
Vendor Risk Management Overview

Why vendor risk?


Organizations do not operate in isolation; their success depends on a complex network of third-party relationships. A third party
can be any individual or entity that is not a direct employee and that provides a product or service to, or on behalf of, the sourcing
organization.

[Figure: the Organization at the center of its third-party network. Labels shown: Outsourced Support, Certification bodies, Licensing, Call center, Labs, Prime Brokers/Custodians, Customer support, Transfer Agents, Inventory planning, Data Providers, R&D, Shipping, Office products, Logistics, Core Service Providers, Waste disposal, Suppliers, Operational Support, Cleaning, Fourth parties, Brokers/Agents, Facilities, Joint ventures, Contract manufacturing, Sourcing, Recruiting, Customers, Benefits providers, Marketing, Payroll processing, Infrastructure and application support, Legal & Compliance, Human Resources, Hosted vendor solutions, Disaster Recovery, Technology, Insurance, Advertising agency, Licensed vendor solutions, Hardware lease, Media and sales.]

Vendor Risk Management - OOB Service Now
Here is a high-level demo scenario:

[Figure: Vendor Portfolio, Vendor Tiering, Assessment Management, Vendor Issues & Task, Vendor Portal.]

Vendor Engagement – Case Study

[Figure: vendor engagement process flow for a HealthCare Institution and Ventilator Equipment. Numbered steps shown: 1 New or Existing, 2 Associate IOT Assets, 3 Vendor Selection, 4 Create Vendor Profile, 5 Vendor Engagement Process. Other labels shown: Create Vendor Engagement, Assign BO & VRM, Vendor Tiering Assessment, Draft Engagement, Business Risk Assessment, Internal Assessment, Engagement Score Rating, Initiate IRA, Inherent Rating, Initial Risk Assessment, Assess Due Diligence, Scope of Applicability Matrix, Contract Negotiation, Finalizing Contract, Onboarding Process, Ongoing monitoring phase, Vendor Portal, Issues and tasks with Vendor, Automated, Manual. Engagement states shown: New, Complete, Terminated, Cancelled/Closed.]


Use Case Group: IoT Based Asset and Resource Monitoring and Management Companies

Description: Streamline vendor risk management through ServiceNow Vendor Risk Management enhanced and customized capabilities, and bring in effective measures for onboarding and monitoring processes.

VRM Demo Scenario – Internal Tiering Assessment
The vendor tier is derived from the tiering assessment score using a pre-defined scale. The standard tiers are None, Critical, High, Moderate,
Low, and Minor. Each tier has different assessment questions and document requests associated with it:

[Figure: Assessment Workflow. Steps shown: Create Vendor Portfolio; Assign tiering questionnaire template; Assign Internal Assessor; Create Assessment Instance; Conduct Assessment; decision "Change in Tier?" (Yes: Create New Risk Assessment).]

VRM Demo Scenario – Vendor Risk Assessment
Here is a high-level demo scenario for an end-to-end assessment record:

[Figure: vendor risk assessment flow. Steps shown: Define a repeating assessment; Launch an adhoc assessment; Create vendor risk assessment; Configure Assessment (Questionnaire, Document Request); Take Assessment (Vendor Portal); Review Responses; Generate Observations (Issues, Tasks, Follow Up); Work on Issues; decision "Re-open?" (Yes); Close Assessment.]

VRM in ServiceNow

Vendor Risk Management Framework

Modules and Sub-Modules

Vendors: All Vendors; Vendor Contacts
Tiering Assessments: My Open Tiering Assessments; All Tiering Assessments; All Open Tiering Assessments
Assessments: My Open Assessments; All Open Assessments; Repeating Assessments; Vendor Responses Due
Tiering Setup: Tiering Questionnaire Template; Default Vendor Tiering Scale
Security Score Setup: Providers; Scores
Assessment Submission Rules: Tier Based Submission; Role Based Submission
Tasks: Create New; My Open; All Open; All Issues
Assessment Setup: Assessment Templates; Questionnaire Templates; Document Request Template; Default Risk Rating Scale; Business Service Rating Scale
Issues: Create New; My Open; All Open; All Issues

Other labels shown in the figure: Vendor risk ratings and scoring calculations; Vendor tiering scale and scoring calculations; Vendor Tiering Assessments; Third Party Security Scores; Vendor Risk Assessments; Repeating Vendor Assessments.

Roles and Responsibilities
Below are the roles and responsibilities installed with Vendor Risk Management:

Role Title: Business Owner
Responsibilities: Manages vendor risk assessments and completes vendor risk assessment requests.
Roles:
• sn_vdr_risk_asmt.vendor_assessment_reviewer
• vendor_editor
• vendor_reader
• compliance reader

Role Title: Vendor risk manager
Responsibilities: Manages vendors, manages vendor contacts, manages vendor assessment templates, manages questionnaire templates, manages documentation request templates, and manages scheduled assessments.
Roles:
• assessment_admin
• sn_vdr_risk_asmt.vendor_assessment_reviewer
• sn_vdr_risk_asmt.vendor_assessor

Role Title: Assessor
Responsibilities: Manages vendor risk assessments if assigned by Business Owner and completes vendor risk assessment requests.
Roles:
• sn_compliance.reader
• sn_risk.reader
• vendor reader
• task editor

Role Title: Vendor contact
Responsibilities: Answers questionnaires regarding risk. Primary contacts can also manage other contacts for the vendor.
Roles:
• snc_external
