
Understanding Vendor Risk Management


The Vendor Risk Management application provides a centralized process for managing your vendor portfolio and completing the vendor assessment and remediation life cycle. Integration with other GRC applications also provides traceability for compliance with controls and risks.


Who uses Vendor Risk Management?

  • Risk analysts
  • Vendor risk manager
  • Functional department heads responsible for vendor compliance. For example:
    • Account Executives
    • Corporate Counsel
    • Information Security
    • HR Operations
    • Information Technology

Vendor Risk Management process

  1. Vendor risk managers establish the vendor portfolio by importing the database through an Excel spreadsheet, integrating with another onboarding system, or importing vendors from the vendor table.
  2. Vendor risk managers or assessors schedule vendor tier assessments:
    1. Create tiering assessment templates and questionnaires using the Vendor Tier Assessment Designer which includes a library of questions for various categories, so you do not have to build each questionnaire from scratch.
    2. Send tiering assessments to internal stakeholders.
    3. Internal stakeholders navigate to Self-service > My Assessments and Surveys to complete and submit the assessment.
    4. The results of these assessments are calculated, providing an initial classification for potential risk posed by doing business with this vendor.
    5. Vendor risk assessors can use information from third-party security score/ratings providers to help assess the vendor's security performance over time and manually change the vendor's tier.
  3. Vendor risk managers or assessors schedule risk assessments:
    1. Create risk assessments using templates, questionnaires, and question banks using the Assessment Designer which includes a library of questions for various categories, so you do not have to build each questionnaire from scratch.
    2. Send a vendor risk assessment to the primary contact of the vendor. They can also be sent automatically based on changes to a vendor risk score or vendor tier.
    3. Vendors use the Vendor portal to complete the assessments and collaborate with the vendor risk manager through the comments section.
    4. When assessments reveal gaps, issues can be generated automatically or manually for incorrect responses while reviewing an assessment.
    5. If the vendor risk manager or assessor decides that an assessment response is unsatisfactory, they can return the assessment to the vendor by resubmitting a particular questionnaire or document request.
    6. Vendor contacts can identify resubmitted questionnaires and document requests within an assessment, by reviewing the external comments on individual questions and customer comments at the questionnaire level.
    7. The vendor risk analyst reviews the results of the vendor risk assessments and closes each vendor assessment.