Gone are the days when enterprises could afford to build a firewall around their kingdom to keep attackers out and all data in.  The perimeter has become porous, and the enterprise has learned to rely on partners, suppliers, and outsourcers to stay competitive in a global economy.  There's nothing wrong with that, except for one fact: you can outsource your business functions, but not your liability.


Whether it's a supplier still running unsupported Windows XP machines or a partner who doesn't maintain appropriate policies for secure access, if an attacker uses that third party to gain entry into your enterprise, it's you who will suffer the data loss, the damaged reputation, and the financial penalties for non-compliance.  That's why every enterprise should have a vendor risk management program.


If you do have a program in place, you're already ahead of the competition.  However, it should be evaluated on a regular basis.  We find many enterprises have programs that are very manual, relying heavily on email, Excel, phone calls, and SharePoint to catalog vendors, deliver assessments, and track issues.  These tools don't facilitate cross-functional collaboration, and they don't consolidate communications for reporting or for subsequent use as evidence during an audit.  Such a program also leaves room for human error, drains resources, and increases costs.


It was this challenge that prompted us to introduce Vendor Risk Management in the Jakarta release.  It's the fourth application in the Governance, Risk, and Compliance (GRC) portfolio, and it breaks down the boundaries of your extended enterprise so you can assess your vendors the same way you assess your internal organization.


Vendor Risk Management allows you to create a comprehensive third-party risk process through automation and a deep connection to the ServiceNow platform.  It defines and streamlines the process end to end: from the initial point of receiving a request, through determining the vendor's inherent risk, to continuously monitoring the relationship, and ultimately retiring the vendor.


[Figure: circular VRM process diagram]

Vendor Risk accomplishes this by focusing on five key capabilities:

  • Vendor Portfolio. This is your database of vendors and vendor information. It includes the vendor contacts you interact with, the business services each vendor fulfills, and other general vendor information. It uses the existing Company table within ServiceNow, so if you already have vendor information in the platform, say from an asset discovery service, it is automatically available to Vendor Risk Management. You can also integrate Vendor Risk Management with your existing supplier management systems.
  • Assessment Management. You can create templates for your assessments and vary their content and recurrence interval based on the risk tier of each vendor. You can build proprietary questionnaires with the visual designer or use the built-in Shared Assessments SIG questionnaire. Assessment responses are scored automatically using a hierarchical weighted scoring framework whose weights and thresholds you can customize.
  • Issues and Remediation. As you review assessment responses, you can create issues, review them with subject matter experts, design remediation plans, and share them with vendors for closure.
  • Vendor Portal. Here's where we pull you out of email and spreadsheets. All vendor interaction and communication is centralized in a vendor portal, which gives every vendor stakeholder visibility into what needs to get done, by when, who owns it, and what its status is.
  • GRC Integration. The Vendor Risk Management application integrates with the other applications in the GRC portfolio. You can associate your policy statements with questions in a questionnaire, and the responses then mark vendors as compliant or non-compliant. This gives you top-down traceability from an authority document to the specific question answered by a specific vendor. Non-compliant controls automatically adjust the residual risk score associated with that vendor, which then rolls up into the IT and operational risk picture across your organization.


ServiceNow Vendor Risk Management lets you monitor, prioritize, and automate response to third-party risk, so you can:

  • Control your risk exposure with continuous monitoring
    • A single solution that both captures the monitoring data and reports on it, so you detect vendor changes as they happen rather than at the next annual assessment, at scale.
  • Prioritize and respond to critical risks with a unified Vendor Risk program
    • Cross-functional visibility through a single platform and an asset-centric approach, delivering risk scoring and collaboration that drives critical risks to closure.
  • Slash your unstructured work burden through consistent workflows and automation
    • Automated processes and consistent workflows across your vendor ecosystem, built on a unified system of engagement with cross-functional process integration and links to other ServiceNow and partner solutions.


All enterprises should have a vendor risk program to reduce their risk exposure.  However, not all programs are created equal.  To get the visibility you need, and the time to approach vendor risk proactively rather than reactively, you need an automated, actionable, and unified program such as ServiceNow Vendor Risk Management.


Read the solution brief or contact your ServiceNow representative or partner for more information about Vendor Risk Management.


Learn more about the ServiceNow GRC portfolio at www.servicenow.com/grc