Integrating scores from risk intelligence providers
Summarize
Summary of Integrating scores from risk intelligence providers
Risk intelligence providers generate scores that evaluate the trustworthiness and safety of third parties, similar to personal credit scores. ServiceNow enables organizations to integrate these risk scores into their Third-Party Risk Management (TPRM) processes, helping customers gain insights on third-party risks and automate related workflows.
Show less
Working with Risk Intelligence Data
- You can request risk data for third parties (not engagements) by registering risk intelligence providers and specifying which of their scoring services to use.
- Scores from providers are mapped to your organization’s TPRM rating scale, allowing normalized risk assessments.
- Raw scores are added to provider service records for third parties, enabling the system to translate these into actionable ratings.
- Provider-based submission rules let you automate responses when risk scores update, such as triggering assessments, issues, tasks, or notifications.
Integration Types Supported
- ISV integrations: Direct integration with independent software vendors like EcoVadis or Black Kite for risk scores and sustainability ratings.
- Content integrations: Incorporate external content such as regulatory databases or industry standards.
- Data integrations: Pull data from external sources like financial systems, security tools, or vendor management systems.
- Environmental, Social, and Governance (ESG) integrations: Include ESG factors in risk management processes.
Supported Integrations by ServiceNow and Partners
ServiceNow offers integration apps available on the ServiceNow Store, including:
- ServiceNow-provided: Shared Assessments SIG questionnaire, EcoVadis sustainability ratings.
- Partner-provided: Cyber risk ratings from BitSight, Security Scorecard, RiskRecon, Upguard, Recorded Future; multi-domain risk ratings from Black Kite, Interos; specialized assessments from TruSight, ISS Corporate Solutions, Securitybricks, and Templarshield.
Key Configuration Steps
- Register a risk intelligence provider: Create records for each provider from which you will request risk reports.
- Set up provider services: Define which scoring or rating services to use and how their scores map to your TPRM ratings.
- Set up request types: Specify the request types your organization will use to obtain risk data from providers.
- Add risk intelligence scores: Enter raw scores for third parties to enable normalized TPRM ratings.
- Automate actions: Use provider-based submission rules to trigger workflows based on updates to risk intelligence ratings.
Benefits for ServiceNow Customers
- Gain reliable, normalized risk scores from trusted providers to enhance third-party risk visibility.
- Streamline risk data integration and automate risk assessment processes, improving operational efficiency.
- Leverage a broad ecosystem of providers and integrations tailored for diverse risk domains including cyber, financial, ESG, and compliance.
- Customize risk workflows based on real-time provider score updates to proactively manage third-party risk.
Risk intelligence providers generate risk scores for a variety of third-party risk domains. Your organization can purchase services from providers that return data that is analogous to personal credit scores. The scores provide insight on how trustworthy and safe a particular third party can be.
Working with data from risk intelligence providers
- After you register a risk intelligence provider, you specify which of the provider's scoring or rating services you’ll use. You also specify how their scores or ratings map to your TPRM ratings. For more information, see Register a risk intelligence provider, Set up a risk intelligence provider service, and Set up a request type for a provider.
- You add a raw score from a provider to the provider service record for a third party. The system uses the mapping that you specified to normalize the value to the appropriate TPRM rating. For more information, see Add a risk intelligence score to risk data for a third party.
- A provider-based submission rule is a set of conditions and actions. In a rule, you can specify that an update to a rating from a risk intelligence provider is the condition that triggers the action that is specified in the rule. The action might be to create and send a third-party risk assessment, issue, task, or email. For more information, see Automate actions upon risk intelligence updates.
Integration types
Here are some examples of the types of integrations supported by ServiceNow and ServiceNow partners:
-
Independent software vendor (ISV) integration types involve integrating ISV services such as EcoVadis or Black Kite.
-
Content integration types involve integrating external content sources such as regulatory databases or industry standards.
-
Data integration types involve integrating external data sources to gather and analyze relevant data such as data from financial systems, security tools, or vendor management systems.
-
Environmental, social, and governance (ESG) integration types involve incorporating ESG factors into the TPRM process.
Integrations supported by ServiceNow
| Provider | Product name | Content | Service provided | Type |
|---|---|---|---|---|
| Shared Assessments | Standard information-gathering (SIG) questionnaire | Standard assessment | Industry standard questionnaire for use in assessments. | Content |
| EcoVadis | EcoVadis | Sustainability ratings | Sustainability scores in support of assessments and continuous monitoring. | ISV, data, ESG |
Integrations supported by ServiceNow partners
| Provider | Product name | Content | Use case | Type |
|---|---|---|---|---|
| BitSight | BitSight | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Security Scorecard | Security Scorecard | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| RiskRecon | Risk Recon | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Upguard | Upguard Vendor Risk | Cyber risk | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Recorded Future | Recorded Future Intelligence | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Black Kite | Black Kite | Third-party risk management | Technical security, financial risk, ransomware susceptibility index, and compliance scores in addition to overall security ratings. |
ISV |
| Interos | Interos | Supply chain and multiple domain ratings | Cyber, financial, ESG, geopolitical, operations, and restrictions ratings to support risk assessments and monitoring. |
ISV, content |
| TruSight | TruSight | Third-party risk assessments | Access to TruSight-validated third-party risk assessments. |
ISV |
| ISS Corporate Solutions | ISS ESG Cyber Risk Score for Vendor Risk Management | ESG ratings | Access to a comprehensive view of ISS Corporate Solutions' cyber risk management program through cyber risk and supply chain. | ISV |
| Securitybricks | CMMC - NIST-800-171 - Vendor Compliance Assessment | Template | Access to an automated assessment for Federal organizations. | data, content |
| Templarshield | HECVAT-Questionnaire for Higher Education | Content | Access to an automated questionnaire for Higher education organizations. | ISV, content |