on - edited on by
Shimoli Gandhi
Welcome to the Speed Learning series for Third-Party Risk Management (TPRM), where you’ll find everything you need to succeed with ServiceNow TPRM and the IT Vendor Risk domain, which focuses on identifying and managing risks specific to your technology vendors.
ServiceNow released TPRM as part of the Vancouver release in August 2023. TPRM was built on its existing Vendor Risk Management (VRM) product. TPRM fundamentally expands the scope of the third parties that can be risk-assessed beyond IT vendors. Traditional VRM programs are designed to manage technology partner risk, while TPRM programs can also manage the risk presented by its suppliers, service providers, partners, facilities, contractors, and even customers. (You can learn more about moving from VRM to TPRM in this Product Success webinar.)
Also, be sure to watch the intro video on installing and validating the setup of TPRM Application and video is how to navigate in TPRM. This will help you get comfortable with TPRM. Here are some other key capabilities to help you get started with TPRM.
🆕 New in Zurich: Smart Assessment Engine makes it easier to navigate assessments, apply templates, and break down questions into sections. You can now collaborate on third-party assessments and normalize scores for consistent reporting. The third-party portal has also been upgraded to fully support Smart Assessments.
Features that help your organization centrally manage third parties, maintain an up-to-date inventory of third parties, their risk tiers, engagement details, and contact information. Third parties include your organization’s suppliers, service providers, IT vendors, customers, partners, facilities, and more.
Foundational Data Management >
Features that help your third parties easily respond to document requests and assessments and smoothly coordinate and collaborate with your risk team.
Respond to External Assessments Offline >
Features that help third-party risk teams collaborate across functions to initiate due diligence, gather information, tier third parties according to criticality, define the scope for external assessments, and flag emerging issues.
Inherent Risk Questionnaire (IRQ) and Risk Tiering Assessments >
Issue Management and Remediation >
Smart Assessment Engine (new in Zurich) >
Features that help third-party risk teams continuously monitor new or existing third parties — including 4th and Nth parties — or engagements throughout the due diligence lifecycle.
Risk Intelligence Insights >
Smart Assessment Engine (new in Zurich) >
-------------------------------------------------------------------------------------------------------------------------------------
Brand new, hands-on, free resources (videos, demos, resource links) that walk customers and
partners step by step on how to implement and mature TPRM in their environment
-------------------------------------------------------------------------------------------------------------------------------------
General TPRM Resources
Mastering TPRM terminology
Installing TPRM & Validating Setup (PPT below)
Navigation of the Third-Party Application (PPT below)
Playlist of getting started demos on YouTube
A PDF of this page to share with others is attached below.
ServiceNow University
- GRC: Third-party Risk Management (TPRM) Implementation - Instructor-Led
- GRC: Third-party Risk Management (TPRM) Implementation - On Demand (Xanadu)
- GRC: Third-party Risk Management (TPRM) Implementation Simulator (Xanadu)
- GRC: Third-party Risk Management (TPRM) Fundamentals (Xanadu)
- Certified Implementation Specialist - Third-Party Risk Management (CIS-TPRM) Delta Exam Study Guide
- Certification Implementation Specialist (CIS) – Third-party Risk Management (TPRM) Exam Study Guide
- Blog: GRC/IRM Training: What is available? What should I take?
FAQs
What is Third-Party Risk Management (TPRM) in ServiceNow?
TPRM in ServiceNow is a centralized solution designed to identify, assess, and mitigate risks associated with third-party relationships. It streamlines the risk lifecycle from onboarding to offboarding and ensures organizations can effectively manage their vendor risks.
How does TPRM handle the onboarding and offboarding of third parties?
TPRM provides automated workflows for due diligence during onboarding, periodic assessments during the relationship tenure, and structured processes for offboarding. This ensures consistent risk evaluations throughout the third-party lifecycle.
What is the Risk concentration map in TPRM?
The Risk concentration map provides a visual representation of all third parties, their engagements, and associated risk postures. This helps organizations pinpoint the geographical locations of active third parties and engagements and use filters to view particular risk ratings and engagement types.
What is the role of the TPRM data model?
The TPRM data model provides a structured framework for capturing and analyzing third-party risk data. It is the foundation of information that allows a variety of internal stakeholders to assess, monitor, and mitigate risks within a risk management program.
What are the benefits of using TPRM?
TPRM helps organizations strengthen risk mitigation, increase visibility into third-party activities, improve decision-making, and ensure compliance by embedding risk practices into business workflows.
How does the Employee Center facilitate policy acknowledgment related to third-party engagements?
Your employees can access and acknowledge policies related to third-party engagements in the Employee Center. By embedding TPRM capabilities within the Employee Center, you can enable business users to initiate and monitor due diligence requests directly, thereby enhancing user engagement and streamlining workflows.
Can employees initiate a third-party risk assessment through the Employee Center?
Employees can request due diligence for new or existing third-party engagements by using the Employee Center catalog. When they select the appropriate type of due diligence, the relevant workflows and assessments are triggered
Can users track the status of their due diligence requests in the Employee Center?
Users can request and receive real-time status updates on their due diligence requests through the Employee Center. This ensures transparency and timely decision-making.
Which personas are part of a third-party risk management process?
Three key personas play a role in gathering and using foundational data for your TPRM program: your ServiceNow admin, business users, and third-party risk manager. TPRM offers a centralized place to capture, analyze, and report on data that can be tailored to the different persona requirements.
