Vendor Risk Overview Demo
Hello, I'd like to talk to you about Vendor Risk Management, one of the four applications illustrated here. It begins with internally tiering your vendors to determine the type and frequency of risk assessments to distribute. Findings are generated, issues are created, and unsatisfactory questionnaires are returned to the vendor for remediation. This cycle continues until the assessment is closed, at which time a risk score is generated for reporting purposes. With continuous monitoring you can stay on top of changes, increase performance, and ultimately protect your company from unnecessary risks.

Let's jump ahead to what your vendors see. This is the vendor portal, where we take you out of email and consolidate all communication and collaboration. Vendors can manage their teams and address issues all in one place.

Now let's go back and talk about how we got here. The dynamic risk dashboard is the best place to get an overview of your vendor risk program. Dashboards show you the state of the vendors you do business with: easily see which vendors are processing assessments, the risk across your vendor ecosystem, and much more. View the status of vendor issues and get visibility into your assessment plans so you can proactively plan for upcoming workloads. Continuously monitor using security score ratings to help detect risks in the vendor ecosystem, then assess, mitigate, and remediate them all in one platform. Note the three vendors with past tiering assessments and the two vendors with a moderate risk rating. Dashboards are customized to show any information available in the platform, making them perfect for communicating compliance or providing status to other departments and upper management. Reports can be scheduled or run on demand.

Let's click on Vendors and select Work Faster from our vendor catalog to look at the vendor record. With out-of-the-box capabilities you can easily import vendors into this list or integrate with vendor management systems. You can see the standard information on this vendor record: this is an active vendor, the risk rating is low, the risk tier is tactical supplier, and the vendor tier has not yet been calculated. You can also identify your vendor managers and business owners. You can see the vendor contacts, which the vendor can modify through the portal. If you've used ServiceNow IT Operations Management for service mapping or asset discovery to add vendor information into the Now Platform CMDB, those vendor services automatically populate along with the business owners.

It's a best practice to assess your vendors on a regular basis; automating ad hoc and repeating assessments helps achieve that. If you're using the GRC module, vendor controls can be mapped to a questionnaire response. For example, if the vendor answers no to multi-factor authentication, this control would fail and you would see their non-compliance on the policy dashboard. Risks could be generated based on this failure, such as the risk of the vendor exposing sensitive information because of the lack of security. Other risks could be the vendor being unable to deliver high-quality services, impacting the business. The ability to automate cross-functional GRC processes based on vendor issues and real-time changes in your vendor risk posture allows you to more quickly identify and respond to risks.

Now let's select Tiering Assessments. Adam has assigned this to himself as the vendor risk manager, selected the vendor Work Faster, and given it a name. You'll notice the vendor tier is blank. He also selected the assessors: Barbara is a contract manager and Abel is a risk manager. He's already added the basic tiering questionnaire template, which is provided with the product; if he had more questionnaire or document request templates, he could add them all. Once the tiering assessment is complete, Adam can manually send the appropriate vendor risk assessment out to Work Faster, or he could automate sending the vendor risk assessment using submission rules. Selecting tier-based submission, you can see the various rules previously set up. Looking at the High submission rule, you can see that when the vendor gets assigned High, the High-Risk Vendor Risk Assessment template will be used. By checking the box Auto Submit to Vendor, Adam can automate the process of submitting the risk assessment to the vendor as soon as the assessment is closed.

Let's take a quick look at the basic tiering questionnaire template. It has three different sections. For the purpose of the demo, the contract manager role has been assigned to the first section, the second section has no roles assigned so anyone can answer the questions, and the risk manager is assigned to the third section. Let's submit this tiering assessment for completion by the tiering assessors, Abel and Barbara. You can see the message at the top of the screen that shows the tiering questionnaire has been sent.

Let's log in as Barbara. When she selects My Assessments and Surveys she can see the assessment that was just sent. Because she is a contract manager, she sees the first section from the questionnaire that was assigned to her specifically, and the second section that did not have any roles assigned, so she will complete that also. Questionnaires for GRC assessments are built using the drag-and-drop survey designer; drop-down lists can have customized response options, and you can create dependent questions, visible based on the answer to a previous question. We filled this out as if this were a strategic vendor that has access to sensitive information. Now let's log in as Abel, who is a risk manager, and open the same assessment. In the questionnaire he also sees the common section that had no roles assigned to it, and he sees the third section that was specifically assigned to him. Again, we filled this out as if this were a strategic vendor that requires us to satisfy many federal, industry, and regionally specific regulations.

Let's log back in as Adam, the vendor risk manager, and review the responses from Abel and Barbara. You can see the vendor tier is now set to High. The assessment instances each show a score of 70, which also averages out to 70; this falls in the High tier range. Remember, this is not the actual risk posed by the vendor; it is the tier the vendor is placed in based on access to sensitive information or importance to the business. Adam can edit the ranges to meet his organizational guidelines, and he can have a different scale for each assessment. Because of the tier-based submission rule, when we go back and close out the tiering assessment, the High-Risk Vendor Risk Assessment will go out to the vendor; you can see the message at the top of the screen. The dashboard now shows there are four vendors that have performed tiering assessments and two vendors that are currently performing a risk assessment, one of which is based on the tiering assessment.

Let's bring up the vendor portal. The vendor portal now shows a new assessment that was automatically generated based on a tiering change, in this case an initial tiering. We've embedded and licensed the entire SIG questionnaire and made it backwards compatible. As the message at the top of the screen shows, Work Faster entered a previous version; the import parses the entire spreadsheet and fills in all the questions. You can see the additional questions that were added in the latest version. This increases accuracy and improves efficiency. We're going to select No for questions 71 and 72; those should really be answered Yes. Going to the SOC 1 document request, we are going to select No again; this should be Yes. The status bars show you how far your team has gotten in addressing the various questionnaires and document templates. The vendor can manage his own team: Alex, as the primary vendor contact, can assign additional Work Faster personnel to complete the various portions of the assessment. Standard vendor contacts can only assess items they are assigned. Assigning multiple people to a section allows functional groups to better collaborate. Let's attach the SOC 2 report and submit the assessment. If Alex hasn't completed the assessment, he must confirm his intention to submit. To set expectations, note the expected response date and the assurance that the assessment has been submitted.

Bringing up Adam's customer view, you can see by the numbers reverting back to zero and one that the risk assessment has been submitted. If we drill back down into the automated assessment for Work Faster, you can see the risk rating is set to High. Adam can easily view the progress of Work Faster even before they submit the response; this will show percent complete, taking the guesswork out of how far along the vendor is in the assessment. Automatic reminders are sent when the deadline is approaching. Automated scoring of assessment responses uses the robust hierarchical weighted scoring framework, which is fully configurable. Adam can drill into the questionnaire; let's select the SIG Lite questionnaire. During the review Adam can filter responses to focus where action is needed and flag questions for follow-up. Adding internal and external comments with a vendor helps reduce the back-and-forth necessary with email. Anyone wanting to see status can filter using the Show Follow-up check box to see just those checked questions. By checking the Include This Question When Creating an Issue box, Adam can easily consolidate many questions under one issue; use the Create Issue button at the top to manually generate an issue. Because we have questions that still must be addressed, Adam is going to return this questionnaire to the vendor after adding a comment to help clarify and speed response. Adam can see the questionnaire marked as Returned.

Issues can also be generated automatically based on an insufficient or incorrect response. Let's click on Issue Generation Rules. Adam is going to modify an existing rule: he wants an issue generated if the SOC 1 report was not provided by the vendor. If this questionnaire template had multiple questions and he wanted an issue created if any of them were a problem, he could select all the questions at this time. Now let's go back to the assessment. By selecting Generate Observations, the system invokes the issue generation rules, and you can see here it generates an issue; we know it's based on the lack of a SOC 1 report. The high risk rating seen above was due to the high risk calculated for the SOC 1 document request, essentially the lack of a report. Adam is going to create a task before he reviews and submits the issues to the vendor. Once submitted, the vendor will see this on his portal. Issues and tasks are created in real time, before the assessment is closed. We're marking these with the recommendation of Vendor to Remediate. If we were to mark it as Accept, the assumption is we would be creating an exception for this non-compliance; controls that are accepted remain in a non-compliant state until the control is reassessed. In this way the issue can be used to document observations during audits. Here you can see the two questions from the SIG Lite that Adam selected when he created the issue. Finally, Adam returns the SOC 1 document request to Work Faster.

On the vendor portal, Alex will update question number 71 on the SIG Lite; he doesn't need to address every question to resubmit. Under Issues you can see the real-time communication stream used between the vendor risk manager and the vendor to achieve closure on non-compliance. The message that Alex just typed will already be visible for Adam to see in his view. You can see the message that Adam sent to Alex under Tasks; Alex could respond if he needed clarification. Let's go add the SOC 1 report. Once saved, you can see on the portal that the progress has changed. Now Alex can resubmit. Back in Adam's view, Adam can see that the vendor has responded with their SOC 1 report and the risk rating has gone down to just Moderate. He can look under Issues to see the communication thread. Adam can add work notes to himself or make comments visible to Alex and Work Faster. Back on the vendor portal, Alex can see Adam's response to his questions. This will continue until Adam finalizes with the vendor and closes the assessment.

Now that we've gone through the process you can see the lifecycle, and we show one additional vendor in the moderate risk range. Alex sees the assessment has been closed. Accurately tiering, continuously monitoring, and properly assessing your vendors reduces your risk of a breach or non-compliance. If you'd like to learn more, please visit the product page on ServiceNow.com.
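The demo narrates four mechanisms without showing how they fit together: hierarchical weighted scoring of assessor instances, averaging those instances into a configurable vendor tier, a tier-based submission rule that picks the risk assessment template, and issue generation rules that fire on bad responses (here, a missing SOC 1 report). The following is an added worked model of that flow written for this page; it is not ServiceNow code, and the section weights, point values, tier thresholds, template names and rule names are assumptions chosen so that the numbers reproduce the demo (two tiering instances scoring 70, a High tier, a High risk rating that drops to Moderate once the SOC 1 report is supplied).

```python
"""Added illustration of tiering -> tier-based submission -> scoring -> issue
generation, as narrated in the demo. Not ServiceNow code: all weights, point
values, thresholds and names below are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Question:
    qid: str
    weight: float
    points: Dict[str, int]  # response option -> points, 0..100


@dataclass(frozen=True)
class Section:
    name: str
    weight: float
    questions: List[Question]


def score_questionnaire(sections: List[Section], answers: Dict[str, str]) -> float:
    """Hierarchical weighted score: each section is the weighted mean of the
    questions answered in it, and the questionnaire is the weighted mean of the
    scored sections. A section with no answers (one the assessor was not
    assigned) is skipped rather than counted as zero (assumption)."""
    scored: List[Tuple[float, float]] = []
    for sec in sections:
        num = den = 0.0
        for q in sec.questions:
            if q.qid in answers:
                num += q.weight * q.points[answers[q.qid]]
                den += q.weight
        if den:
            scored.append((sec.weight, num / den))
    total_w = sum(w for w, _ in scored)
    return sum(w * s for w, s in scored) / total_w if total_w else 0.0


# Tier thresholds (editable per assessment): tier = highest lower bound <= average.
TIER_THRESHOLDS = [("Low", 0.0), ("Moderate", 40.0), ("High", 70.0)]


def vendor_tier(instance_scores: List[float], thresholds=TIER_THRESHOLDS) -> Tuple[float, str]:
    avg = sum(instance_scores) / len(instance_scores)
    tier = max((t for t in thresholds if t[1] <= avg), key=lambda t: t[1])[0]
    return avg, tier


# Tier-based submission rules: tier -> (assessment template, auto-submit on close?)
SUBMISSION_RULES = {
    "High": ("High-Risk Vendor Risk Assessment", True),
    "Moderate": ("Standard Vendor Risk Assessment", True),
    "Low": ("Lightweight Vendor Risk Assessment", False),
}


def on_tiering_closed(tier: str, rules=SUBMISSION_RULES) -> Optional[str]:
    """Template sent automatically when the tiering assessment closes, or None
    when the rule leaves submission to the vendor risk manager."""
    template, auto = rules[tier]
    return template if auto else None


@dataclass(frozen=True)
class IssueRule:
    name: str
    qids: Tuple[str, ...]  # several questions consolidate into one issue
    bad: frozenset

    def evaluate(self, answers: Dict[str, str]) -> Optional[str]:
        hits = [q for q in self.qids if answers.get(q) in self.bad]
        return f"{self.name}: {', '.join(hits)}" if hits else None


def generate_observations(rules: List[IssueRule], answers: Dict[str, str]) -> List[str]:
    return [issue for r in rules if (issue := r.evaluate(answers))]


def risk_rating(score: float) -> str:
    # Compliance score is the inverse of risk: a low score means high risk.
    return "High" if score < 40 else "Moderate" if score < 70 else "Low"


# --- Constructed data mirroring the demo (assumed questions and answers) ------
YN = {"Yes": 100, "No": 0}
TIERING = [
    Section("Contract", 3, [Question("strategic", 1, YN), Question("over_1m", 1, YN)]),
    Section("General", 2, [Question("sensitive_data", 1, YN)]),
    Section("Risk", 3, [Question("regulated", 1, YN),
                        Question("impact", 1, {"High": 100, "Medium": 50, "Low": 0})]),
]
BARBARA = {"strategic": "Yes", "over_1m": "No", "sensitive_data": "Yes"}  # sections 1+2
ABEL = {"sensitive_data": "Yes", "regulated": "Yes", "impact": "Low"}       # sections 2+3
RISK_ASSESSMENT = [
    Section("SIG Lite", 2, [Question("q71", 1, YN), Question("q72", 1, YN)]),
    Section("SOC 1 document request", 1, [Question("soc1_provided", 1, YN)]),
]
ISSUE_RULES = [
    IssueRule("SOC 1 report not provided", ("soc1_provided",), frozenset({"No"})),
    IssueRule("SIG Lite control gaps", ("q71", "q72"), frozenset({"No"})),
]
INITIAL = {"q71": "No", "q72": "No", "soc1_provided": "No"}
REMEDIATED = {"q71": "Yes", "q72": "No", "soc1_provided": "Yes"}  # q72 left open


def run_demo() -> dict:
    scores = [score_questionnaire(TIERING, a) for a in (BARBARA, ABEL)]
    _, tier = vendor_tier(scores)
    before = score_questionnaire(RISK_ASSESSMENT, INITIAL)
    after = score_questionnaire(RISK_ASSESSMENT, REMEDIATED)
    return {"instance_scores": scores, "tier": tier, "auto_template": on_tiering_closed(tier),
            "rating_before": risk_rating(before), "issues_before": generate_observations(ISSUE_RULES, INITIAL),
            "rating_after": risk_rating(after), "issues_after": generate_observations(ISSUE_RULES, REMEDIATED)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting. Skipping unanswered sections is what makes each assessor's instance a fair score of only the sections they were assigned; scoring them as zero would drag a partially assigned assessor down and could silently move the vendor into a lower tier. And the issue rule over several questions returns one consolidated issue that still fires after partial remediation, which is the behaviour the demo relies on when Alex resubmits after fixing only question 71.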
https://www.youtube.com/watch?v=LCQGomc_Hsw