Integrating Third-party Risk Management with GRC: Policy and Compliance Management
Summary
The integration between Third-party Risk Management (TPRM) and GRC: Policy and Compliance Management enables dynamic compliance tracking of controls and control objectives based on questionnaire responses from third parties or engagements. This integration is available for users with the Compliance Manager role and helps organizations assess and manage third-party compliance effectively by linking third parties, engagements, controls, and questionnaire responses.
Key Features
- Control Association: TPR managers can associate controls with specific questions, third parties, and engagements, creating a direct link between these entities and the compliance management process.
- Granular Compliance Assessment: Each question in a questionnaire template can be linked to multiple control objectives, allowing detailed and precise compliance evaluations.
- Automated Compliance Status Updates: When third parties or engagements respond to questionnaires, the system automatically updates the compliance status of linked controls based on the accuracy of their answers. Incorrect answers mark controls as non-compliant, while correct answers maintain compliance.
- Entity Categorization: All third parties are automatically categorized as Vendors, ensuring consistent representation and enabling control creation linked to these entities.
- Role Access: Both Policy and Compliance Management users and Third-party Risk Assessors can monitor control statuses and compliance progress.
- Manual Control and Control Objective Linking: Users can manually add controls to third parties or engagements and link control objectives to questions, supporting tailored compliance tracking.
- Post-assessment Flagging for SAE: Although direct question-to-control objective mapping is unavailable in SAE questionnaires, compliance status can still be flagged through post-assessment actions.
Practical Benefits for ServiceNow Customers
By integrating TPRM with Policy and Compliance Management, ServiceNow customers can:
- Ensure real-time, accurate tracking of third-party compliance based on questionnaire responses.
- Establish clear accountability and traceability between controls, control objectives, and third-party engagements.
- Improve compliance assessment granularity and response-driven status updates to reduce manual effort and increase reliability.
- Leverage role-based access to monitor and manage compliance status across teams involved in risk and compliance management.
- Customize compliance tracking by manually linking controls and control objectives to third parties and questionnaire questions.
Next Steps
To maximize the integration benefits, customers should:
- Assign the Compliance Manager role to TPR managers responsible for control and questionnaire management.
- Associate relevant controls and control objectives with third parties, engagements, and questionnaire questions.
- Utilize automated compliance status updates to monitor third-party risk continuously.
- Refer to guidance on manually adding controls and control objectives for customized compliance workflows.
The GRC: Policy and Compliance Management integration updates the compliance status of controls and control objectives based on the questionnaire responses from a third party or engagement. Third-party risk (TPR) managers with the Compliance Manager [sn_compliance.manager] role can associate controls with specific questions, third parties, and engagements.
If you have the Policy and Compliance Management application installed, TPR managers with the Compliance Manager role can perform several key tasks that help manage and assess third-party compliance.
- You can associate third parties and engagements to specific control objectives. This association creates controls for the third party or engagement, establishing a direct connection between them and the compliance management process.
For more information, see Manually add a control to a third party or engagement.
- You can individually link each question in a questionnaire template to multiple control objectives. This enables a granular and detailed assessment of compliance.
For more information, see Manually add a control objective to a question.
- When third parties and engagements respond to questionnaires, the system automatically updates the compliance status of the linked controls. If they provide an incorrect answer, the associated controls are marked as non-compliant. Conversely, correct answers keep the controls compliant.
All third parties are automatically categorized into an entity type called Vendors. This helps ensure that each third party and engagement is represented as an entity.
When an entity, such as a third party or engagement, is associated with a control objective, a corresponding control is created for that entity. This association links the third party or engagement with the control, so the entity's questionnaire responses can influence the compliance status of that control.
In the context of Third-party Risk Management, each question in a questionnaire template can be individually linked to multiple control objectives through a related list. When a questionnaire is sent to a third party and the third party responds with an incorrect answer, the controls associated with the linked control objectives are marked as non-compliant. Conversely, if the third party provides the correct answer, the controls remain compliant.
This feature helps ensure that the compliance status of controls is dynamically updated based on the third party's or engagement's responses, providing a real-time and accurate assessment of their compliance. Both Policy and Compliance Management users and Third-party risk assessors [sn_vdr_risk_asmt.vendor_assessor] can monitor the status of a control.
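The relationships described above (entity + control objective creates a control; one question links to several control objectives; an incorrect answer marks the linked controls non-compliant) as an added illustrative model. This is not ServiceNow code or the product's data model; the entity names, objective IDs, question IDs and the rule that one incorrect answer marks the control non-compliant regardless of other answers are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    entity: str       # third party or engagement (categorized as a Vendor entity)
    objective: str    # control objective the entity is associated with
    status: str = "compliant"


@dataclass
class ComplianceModel:
    controls: dict = field(default_factory=dict)            # (entity, objective) -> Control
    question_objectives: dict = field(default_factory=dict)  # question -> set of objectives
    correct_answers: dict = field(default_factory=dict)      # question -> expected answer

    def associate(self, entity, objective):
        # Associating an entity with a control objective creates a control for that entity.
        return self.controls.setdefault((entity, objective), Control(entity, objective))

    def link_question(self, question, objectives, correct_answer):
        # A single question can be linked to multiple control objectives.
        self.question_objectives.setdefault(question, set()).update(objectives)
        self.correct_answers[question] = correct_answer

    def process_response(self, entity, answers):
        # Returns {objective: status} for the entity's controls touched by the answers.
        # Assumption: an incorrect answer marks the control non-compliant; a correct
        # answer leaves the existing status unchanged (it "keeps" the control compliant).
        results = {}
        for question, answer in answers.items():
            correct = answer == self.correct_answers.get(question)
            for objective in self.question_objectives.get(question, ()):
                control = self.controls.get((entity, objective))
                if control is None:
                    continue  # entity is not associated with this objective: nothing to update
                if not correct:
                    control.status = "non_compliant"
                results[objective] = control.status
        return results


def demo():
    # Constructed sample data: one vendor, three objectives, two questions.
    m = ComplianceModel()
    for objective in ("CO-ENCRYPT", "CO-ACCESS", "CO-BACKUP"):
        m.associate("Example Vendor", objective)
    m.link_question("Q1", ["CO-ENCRYPT", "CO-ACCESS"], "yes")  # Q1 feeds two objectives
    m.link_question("Q2", ["CO-BACKUP"], "yes")
    return m.process_response("Example Vendor", {"Q1": "no", "Q2": "yes"})
```

Running `demo()` shows the single incorrect Q1 answer flagging both controls it is linked to, while the correctly answered Q2 leaves its control compliant.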
For more information on implementing Policy and Compliance Management, see Implementing Policy and Compliance Management.