Manage vendor risk assessments


The vendor primary contact uses the Vendor Portal to view all assessments. Before the vendor risk manager closes the assessment, issues and tasks are created on-demand, usually during the Generating Observations state. The vendor risk analyst assigns vendors as needed and communicates using comment streams to achieve closure on non-compliance.

Vendor Risk Assessment workflow

  1. The vendor risk manager creates internal and external assessment templates, questionnaire templates, document request templates, and creates the notifications associated with the workflow.
  2. The vendor risk manager prepares and sends the vendor risk tiering assessment to internal stakeholders.
  3. Internal stakeholders complete and submit the assessment.
  4. After receiving the completed vendor tiering assessments, the vendor risk assessor updates and closes the vendor risk tiering assessment.
  5. Next, the vendor risk manager sends out vendor risk assessments to the primary contact assigned to that vendor. Vendor risk assessments can be sent automatically based on changes to a risk score or vendor tier.
  6. The vendor signs into the Vendor Portal to complete the risk assessment.
    • The Vendor Portal provides a list of assessments and the status of each. From the Vendor Portal, the primary contact can invite other collaborators to complete portions of the assessments. Once complete, the primary contact submits the assessment.
  7. The vendor risk analyst reviews the results of the vendor risk assessments and closes each vendor assessment, creating issues for remediation as necessary.

Remediating an issue means the underlying issue causing the control failure or risk exposure will be fixed. Accepting an issue means you will create an exception for a known control failure or risk. Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.

Vendor Assessment Portal

The vendor assessment portal is a web interface providing a primary point of interaction for vendors and risk assessors, with a centralized workflow for those involved in the assessment. All remediations that result from those assessments are also coordinated through the Vendor Portal.

To customize this portal, navigate to Service Portal > Portals, and click Vendor Portal. See Now Platform Service Portal for more information.

Change the sn_vdr_risk_asmt.company.name property to display your company name in the portal.

Vendor Assessment Portal - Assessments
Role: Purpose
Vendors: Uses the Vendor Assessment Portal to:
  • View and respond to current assessments.
  • Delegate responses to other contacts.
  • View or update contact information.
  • Update notification preferences.
  • Change a password or request a new password.
Vendor risk assessor: Uses the Vendor Risk Management instance to:
  • Create a login for a new contact.
  • Enable or disable a contact login.
  • Reset a password for a contact.
  • Assign a user role to a contact.
  • Assign a contact to an assessment.
  • View and update customer contact information.
  • Access completed assessments.

Create a vendor risk assessment and initiate the lifecycle

The vendor risk assessor creates an assessment, initiating the vendor risk assessment life cycle. Vendor risk assessments can be created on-demand or from a repeating assessment. When creating an on-demand vendor risk assessment, select the vendor, questionnaire template, and document request template. Additionally, vendor risk managers can select multiple vendors at a time and trigger vendor risk assessments.

Before you begin

Role required: vendor risk assessor

Procedure

  1. Navigate to Vendor Risk > Assessments > All Assessments.
  2. Do any of the following actions:
    Option: Description
    To associate any existing document requests or questionnaires: Click Edit.
    To create on-demand document requests or questionnaires for the assessments: Click New.
    To associate any existing document requests or questionnaires from the assessment template:
    1. Click New.
    2. In the Assessment template field, select the document requests or questionnaires.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Vendor Risk Assessment
    Field: Description
    Number: Read-only field that is automatically populated with a unique identification number.
    State:
    • Draft
    • Submitted to vendor
    • Closed
    • Cancelled
    Vendor: The vendor that is being assessed.
    Risk rating: The overall risk rating for this vendor.
    • Critical
    • High
    • Moderate
    • Low
    • Minor
    Note: The Risk rating is determined by finding the risk rating scale range in which the risk score falls. The risk rating scale defines how a minimum and maximum range of assessment scores maps to a qualitative risk score.
    Repeating assessment: The assessment that is used to create the current assessment.
    Created by: The person who created this assessment.
    Assessment template: The template used to create the current assessment.
    Created: The date and time when the assessment was created.
    Updated: The date and time when the assessment was last updated.
    Watch list: People added to the notification list for this assessment.
    Trigger by vendor tier: Initiate this assessment when the vendor tier changes.
    Name: The name of the vendor risk assessment.
    Description: A more detailed explanation of the issue.
    Notes and Comments
    Work notes: Information about the vendor risk assessment. Work notes are visible to users who are assigned to the issue.
    Additional comments (Customer visible): Public information about the vendor risk assessment.
    Assessment Schedule
    Planned duration (days): Estimated duration period of the assessment.
    Actual duration: The amount of time it took to complete the vendor risk assessment. This field is calculated using the Actual start date and Actual end date.
    Planned start date: Date and time that work on the vendor risk assessment is expected to begin.
    Actual start date: Date and time that work on the vendor risk assessment began.
    Planned end date: Date and time that work on the vendor risk assessment is expected to end.
    Actual end date: Date and time that work on the vendor risk assessment was completed.
    Questionnaire Schedule
    Planned duration (days): The amount of time given to the vendor for completing the vendor risk assessment. This field is calculated using the Planned start date and Planned end date.
    Submitted to vendor: The date that questionnaires are sent to the vendor.
    Due date: Deadline for the vendor to answer all the questionnaires.
    Review duration (days): The review duration given to the customer to review all the questionnaires.
    Completion date: The actual date when the vendor completed all the questionnaires.
    Responses expected by: The date the vendor is expecting the responses.
  4. Click Submit to vendor.
    The primary vendor contact is notified, and the state of assessment changes to Submitted to vendor. The vendor responds to the notification through the Vendor Risk Portal, changing the state of assessment to Response received. All the risk scores are calculated automatically.
  5. The vendor assessor moves the state of the assessment to Generating Observations. During this time, the vendor assessor can click the View Response link in the document requests/questionnaires related list to view the response and provide comments or change responses, as necessary.
    For any problems that arise, the vendor assessor creates an issue to track the remediation process (Finalizing with vendor).
  6. The vendor assessor moves the assessment to Closed state.
    The vendor risk assessor works with the vendor through the vendor portal to close the assessment.

    Figure: Vendor risk assessment life cycle

Review assessment responses and resubmit questions to the vendor

Vendors use the Vendor Portal to complete the assessments and collaborate with the vendor risk manager through the comments section. When assessments reveal gaps, issues can be generated automatically or manually for incorrect responses while reviewing an assessment. If the vendor risk manager or assessor decides that an assessment response is unsatisfactory, they can return the assessment to the vendor by resubmitting a particular questionnaire or document request. Incorrect answers to questions can automatically generate issues, or issues can be generated manually from the question. Vendor contacts can identify resubmitted questionnaires and document requests within an assessment by reviewing the external comments on

Before you begin

Role required: sn_vdr_risk_asmt.vendor_assessor

Procedure

  1. Navigate to Vendor Risk > Assessments > My Open Assessments.
  2. Click the assessment in the Response received state.
  3. In the Questionnaires/Document Requests related list, click View Response.
  4. Add comments to the questions and make the following selections, as necessary:
    • Select Show Follow-ups.
    • Select Show incorrect and un-scored responses.
    • Select Hide comments.
    • Select Include this question when creating an issue.
    • Enter information in the Internal comment.
    • Select Comment for vendor and add information.
  5. After adding comments, perform one of the following:
    Option: Description
    To generate issues associated with each question: Click Create Issue.
    Note: A message with the issue number displays: The issue VRI0003001 has been created successfully.
    To resubmit the assessment to the vendor: Click Return to Vendor.
    Note: If the assessment schedule might be impacted, you can extend the days by adjusting the number in the following message window:
    (Image: return questionnaire message asking for an extension of days to complete)

Open assessment in the Vendor Portal

The vendor primary contact logs in to the Vendor Portal to view all assessments.

Before you begin

Role required: vendor contact

Procedure

  1. Log in to the vendor assessment portal through https://myCompany.service-now.com/vdp.
  2. Click through each questionnaire and provide a response to each question.

Review assessment responses on the Vendor Portal

After submitting an assessment, the vendor contact can view all responses in read-only mode on the Vendor Portal.

Before you begin

Role required: vendor contact

Procedure

  1. Log in to the vendor assessment portal through https://myCompany.service-now.com/vdp.
  2. Click through each questionnaire and view the responses.
    Note: All responses are read-only since the assessment has already been sent back to the customer.

Create repeating vendor risk assessments

Vendor risk assessors can create repeating vendor assessments to monitor the vendor risk continuously.

Before you begin

Role required: vendor risk assessor

Procedure

  1. Navigate to Vendor Risk > Assessments > Repeating Assessments.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 2. Repeating Assessment
    Field: Description
    Number
    Created by
    Vendor: The vendor that is being assessed.
    Created
    Assessment template: The template used to create the current assessment.
    Updated
    Next assessment creation (months): The next assessment is created a specific number of months after the previous assessment is closed.
    Next assessment end date (months): The end date for the new assessment after the previous assessment is closed.
    Active: Indicates if the current repeating assessment is active.
    Name: The name of the repeating assessment.
    Description: A more detailed description of the repeating assessment.
  4. Click Submit.
  5. The Assessment Occurrences related list displays the status of all assessments and their associated risk ratings.