The ServiceNow® Third-party Risk Management application provides a centralized process for managing your third-party portfolio and completing the third-party assessment and remediation life cycle. Integration with other GRC applications provides additional traceability for compliance with controls and risks.
Note: In version 17.x, Vendor Risk Management was renamed to Third-party Risk Management.
The Third-party Risk Management application includes the following features:
- Third-party portfolio: third-party hierarchy and third-party contacts
- Third-party engagements
- Tiering setup, tiering assessments, and IRQs
- Risk assessment setup and risk assessments, including risk domains (risk areas)
- Configurable risk calculation
- Automated tiering and risk assessment submission rules
- Security score integration
- Issue management
- Support for rolling up third-party scores into a risk rating
- Reports and dashboards
- GRC Integration: associate policies and controls to questions in a third-party risk assessment
- GRC Integration: roll up third-party risk information to an enterprise risk program
New:
- Added Software Bill of Materials (SBOM) Smart Assessment template and automation rules.
- Added Now Assist response generation for Smart Assessment questionnaires.
- Added comment and work notes read access for vendor assessment reviewer role on Smart Assessment template categories.
Changed:
- Enhanced role-based access controls by replacing GRC uber roles with feature-specific roles.
- Updated Smart Assessment template versioning to support template evolution and migration.
- Improved vendor risk scoring calculation to include assessment-level normalization for Smart Assessments.
Fixed:
- Resolved usage analytics duplicate record creation (PRB1967479).
- Fixed reassignment filter issues for internal and external assessments (PRB2020935).
- Added table allowlist validation to prevent unauthorized access (PRB1997560).
- Fixed Smart Assessment template migration when TPRM Due Diligence is not installed (PRB2013668).
- Corrected risk rating scale deletion during migration (PRB2016123).
- Fixed email notification trigger for internal assessment state changes (PRB2016087).
- Resolved SAE questionnaire setup errors with async business rules (PRB2014774).
- Corrected external assessment questionnaire due date calculation (PRB2011825).
- Fixed Smart Assessment count display in SVDP homepage for engagements (PRB2008813).
- Corrected assessment level normalization in risk rating calculations (PRB1990558).
- Fixed IRQ/tiering template scale reversal from classic to SAE (PRB1998195).
- Prevented editing of "Include previous responses" after draft state (PRB2007197).
- Filtered inactive metrics when copying assessment responses (PRB2004261).
- Fixed SAE assessment instance state when templates are removed (PRB2004521).
- Corrected IRQ questionnaire validation for non-English customers (PRB2000693).
- Updated "Responses expected by" field on external assessments (PRB1999504).
- Enabled "Supports smart assessment" field for issue generation rules (PRB1996346).
- Updated ACL roles for issue-to-SAE questions (PRB1996731).
- Resolved duplicate audit creation in scoring rule updates (PRB1992222).
- Fixed missing audit entries for state changes in SAEUtilsBase (PRB1994299).
The following applications are automatically installed when the Third-party Risk Management application is activated:
- GRC: Profiles
- GRC: Compliance Assessment
- GRC: Vendor Portal
Permissions and roles:
- Role required to install the app: System admin (admin)
When you upgrade the Third-party Risk Management application, make sure to upgrade the Vendor Risk Management Workspace and any other installed GRC applications to the equivalent release version. For example, Third-party Risk Management version 18.x is certified to work with Vendor Risk Management Workspace version 18.x and other version 18.x GRC applications.