
Manage vendor risk assessments

The vendor primary contact uses the Vendor Portal to view all assessments. Before the vendor risk manager closes an assessment, issues and tasks are created on demand, usually during the Generating Observations state. The vendor risk analyst assigns vendors as needed and communicates through comment streams to reach closure on non-compliance items.

Vendor Risk Assessment workflow

  1. Most organizations import their vendor portfolio from an Excel spreadsheet or through an integration with another onboarding solution. Vendor risk managers make ongoing updates to the vendor information.
  2. If Vendor Risk Management is integrated with other GRC applications, the vendor risk manager maps controls to the assessment questions.
  3. The vendor risk manager creates assessment templates, questionnaire templates, document request templates, and creates the notifications associated with the workflow.
  4. Next, the vendor risk manager sends out vendor risk assessments to the primary contact assigned to that vendor. Vendor risk assessments can be sent automatically based on changes to a risk score or vendor tier.
  5. The vendor signs into the Vendor Portal to complete the risk assessment.
    • The Vendor Portal provides a list of assessments and the status of each. From the Vendor Portal, the primary contact can invite other collaborators to complete portions of the assessments. Once complete, the primary contact submits the assessment.
  6. The vendor risk analyst reviews the results of the vendor risk assessments and closes each vendor assessment, creating issues for remediation as necessary.

Remediating an issue means that the underlying cause of the control failure or risk exposure will be fixed. Accepting an issue means that you create an exception for a known control failure or risk. Accepted controls remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.

Vendor Assessment Portal

The vendor assessment portal is a web interface providing a primary point of interaction for vendors and risk assessors, with a centralized workflow for those involved in the assessment. All remediations that result from those assessments are also coordinated through the Vendor Portal.

To customize this portal, navigate to Service Portal > Portals, and click Vendor Portal. See Now Platform Service Portal for more information.

Change the sn_vdr_risk_asmt.company.name property to display your company name in the portal.

Vendor Assessment Portal - Assessments
Role: Purpose
Vendors: Use the Vendor Assessment Portal to:
  • View and respond to current assessments.
  • Delegate responses to other contacts.
  • View or update contact information.
  • Update notification preferences.
  • Change a password or request a new password.
Vendor risk assessor: Uses the Vendor Risk Management instance to:
  • Create a login for a new contact.
  • Enable or disable a contact login.
  • Reset a password for a contact.
  • Assign a user role to a contact.
  • Assign a contact to an assessment.
  • View and update customer contact information.
  • Access completed assessments.

Define vendor assessment templates

When defining an assessment template, the vendor risk manager provides scheduling information for the vendor risk assessment.

Before you begin

Role required: [sn_vdr_risk_admin]

Procedure

  1. Navigate to Vendor Risk > Assessment Setup > Assessment Templates.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Vendor Assessment Template
    Field: Description
    Name: The name of the assessment template.
    Assessment duration (days): The time provided for the entire vendor risk assessment to be completed.
    Questionnaire duration (days): The time allocated for the assessor to complete the questionnaire portion of the assessment.
    Questionnaire review duration (days): The time allocated for the vendor risk admin to review the responses provided to the questionnaire.
    Created by: Read-only. User who created the template.
    Created: Read-only. Time when the template was created.
    Updated: Read-only. Time when the template was last updated.
    Description: A more detailed description of the assessment.
  4. Click Submit.

Create vendor questionnaire templates

Vendor risk managers use the Questionnaire Template Designer to create and edit questionnaire templates, which can be used as a basis for other templates.

Before you begin

Role required: vendor risk manager
Note: A questionnaire template must have at least one category and that category must contain at least one question.

Procedure

  1. Navigate to Vendor Risk > Assessment Setup > Assessment Templates.
  2. Click New or New (Designer).
    The designer contains the following elements:
    Element: Description
    Controls: Controls for the supported question data types are available in the Controls palette. Drag a control onto the designer canvas to create a question of that type.
    Header bar: The header bar contains a menu of various functions. The availability of each option depends on the status of the assessment that is opened in the designer.
    Design canvas: New assessments open in the Design view. The questionnaire Name field appears above the first category in the canvas.
  3. Enter a name in the Name field.
  4. Drag a control onto the designer canvas to create a question of that type.
    Table 2. Question controls
    Data type (scored?): Description
    Attachment (No): Question with a Manage Attachments icon that allows users to attach one or more files.
    Boolean (Yes): Question with a check box or Yes and No choices for user responses.
    Choice (Yes): List of predefined options.
    Date (No): Date field.
    Date/Time (No): Date and time field.
    Number (No): Number field with predefined minimum and maximum values. The default is 1-10.
    Percentage (No): Percentage field with a prescribed range.
    Scale (Yes): Predefined Likert scale. Answer options appear as radio buttons.
    Numeric Scale (Yes): Selectable number scale. The default is 1-5. Answer options appear as radio buttons.
    String (No): Single or multi-line text field.
    Template (Yes): Choice list of templates that provide a predefined scale of options.
    Reference (No): Choice list of fields from a specified reference table. This data type does not support reference qualifiers. For example, a user could select a user name if you specify sys_user as the reference table.
    Image Scale (Yes): Question with a choice of images that can be selected. A template can be used to apply the same images to multiple questions.
    Multiple Selection (Yes): Question with multiple check boxes that can be selected.
    Ranking: Question with an order number to be selected for each option. One order number cannot be selected twice. This question can be mandatory and it can also be dependent on a parent question, but not vice versa.
    Note: Set the correct answer for the metric that you want to be scored. Scored metrics determine the compliance status of the risk.
  5. Point to the menu icon in the upper right of the designer to select one of the following options:
    Note: The availability of each option depends on the status of the questionnaire that is opened in the designer.
    Option: Description
    Save: Save the current questionnaire.
    Preview: Display a preview of the questionnaire.
    New Questionnaire: Open a fresh canvas for a new questionnaire.
    Open Questionnaire: Open a list of existing questionnaires that you can select and edit.
    Copy Questionnaire: Create a copy of the questionnaire that you can edit.

Create vendor document request templates

Risk managers use the Document Request Template Designer to create and edit document request templates, which can be used as a basis for other templates.

Before you begin

Role required: vendor risk manager
Note: Three default questions are created automatically for each new document request template.

Procedure

  1. Navigate to Vendor Risk > Assessment Setup > Assessment Templates.
  2. Click New or New (Designer).
    The designer contains the following elements:
    Element: Description
    Controls: Controls for the supported question data types are available in the Controls palette. Drag a control onto the designer canvas to create a question of that type.
    Header bar: The header bar contains a menu of various functions. The availability of each option depends on the status of the assessment that is opened in the designer.
    Design canvas: New assessments open in the Design view. The questionnaire Name field appears above the first category in the canvas. A blank question field appears in the category container.
  3. Enter a name in the Name field.
  4. Drag a control onto the designer canvas to create a question of that type.
    Table 3. Question controls
    Data type (scored?): Description
    Attachment (No): Question with a Manage Attachments icon that allows users to attach one or more files.
    Boolean (Yes): Question with a check box or Yes and No choices for user responses.
    Choice (Yes): List of predefined options.
    Date (No): Date field.
    Date/Time (No): Date and time field.
    Number (No): Number field with predefined minimum and maximum values. The default is 1-10.
    Percentage (No): Percentage field with a prescribed range.
    Scale (Yes): Predefined Likert scale. Answer options appear as radio buttons.
    Numeric Scale (Yes): Selectable number scale. The default is 1-5. Answer options appear as radio buttons.
    String (No): Single or multi-line text field.
    Template (Yes): Choice list of templates that provide a predefined scale of options.
    Reference (No): Choice list of fields from a specified reference table. This data type does not support reference qualifiers. For example, a user could select a user name if you specify sys_user as the reference table.
    Image Scale (Yes): Question with a choice of images that can be selected. A template can be used to apply the same images to multiple questions.
    Multiple Selection (Yes): Question with multiple check boxes that can be selected.
    Ranking: Question with an order number to be selected for each option. One order number cannot be selected twice. This question can be mandatory and it can also be dependent on a parent question, but not vice versa.
    Note: Set the correct answer for the metric that you want to be scored. Scored metrics determine the compliance status of the risk.
  5. Point to the menu icon in the upper right of the designer to select one of the following options:
    Note: The availability of each option depends on the status of the questionnaire that is opened in the designer.
    Option: Description
    Save: Save the current questionnaire.
    Preview: Display a preview of the questionnaire.
    New Questionnaire: Open a fresh canvas for a new questionnaire.
    Open Questionnaire: Open a list of existing questionnaires that you can select and edit.
    Copy document request: Create a copy of the document request that you can edit.

Configure vendor risk assessment notifications

Email notifications communicate the status of items within the vendor risk management product. Email notifications are useful when assessment records are created or updated, so analysts and assessors are informed throughout the assessment process. Creating an email notification involves specifying when to send it, who receives it, and what it contains.

Before you begin

Role required: vendor risk manager

Procedure

  1. Navigate to System Notifications > Notifications.
  2. Go to the Vendor Risk Assessment category.
  3. Select a notification record to open the details associated with that notification, or click New to create a new notification.
    Note: Click Preview Notification to preview the notification while configuring the details.
    Notification: Applied to
    Vendor Risk Issue Assigned (External)
    • Table: defaults to Vendor Risk Issue [sn_vdr_risk_asmt_issue]
    • Category: Vendor Risk Assessment
    Vendor Risk Task Assigned (Internal)
    • Table: defaults to Vendor Risk Task [sn_vdr_risk_asmt_task]
    • Category: Vendor Risk Assessment
    Vendor Risk Assessment Assigned
    • Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]
    • Category: Vendor Risk Assessment
    Vendor Risk Request Assigned
    • Table: defaults to Assessment Instance [asmt_assessment_instance]
    • Category: Vendor Risk Assessment
    Vendor Risk Issue Assigned (Internal)
    • Table: defaults to Vendor Risk Issue [sn_vdr_risk_asmt_issue]
    • Category: Vendor Risk Assessment
    Vendor Assessment Submitted to Vendor
    • Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]
    • Category: Vendor Risk Assessment
    Vendor Assessment Responses Overdue
    • Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]
    • Category: Vendor Risk Assessment
    Vendor Risk Task Assigned (External)
    • Table: defaults to Vendor Risk Task [sn_vdr_risk_asmt_task]
    • Category: Vendor Risk Assessment
    Vendor Assessment Responses Received
    • Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]
    • Category: Vendor Risk Assessment
    Vendor Assessment Responses Due 1 Week
    • Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]
    • Category: Vendor Risk Assessment
    Vendor Assessment New Request to Vendor
    • Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]
    • Category:
    Vendor Contact Invited
    • Table: defaults to Vendor Contact [vm_vdr_contact]
    • Category:
    Email Vendor Manager (based on risk tier rule)
    • Table: Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]
    • Category:
    Vendor Assessment Responses Due 3 Days
    • Table: Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]
    • Category:
    Email Vendor Manager (based on change in third-party score)
    • Table: Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]
    • Category:

    For detailed instructions, see Create an email notification.

Create a vendor risk assessment and initiate the lifecycle

The vendor risk assessor creates an assessment, initiating the vendor risk assessment life cycle. Vendor risk assessments can be created on-demand or from a repeating assessment. When creating an on-demand vendor risk assessment, select the vendor, questionnaire template, and document request template. Additionally, vendor risk managers can select multiple vendors at a time and trigger vendor risk assessments.

Before you begin

Role required: vendor risk assessor

Procedure

  1. Navigate to Vendor Risk > Assessments > All Assessments.
  2. Do any of the following actions:
    Option: Description
    To associate any existing document requests or questionnaires: Click Edit.
    To create on-demand document requests or questionnaires for the assessments: Click New.
    To associate any existing document requests or questionnaires from the assessment template:
    1. Click New.
    2. In the Assessment template field, select the document requests or questionnaires.
  3. Fill in the fields on the form, as appropriate.
    Table 4. Vendor Risk Assessment
    Field: Description
    Number: Read-only field that is automatically populated with a unique identification number.
    State:
    • Draft
    • Submitted to vendor
    • Closed
    • Cancelled
    Vendor: The vendor that is being assessed.
    Risk rating: The overall risk rating for this vendor.
    • Critical
    • High
    • Moderate
    • Low
    • Minor
    Note: The Risk rating is determined by finding the risk rating scale range in which the risk score falls. The scale defines how a minimum and maximum range of assessment scores maps to a qualitative risk score.
    Repeating assessment: The repeating assessment that is used to create the current assessment.
    Created by: The person who created this assessment.
    Assessment template: The template used to create the current assessment.
    Assigned to: The vendor contact assigned to this vendor risk assessment.
    Note: Primary contacts can reassign requests, issues, and tasks to other vendor contacts.
    Updated: The time that the assessment was last updated.
    Watch list: The names of users who are notified when the record is modified.
    Name: The name of the vendor risk assessment.
    Description: A more detailed explanation of the assessment.
    Notes and Comments
    Work notes: Information about the vendor risk assessment. Work notes are visible to users who are assigned to the issue.
    Additional comments (Customer visible): Public information about the vendor risk assessment.
    Assessment Schedule
    Planned duration (days): Estimated duration of the assessment.
    Actual duration: The amount of time it took to complete the vendor risk assessment. This field is calculated using the Actual start date and Actual end date.
    Planned start date: Date and time that work on the vendor risk assessment is expected to begin.
    Actual start date: Date and time that work on the vendor risk assessment began.
    Planned end date: Date and time that work on the vendor risk assessment is expected to end.
    Actual end date: Date and time that work on the vendor risk assessment was completed.
    Questionnaire Schedule
    Planned duration (days): The amount of time given to the vendor for completing the vendor risk assessment. This field is calculated using the Planned start date and Planned end date.
    Submitted to vendor: The date that questionnaires are sent to the vendor.
    Due date: Deadline for the vendor to answer all the questionnaires.
    Review duration (days): The review duration given to the customer to review all the questionnaires.
    Completion date: The actual date when the vendor completed all the questionnaires.
    Responses expected by: The date by which responses are expected from the vendor.
  4. Click Submit to vendor.
    The primary vendor contact is notified, and the state of the assessment changes to Submitted to vendor. The vendor responds to the notification through the Vendor Risk Portal, changing the state of the assessment to Response received. All the risk scores are calculated automatically.
  5. The vendor assessor moves the state of the assessment to Generating Observations. During this time, the vendor assessor can click the View Response link in the document requests/questionnaires related list to view the response and provide comments or change responses, as necessary.
    For any problems that arise, the vendor assessor creates an issue to track the remediation process (Finalizing with vendor).
  6. The vendor assessor moves the assessment to the Closed state.
    The vendor risk assessor works with the vendor through the vendor portal to close the assessment.
    Figure: Vendor risk assessment life cycle

Review the vendor's assessment responses

The vendor assessor can view assessment responses after the vendor has submitted an assessment. The status of all controls is updated when the vendor completes the assessment.

Before you begin

Role required: sn_vdr_risk_asmt.vendor_assessor

Procedure

  1. Navigate to Vendor Risk > Assessments > My Open Assessments.
  2. Click the assessment in the Response received state.
  3. In the Questionnaires/Document Requests related list, click View Response.
    Figure: Vendor Risk Assessment form
  4. Add comments or change responses, as necessary.
    Note: Changing a response may affect the risk rating of the vendor.
    Figure: Vendor's Response form

Use the SIG questionnaire for risk assessment

The Santa Fe Group's Standardized Information Gathering Questionnaire (SIG) is used to obtain required assessment documentation from a vendor. The vendor contact can upload the pre-filled SIG spreadsheet or take a form-based questionnaire that gets imported to the instance.

Before you begin

Role required: vendor contact

About this task

SIG version 2017 or later is considered to be the latest version. If a vendor uploads a version prior to the 2017 SIG, all responses for matching questions are imported, and any unmatched questions are imported with blank responses for the vendor to answer later.
Note: Only 2014 and later versions of the SIG are supported.

Procedure

  1. Log into the vendor assessment portal through https://myCompany.service-now.com/vdp.
    Figure: Vendor Assessment Portal
  2. Click Import.
    Figure: SIG Lite form

Create a vendor risk issue

Issues are created to document audit observations and remediations, or to accept any problems. Issues and tasks can be assigned directly to vendor contacts without the need for a vendor risk assessment.

Before you begin

Role required: vendor risk assessor

Procedure

  1. Navigate to Vendor Risk > Issues > Create New.
  2. Fill in the fields on the form, as appropriate.
    Table 5. Vendor Risk Issue
    Field: Description
    Number: Read-only field that is automatically populated with a unique identification number.
    State:
    • New
    • Analyze
    • Respond
    • Review
    • Closed
    Vendor: The vendor with the issue.
    Priority: Priority for this issue:
    • 1 - Critical
    • 2 - High
    • 3 - Moderate
    • 4 - Low
    • 5 - Planning
    Assessment: The assessment associated with this issue.
    Assessment group: A group assigned to the issue.
    Visible in portal: Indicates whether the issue is visible to the vendor in the Vendor Portal.
    Assigned to: The user assigned to the issue.
    Vendor Contact: The vendor contact associated with this issue.
    Created by: The user that created the issue.
    Created: The date the issue was created.
    Updated: The date the issue was last updated.
    Watch list: The names of users who are notified when the record is modified.
    Short description: Brief description of the issue.
    Description
    Notes and Comments
    Work notes: Information about how to resolve the issue, or steps already taken to resolve it, if applicable. Work notes are visible to users who are assigned to the issue.
    Additional comments (Customer visible): Public information about the issue.
    Recommendations
    Recommendation: The recommended action to resolve this issue.
    Explanation: An explanation of the recommended action.
    Issue Schedule
    Duration: Estimated amount of work time. Calculated using the Planned start date and Planned end date.
    Actual duration: Actual amount of work time. Calculated using the Actual start date and Actual end date.
    Planned start date: Date and time that work on the issue is expected to begin.
    Actual start date: Time when work began on this issue.
    Planned end date: Date and time that work on the issue is expected to end.
    Actual end date: Time when work ended on this issue.
  3. Click Submit.

Open assessment in the Vendor Portal

The vendor primary contact logs into the Vendor Portal to view all assessments.

Before you begin

Role required: vendor contact

Procedure

  1. Log into the vendor assessment portal through https://myCompany.service-now.com/vdp.
  2. Click through each questionnaire and provide a response to each question.

Review assessment responses on the Vendor Portal

After submitting an assessment, the vendor contact can view all responses in read-only mode on the Vendor Portal.

Before you begin

Role required: vendor contact

Procedure

  1. Log into the vendor assessment portal through https://myCompany.service-now.com/vdp.
  2. Click through each questionnaire and view the responses.
    Note: All responses are read-only since the assessment has already been sent back to the customer.

Create repeating vendor risk assessments

Vendor risk assessors can create repeating vendor assessments to monitor vendor risk continuously.

Before you begin

Role required: vendor risk assessor

Procedure

  1. Navigate to Vendor Risk > Assessments > Repeating Assessments.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 6. Repeating Assessment
    Field: Description
    Number: The number of the assessment.
    Created by: The user that created the assessment.
    Vendor: The vendor that is being assessed.
    Created: The date the assessment was created.
    Assessment template: The template used to create the current assessment.
    Updated: The date the assessment was last updated.
    Next assessment creation (months): The next assessment is created the specified number of months after the previous assessment is closed.
    Next assessment end date (months): The end date of the new assessment, expressed in months after the previous assessment is closed.
    Active: Indicates whether the current repeating assessment is active.
    Name: The name of the repeating assessment.
    Description: A more detailed description of the repeating assessment.
  4. Click Submit.
  5. The Assessment Occurrences related list displays the status of all assessments and their associated risk ratings.