Third-party Risk Management upgrade information
ServiceNow® Third-party Risk Management application upgrade information for the Zurich release.
Important information for upgrading Third-party Risk Management to Zurich
After upgrading to Zurich, you can enable the Smart Assessment Engine (SAE) by setting the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property. After setting this property, SAE becomes the default assessment engine and replaces the legacy experience to ensure consistency, scalability, and innovation moving forward. While this transition isn’t reversible, it empowers customers to future-proof their assessment strategy with an engine built to evolve with emerging needs.
Set this property in your non-production instances and conduct thorough testing before changing your production instances. Failure to do so may result in unexpected issues.
Plugin dependencies
- The Vendor Risk Management Workspace application [sn_vrm_ws] is automatically installed so you can use the Vendor Risk Management workspace where you can access SAE questionnaires and features.
- The Smart Assessment Engine application and plugins are automatically installed, enabling you to use the features of the Smart Assessment Engine for your assessments.
  The Smart Assessment Engine application package includes the following:
  - Smart Assessment Core plugin [com.sn_smart_asmt]
  - Smart Assessment Designer plugin [com.sn_smart_asmt_desg]
  - Smart Assessment Connected plugin [com.sn_smart_asmt_conn]
  - Smart Assessment Migration Tools plugin [com.sn_smart_asmt_mig]
  - Smart Assessment Dependencies plugin [com.sn_smart_asmt_dep]
  - Smart Assessment Post-assessment Actions plugin [com.sn_impact_fwk] and [com.sn_smart_imp_auto]
  - Smart Assessment Response Automation plugin [com.sn_smart_resp_auto]
  - Smart Assessment Scoring plugin [com.sn_smart_scoring]
Migrating to Smart Assessment Engine
After setting the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property, all TPRM assessments will automatically use SAE templates and automation rules (tier-based rules, provider-based rules, event-driven rules and issue generation rules) that support SAE only. You will be able to continue any in-flight assessments until they are completed. You will not be able to create any new assessments with classic questionnaire templates.
The following diagram shows the questionnaire to TPRM SAE template migration workflow.
- Migrate templates either one by one or in bulk. After migration, all templates are in the Draft state by default.
- Review each migrated questionnaire template individually to confirm that it’s accurate and complete.
- Publish TPRM SAE questionnaire templates. After publishing, the following actions occur automatically:
  - All the related assessment templates are updated to use the migrated questionnaire template. If all the questionnaire templates in an assessment template are published, the assessment template is automatically marked as Support smart assessment.
  - All issue generation rules are automatically marked as Support smart assessment if their related questionnaire template is published.
  - All automation rules (tier-based rules, provider-based rules, event-driven rules and issue generation rules) are automatically marked as Support smart assessment after their related assessment template is marked as Support smart assessment.

  Note: For issue generation rules to work as expected when applied to a TPRM SAE questionnaire template, at least one question must have the option, Enable preferred response, set to true.
- Review each assessment template to confirm it’s marked as Supports smart assessment. If an assessment template isn’t marked as Supports smart assessment, manually adding a new TPRM SAE questionnaire template to it updates its status.
For more information, see Migrate a template to an SAE template, Create a TPRM SAE questionnaire or document request template, Create an external assessment template, and Create an issue generation rule.
Classic assessment engine to Smart Assessment Engine comparison
The following table shows the comparable features between the Classic assessment engine and Smart Assessment Engine.
| Classic assessment engine features | Smart assessment engine features |
|---|---|
| Metric Type | Template |
| Metric Category | Section |
| Metrics | Questions |
| Additional Information | Justification |
| Assessable Record | Scope |
| Multiple Assessable Records in one Assessment | Combined Assessments |
| Schedule and Trigger Assessments | Trigger Assessment Flow Action |
| Domain Separation | Domain Separation |
| Question Dependency | Conditional Visibility |
| Correct Answer | Preferred Answer |
| Scoring | Scoring |
| Automated response | Response Automation |
The following diagram shows the relationship between assessment templates and questionnaires after upgrading.
- Before setting the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property, the following are used by default:
  - Existing questionnaire templates
  - Existing assessments
- After setting the Smart Assessment Engine enabled (sn_vdr_risk_asmt.sae_enabled) property, the following are used by default:
  - SAE questionnaire templates (new or migrated).
  - Assessments marked as Supports smart assessment.
- Tier-based, Provider-based, and Event-driven management rules only work with assessments marked as Supports smart assessment.
Smart Assessment Engine limitations
- All new assessments must use SAE questionnaire templates.
- Third-party risk assessors can no longer create issues from the View responses page. Issue generation rules can be used to create issues automatically.
- Third-party risk assessors can no longer create comments on individual questions. They can only use the comment section at the questionnaire level.
- The signature feature isn’t supported.
- Automatic attachment of questionnaires to external assessments based on inherent risk questionnaire (IRQ) responses or IRQ-calculated risk tiers is currently not supported in Smart Assessment Engine.
- The following question types aren’t supported: percentage, ranking, image scale, and custom metric. You must either convert these question types to supported formats before migration or create new questions in the template designer after migration.
  Note: For the percentage and image scale question types, customers can use the Number type and Radio button type, respectively. Ranking and custom metric question types aren't supported. You must either convert these question types to supported formats before migration or create new questions in the template designer after migration.
- If a section in the classic template contains only unsupported questions, an empty section is created in the TPRM SAE template. TPRM SAE templates with empty sections can’t be published; therefore, you must either add replacement questions to these sections or delete the empty sections before publishing.
For more information on migration results, migration limitations, and creating TPRM SAE questionnaires, see Results of migrating a template to a TPRM SAE template and Create a TPRM SAE questionnaire or document request template.
- The TPRM scoring migration proceeds only if there were no errors during the template migration. If there were errors, the TPRM scoring migration doesn’t occur.
For more information, see Configure scoring for an assessment and Normalization in assessment.
- Event-driven management rules are the default option for scheduling assessments and replace Repeating assessments.
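The following added example, which is not ServiceNow code, applies the question-type and empty-section limitations above to a constructed export of a classic template before migration. The export shape, the `type` strings, and the `auditTemplate` name are assumptions for illustration.

```javascript
// Question types the page lists as unsupported in SAE, mapped to the
// replacement its note suggests (null = no replacement, rebuild the question).
// The keys are assumed export values, not ServiceNow field values.
const UNSUPPORTED = {
  percentage: 'Number',
  image_scale: 'Radio button',
  ranking: null,
  custom_metric: null,
};

// Constructed sample of a classic questionnaire template export.
const sampleTemplate = {
  name: 'Information security questionnaire (constructed)',
  sections: [
    { name: 'Access control', questions: [
      { text: 'Is MFA enforced for administrators?', type: 'yes_no' },
      { text: 'Share of staff with security training', type: 'percentage' },
    ] },
    { name: 'Control priorities', questions: [
      { text: 'Rank these controls by maturity', type: 'ranking' },
    ] },
  ],
};

function auditTemplate(template) {
  const findings = [];
  const emptySections = [];
  for (const section of template.sections) {
    let migratable = 0;
    for (const q of section.questions) {
      if (Object.prototype.hasOwnProperty.call(UNSUPPORTED, q.type)) {
        const replacement = UNSUPPORTED[q.type];
        const action = replacement ? `convert to ${replacement}` : 'rebuild in template designer';
        findings.push({ section: section.name, question: q.text, type: q.type, action });
      } else {
        migratable += 1;
      }
    }
    // A section holding only unsupported questions migrates as an empty
    // section, and a template with an empty section cannot be published.
    if (migratable === 0) emptySections.push(section.name);
  }
  return { findings, emptySections, blockedByEmptySection: emptySections.length > 0 };
}

console.log(JSON.stringify(auditTemplate(sampleTemplate), null, 2));
```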
Important information for upgrading Vendor Risk Management to Zurich
Starting with the Vancouver release, if you’re a VRM user upgrading to TPRM from an earlier release, you must run each upgrade sequentially to ensure that fix scripts run correctly. This means upgrading from one release to the next rather than skipping to the latest release. Not running scripts in the correct order can result in data inconsistencies, broken functionalities, and conflicts.
Plugin requirements
- Activate the Third-party Risk Management application [com.sn_vdr_risk_asmt].
- Activate the Third-party Risk Due Diligence application [com.sn_tprm_dd].
- Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.
- Activate the Vendor Risk Management application [com.sn_vdr_risk_asmt].
- Activate the Vendor Risk Management Workspace application [sn_vrm_ws] if you want to use the Vendor Risk Management workspace.
For more information on licensing or metering, see Tracking a managed activity, Third-party Risk Management (TPRM) Licensing, and Vendor Risk Management (VRM) Licensing.
VRM to TPRM changes
- The name of the application changed from Vendor Risk Management to Third-party Risk Management as part of the Vancouver release.
- The internal assessment [sn_vdr_asmt_internal_assessment] table is introduced, extending the tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] table.
- The Due Diligence Review (DDR) workflow is introduced, which uses both the internal assessment and the external (VRA) assessment.
  Note: If you have customizations on the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables, they might need modifications to work with the DDR workflow.
- The Third-party Scores [sn_vdr_risk_asmt_security_score] table has been relabeled to Risk Intelligence Scores [sn_vdr_risk_asmt_security_score] to reduce confusion.
- All instances of “vendor” are changed to “third party” in the user interface, though some global instances might remain unchanged.
  Note: If you don’t want to use the due diligence workflow, your original workflow (Tiering assessment and External assessments (VRAs)) should be the same.
VRM and TPRM data model
The Vendor Risk Management data model primarily uses the term “vendor” and includes the Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment] and VRA [sn_vdr_risk_asmt_assessment] tables.
The Third-party Risk Management data model uses the term “third-party” in most user interface elements and introduces the DDR workflow, which uses both internal [sn_vdr_asmt_internal_assessment] and external [sn_vdr_risk_asmt_assessment] assessments.
The following models show VRM's and TPRM's capabilities.
The components included in the Vendor Risk Management data model are as follows:
- Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
- Company [core_company]
- Vendor risk assessment [sn_vdr_risk_asmt_assessment]
- Vendor engagement [sn_vdr_risk_asmt_vendor_engagement]
- Vendor contact [vm_dr_contact]
- Assessment metric type [asmt_metric_type]
- Assessment template [sn_vdr_risk_asmt_assessment_template]
- Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
- Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]
The components included in the Third-party Risk Management data model are as follows:
- Risk intelligence score [sn_vdr_risk_asmt_security_score]
- Internal assessment [sn_vdr_asmt_internal_assessment]
- Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
- Event-driven management history [sn_tprm_dd_rule_execution_history]
- Third-party due diligence request [sn_tprm_dd_request]
- Company [core_company]
- Event-driven management rule [sn_tprm_dd_generation_rule]
- Third-party risk assessment [sn_vdr_risk_asmt_assessment]
- Third-party engagement [sn_vdr_risk_asmt_vendor_engagement]
- Vendor contact [vm_dr_contact]
- Assessment metric type [asmt_metric_type]
- Assessment template [sn_vdr_risk_asmt_assessment_template]
- Third-party risk issue [sn_vdr_risk_asmt_issue]
- Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
- Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]