Third Party Risk Management
Third Party Risk Management (TPRM)

1. What is Third Party Risk Management (TPRM)?

Third-Party Risk Management (TPRM) is the process of identifying, assessing, and managing the risks that come from vendors, suppliers, contractors, and service providers. The TPRM application organizes and standardizes these processes, tracks third-party issues, and reduces risk to your organization's operations, reputation, and assets. It also automates risk assessments, which saves time and reduces manual work.

1.1. Overview of TPRM

The TPRM application helps ensure that external vendors and suppliers do not disrupt the business or degrade its performance. It lets organizations assess third-party risk, automate the assessment process to save time and cost, and manage the resulting risks. A strong TPRM framework covers governance, roles and responsibilities, processes, and technology.

1.2. Third-Party Risks and How They Impact Your Business

Data Privacy Risk
  Impact: exposure of customer or employee personal data, leading to loss of trust and legal consequences.
  Example: a marketing vendor accidentally exposes customer email addresses through improper data handling.

Compliance Risk
  Impact: failure to meet regulatory standards, resulting in audit failures, fines, or penalties.
  Example: a payroll vendor cannot produce SOC 2 reports, putting your company at risk during compliance audits.

Security Risk
  Impact: a cyberattack on the vendor can compromise your systems or sensitive information.
  Example: a cloud storage vendor is breached, giving attackers access to the files you store there.

Operational Risk
  Impact: vendor outages or performance problems disrupt your business operations and customer experience.
  Example: your payment gateway provider goes down for 3 hours, stopping all customer transactions.

Financial Risk
  Impact: a vendor's financial instability affects service continuity, support, or contractual obligations.
  Example: a small SaaS vendor shuts down because of bankruptcy, leaving your operations unsupported.

1.3. Before Starting the TPRM Flow – Required Plugins

To use TPRM and Vendor Risk Management features, make sure the following plugins are activated:

TPRM – Vendor Risk Management (sn_vdr_risk_asmt)
  Core TPRM functionality, including assessments, due diligence, and risk workflows.

GRC Common (sn_grc)
  Base tables, engine, and workflows required for risk operations.

ServiceNow Workspace Experience (sn_workspace)
  Provides access to the Vendor Management Workspace, the Due Diligence Workspace, and related workspaces.

TPRM Portal / SVDP Portal plugin (if applicable)
  Required for external vendors to submit surveys through the SVDP portal.

Note: without sn_workspace, users cannot see the Vendor Management Workspace in the workspace list.

2. TPRM Workflow

3. TPRM Roles

3.1. TPRM Internal Roles

Each role is listed with its technical role name, what it allows, and the roles it contains. A contained role is granted automatically together with the parent role, so a user who holds vendor_risk_admin effectively holds every role below it; grant the narrowest role that covers the user's duties.

Third-party Reader (vendor_reader)
  Read-only access to third-party and contact records.
  Contains: none

Third-party Editor (vendor_editor)
  Create, update, and delete third-party and contact records.
  Contains: vendor_reader

Third-party Assessment Reviewer (sn_vdr_risk_asmt.vendor_assessment_reviewer)
  View assessment and questionnaire data and comment on tiering, internal assessments, risk assessments, issues, tasks, and due diligence requests.
  Contains: compliance_reader, risk_reader, task_editor, vendor_reader

Third-party Risk (TPR) Assessor (sn_vdr_risk_asmt.vendor_assessor)
  All reviewer permissions, plus manage third parties, contacts, engagements, external risk assessments, and issues.
  Contains: compliance_reader, vendor_assessment_reviewer, vendor_editor, vendor_reader

Due Diligence Approver (sn_vdr_risk_asmt.approver)
  All reviewer permissions, plus approve Inherent Risk Questionnaires (IRQs).
  Contains: vendor_assessment_reviewer

Third-party Contract Negotiator (sn_vdr_risk_asmt.contract_negotiator)
  All assessor permissions, plus modify contract status, start date, and end date.
  Contains: sn_vdr_risk_asmt.vendor_assessor

Third-party Risk (TPR) Manager (sn_vdr_risk_asmt.vendor_risk_manager)
  All assessor permissions, plus manage assessment templates, scheduled assessments, property settings, and scoring rules.
  Contains: vendor_assessment_reviewer, vendor_assessor

Third-party Risk Admin (sn_vdr_risk_asmt.vendor_risk_admin)
  Full admin access; manage questionnaire templates and document request templates.
  Contains: assessment_admin, sn_vdr_risk_asmt.vendor_risk_manager

3.2. TPRM External Role

Vendor Contact (vendor_contact)
  Access the third-party assessment portal, answer assessment questions, assign and manage other contacts, and communicate with TPR managers.
  Contains: snc_external

4. Fields in Due Diligence

Number
  Auto-assigned unique ID starting with DDR.

State
  Current stage: IRQ, external due diligence, approval, contract risk, or closed.

Request Type
  - Onboard: new engagement with a third party.
  - Reassess existing engagement: because of changes or adverse news.
  - Reassess for contract renewal.
  - Offboard with due diligence.
  - Offboard without due diligence: the normal IRQ still applies.

Priority
  1 - Critical, 2 - High, 3 - Moderate, 4 - Low, 5 - Planning

Third Party
  The associated third-party organization.

Annual Spend
  Money spent with the third party per year.

Engagement
  The associated engagement; can be updated after submission to link an existing engagement.

Skip Contract Risk Process
  Checkbox that bypasses contract negotiation; contract dates are replaced with the engagement dates. The request closes after TPR manager approval.

Requestor
  Creator of the request.

Opened
  Date the request was created.

Contract Start / Expiration Date
  Preferred start and end dates for the contract.

Engagement Start / Expiration Date
  Preferred start and end dates for the engagement.

IRQ Assessor
  User who responds to the Inherent Risk Questionnaire (IRQ).

Contract Negotiator
  User who prepares, negotiates, and approves the contract.

Assignment Group
  Group responsible for the request; members are notified automatically and can assign the request to themselves or to others. TPR managers and assessors can modify it.

Assigned To
  Individual responsible for completing, reviewing, and resolving assessment tasks. Must hold the TPR manager or assessor role.

Short Description / Description
  Summary of the request's purpose and requirements.

5. Process of TPRM

5.1. Request Submission

The lifecycle begins when an employee submits a Due Diligence Request through the Employee Center.

1. Open the Employee Service Center (ESC) portal. This is where employees submit requests related to vendors and third-party assessments.
2. Use the search bar at the top of the portal and type "Due Request" in the search field.
3. Review the search results; the portal lists all matching catalog items.
4. Select "Request Third-Party Risk Due Diligence". This is the catalog item that starts the TPRM lifecycle.
5. When the form opens, choose the type of request to initiate:
   - Onboard a New Vendor: introduce a new third-party vendor to the organization.
   - Reassess an Existing Vendor Engagement: periodic evaluation, or when the vendor's risk or operations change.
   - Prepare for Contract Renewal: review risk before renewing an existing contract.
   - Offboard a Vendor: terminate the relationship, ensuring proper closure, data return or deletion, and risk documentation.
6. Fill in the key details, including:
   Third Party Information: Name*, Type*, Website, Phone,
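The "Contains Roles" column in sections 3.1 and 3.2 defines a containment hierarchy, and section 4 says the Assigned To user must hold the TPR manager or assessor role. Both can be checked mechanically before roles are granted. The Python below is an added example, not ServiceNow code: its containment map is transcribed from the role tables on this page (scoped names written out in full), while the two audit rules it applies, that an IRQ approver must not also hold vendor_editor and that an external vendor contact must not hold any internal role, are assumptions chosen for illustration. The sample principals at the bottom are constructed, not real users.

```python
"""Resolve effective TPRM roles from the 'Contains Roles' column and audit them.

Added example, not ServiceNow code. CONTAINS is transcribed from the role tables
in sections 3.1 and 3.2. can_be_assigned follows section 4 ('Assigned To' must
hold the TPR manager or assessor role); the rules in audit() are assumptions.
"""
from __future__ import annotations

from typing import Iterable

PFX = "sn_vdr_risk_asmt."

# Parent role -> roles it contains, as listed on this page.
CONTAINS: dict[str, frozenset[str]] = {
    "vendor_reader": frozenset(),
    "vendor_editor": frozenset({"vendor_reader"}),
    PFX + "vendor_assessment_reviewer": frozenset(
        {"compliance_reader", "risk_reader", "task_editor", "vendor_reader"}),
    PFX + "vendor_assessor": frozenset(
        {"compliance_reader", PFX + "vendor_assessment_reviewer",
         "vendor_editor", "vendor_reader"}),
    PFX + "approver": frozenset({PFX + "vendor_assessment_reviewer"}),
    PFX + "contract_negotiator": frozenset({PFX + "vendor_assessor"}),
    PFX + "vendor_risk_manager": frozenset(
        {PFX + "vendor_assessment_reviewer", PFX + "vendor_assessor"}),
    PFX + "vendor_risk_admin": frozenset(
        {"assessment_admin", PFX + "vendor_risk_manager"}),
    # External role (section 3.2).
    "vendor_contact": frozenset({"snc_external"}),
}

# Every role name on the page except the two external ones.
INTERNAL_ROLES = (frozenset(CONTAINS) | frozenset().union(*CONTAINS.values())) \
    - {"vendor_contact", "snc_external"}

# Section 4: the 'Assigned To' user must hold the TPR manager or assessor role.
ASSIGNEE_ROLES = frozenset({PFX + "vendor_risk_manager", PFX + "vendor_assessor"})


def effective_roles(granted: Iterable[str] | str) -> frozenset[str]:
    """Granted roles plus everything they contain, transitively.

    Iterative walk with a 'seen' set, so a cycle introduced by a customised
    containment map terminates instead of recursing forever."""
    stack = [granted] if isinstance(granted, str) else list(granted)
    seen: set[str] = set()
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(CONTAINS.get(role, frozenset()))
    return frozenset(seen)


def can_be_assigned(granted: Iterable[str] | str) -> bool:
    """True if the principal may be the 'Assigned To' of a due diligence request."""
    return bool(effective_roles(granted) & ASSIGNEE_ROLES)


def audit(granted: Iterable[str] | str) -> list[str]:
    """Return policy findings for one principal's granted roles (assumed rules)."""
    eff = effective_roles(granted)
    findings: list[str] = []
    # Assumed separation of duties: whoever approves an IRQ must not also be
    # able to edit the third-party records under review.
    if PFX + "approver" in eff and "vendor_editor" in eff:
        findings.append("approver also holds vendor_editor")
    # Assumed boundary: an external vendor contact must not hold internal roles.
    if "snc_external" in eff:
        leaked = sorted(eff & INTERNAL_ROLES)
        if leaked:
            findings.append("external principal holds internal roles: " + ", ".join(leaked))
    return findings


if __name__ == "__main__":
    # Constructed sample principals, not real users.
    for name, roles in [("alice", [PFX + "approver"]),
                        ("bob", [PFX + "approver", "vendor_editor"]),
                        ("acme-contact", ["vendor_contact", "vendor_reader"])]:
        print(name, sorted(effective_roles(roles)), can_be_assigned(roles), audit(roles))
```

Because containment is transitive, granting contract_negotiator silently grants vendor_editor through vendor_assessor; running effective_roles over a proposed grant before applying it shows the full set a user will end up with, which is the check the least-privilege note in section 3.1 asks for.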
