Sourcing and Procurement Operations integration with Third-party Risk Management

  • Release version: Yokohama
  • Updated January 30, 2025
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Sourcing and Procurement Operations integration with Third-party Risk Management

    This integration enables ServiceNow customers to leverage supplier risk assessment capabilities by connecting the Sourcing and Procurement Operations (SPO) application with Third-party Risk Management (TPRM). It requires both SPO and TPRM applications to be installed alongside the Risk Assessments Integration for Sourcing and Procurement Operations application. This setup enhances supplier risk visibility, automates risk assessment workflows, and improves governance around procurement risk management.

    Show full answer Show less

    Key Features

    • Company and Supplier Table Linkage: Establishes a connection between Company and Supplier tables via a new Related company field, allowing synchronized data management and automatic creation of vendor records.
    • Risk and Tiering Assessments Visibility: Tiering and risk assessments created in TPRM are visible as related lists in the Supplier table within SPO, enabling procurement specialists with the Vendor Risk Reviewer role to access vendor risk data directly.
    • Valid Risk Assessment Automation: A scheduled job updates the Valid risk assessment field in the Supplier table based on the validity dates of existing risk assessments, helping ensure ongoing supplier risk compliance.
    • Enhanced Risk Assessment Cases: The existing Conduct a Supplier Risk Assessment case includes new roles (Purchasing Task Owner) and improved visibility through related risk assessments, facilitating streamlined risk validation.
    • New Tiering Assessment Case: A new Conduct a Supplier Tiering Assessment case can be automatically triggered based on supplier tiering needs or manually created, with configurable templates controlling sourcing request workflows based on case status.

    Practical Benefits for ServiceNow Customers

    • Direct integration between procurement and risk management data improves accuracy and timeliness in supplier risk evaluation.
    • Automated validation and case management reduce manual effort and enhance compliance with risk policies.
    • Visibility into both valid and expired risk assessments supports informed decision-making during sourcing and procurement activities.
    • Flexible case triggering and workflow configuration enable alignment with your organization's procurement governance and risk appetite.

    Additional Information

    This integration is unique to the combined SPO and TPRM environment and is not available when using Sourcing and Procurement Operations alone. The integration extends to roles, tables, scheduled jobs, and case types specifically designed to enhance procurement risk management workflows within ServiceNow.

    Leverage relevant supplier risk assessment capabilities by integrating Sourcing and Procurement Operations with Third-party Risk Management.

    The following capabilities can be leveraged by customers if they have both the Sourcing and Procurement Operations and Third-party Risk Management applications installed:
    • Connection between the Company and Supplier tables through the Related company field. Also, leverage properties in the tables to synchronize other fields between the two tables at your own discretion.
    • Viewing tiering assessments and risk assessments for a vendor in the Supplier table.
    • Vendor Risk Reviewer role as a procurement specialist.
    • Adding members to the Governance, Risk, and Compliance (GRC) group, containing the new Purchasing Task Owner role.
    • Automation of the Valid risk assessment field in the Supplier table.
    • Enhancements to the existing Conduct a Supplier Risk Assessment case.
    • Creating a new Conduct a Supplier Tiering Assessment case. This is automatically triggered based on its requirement specified in the Tiering assessment needed? field in the Supplier table.
      Note:
      This is unique to the Risk Assessments Integration for Sourcing and Procurement Operations application and is not available if the customer has Sourcing and Procurement Operations alone.

    Risk Assessments Integration for Sourcing and Procurement Operations application

    Customers can use the Risk Assessments Integration for Sourcing and Procurement Operations application for leveraging certain capabilities if they have both the Sourcing and Procurement Operations and Third-party Risk Management applications installed.

    With this application, the Related company field is defaulted from the current application. This new reference field displays under the Global company field as a reference to the Company table. This field is only available when the Third-party Risk Management and Sourcing and Procurement Operations applications are installed. Also, the Tiering Assessments and Risk Assessments related lists in the Supplier table are only available when the Third-party Risk Management and Sourcing and Procurement Operations applications are installed.

    Company table connection

    Two new fields are added, one in the Supplier table named Related company, and another in the Company table named Supplier that references the Supplier table.

    When you open any existing supplier record in the Supplier table, you can link it to an existing record in the Company table with the Related company field. If that record does not exist, the procurement administrator creates a record in the Company table to establish the connection.

    When you create a new supplier record in the Supplier table, a new vendor record is automatically created in the Company table with read-only reference to the Supplier table.

    Valid risk assessment visibility in the Supplier table

    Tiering and risk assessments on a vendor can be created on the vendor record in the Third-party Risk Management application. These assessments are made visible in the Supplier table as related lists, to validate any supplier in Sourcing and Procurement Operations. A procurement specialist, containing the Vendor Assessment Reviewer role can read any vendor risk assessment data.

    For information on tiering and risk assessments on a vendor, see Manage vendor tiering assessments and Manage vendor risk assessments.

    Valid supplier risk assessment

    To determine if a supplier has a valid risk assessment, a scheduled job is run, and the customer’s system administrator can configure its frequency. This job keeps the Valid risk assessment field in the Supplier table up-to-date, based on the Risk rating valid to field on risk assessments in the Vendor Risk Assessments table.

    A risk assessment is considered valid when:
    • Today's date is on or before the date defined in the Risk rating valid to field.
    • The value in the Valid risk assessment field in the Supplier table is Yes.

    A Conduct a Supplier Risk Assessment case is created if a risk assessment is invalid. Risk assessments can be triggered manually by the Vendor Risk Manager, or automatically from any change in vendor tier rating.

    Enhancing the Conduct a Supplier Risk Assessment case

    A Vendor Risk Manager can be assigned the Conduct a Supplier Risk Assessment case to validate a supplier's risks and to ensure that the supplier does not pose risks to the company.

    The existing Conduct a Supplier Risk Assessment case is enhanced such that:
    • The GRC group contains the Purchasing Task Owner role, with visibility and access to the case.
    • The case has a related list of the risk assessments, both valid and expired, for better visibility.

    Creating a new Conduct a Supplier Tiering Assessment case

    A new Conduct a Supplier Tiering Assessment case can be created in either of these methods, and assigned to the manager of the GRC group:
    • Automatically, triggered based on its requirement specified in the Tiering assessment needed? field in the Supplier table. If the risk rating of the related supplier is critical, high, or empty, a Conduct a Supplier Tiering Assessment case is auto-triggered.
      Note:
      This is unique to the Risk Assessments Integration for Sourcing and Procurement Operations application and is not available if the customer has Sourcing and Procurement Operations alone.
    • Manually, by a customer.

    You can customize this case through the Supplier Tiering Assessment case templates, by defining the Sourcing decision dependent on case field to decide if this case should stop the sourcing request from moving into the Requires Decision state. The default value of this field is Yes. In this scenario, if all purchase requisition lines are in the Pricing Obtained state, and there are other cases still open, the sourcing request moves to the Awaiting Task Completion state. When the open cases are closed, the sourcing request moves to the Requires decision state. When the Sourcing decision dependent on case field is set to No, and if all purchase requisition lines are in the Pricing Obtained state, then the sourcing request will be in the same Pricing Obtained state even if other cases are open.

    If the sourcing request gets converted to a purchase request, the case is available to be completed in the purchase requisition.

    Note:
    All tiering assessments for a supplier are displayed in related lists.

    For more information on sourcing requests, purchasing tasks, and procurement cases, see Sourcing request and Purchasing tasks and procurement cases.