Manage vendor risk assessments

The vendor risk analyst assigns risk assessments to vendors as needed. The vendor primary contact views their assessments on the vendor portal. The vendor risk manager and the vendor use comments to communicate. Before the vendor risk manager closes the assessment, issues and tasks are created on demand, usually during the Generating Observations state.

Vendor Risk Assessment workflow

  1. Most organizations import their vendor portfolio through an Excel spreadsheet or an integration with another onboarding solution. Vendor risk managers make ongoing updates to the vendor information.
  2. If Vendor Risk Management is integrated with other GRC applications, the vendor risk manager maps controls to the assessment questions.
  3. The vendor risk manager creates assessment templates, questionnaire templates, document request templates, and the notifications associated with the workflow.
  4. The vendor risk manager sends out assessments to the primary contact assigned to that vendor.
  5. The vendor signs into the Vendor Portal to complete the risk assessment.
    • The Vendor Portal provides a list of assessments and the status of each. From the Vendor Portal, the primary contact can invite other collaborators to complete portions of the assessments. Once complete, the primary contact submits the assessment.
  6. The vendor risk analyst reviews the results of the vendor risk assessments and closes each vendor assessment, creating issues for remediation as necessary.

Remediating an issue means the underlying issue causing the control failure or risk exposure will be fixed. Accepting an issue means you will create an exception for a known control failure or risk. Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.

Vendor Assessment Portal

The vendor assessment portal is a web interface providing a primary point of interaction for vendors and risk assessors, with a centralized workflow for those involved in the assessment. All remediations that result from those assessments are also coordinated through the Vendor Portal.

To customize this portal, navigate to Service Portal > Portals, and click Vendor Portal. See Now Platform Service Portal for more information.

Change the sn_vdr_risk_asmt.company.name property to display your company name in the portal.

Vendor Assessment Portal - Assessments
Role: Vendors
Purpose: Uses the Vendor Assessment Portal to:
  • View and respond to current assessments.
  • Delegate responses to other contacts.
  • View or update contact information.
  • Update notification preferences.
  • Change a password or request a new password.

Role: Vendor risk assessor
Purpose: Uses the Vendor Risk Management instance to:
  • Create a login for a new contact.
  • Enable or disable a contact login.
  • Reset a password for a contact.
  • Assign a user role to a contact.
  • Assign a contact to an assessment.
  • View and update customer contact information.
  • Access completed assessments.