Vendor Risk Management in ServiceNow

VRM is the process of ensuring that the use of service providers and suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. Risk and compliance management extends beyond internal systems and processes—third-party relationships must be included.

Why is Vendor Risk Management important? 

Due to trends toward specialization and outsourcing, modern companies are a mix of a massive number of interconnected relationships that go beyond organizational boundaries. Selecting the “best” vendors for your company is critical. Managing reputational risk, financial risk, and/or security risk can help to select the “best”. In today’s world, if one of your vendors makes a mistake, then the world views this as YOUR mistake. Vendor Risk Management assists in making this risk as low as possible.

Organizations often rely on third-party software vendors, outsourcers, consultants, subcontractors, partners, affiliates, distributors, resellers, and so on. While this allows companies to focus on their core competencies, it also creates challenges.

Vendor Risk Management in ServiceNow

Vendor Risk Management is the fourth application in ServiceNow’s GRC portfolio, following Policy and Compliance Management, Risk Management, and Audit Management. While VRM and the other GRC applications have strong synergies and work best together, VRM can also stand on its own. Vendor Risk Management and the other applications are underpinned by a common platform, with elements like a single database, workflow, notifications, and analytics. Underneath that is the ServiceNow cloud platform, which is secure, scalable, and multi-instance.

Key Terminology and Architecture

Before we go any further, take a moment to review the terminology used in the Vendor Risk Management application. Many of these terms are leveraged throughout organizations as they manage risk and compliance.

Vendor Risk Assessment

  • A vendor risk assessment (a.k.a. vendor risk review) helps an organization understand the risks that exist when using a vendor’s product or service. Performing a vendor risk assessment is especially critical when the vendor will be handling a core business function, will have access to customer data, or will be interacting with your customers.

Vendor Risk Issue

  • A vendor risk issue is created to document an issue and determine the necessary remediation.

Remediation

  • After an issue is identified and assessed, appropriate remediation can take place to mitigate or eliminate the issue.

Questionnaire Template

  • Questionnaire templates include a variety of question formats to obtain assessment-related data from a vendor.

Document Request Template

  • Document request templates include default questions to obtain documentation and supporting information. Additional questions may be added.

Assessment Template

  • Assessment templates combine questionnaire templates and/or document request templates. An assessment template is related to a vendor to create a unique vendor risk assessment for that specific vendor.

An assessment template is comprised of a questionnaire template and/or a document request template. The assessment template is then assigned to a vendor. Later you’ll learn how attributes of a vendor determine the type and frequency of the assessment template needed to conduct the vendor risk assessment.

Vendor Risk Assessment Template Equation

So how does it all fit together? Internal personas manage assessment templates and create and track issues in the ServiceNow instance. Members of the vendor organization use the vendor portal to respond to assessments, issues, and tasks, and to manage vendor contacts.

VRM Architecture

Vendor Portal

The vendor assessment portal, commonly referred to as the vendor portal, consolidates all communications between the vendor and the organization.

  • Assessments are shared via the vendor portal, and future assessments can be scheduled so that they appear in the vendor portal automatically.
  • The portal allows the vendor to communicate more easily with its different functional groups while tracking issues and tasks and attaching evidence.

Because Vendor Risk Management is cloud-based, like the rest of the ServiceNow applications, it resides outside the enterprise environment. Vendors communicate through the portal rather than being given access to internal systems, which allows communications with vendors to be conducted securely without creating new vulnerabilities in the enterprise.

Vendor Portal

Roles

The vendor risk function is comprised of several internal roles: a vendor risk manager, assessor, and reviewer. Each person plays an important role in managing vendor portfolios and vendor risk assessments.

The external vendor contacts also play a key role in the vendor risk assessment lifecycle. Vendor contacts use the vendor portal to access and respond to assessments, provide evidence, and respond to issues and tasks.

Each vendor has at least one primary contact, responsible for managing other contacts and assigning assessment and remediation tasks.

Roles

Once the Vendor Risk Management application has been installed, new roles are activated.

  • Internal users are assigned the role of snc_internal.
  • External users are assigned the role of snc_external.

When vendor contacts are created, they are automatically assigned the snc_external role, giving them access to resources related to the vendor portal. This process ensures strict division between external and internal users.
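The strict division between internal and external users only holds if no account ends up on both sides of it. The following is an added example, not ServiceNow code and not ServiceNow's scripting API: a small audit over a constructed list of accounts that reports any vendor contact that did not receive snc_external, or any account holding both snc_internal and snc_external, and an access decision that denies such conflicting accounts everything until the roles are cleaned up. The role names snc_internal and snc_external come from the page; the sample accounts, the vendorContact flag and the function names are assumptions made for this example.

```javascript
// Added example (not ServiceNow's own code or API): audit the
// internal/external role split. Only the role names snc_internal and
// snc_external come from the page; everything else is constructed.

const INTERNAL_ROLE = "snc_internal";
const EXTERNAL_ROLE = "snc_external";

// Constructed sample accounts (not real users). `vendorContact` marks an
// account that was created as a vendor contact and therefore should hold
// the external role and nothing on the internal side.
const sampleUsers = [
  { userName: "risk.manager", roles: [INTERNAL_ROLE], vendorContact: false },
  { userName: "acme.primary", roles: [EXTERNAL_ROLE], vendorContact: true },
  // misconfigured: a vendor contact that also holds the internal role
  { userName: "acme.second", roles: [EXTERNAL_ROLE, INTERNAL_ROLE], vendorContact: true },
  // misconfigured: a vendor contact that never received snc_external
  { userName: "acme.third", roles: [], vendorContact: true },
];

// Classify an account by which side of the division it sits on.
function classifyUser(user) {
  const internal = user.roles.includes(INTERNAL_ROLE);
  const external = user.roles.includes(EXTERNAL_ROLE);
  if (internal && external) return "conflict";
  if (internal) return "internal";
  if (external) return "external";
  return "unassigned";
}

// Return one finding per account that breaks the separation rule.
function findSeparationViolations(users) {
  const findings = [];
  for (const user of users) {
    const kind = classifyUser(user);
    if (kind === "conflict") {
      findings.push({
        userName: user.userName,
        reason: `holds both ${INTERNAL_ROLE} and ${EXTERNAL_ROLE}`,
      });
    } else if (user.vendorContact && kind !== "external") {
      findings.push({
        userName: user.userName,
        reason: `vendor contact not limited to ${EXTERNAL_ROLE} (has: ${user.roles.join(", ") || "none"})`,
      });
    }
  }
  return findings;
}

// Access decision: vendor-portal resources are for external accounts and
// everything else is for internal accounts. A conflicting account is
// denied on both sides until its roles are corrected.
function canAccess(user, resourceScope) {
  const kind = classifyUser(user);
  if (resourceScope === "vendor_portal") return kind === "external";
  return kind === "internal";
}

// Run the audit over the constructed accounts.
for (const finding of findSeparationViolations(sampleUsers)) {
  console.log(`${finding.userName}: ${finding.reason}`);
}
```

Run on the constructed list, the audit reports acme.second (both roles) and acme.third (no external role); the two correctly provisioned accounts produce no findings. In a real deployment the same check would be run against the instance's user and role assignments on a schedule, so that a contact who is later granted an internal role is caught rather than silently gaining access to both sides.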

Roles and description