.
- User interface terminology changed from “vendor” to “third party” in most places, though some global terms may remain.
- Customizations on tiering assessment and VRA tables may require updates to support the DDR workflow.
- If you choose not to use the Due Diligence workflow, the original tiering and external assessments remain unchanged.
Data Model Differences
Vendor Risk Management (VRM) Data Model primarily uses “vendor” terminology and includes these core tables:
- Tiering assessment
- Company
- Vendor risk assessment
- Vendor engagement
- Vendor contact
- Assessment metric type
- Assessment template
- Engagement risk scoring rule
- Engagement level risk rating
Third-party Risk Management (TPRM) Data Model extends VRM by incorporating:
- Risk intelligence scores
- Internal assessment table
- Event-driven management history and rules for due diligence
- Third-party due diligence requests
- Third-party risk issues
- Use of “third-party” terminology in UI and data structures
These enhancements enable a more comprehensive risk assessment process combining internal evaluations and due diligence reviews for third parties.
ServiceNow® Third-party Risk Management application upgrade information for the Yokohama release.
Important information for upgrading Vendor Risk Management to Yokohama
Starting with the Vancouver release, if you’re a VRM user upgrading to TPRM from an earlier release, you must run each upgrade sequentially to ensure that fix scripts run correctly. This means upgrading from one release to the next rather than skipping to the latest release. Running scripts out of order can result in data inconsistencies, broken functionality, and conflicts.
Plugin requirements
For Third-party Risk Management:
- Activate the Third-party Risk Management application [com.sn_vdr_risk_asmt].
- Activate the Third-party Risk Due Diligence application [com.sn_tprm_dd].
- Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.
For Vendor Risk Management:
- Activate the Vendor Risk Management application [com.sn_vdr_risk_asmt].
- Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.
For more information on licensing or metering, see Tracking a managed activity, Third-party Risk Management (TPRM) Licensing and Vendor Risk Management (VRM) Licensing.
VRM to TPRM changes
- The name of the application changed from Vendor Risk Management to Third-party Risk Management as part of the Vancouver release.
- The internal assessment [sn_vdr_asmt_internal_assessment] table is introduced, extending the tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] table.
- The Due Diligence Review (DDR) workflow is introduced, which uses both the internal assessment and the external (VRA) assessment.
  Note: If you have customizations on the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables, they might need modifications to work with the DDR workflow.
- The Third-party Scores [sn_vdr_risk_asmt_security_score] table has been relabeled to Risk Intelligence Scores [sn_vdr_risk_asmt_security_score] to reduce confusion.
- All instances of “vendor” are changed to “third party” in the user interface, though some global instances might remain unchanged.
  Note: If you don’t want to use the due diligence workflow, your original workflow (Tiering assessment and External assessments (VRAs)) should be the same.
VRM and TPRM data model
The Vendor Risk Management data model primarily uses the term “vendor” and includes the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables.
The Third-party Risk Management data model uses the term “third-party” in most user interface elements and introduces the DDR workflow, which uses both internal [sn_vdr_asmt_internal_assessment] and external [sn_vdr_risk_asmt_assessment] assessments.
The following models show VRM's and TPRM's capabilities.
The components included in the Vendor Risk Management data model are as follows:
- Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
- Company [core_company]
- Vendor risk assessment [sn_vdr_risk_asmt_assessment]
- Vendor engagement [sn_vdr_risk_asmt_vendor_engagement]
- Vendor contact [vm_dr_contact]
- Assessment metric type [asmt_metric_type]
- Assessment template [sn_vdr_risk_asmt_assessment_template]
- Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
- Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]
The components included in the Third-party Risk Management data model are as follows:
- Risk intelligence score [sn_vdr_risk_asmt_security_score]
- Internal assessment [sn_vdr_asmt_internal_assessment]
- Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
- Event-driven management history [sn_tprm_dd_rule_execution_history]
- Third-party due diligence request [sn_tprm_dd_request]
- Company [core_company]
- Event-driven management rule [sn_tprm_dd_generation_rule]
- Third-party risk assessment [sn_vdr_risk_asmt_assessment]
- Third-party engagement [sn_vdr_risk_asmt_vendor_engagement]
- Vendor contact [vm_dr_contact]
- Assessment metric type [asmt_metric_type]
- Assessment template [sn_vdr_risk_asmt_assessment_template]
- Third-party risk issue [sn_vdr_risk_asmt_issue]
- Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
- Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]