What you need to know about ServiceNow’s new Third Party Risk Management (TPRM)

TPRM is a whole new product that replaces Vendor Risk Mgmt (VRM)

For customers already licensed for VRM, the new TPRM is a different product with its own licensing and was launched in the Vancouver version of ServiceNow. TPRM replaces VRM moving forward so it will be worthwhile reviewing TPRM to see if your organisation should adopt the newer solution for managing third party risks.

Licensing for TPRM is structured as a base charge for the module and then 1 license count for the third party during a billing cycle if there is any subsequent ‘managed activity’ beyond the initial onboarding and risk assessment of a third party and new engagement.

The metering is aimed at determining whether a third party is being managed or not, and so the managed activities broadly includes:

• Questionnaires – whether initiated ad hoc, scheduled, event based or bulk assessment.
• Issues & Task Management– ad hoc or automatic
• Custom workflow
• Internal and External communications between users
• TPRM calculated score updates
• Information updates on the Third Party or Engagement (excluding Risk intelligence feeds)
• 4th Parties or Nth party activity
• Advanced risk assessments
• Audits

Have a chat to your ServiceNow Account Manager for pricing information and to discuss what the license counts might be based on your existing usage patterns in VRM.

Expect a lot of re-naming from ‘Vendor’ to ‘Third Party’

For those customers moving from the legacy VRM product you can expect many of the menu items you have gotten familiar with to be renamed to start with ”Third Party”. It might initially come as a shock that you can no longer find the same application menu items but you’ll very quickly adjust to the new term.

The good news is that most of the core VRM tables remain unchanged: Engagement, Tiering Assessment templates, Risk Assessment Templates, Issues, Tasks.

New TPRM roles

Most of the application roles from VRM continue to have TPRM equivalents, although some new roles have been introduced:

• Third party reader
• Third party editor
• Third party contract negotiator
• Due diligence approver

Assessments remain at the core of the solution

The TPRM product still leverages the platform’s assessment and surveys functionality as a core part of the solution. The flexibility in being able to define your organisation’s own Tiering assessment, or any risk assessing questions suited to a particular risk area continues to be a major strength of the product. TPRM still uses Questionnaire templates along with Document Requests templates to construct an assessment template.

OOTB comes with some pre-defined assessments as part of the demo data, however the ability for an assessment administrator to design the questions; question format; right/wrong answers; dependent questions based on chosen answer and ultimately the scoring of the questions and overall score evaluation remains the key area of definition work.

When combining the flexibility of tailored questions within questionnaires with Flow capabilities of ServiceNow, the risk evaluation experience can feel quite intuitive from a risk assessor’s perspective when the responses to particular risk assessment questions logically trigger additional follow-on assessments.

The TPRM process flow has evolved significantly from VRM, and is much more reflective of the commonly recognised business process steps you would expect to see involving due diligence

New to TPRM is now a clear distinction between an overarching ‘due diligence’ being performed by the business for a third party/engagement from the assessments. This due diligence record (DDR) holds together the evaluations being conducted by the business between: Inherent Assessments (INAs) – which are assessments performed on the Engagement/Third party that are conducted internally within your organisation and Vendor Risk Assessments (VRAs) which are external assessments that are assigned to the third party to perform.

The key features of the TPRM process are:

• A request to conduct due diligence – this is done via Employee Center, catalogue request.
• An internal assessment stage – where any number of assessments can be scoped and assigned to users within your business to evaluate areas of risk.
• An approval - before moving forward to external assessments.
• An external assessment stage – where the third party is asked to provide responses and documents
• Approval(s) of external responses
• An optional checkpoint for contract risk

As a result of these key changes, the Vendor Management Workspace has also be uplifted to present the information across these layers of records.

TPRM’s Third Party portal functionality remains largely the same from VRM

The Third Party portal (previously Vendor Portal) is still located at the same URL: https://yourCompany.service-now.com/svdp

It continues to focus on providing a centralised place for third party contacts to action assigned assessments, supply response to questionnaires and upload requested documentation to your organisation.

Third party contacts have visibility of Issues raised with them for resolution as well as any Tasks assigned for completion. Collaboration between risk assessors from your organisation and the third party contact is made possible through the Comments thread against the assigned records as well as the follow-up and notes left beside the question answers that are visible to the contact.

Primary contacts continue to have a level of self management by being able to invite additional contacts from their organisation to work from TPRM, update contact details and also assigning open tasks to other contacts within their organisation to action.