ServiceNow Third-Party Risk Management (TPRM)

Drivers

• Organisation relies increasingly on third parties, and their sub-contractors (fourth parties)
• Vendor information is currently collected via email and spreadsheet - hard to stay current, information goes missing, how to see full current picture (live dashboard?)

TPRM overview (ServiceNow)

Notes

• Replaces the previous Vendor Risk Management (VRM) module
• Launched with Vancouver release
• TPRM calculated score
• Fourth parties
• Risk intelligence feeds
• Tiering Assessment
• Due Diligence Record (DDR)
• Inherent Assessment (INA)
• Linked to Vendor Management module
• Transform map - set up one time or for recurring integration

Roles

• Third party reader
• Third party editor
• Third party contract negotiator
• Due diligence approver

Key Steps

• Initial onboarding
• AML / Sanctions / other onboarding steps
• Inherent Risk Questionnaire
• Risk assessment
• Issues & Task Management
• Internal assessment
• External assessment
• Approval of responses
• Contract risk
• Due diligence
• Assessment questions and Questionnaires

Further reading

• Third-Party Risk Management - ServiceNow UK
• What you need to know about ServiceNow’s new Third Party Risk Management (TPRM) - AC3
• Case Study on NTT - Implementation of ServiceNow Third-Party Risk Management - Nihilent (PDF)
• Trust but Verify: Streamlining Third-Party Risk with ServiceNow - Infocenter.io - provides good overview of TPRM module, benefits, features, implementation considerations