Home Orlando Governance, Risk, and Compliance Governance, Risk, and Compliance Vendor Risk Management Manage vendor risk assessments

Manage vendor risk assessments

The vendor primary contact uses the Vendor Portal to view all assessments. Before the vendor risk manager closes the assessment, issues and tasks are created on-demand, usually during the Generating Observations state. The vendor risk analyst assigns vendors as needed and communicates using comment streams to achieve closure on non-compliance.

Vendor Risk Assessment workflow

The vendor risk manager creates internal and external assessment templates, questionnaire templates, document request templates, and creates the notifications associated with the workflow.
The vendor risk manager prepares and sends the vendor risk tiering assessment to internal stakeholders.
Internal stakeholders complete and submit the assessment.
After receiving the completed vendor tiering assessments, the vendor risk assessor updates and closes the vendor risk tiering assessment.
Next, the vendor risk manager sends out vendor risk assessments to the primary contact assigned to that vendor. Vendor risk assessments can be sent automatically based on changes to a risk score or vendor tier.
The vendor signs into the Vendor Portal to complete the risk assessment.
- The Vendor Portal provides a list of assessments and the status of each. From the Vendor Portal, the primary contact can invite other collaborators to complete portions of the assessments. After other collaborators are identified, the primary contact submits the assessment.
The Vendor Risk analyst reviews the results of the vendor risk assessments and closes each vendor assessment, creating issues for remediation, as necessary.

Remediating an issue means the underlying issue causing the control failure or risk exposure will be fixed. Accepting an issue means you create an exception for a known control failure or risk. Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.

Vendor Assessment Portal

The vendor assessment portal is a web interface providing a primary point of interaction for vendors and risk assessors, with a centralized workflow for those involved in the assessment. All remediations that result from those assessments are also coordinated through the vendor assessment portal.

Starting with GRC: Vendor Risk Management v10.0.2, a new version of the Vendor Assessment Portal (GRC: Vendor Portal v10.0.2) is automatically loaded as a dependency application. The new version becomes the default version of the portal and operates exactly the same as the previous version, except it offers new features, such as electronic signatures on assessments. A system property (sn_vdr_risk_amt.vendor_portal_endpoint) allows you to continue to use the legacy version if you want; however, you will not be able to use the new features.

Note: For upgrade information, see GRC: Vendor Risk Management v10.0.02 upgrade details.

To customize the vendor assessment portal, navigate to Service Portal > Portals, and click Vendor Portal. See Now Platform Service Portal for more information.

Change the sn_vdr_risk_asmt.company.name property to display your company name in the portal.


Role	Purpose
Vendors	Use the Vendor Assessment Portal to: View and respond to current assessments. Delegate responses to other contacts. View or update contact information. Update notification preferences. Change a password or request a new password.
Vendor risk assessors	Use the Vendor Risk Management application to: Create a login for a new contact. Enable or disable a contact login. Reset a password for a contact. Assign a user role to a contact. Assign a contact to an assessment. View and update customer contact information. Access completed assessments.

Create a vendor risk assessment and initiate the life cycle

The vendor risk assessor creates an assessment, initiating the vendor risk assessment life cycle. Vendor risk assessments can be created on-demand or from a repeating assessment. When creating an on-demand vendor risk assessment, select the questionnaire template or document request template, and the vendor. Also, vendor risk managers can select multiple vendors at a time and automatically trigger vendor risk assessments.

Before you begin

Role required: vendor risk manager or vendor risk assessor

Procedure

Navigate to Vendor Risk > Assessments > All Assessments.
Click New.

On the form, fill in the fields.

Table 1. Vendor Risk Assessment form
Field	Description
Name	The name of the vendor risk assessment.
Description	A more detailed explanation of the issue.
Number	Read-only field automatically populated with a unique identification number.
Applies to	Select Vendor or Engagement.
Engagement	Select the engagement being assessed. This field is visible only if you selected Engagement from the Applies to field.
Repeating assessment	The assessment used to create the current assessment.
Assessment template	If you want to use one assessment template to create questionnaires or document requests for this assessment, select the one you want to use. If you want to use multiple templates to create multiple questionnaires or document requests for this assessment, leave this field blank.
Owner	The owner of this assessment.
State	Draft Submitted to vendor Closed Canceled
Risk rating	The overall risk rating for this vendor. Critical High Moderate Low Minor Note: The Risk rating is determined by finding a risk rating scale range in which the risk score falls. It defines how a minimum and maximum range of assessment scores maps to a qualitative risk score.
Risk rating valid to	The date the risk rating expires. This date must be later than the Risk rating valid to date on any associated questionnaires or document requests.
Trigger by vendor tier	Initiate this assessment when the vendor tier changes.
Watch list	Add users to be notified when this record is modified.
Risk Scoring
Computed risk rating	Shows an average of the vendor risk area risk ratings.
Override risk rating	Allows you to override the computed risk rating for the vendor. When checked, any future changes made to the assessment risk rating will affect only the computed risk rating, not the risk rating. If the check box is selected and then you deselect it, the computed risk rating is copied back to the assessment.
Overridden risk rating	If you selected Override risk rating, enter the new risk rating.
Justification	If you selected Override risk rating, you must enter a reason for the override.
Assessment Schedule
Planned duration (days)	Estimated duration period of the assessment
Planned start date	Planned start date and time for work on the vendor risk assessment.
Planned end date	Planned completion date and time fort work on the vendor risk assessment.
Created by	Shows the user who created this record.
Created	Shows the date/time the record was created.
Actual duration	The amount time it took to complete the vendor risk assessment. This field is calculated using the Actual state date and Actual end date.
Actual start date	Date and time that work on the vendor risk assessment began.
Actual end date	Completion date and time for the vendor risk assessment.
Updated	Shows the date/time when the record was last updated.
Questionnaire Schedule
Planned duration (days)	The amount of time given to the vendor for completing the vendor risk assessment. This field is calculated using the Planned state date and Planned end date.
Review duration (days)	The review duration given to customer to review all the questionnaires.
Due date	Deadline for vendor to answer all the questionnaires.
Completion date	The actual date when vendor completed all the questionnaires.
Submitted to vendor	The delivery date for vendor questionnaires.
Resubmitted to vendor	The date questionnaires are resent to the vendor.
Responses expected by	The date the vendor is expecting the responses.
Notes and Comments
Work notes	Information about the vendor risk assessment. Work notes are visible to users assigned to the issue.
Additional comments (Customer visible)	Public information about the vendor risk assessment.

Save the record. Additional related lists appear.
If you left the Assessment template field blank and want to use assessment templates to associate multiple questionnaires and/or document requests with this assessment, scroll down to the Questionnaires or Document Requests tabs.
To associate existing questionnaires and/or document requests with the assessment, perform the following steps.
1. Click the Questionnaires or Document Requests tab, depending on the type of questions you want to associate with the assessment.
2. Click Edit.
3. Select the questionnaires or document requests you want to use, then click Save.
4. Repeat for the other type of questions, if needed. That is, if you associated questionnaire templates to the assessment and also want to associate document request templates, click that tab and repeat these steps.
To create new questionnaire and/or document request templates and associate them with this assessment, see Manually define a questionnaire template or document request template.
Click Submit to Vendor.
The state of the assessment changes to Submitted to Vendor, the templates you selected automatically generate questionnaires and/or document requests, and the primary vendor contact receives an email notification, along with a link to the assessment in the Vendor Portal.
When the vendor contact is ready to respond to the assessment, he or she clicks the email link to open the assessment in the Vendor Portal.

Note: As you can see, one of the questionnaires shown above requires a signature. The vendor or reviewer must save and e-sign the questionnaire or document request before it can be returned to the vendor risk assessor. For more information, see Approve questionnaire assessments or document requests with e-signatures.
The vendor assessor moves the state of the assessment to Generating Observations. During this time, the vendor assessor can click the View Response link in the document requests/questionnaires related list to view the response and provide comments or change responses, as necessary.
For any problems that rise, the vendor assessor creates an issue to track the remediation process (Finalizing with vendor).
The vendor assessor moves the assessment to Closed state.
The vendor risk assessor works with the vendor through the vendor portal to close the assessment.

Approve questionnaire assessments or document requests with e-signatures

When questionnaires or document requests are configured to require electronic signatures, vendors and/or reviewers must provide e-signatures during the approval process.

Before you begin

Role required: vendor risk manager or vendor risk assessor

Procedure

After a questionnaire or document request has been submitted to the vendor, the vendor risk manager or vendor risk assessor receives an email notification that includes a link to the record. Click the link to open the questionnaire or document request.

Note: Notice that a signature is required for the Sample questionnaire. Open the questionnaire that requires a signature.
Scroll down and complete the questionnaire or document request.
When you have answered the questions, click Save and Sign. The Sign to Complete dialog box opens.
Either type your name in the Type tab (as shown), or click the Draw tab and provide a free-form signature with your mouse.
After you have provided your signature using either method, click Sign to Complete.
If you want to make any modifications to the answers in the questionnaire or document request, click Make Changes. The signature is removed and you must sign again.
When you have completed and signed the assessment, click Exit, and complete any additional questionnaires or document requests in the assessment.

Note: If any of the questionnaires or document requests in the assessment require e-signatures and have not been signed, you cannot submit the assessment.
When you have completed all questionnaires or document requests in the assessment, click Submit Assessment. The state of the assessment changes to Response Received, and all the risk scores are calculated automatically.

Review assessment responses and resubmit questions to the vendor

Vendors use the vendor portal to complete assessments and collaborate with the vendor risk manager through the comments section.

Before you begin

Role required: sn_vdr_risk_asmt.vendor_assessor

About this task

When assessments reveal gaps, issues can be generated automatically or manually. If the vendor risk manager or assessor decides that an assessment response is unsatisfactory, they can return the assessment to the vendor by resubmitting a particular questionnaire or document request. Incorrect answers to questions can automatically generate issues or issues can be generated manually from the question. Vendor contacts can identify resubmitted questionnaires and document requests within an assessment by reviewing the external comments on the vendor portal.

Procedure

Navigate to Vendor Risk > Assessments > My Open Assessments.
Open an assessment in the Responses Received state.
In the Questionnaires or Document Requests tabs, click View Responses.
Add comments to the questions and make the following selections, as necessary:
- Select Show Follow-ups.
- Select Show incorrect and un-scored responses.
- Select Hide comments.
- Select Include this question when creating an issue.
- Enter information in the Internal comment .
- Select Comment for vendor and add information.

After adding comments, perform one of the following:

Option	Description
To generate issues associated with each question	Click Create Issue. Note: A message with the issue number displays: The issue VRI0003001 has been created successfully.
To resubmit the assessment to the vendor	Click Return to Vendor Note: If the assessment schedule might be impacted, you can extend the days by adjusting the number in the following message window:

Open an assessment in the vendor assessment portal

Starting in Version 10.1, the Vendor Assessment Portal restricts assessment information available depending on the type of contact accessing the portal. New capabilities are available to primary and secondary contacts.

Before you begin

Role required: vendor contact

Procedure

Log in to the vendor assessment portal through https://myCompany.service-now.com/svdp. The Assessment Summary dashboard opens.
Vendor and engagement contacts (both primary and secondary) can view assessment information in the following ways.
- Since engagements are services or products associated with (or offered by) the vendor, engagement contacts cannot view the assessments in the Vendor section. They can view only assessments in the Engagements section.
- Primary vendor contacts and primary engagement contacts can assign new primary contacts from the dashboard. For example, the primary engagement contact can assign another user as a primary engagement contact. If needed, both primary engagement contacts can then be assigned to complete the engagement assessment.
- Primary vendor and engagement contacts can manage their teams, adding and removing contacts, and assigning primary and secondary contact designations.
- The following diagram summarizes the capabilities of each of the contact roles.
Note: If a Secondary Vendor Contact is also assigned the Secondary Engagement Contact role, that individual can take engagement assessments, but cannot take vendor assessments. In that situation, the Secondary Engagement Contact role takes precedence.

Review assessment responses in the vendor assessment portal

After submitting an assessment, the vendor contact can view all responses in read-only mode on the vendor assessment portal.

Before you begin

Role required: vendor contact

Procedure

Log into the vendor assessment portal through https://myCompany.service-now.com/svdp.
Click through each questionnaire and view the responses.

Note: All responses are read-only since the assessment has already been sent back to the customer.

Create repeating vendor risk assessments

Vendor risk assessors can create repeating vendor assessments to monitor the vendor risk continuously.

Before you begin

Role required: vendor risk assessor

Procedure

Navigate to Vendor Risk > Assessments > Repeating Assessments.
Click New.

On the form, fill in the fields.

Table 2. Repeating Assessment form
Field	Description
Number	Read-only field automatically populated with a unique identification number.
Description	A more detailed description of the repeating assessment.
Name	The name of the repeating assessment.
Assessment template	The template used to create the current assessment.
Applies to	Select Vendor or Engagement.
Vendor	The vendor that is being assessed.
Engagement	Select the engagement being assessed. This field is visible only if you selected Engagement in the Applies to field.
Active	Indicates if the current repeating assessment is active.
Next assessment creation (months)	Next assessment will be created in specific number of months after the previous assessment is closed
Next assessment end date (months)	The end date for the new assessment after the previous assessment is closed
Assessment results valid duration (days)	The number of days that the assessment results are valid.

Click Submit.
The Assessment Occurrences related list displays the status of all assessments and its associated risk rating.

Manage third-party security scores

Third-party security scores help you normalize the security risk posed by doing business with particular vendors. The companies that provide the vendor metrics are referred to as providers. Providers can have its different score ranges and varying weights of consideration. Also, you can use your company's own internally generated security metrics.

Vendor Third-Party Security Score workflow

Security scores reflect an company's security posture. Third-party security score providers use different scales (between 0 to 1000) with a higher score indicating better cybersecurity performance. A lower score correlates to a higher risk of a data breach. The score is calculated using various factors, like application security, network security, patching cadence, vulnerability, hacker chatter, and exposed passwords.

The security score provider table contains the security provider's information.
The vendor risk manager monitors the scores generated by the provider for the vendors they are interested in.
The vendor risk manager uses these scores when determining a vendor's tier.
The vendor risk manager can initiate the vendor risk assessment or it is automatically sent using a configured business rule.

Set up third-party vendor security scores

You can add multiple providers and change the scoring scales for those providers. When changes are made to the provider score, those changes are also calculated into the security score.

Before you begin

Role required: sn_vdr_risk_asmt.vendor_assessor

Procedure

Navigate to Security Score Setup > Providers.
Select a provider record or click New.

On the form, fill in the fields.

Table 3. Security Score Providers form
Field	Description
Provider	Name of the third-party score provider.
Order	The weighting assigned to this vendor when calculating the security score. The lower the number, the higher weighting is applied. Note: When there are multiple scores for the provider, the order is applied accordingly.
Range from	The lowest end of the scoring range of the provider.
Range to	The highest end of the scoring range of the provider.

Click Submit.

Figure 1. Security Score Providers
Navigate to Security Score Setup > Scores
Select a security record or click New.

On the form, fill in the fields.

Table 4. Security Scores form
Field	Description
Provider	Name of the third-party score provider.
Vendor	The vendor being scored.
Provider score	The score provided by the third-party provider.
Security score	The normalized security score for this vendor based on the order and weightings of the third-party providers.
URL	Link to additional information about the origin of this score, from the security score provider.
Score generated on	The date and time that the score was updated.

Click Submit.

Figure 2. Security Scores

Update a vendor's security score

When changes are made to a vendor's security score (from an established third -arty score update or the inclusion of another third-party provider score to the calculation), email notifications are sent to interested stakeholders.

Before you begin

Role required: sn_vdr_risk_asmt.vendor_assessor

Procedure

Navigate to Security Score Setup > Providers.
Select a provider record or click New.

On the form, fill in the fields.

Table 5. Security Score Providers form
Field	Description
Provider	Name of the third-party score provider.
Order	The weighting assigned to this vendor when calculating the security score. The lower the number, the higher weighting is applied. Note: When there are multiple scores for the provider being applied, the order is applied accordingly.
Range from	The lowest end of the scoring range of the provider.
Range to	The highest end of the scoring range of the provider.

Click Submit.

Create an automatic scored-based risk assessment

You can create rules to automate the vendor risk assessment functionality based on a change to the vendor's security score.

Before you begin

Role required: sn_vdr_risk_asmt.vendor_assessor

Procedure

Navigate to Assessment Submission Rules > Score Based Submission.
Select a rule record or click New.

On the form, fill in the fields.

Table 6. Score Based Assessment Submission Rules form
Field	Description
Name	Name of the score based assessment submission rules.
Basis	The basis for the change. Choices are: Percentage Score
Extent of change	The extent of the change. Choices are: Increases by Decreases by
Security score	Automatically submit the risk assessement to the vendor after it has been generated.
Score provider and vendor settings
Score Provider	The score provider for this rule.
Apply to vendor	The vendor to apply the rule to.
Apply to vendor tier	Select the tier scale which will automatically generate the risk assessment. Choices are: None Critical High Moderate Low Minor
Assessment template and auto submit
Assessment template	The template that will be sent when the security score changes as specified in the rule.
Auto submit to vendor	Automatically submit the risk assessment to the vendor after it has been generated.

Click Submit.

Previous topic

Next topic

Release version

Manage vendor risk assessments

Vendor Risk Assessment workflow

The vendor risk manager creates internal and external assessment templates, questionnaire templates, document request templates, and creates the notifications associated with the workflow.
The vendor risk manager prepares and sends the vendor risk tiering assessment to internal stakeholders.
Internal stakeholders complete and submit the assessment.
After receiving the completed vendor tiering assessments, the vendor risk assessor updates and closes the vendor risk tiering assessment.
Next, the vendor risk manager sends out vendor risk assessments to the primary contact assigned to that vendor. Vendor risk assessments can be sent automatically based on changes to a risk score or vendor tier.
The vendor signs into the Vendor Portal to complete the risk assessment.
- The Vendor Portal provides a list of assessments and the status of each. From the Vendor Portal, the primary contact can invite other collaborators to complete portions of the assessments. After other collaborators are identified, the primary contact submits the assessment.
The Vendor Risk analyst reviews the results of the vendor risk assessments and closes each vendor assessment, creating issues for remediation, as necessary.

Vendor Assessment Portal

Note: For upgrade information, see GRC: Vendor Risk Management v10.0.02 upgrade details.

To customize the vendor assessment portal, navigate to Service Portal > Portals, and click Vendor Portal. See Now Platform Service Portal for more information.

Change the sn_vdr_risk_asmt.company.name property to display your company name in the portal.


Role	Purpose
Vendors	Use the Vendor Assessment Portal to: View and respond to current assessments. Delegate responses to other contacts. View or update contact information. Update notification preferences. Change a password or request a new password.
Vendor risk assessors	Use the Vendor Risk Management application to: Create a login for a new contact. Enable or disable a contact login. Reset a password for a contact. Assign a user role to a contact. Assign a contact to an assessment. View and update customer contact information. Access completed assessments.

Create a vendor risk assessment and initiate the life cycle

Before you begin

Role required: vendor risk manager or vendor risk assessor

Procedure

Navigate to Vendor Risk > Assessments > All Assessments.
Click New.

On the form, fill in the fields.

Table 1. Vendor Risk Assessment form
Field	Description
Name	The name of the vendor risk assessment.
Description	A more detailed explanation of the issue.
Number	Read-only field automatically populated with a unique identification number.
Applies to	Select Vendor or Engagement.
Engagement	Select the engagement being assessed. This field is visible only if you selected Engagement from the Applies to field.
Repeating assessment	The assessment used to create the current assessment.
Assessment template	If you want to use one assessment template to create questionnaires or document requests for this assessment, select the one you want to use. If you want to use multiple templates to create multiple questionnaires or document requests for this assessment, leave this field blank.
Owner	The owner of this assessment.
State	Draft Submitted to vendor Closed Canceled
Risk rating	The overall risk rating for this vendor. Critical High Moderate Low Minor Note: The Risk rating is determined by finding a risk rating scale range in which the risk score falls. It defines how a minimum and maximum range of assessment scores maps to a qualitative risk score.
Risk rating valid to	The date the risk rating expires. This date must be later than the Risk rating valid to date on any associated questionnaires or document requests.
Trigger by vendor tier	Initiate this assessment when the vendor tier changes.
Watch list	Add users to be notified when this record is modified.
Risk Scoring
Computed risk rating	Shows an average of the vendor risk area risk ratings.
Override risk rating	Allows you to override the computed risk rating for the vendor. When checked, any future changes made to the assessment risk rating will affect only the computed risk rating, not the risk rating. If the check box is selected and then you deselect it, the computed risk rating is copied back to the assessment.
Overridden risk rating	If you selected Override risk rating, enter the new risk rating.
Justification	If you selected Override risk rating, you must enter a reason for the override.
Assessment Schedule
Planned duration (days)	Estimated duration period of the assessment
Planned start date	Planned start date and time for work on the vendor risk assessment.
Planned end date	Planned completion date and time fort work on the vendor risk assessment.
Created by	Shows the user who created this record.
Created	Shows the date/time the record was created.
Actual duration	The amount time it took to complete the vendor risk assessment. This field is calculated using the Actual state date and Actual end date.
Actual start date	Date and time that work on the vendor risk assessment began.
Actual end date	Completion date and time for the vendor risk assessment.
Updated	Shows the date/time when the record was last updated.
Questionnaire Schedule
Planned duration (days)	The amount of time given to the vendor for completing the vendor risk assessment. This field is calculated using the Planned state date and Planned end date.
Review duration (days)	The review duration given to customer to review all the questionnaires.
Due date	Deadline for vendor to answer all the questionnaires.
Completion date	The actual date when vendor completed all the questionnaires.
Submitted to vendor	The delivery date for vendor questionnaires.
Resubmitted to vendor	The date questionnaires are resent to the vendor.
Responses expected by	The date the vendor is expecting the responses.
Notes and Comments
Work notes	Information about the vendor risk assessment. Work notes are visible to users assigned to the issue.
Additional comments (Customer visible)	Public information about the vendor risk assessment.

Save the record. Additional related lists appear.
If you left the Assessment template field blank and want to use assessment templates to associate multiple questionnaires and/or document requests with this assessment, scroll down to the Questionnaires or Document Requests tabs.
To associate existing questionnaires and/or document requests with the assessment, perform the following steps.
1. Click the Questionnaires or Document Requests tab, depending on the type of questions you want to associate with the assessment.
2. Click Edit.
3. Select the questionnaires or document requests you want to use, then click Save.
4. Repeat for the other type of questions, if needed. That is, if you associated questionnaire templates to the assessment and also want to associate document request templates, click that tab and repeat these steps.
To create new questionnaire and/or document request templates and associate them with this assessment, see Manually define a questionnaire template or document request template.
Click Submit to Vendor.
The state of the assessment changes to Submitted to Vendor, the templates you selected automatically generate questionnaires and/or document requests, and the primary vendor contact receives an email notification, along with a link to the assessment in the Vendor Portal.
When the vendor contact is ready to respond to the assessment, he or she clicks the email link to open the assessment in the Vendor Portal.

Note: As you can see, one of the questionnaires shown above requires a signature. The vendor or reviewer must save and e-sign the questionnaire or document request before it can be returned to the vendor risk assessor. For more information, see Approve questionnaire assessments or document requests with e-signatures.
The vendor assessor moves the state of the assessment to Generating Observations. During this time, the vendor assessor can click the View Response link in the document requests/questionnaires related list to view the response and provide comments or change responses, as necessary.
For any problems that rise, the vendor assessor creates an issue to track the remediation process (Finalizing with vendor).
The vendor assessor moves the assessment to Closed state.
The vendor risk assessor works with the vendor through the vendor portal to close the assessment.

Approve questionnaire assessments or document requests with e-signatures

When questionnaires or document requests are configured to require electronic signatures, vendors and/or reviewers must provide e-signatures during the approval process.

Before you begin

Role required: vendor risk manager or vendor risk assessor

Procedure

After a questionnaire or document request has been submitted to the vendor, the vendor risk manager or vendor risk assessor receives an email notification that includes a link to the record. Click the link to open the questionnaire or document request.

Note: Notice that a signature is required for the Sample questionnaire. Open the questionnaire that requires a signature.
Scroll down and complete the questionnaire or document request.
When you have answered the questions, click Save and Sign. The Sign to Complete dialog box opens.
Either type your name in the Type tab (as shown), or click the Draw tab and provide a free-form signature with your mouse.
After you have provided your signature using either method, click Sign to Complete.
If you want to make any modifications to the answers in the questionnaire or document request, click Make Changes. The signature is removed and you must sign again.
When you have completed and signed the assessment, click Exit, and complete any additional questionnaires or document requests in the assessment.

Note: If any of the questionnaires or document requests in the assessment require e-signatures and have not been signed, you cannot submit the assessment.
When you have completed all questionnaires or document requests in the assessment, click Submit Assessment. The state of the assessment changes to Response Received, and all the risk scores are calculated automatically.

Review assessment responses and resubmit questions to the vendor

Vendors use the vendor portal to complete assessments and collaborate with the vendor risk manager through the comments section.

Before you begin

Role required: sn_vdr_risk_asmt.vendor_assessor

About this task

Procedure

Navigate to Vendor Risk > Assessments > My Open Assessments.
Open an assessment in the Responses Received state.
In the Questionnaires or Document Requests tabs, click View Responses.
Add comments to the questions and make the following selections, as necessary:
- Select Show Follow-ups.
- Select Show incorrect and un-scored responses.
- Select Hide comments.
- Select Include this question when creating an issue.
- Enter information in the Internal comment .
- Select Comment for vendor and add information.

After adding comments, perform one of the following:

Option	Description
To generate issues associated with each question	Click Create Issue. Note: A message with the issue number displays: The issue VRI0003001 has been created successfully.
To resubmit the assessment to the vendor	Click Return to Vendor Note: If the assessment schedule might be impacted, you can extend the days by adjusting the number in the following message window:

Open an assessment in the vendor assessment portal

Before you begin

Role required: vendor contact

Procedure

Log in to the vendor assessment portal through https://myCompany.service-now.com/svdp. The Assessment Summary dashboard opens.
Vendor and engagement contacts (both primary and secondary) can view assessment information in the following ways.
- Since engagements are services or products associated with (or offered by) the vendor, engagement contacts cannot view the assessments in the Vendor section. They can view only assessments in the Engagements section.
- Primary vendor contacts and primary engagement contacts can assign new primary contacts from the dashboard. For example, the primary engagement contact can assign another user as a primary engagement contact. If needed, both primary engagement contacts can then be assigned to complete the engagement assessment.
- Primary vendor and engagement contacts can manage their teams, adding and removing contacts, and assigning primary and secondary contact designations.
- The following diagram summarizes the capabilities of each of the contact roles.
Note: If a Secondary Vendor Contact is also assigned the Secondary Engagement Contact role, that individual can take engagement assessments, but cannot take vendor assessments. In that situation, the Secondary Engagement Contact role takes precedence.

Review assessment responses in the vendor assessment portal

After submitting an assessment, the vendor contact can view all responses in read-only mode on the vendor assessment portal.

Before you begin

Role required: vendor contact

Procedure

Log into the vendor assessment portal through https://myCompany.service-now.com/svdp.
Click through each questionnaire and view the responses.

Note: All responses are read-only since the assessment has already been sent back to the customer.

Create repeating vendor risk assessments

Vendor risk assessors can create repeating vendor assessments to monitor the vendor risk continuously.

Before you begin

Role required: vendor risk assessor

Procedure

Navigate to Vendor Risk > Assessments > Repeating Assessments.
Click New.

On the form, fill in the fields.

Table 2. Repeating Assessment form
Field	Description
Number	Read-only field automatically populated with a unique identification number.
Description	A more detailed description of the repeating assessment.
Name	The name of the repeating assessment.
Assessment template	The template used to create the current assessment.
Applies to	Select Vendor or Engagement.
Vendor	The vendor that is being assessed.
Engagement	Select the engagement being assessed. This field is visible only if you selected Engagement in the Applies to field.
Active	Indicates if the current repeating assessment is active.
Next assessment creation (months)	Next assessment will be created in specific number of months after the previous assessment is closed
Next assessment end date (months)	The end date for the new assessment after the previous assessment is closed
Assessment results valid duration (days)	The number of days that the assessment results are valid.

Click Submit.
The Assessment Occurrences related list displays the status of all assessments and its associated risk rating.

Manage third-party security scores

Vendor Third-Party Security Score workflow

The security score provider table contains the security provider's information.
The vendor risk manager monitors the scores generated by the provider for the vendors they are interested in.
The vendor risk manager uses these scores when determining a vendor's tier.
The vendor risk manager can initiate the vendor risk assessment or it is automatically sent using a configured business rule.

Set up third-party vendor security scores

You can add multiple providers and change the scoring scales for those providers. When changes are made to the provider score, those changes are also calculated into the security score.

Before you begin

Role required: sn_vdr_risk_asmt.vendor_assessor

Procedure

Navigate to Security Score Setup > Providers.
Select a provider record or click New.

On the form, fill in the fields.

Table 3. Security Score Providers form
Field	Description
Provider	Name of the third-party score provider.
Order	The weighting assigned to this vendor when calculating the security score. The lower the number, the higher weighting is applied. Note: When there are multiple scores for the provider, the order is applied accordingly.
Range from	The lowest end of the scoring range of the provider.
Range to	The highest end of the scoring range of the provider.

Click Submit.

Figure 1. Security Score Providers
Navigate to Security Score Setup > Scores
Select a security record or click New.

On the form, fill in the fields.

Table 4. Security Scores form
Field	Description
Provider	Name of the third-party score provider.
Vendor	The vendor being scored.
Provider score	The score provided by the third-party provider.
Security score	The normalized security score for this vendor based on the order and weightings of the third-party providers.
URL	Link to additional information about the origin of this score, from the security score provider.
Score generated on	The date and time that the score was updated.

Click Submit.

Figure 2. Security Scores

Update a vendor's security score

Before you begin

Role required: sn_vdr_risk_asmt.vendor_assessor

Procedure

Navigate to Security Score Setup > Providers.
Select a provider record or click New.

On the form, fill in the fields.

Table 5. Security Score Providers form
Field	Description
Provider	Name of the third-party score provider.
Order	The weighting assigned to this vendor when calculating the security score. The lower the number, the higher weighting is applied. Note: When there are multiple scores for the provider being applied, the order is applied accordingly.
Range from	The lowest end of the scoring range of the provider.
Range to	The highest end of the scoring range of the provider.

Click Submit.

Create an automatic scored-based risk assessment

You can create rules to automate the vendor risk assessment functionality based on a change to the vendor's security score.

Before you begin

Role required: sn_vdr_risk_asmt.vendor_assessor

Procedure

Navigate to Assessment Submission Rules > Score Based Submission.
Select a rule record or click New.

On the form, fill in the fields.

Table 6. Score Based Assessment Submission Rules form
Field	Description
Name	Name of the score based assessment submission rules.
Basis	The basis for the change. Choices are: Percentage Score
Extent of change	The extent of the change. Choices are: Increases by Decreases by
Security score	Automatically submit the risk assessement to the vendor after it has been generated.
Score provider and vendor settings
Score Provider	The score provider for this rule.
Apply to vendor	The vendor to apply the rule to.
Apply to vendor tier	Select the tier scale which will automatically generate the risk assessment. Choices are: None Critical High Moderate Low Minor
Assessment template and auto submit
Assessment template	The template that will be sent when the security score changes as specified in the rule.
Auto submit to vendor	Automatically submit the risk assessment to the vendor after it has been generated.

Click Submit.

How search works:

Topics are ranked in search results by how closely they match your search terms

Manage vendor risk assessments

Manage vendor risk assessments

Vendor Risk Assessment workflow

Vendor Assessment Portal

Create a vendor risk assessment and initiate the life cycle

Approve questionnaire assessments or document requests with e-signatures

Review assessment responses and resubmit questions to the vendor

Open an assessment in the vendor assessment portal

Review assessment responses in the vendor assessment portal

Create repeating vendor risk assessments

Manage third-party security scores

Vendor Third-Party Security Score workflow

Set up third-party vendor security scores

Update a vendor's security score

Create an automatic scored-based risk assessment

On this page

Manage vendor risk assessments

Manage vendor risk assessments

Vendor Risk Assessment workflow

Vendor Assessment Portal

Create a vendor risk assessment and initiate the life cycle

Approve questionnaire assessments or document requests with e-signatures

Review assessment responses and resubmit questions to the vendor

Open an assessment in the vendor assessment portal

Review assessment responses in the vendor assessment portal

Create repeating vendor risk assessments

Manage third-party security scores

Vendor Third-Party Security Score workflow

Set up third-party vendor security scores

Update a vendor's security score

Create an automatic scored-based risk assessment

Log in to personalize your search results and subscribe to topics