
NJP

7/9 Ask the Experts: Discover new enhancements for Vendor Risk Management

Import · Jul 09, 2020 · video

All right, well, welcome everybody to another Ask the Experts event. We're excited to have you all here today. Just as a reminder, this is being recorded and it will be available on the community link that I provided in the chat. So with that, let's go. Take it away.

Perfect. Hello, and good morning, afternoon or evening, depending on where and when you're joining us today. My name is Jackie oh well, I'm on the risk team here at ServiceNow, and I'm joined by my colleague Jorge Garcia to talk a little bit more about our new enhancements on the vendor risk management product that we launched here at ServiceNow in the June release on the store. We're going to talk through some of those enhancements, and then Jorge will actually be going through a live demo of the product. So as I just mentioned, we were really excited in June to launch some new GRC applications on the store, including an updated version of our vendor risk management product, which is the focus today. But this is just one of the events that we're planning for the summer. We have another event coming up on July 16th, an Ask the Experts webinar on our policy compliance and dashboards. This will cover policy exceptions for vulnerability items and our security operations vulnerability response application, which is something that we've heard a lot of Jimmy enforce, so definitely excited to get to that. We also have some enhancements to our ServiceNow dashboards for application owners and CIOs. We've built these dashboards to showcase some of the information that is really important to these roles, and, you know, it's still possible to create your own dashboards, but it'll definitely be nice to have these out of the box. So make sure that you mark your calendars for July 16th at 10 a.m.
Pacific time as we cover these updates. And if you missed it, we had our first Ask the Experts webinar on June 22nd, where we spoke about some of our advanced risk capabilities. About a year ago we released our advanced risk engine, and we've now released some enhancements to that, including the ability to assess any object, automate collection of responses to assessments to save you time, and we also added risk events to different applications so that you can report risk events from whatever application you're in. So...

Hey, I'll interrupt you for just a moment. We have one of our attendees telling us that they're not able to hear any audio, so I am asking all of our attendees today to let us know, if you could throw that in the chat or the Q&A, let us know: are you able to hear us? If not, it might be... OK, great. OK, all right, we have some. So the person who said that the audio is no good, please check your volume. Thank you, and I'm sorry to interrupt.

No worries, glad to check that. So make sure that you go on our YouTube channel, the ServiceNow Community YouTube channel, or ServiceNow Community, to check out that webinar that was pre-recorded from June 22nd. But that brings us to today, our webinar on vendor risk management. This is one that we're really excited about. We made some really exciting enhancements to our product in our June release in the store, and especially in our current environment, vendor risk management is becoming more important than ever as we adapt to our new normal ways of working and build resilience as we go back to work. There are three main enhancements that we'll focus on today. The first: new vendor hierarchies enable you to manage more complex vendor relationships seamlessly. Vendor engagements: adding vendor engagements allows you to break risks down to specific products and services provided by a vendor. And also risk areas: you can measure things like financial risk, reputational risk and security risk, which help you pinpoint where your risk might be
coming from. I'm really excited to have Jorge Garcia with us today to give us a live demo of the product and these enhancements and how they can help you improve your resilience and risk posture. So without further ado, I'd love to turn it over to Jorge to take us through it.

All right, thanks Jackie. So just let me know if you can see my screen, Jackie.

Yes, I can see it.

OK, awesome. So before I go into the demo, it's kind of a hybrid of slides and demo, but I do want to stay on this slide and the features that Jackie spoke about, just to make a distinction as to what they are, because there is some misconception about what a vendor hierarchy is and vendor engagements, right? Because they are very, very similar, but different enough that we've had to model them differently in our solution. With vendor hierarchy we're dealing primarily with legal entities, and so if you have an organization that has subsidiaries or sub-subsidiaries, you would use the vendor hierarchy to map out what those organizations are from a legal entity perspective. What we can use vendor engagements for is to manage and assess the product, the service. Oftentimes you can use engagements to map out different geographies, and so you may have a data center based out of EMEA that has certain privacy regulations that govern it, versus a data center offered by the same exact vendor, using the same technology, maybe even the same name, but it's being hosted somewhere else besides EMEA, with again different regulations that govern that. So that is the distinction between a vendor hierarchy and a vendor engagement, and when we go through the demo I think we'll be able to see that a little bit better. Then finally, vendor risk areas, which is just the ability to assess either level 1 or level 2 risk, but you can go as granular as you wish because it is highly configurable, and so it's not hard-coded vendor risk areas or risk domains that we've introduced. So that said, when we talk about
vendor capabilities today, today we have the ability to assign contacts, tie it back to business services to provide business context, perform both tiering and regular assessments, and then go through an issue resolution process, remediation process. What we've done when we created this engagement model is that we essentially cloned the vendor capabilities to do the same things at the engagement level. So when we go through the demo I'll show you what the difference is between a contact assigned at the engagement level versus the vendor level, because it does have some repercussions on the vendor portal. But you can also tie it to business services, you can perform tiering assessments, because the level of data handled at the engagement level perhaps was not something that you accounted for when you did your tiering assessment at the vendor level, and then you can assess these engagements and go through the remediation process.

Because we've introduced engagements and the vendor hierarchy, the vendor would change, where they would now have child vendors or subsidiaries underneath it. Our vendor hierarchy is configurable in the sense that you can go as many levels down on any of the branches as you wish, but you'll also have engagements, right? So that is the difference between the vendor record before the June release. Because we've introduced child vendors and engagements, that means that we will now be able to score risk differently. I'm just closing a couple in this year that are in my way. But what we're doing now is we're introducing these three things as scoring factors into the vendor risk rating. Assessments is the way that we've done things historically, by performing assessments at the vendor level, but now we can perform assessments at the engagements level, meaning that the risk calculation engine gives us the capability to aggregate and roll that risk up, and I'll walk you through that in the slide and the demo. And then you can assess risk for each
individual subsidiary or child vendor, and then you determine the weight and the scoring method of each, and I'll go again in detail in the next slide, of these three factors to calculate your vendor risk rating. And so that is the difference between the way that risk was calculated prior to the June release and how it's going to be calculated with the introduction of engagements and vendor hierarchy.

So in this slide I'll walk you through the risk calculation engine, show you how engagements, vendor risk areas and vendor hierarchy are all shown and rolled up and aggregated together in our configurable risk engine, and I'll also kind of shift between the slides and the demo version to show you what these new things look like. So the risk scoring really revolves around the rules that you specify, and the rules have three things that will help you essentially calculate risk based on the vendor population or subsets of your vendor population. The first component of it is the vendor filter, and with the vendor filter what we're looking at is attributes about the vendor in order to scope out the rule, right? So the rule will specify what things need to be done, right? How are we going to weigh engagements, what is the weight of security risk versus financial risk. But the first step is really scoping it out against either your entire vendor population or, again, using attributes about the vendor. You can create these rules to map out, for instance, if you have a company headquartered in the US, then you'll have a rule specifically for that one, but even if that company changes their headquarter location to somewhere else besides the US, you may have another rule that captures those, right? So these are dynamic in nature, where based on attributes they would be applicable to subsets of your vendor population.

The second thing is risk area criteria. So the first thing that we can do with risk areas is that we can define our own, so there's
based on the literature or the program that you have, you may either have a series of level 1 risks, four here shown in this slide, but you may include geopolitical, you may include reputational risk, so really you can create any risk area or risk domain that you assess in your current program. The other option that you have is, we have customers that focus primarily on security and privacy risk, and so what they do is they go a level deeper from the level 1 risk and map out security risk broken down by cloud security versus on-prem security versus physical security, for example, and they ask questions related to those three risk areas, and then they roll it up to showcase the overall vendor risk rating, but with an understanding and visibility of what those three security-related risk areas look like.

Once you've defined your risk areas, then we get into the rule itself, which is using the risk area criteria, and what we've done here is that you have the ability to group risk areas based on attributes about the vendor, like I said. And so for instance, if we wanted to create a risk area criteria for our consulting vendors, we would perhaps care about these four, right? And this is just an example. You can specify the average, meaning if I have three assessments all tied to the security risk area, then I would take the average of the three, versus financial, where I can have as many as, you know, ten or twenty assessments and I would take the maximum value, right, or the worst-case scenario, and in this case give it the weight. So for my consulting firms, what I really care about is the legal risk that they pose, and second is financial, and then security and resiliency. What I can also do is I can create a risk area criteria specifically for raw materials providers, and in this case I still care about resiliency, just like I did for consulting firms, but I have given it a higher weight. But now I am also assessing them not for legal, financial and security, but rather for health, safety and
environmental risk, as well as for labor law violations, and they both have the same weight. So how do we use the risk area criterias? We use them when we perform a risk assessment for this particular vendor, and so we'll use the risk area criteria to calculate the score of the assessment. We'll be able to see the scores broken down by risk areas, which will calculate a risk score based on the weights, and I'll show you that in just a few minutes. And the second place is that we will use them to calculate engagement records as well.

So that's it. Let me pivot back over into the platform here. What I'm looking at now is a list of all of my vendors. I'm going to go ahead and click on VAS Corporation, which is one of our demo records here. The first thing that you'll notice is that the system notifies you, lets you know, which rule is being applied to this particular record, and in this case it's a strategic partner rule, perhaps based on the fact that I'm using the rank tier field to group, sorry, all of my vendors into that rule. If I scroll down, I'll first focus on the risk assessment, so I will click on this one that has been closed, and what you'll see here is that we've introduced this risk scoring tab, right? So before we would just have this risk rating that allows you to understand what your risk was, but now we've added a method in which you see your computed risk rating, but you have the ability to override it based either on issues or anything else that you've seen or know about that particular vendor as you're going through the assessment process. So in this case I've chosen to override this moderate risk rating to high, and that's what is shown here. However, what I really want to focus on is, if I scroll down, I see four questionnaires being performed, and at the questionnaire level I see that each questionnaire has a vendor risk area associated to it. So if I wanted to ask a security questionnaire, then I
would tie it to the security vendor risk area that I can define. And so, as I said, these are configurable. You can add whichever level one or level two risk or level three risk based on your program, and then you tie them back to a questionnaire, so that when you're asking those questions to the vendor you're keeping them in the theme so that we can score them appropriately. What I can see is that these responses have been received. I can see the risk rating associated with each questionnaire, and in the case where you had multiple questionnaires tied to financial risk, for example, and you had some document requests, which in this case I don't, we also have this tab, vendor risk areas, which gives you a summary of all of the activities that were performed at the assessment level broken down by vendor risk area. In this case I can see that I only have one object tied to each vendor risk area, which is one of these four questionnaires. What the vendor risk area tab shows you, however, as an end user, is what has been determined by the organization in terms of what should I care about when I look at one of these strategic partners, right? And in this case I can see that financial risk has a weight of 35 and they've all been defined as average risk, right? So if I have multiple objects then I would take the average. But in this case financial risk has a weight of 35 and resiliency has a weight of 5, and so despite resiliency risk having a high risk rating, we do a weighted average, which is why it comes out to moderate. So our risk rating is, again, a weighted average based on all of these four different risk areas that we've identified, and it comes out as moderate.

What I'll do now is I'll go back to the vendor record and I'll click on this new risk scoring tab as well, and what I can see now is that my assessment risk rating, based on the one risk assessment that has been closed, is high, and so we provide a summary here within the risk scoring tab. So far we've only seen the assessment risk
rating. What I'll do now is we'll check the vendor engagements, which is a new object in ServiceNow in vendor risk management, but I'll just click on this first one. The intent of this first kind of iteration was to make it look and feel much like a vendor record, and so here I see the name of the engagement, the vendor that it's associated to, and some attributes that we gathered, just based on customer feedback, that were important, but this can obviously be easily extended to include additional attributes. If I scroll down here and I focus on the related list, then I can see that I have the ability to associate engagement contacts, tie it back to business services, and essentially do the same things that I can do for an assessment. Now when I click on an assessment, the assessment record will show me whether it applies to an engagement or to a vendor, and so we're using the same vendor risk assessment engine, we're using the same issues engine, we're using the same task engine. What we've added is this field to determine whether this vendor risk assessment is targeting a vendor record or it's targeting an engagement record, and if it's targeting an engagement record, then we would see this field here as a dropdown, where automatically, if I select a new assessment, it would populate this, but if I was creating a new assessment from scratch then I'd have to fill out these fields.

Now I'll go back here just to focus on the engagement contacts. What I've done here is I've assigned Francisco as an engagement contact specifically to the crude oil engagement. Now, because Francisco is also a vendor contact, he may have visibility into what is happening at the VAS Corporation level, but he has been assigned as a primary contact for crude oil, and that means that he'll have different responsibilities. So what I'll do now is I will impersonate a vendor contact and walk you through what changed from a vendor portal perspective. So I'll click on impersonate a vendor contact, Alex
Newton. I will go into the vendor portal, and let me just... And so here I see that because I'm logged in as Alex Newton I have visibility into every single engagement and assessment, issue and task associated to each engagement, because I'm the primary vendor contact. If I was to log in as Kevin Dolan, then I would only have purview into the HR Manager system, because I'm only associated to that particular engagement. As the primary vendor contact I can select other additional folks to be engagement primary contacts for a particular engagement if I wanted to. Everything else has stayed the same, and the only thing that we've added is this tab to show you whether a particular assessment, issue or task belongs to a vendor or it belongs to an assessment. And where it's relevant is, if I was to click on assessments and click on the closed ones, then I would see that this assessment was performed at the vendor level while some of these other assessments were performed at the engagement level.

The other thing that is different is our manage team page. Because we have to now, as vendor contacts, manage not just vendor contacts, we have to also manage engagement contacts, that page is also different. As a primary vendor contact I still have the ability to invite folks. I can click on Kevin Dolan and I still have the ability to edit his profile, delete the contact, but we do see here that Kevin has been assigned to the HR management system engagement. If I wanted to add additional folks to the HR management system engagement, then what we've tried to mimic is the slush bucket functionality that is kind of a ServiceNow feature, to try to drag and drop, if you will, people from the left-hand side and add them to the right-hand side. So if I wanted to add Sarah to participate in this engagement, meaning she would not have the ability to be assigned to and respond to particular assessments and view the engagement record from within the vendor portal once she logs in, then I would have the
ability to add her like this, or if I wanted to remove her then I can also click on that button and remove her. The one thing you'll see is that I cannot remove Kevin Dolan, but if I add Sarah and I make her primary contact, then now I can remove Kevin Dolan, because I have someone who can essentially, like, substitute him, if you will, as a primary contact for that particular engagement, right? So in this case I'll remove Sarah as the primary contact and just remove her and leave Kevin to participate in that particular engagement. So those are the changes that we've done from a vendor portal perspective.

The other thing that I'll touch on is, let's say Work Faster was a subsidiary of another vendor, then Alex Newton, as a vendor contact associated to Work Faster, does not have the visibility to the parent company of Work Faster, and vice versa. If Work Faster was the parent company of another subsidiary, then Alex Newton does not have the visibility to go into that subsidiary vendor record or any of its engagements and have the ability to assign people, invite additional contacts. So there is a very thick line in terms of a vendor hierarchy, but not in terms of an engagement.

So what I'll do now is I will go back to the platform and end my impersonation of Alex Newton and just go back to that vendor record. So I'll click here and click back on VAS Corporation, and in the risk scoring tab what I will now see, based on the two engagements that I have, is that we've also summarized the engagement risk rating, and we've calculated it as moderate. And so right now my assessment risk rating is high, my engagement risk rating is moderate. What we've also done is, I can now click on the vendor risk components tab, because this can instruct me as a user of what the weight is of each. And so right now I've done vendor risk assessments and engagements, and the weight of those is 45 and 45 each, with ten left for child vendors, which we'll go into in just a few minutes. But I can also click on this record here, vendor risk assessments. My risk rating is high, as I see in the summary here, but I can click here as well and get a summary of all the vendor risk areas that have been assessed and their respective risk. So if I wanted to understand what has been the risk so far for this particular vendor in terms of vendor risk assessments, I can see that from a reputational perspective risk is critical, which is the highest thing that we have in ServiceNow.

So far we've seen direct assessments performed at the vendor level and we have seen vendor engagements. What I will do is I will go back to this presentation and just walk through the end of it and walk through the last thing that composes this rule, which is the component criteria. And so for the component criteria, as we saw in the funnel just a few minutes ago, we are including these three factors: child vendors, engagements and assessments. Unlike risk area definitions, where our customers have the ability to create as many risk areas as they wish, these three are hard-coded, and so there are no other possibilities available to create additional components, but we do have things in a roadmap that will create additional components. And so right now I have the ability to score child vendors, engagements and assessments. However, much like risk area criterias, I can create groupings of those components, assign it a scoring method and assign it a weight. And so in this case, for service providers, I've specified that child vendors should have a weight of 20, and engagements and assessments a weight of 40 each. And I'm not showing it here in this slide, just because I ran out of room, but let's say that for strategic suppliers I've defined the weight of child vendors to be zero, right? Essentially saying that subsidiaries, and the performance from a risk perspective of the subsidiaries, have a zero, basically don't inform risk for their parent vendors. And so now that we've defined the component criteria, what we can do now is calculate vendor records using
that component criteria, of looking at the assessments that were directly performed at the vendor level, the engagements and their respective assessments down at the vendor level, and then any child vendors if they have them, right? And so that's what we have now with this sample vendor record. We've taken the characteristics to scope out the rule, we performed direct assessments, we've assessed engagements, and now we also need to assess, I'm sorry, the performance of child vendors.

So I'll go back into the platform once again. What we did to map out our vendor hierarchy is that we are still using vendor records. So here I'm looking at a subsidiary of VAS Corporation. I can see that it uses a completely different rule based on other factors, right? So they are not a strategic partner and therefore there's another rule that captures them, but they're still part of the company table, and I can see here who their parent is. If I scroll down, I see that in this case, even though I performed an assessment, I never closed it out, because I just overrode it for demo purposes, right? But what I can see here is that I have two subsidiaries. As I stated earlier, we don't have a limit on how many levels deep you can go in terms of child vendors, and so VAS Accounting Associates may go seven levels deep, while in this case this child vendor is really the only one in that branch. So there's a lot of flexibility in how you structure these organizations as more and more are starting to kind of go in this direction. And so now that we've identified the risk for each of our child vendors, in this case both being low and low, we can also see in the summary tab the child vendors risk rating, which is set to low. And so now we have all of our three factors fully calculated and we can now calculate the computed risk rating. Now if I wanted to see, based on the rule, what the weight is of each, as I stated before, we can click on this vendor risk components, and I can see that child vendors really
only has a weight of ten, while the other ones have 45 and 45 each, and so my risk rating ends up being moderate. But I do have the capability as a vendor risk manager to override this risk rating with something different, right, and provide a justification if necessary. So if I see something in a media article, if I see something around a merger and acquisition, or something that may either reduce or increase risk, I can modify this and provide a justification.

Finally, the one thing that I will say is that every time an assessment is performed, either directly for the vendor, or one of the assessments is performed at the engagement level, or we notice that the child vendor risk rating has been recalculated, then we can recalculate the risk rating automatically. However, we do have this related link here if you wanted to make sure that you are seeing the latest and greatest in terms of the risk rating calculation. Again, we have plenty of triggers to make sure that this is as real-time as possible, but again, just in case you want to make sure that this is the most relevant or most up-to-date risk rating, we do have the capabilities to perform that recalculation at that point.

So what I will now show you is a little bit about the scoring setup: how you define those risk areas, how you create the risk area criterias, and finally the vendor risk scoring rules. So the first thing I'll show you is the risk area definitions. Here I see that I have seven vendor risk areas defined. I can create a new one if I wanted to, and from a security risk perspective I select the full stuff and then give it a description. This vendor risk area is tied directly to questionnaire templates, meaning that I can have an assessment with ten questionnaires, but it is at the questionnaire template level that I can say this questionnaire will ask questions specifically about business resiliency while this questionnaire will ask questions specifically about reputational, and by tying those
questionnaires and/or document requests to this vendor risk, that is how we are able to calculate those scores and then roll them up across all the different objects we have.

To show you the risk area criteria: we can create, again, multiple of these, and just based on which subset of a vendor population you want to capture, then you could enable those vendor risk areas. So when you are looking at strategic partners, these are the five vendor risk areas that you care about. You may assess them for risk, but they would have a weight of zero, right, because you've identified that these five are the ones that you should care about, and in this case financial risk has a weight of 35, which is the highest. Once you've created and defined your risk area criteria... component definition, as I said, it's hard-coded, so I don't have the ability to modify these. But once you create your vendor risk scoring rule, what we'll be able to see, the first thing, is that we have this vendor filter, right? So it can be fully dynamic, and even if you extend the vendor record table and add additional attributes or fields that we don't capture out of the box, you would be able to create filters based off of those attributes or based off of those fields as well. Whenever a filter is no longer applicable, then a vendor would be automatically or dynamically kicked out of that rule and then the risk recalculated, right? So again, in the example where they were based out of EMEA and are now based in the US, now you'll use a different rule. And then finally you map out which vendor risk area criteria, as we saw in the slides, you are going to utilize, as well as which vendor risk component criteria to use.

And with all of this we've essentially created our vendor hierarchy, we've mapped different vendor engagements to our vendor record, and I'll just close out by showing you what that looks like. So if I go back to VAS Corporation, I can see this visibility into all of the subsidiaries, and I can
click on one of these to see if I have any sub-subsidiaries as part of VAS Corporation. I can create engagements based on products, services, even locations for VAS Corporation, based on the contracts and the things that I am engaging with VAS Corporation around, and then through the entire thing I have the ability to assess things from a vendor risk perspective, so that I can double-click on items and understand not just my risk rating but how that risk rating was composed, based on some of these risk areas or risk domains that I'm looking to assess.

And that is how I would like to close out the presentation, because with ServiceNow what we'll be able to do is kind of like FICO scores. I'm sorry, I have a Magic Mouse that sometimes goes by itself. But just like FICO scores, we'll be able to see the risk rating of Acme Consulting, double-click on it, understand where my risk rating is really being influenced from based on the risk rules, but also understand the performance of each, right? So within Acme Consulting, perhaps I see that from an assessment perspective they're doing well, but for some reason across all of the engagements I see poor performance. And then the second thing is breaking the risk down by risk areas. So today, in the June release, you can view your risk area score on assessments and engagements, but the reason we have an asterisk is because that is something that we'll get to in our October release. And so when that happens, for Acme Consulting you'll also be able to kind of see that score for Acme Consulting broken down by which vendor risk areas were assessed, taking into account whether financial risk comes from an engagement, which we would then need to weigh appropriately, plus the weight that you apply for financial risk as a whole. And so the end result will be for you to understand your risk rating for a particular vendor, but again be able to double-click and understand risk at a more granular level. And so that is it for me. If
you have any questions, you know, feel free to reach out, post any comments on the community site, and I can gladly answer those.

Yeah, we actually have a couple of questions in the chat, Jorge, that it'd be great to get your view on. So the first question is about recalculation. The question was: what will happen to an overridden score when there's a recalculation?

Yep. So let me go back into the platform. When we override scores at an assessment level, whenever it would be recalculated it would be shown here, but typically what we've seen and gotten feedback on is you override as you're about to close out an assessment, right? An assessment has a beginning and an end, and therefore you may not necessarily see this as something that was recalculated. However, if I go to a vendor record, then I, for instance, may have performed assessments and engagements, but all of the data coming from child vendors has not been calculated yet, and so I choose to override this. What we've placed is a flag of when it was overridden, but we've gotten several feedback, so we will also put a flag on when the risk was last calculated, to provide visibility and a flag where perhaps, after it was overridden, the risk rating has changed. Initially we just decided that the field on when that override justification and that overridden risk rating was introduced would be enough, but we do recognize that we do need to flag it somehow to ensure that, even though it was chosen to be overridden, that should be revisited based on changes to the risk rating.

Great, thank you. Another question was about questionnaires and multiple risk areas. So the question is: can we have one questionnaire mapped to multiple risk areas, having different questions then mapped back to different risk areas?

Yes, so that is something that we've also explored for this release. We perceived this as a phase 1 and we wanted to really provide that
capability to customers to assess at the risk area level. And so I would say sometime in the second half of 2021 is when we are planning on breaking it down by sections, right? And so it is completely understandable that within one assessment you ask questions that are related to security, privacy and reputational, and in some cases you may have a question that maps to both, right? So if you're asking whether they handle PII, that's a privacy risk, but it might also be a security risk and even a reputational risk, right? And so those are all enhancements that we have in our roadmap, but for the June release, just to make sure that we were able to complete everything, we left it so that one questionnaire can only have one vendor risk area.

Okay, that makes sense. I'm glad to know that's on the roadmap. Another question that we got is assessing vendors on a particular service: if there's a way to assess a vendor against a particular service, if engagement is to be treated as a service. I'm pretty sure that that's true, but just wanted to confirm that's correct.

Yeah, so engagements, we use that terminology just to mean a series of things, right? So it may be a product that you're procuring from that vendor, it may be a service, it may be outsourcing something, you may be having like temp workers come in and perform something on that behalf, so it may be mapping out things by location. So we use the word engagements really just to mean anything, right? So in that case, if you are dealing with multiple services from the same vendor, then you would map those to be vendor engagements.

Great, thank you. Another question we had was on child vendors: wondering if we can have two levels of child vendors, or are we limited to only one level?

No, so it is not limited to one level, and we don't have a limit. So I can have a second level here, and then vast accounting may have child vendors of their own. The child vendors of vast accounting may have child vendors of their own, so we can go as many levels
deep as possible. We have no restriction or limitation of how many levels deep an organization may go.

Great, thank you. Another question we had is more about how this impacts existing customers: how will this impact existing implementations if they upgrade? Will it impact their existing vendor records or their existing assessments?

Yep, so it does not. We've accounted for migration, and so out of the box what we've done to fit in our engine is that we come up with a default risk area definition and a default vendor risk scoring rule. And what we would do upon migration is that whatever risk rating the customer has determined that that vendor should be, we essentially override it, so that we still calculate something but we use whatever the customer has determined to be that vendor risk rating. And so we've accounted for migration so that there should be no impact on what the risk rating the customer has determined to be, even though that may actually be different from what we end up calculating. And then additionally, you know, migration should not be a problem, but once you introduce vendor risk areas and you start playing around with weights, then this will change even more. But again, we preserve that original risk rating, because we don't want, you know, upon migration or upon upgrading, having 50 vendors set to critical and then you migrate and now you have your entire vendor population set to critical just because that is how the risk rating calculation engine works now. We make sure that we preserve that risk rating that the customer had.

Great, yeah, that's great to hear. Another question that we had was: could you show the third party's view of an example question set for a risk area when they're responding remotely? So showing what it would look like for a third party.

Yeah, so they actually don't have visibility into those vendor risk areas. Everything is internal. And so if I was to click into this work faster assessment, you know, I see all
of these questionnaires but I don't have visibility into what the risk area is associated to. I think I can make a guess, right? So I would say that this is a security vendor risk area, but not every customer that I as a vendor participate on assessments within the ServiceNow platform will configure vendor risk areas, right? And so they may choose to not use vendor risk areas at all and just keep the default setting, which means that these are not tied to vendor risk areas. They may choose to do this, but as a vendor contact I don't have that visibility.

Okay, thank you. And the last question that I see is: when changes are happening on the vendor portal, whether you're adding or removing contacts or answering questionnaires, does the company get notified in real time of these changes that are happening?

We have placed kind of an vendor contacts from a management perspective of managing their team, we don't, we let them do that. So the vendor contact may add 50 people and we don't have visibility into that. We would see how many vendor contacts a vendor has, right? So if I click on the ask corporation, then I would see that they have three vendor contacts, and so I would see a list here being populated, but we don't send notifications every time a new vendor contact gets added to our customer, right? What we do provide visibility into, and we can send notifications, and it's real-time visibility, is when assessments get responded to. And so in this case, because this has been submitted to the vendor, once I start receiving those responses then I would get notified, and then I would have real-time visibility into that. We do have a back-and-forth process in ServiceNow, so once I receive this questionnaire, for instance, I may return it back to the vendor, and then the vendor will get notified that there's another questionnaire that they've been to us us and one savory some it that assessment, then again I would get notified in real time based on that
activity. So there are some things that we do notify customers on, and there are some things, like adding and managing their team, that we don't.

Awesome, thank you so much. I think that's all the questions that I see live on the chat or on the Q&A for now. As Jorge mentioned, you can always ask questions on the community post or on the video later on if you have more questions that come to you. We have a number of resources that you can use to kind of get in contact with us and continue to engage with us after our time here today. So obviously our website, servicenow.com/risk, and service Eric calm slash BRM specifically, to learn a little bit more about vendor management. We have our community at servicenow.com, where you can rewatch this video as well as just ask questions, and our other assets, but Ask the Experts videos are up on our YouTube channel, and this one has been recorded and will be up there again today. So thank you everyone for joining us. I think we just do have two more questions. Oh, perfect. I'm not sure if you've got them all. Oh, they're just thank you. So okay, I see that: what mechanism for third-party response. Okay, I don't see that one. Maybe let me stop sharing so you can see it.

Yeah. So Jorge, one more question: what is the mechanism for third parties to respond to questions? Is import or export of a questionnaire and responses possible in formats like Microsoft Excel or CSV?

Yeah, so the way that we handle responding to these questions is we do offer the capability to go into the vendor portal and respond to those assessments directly by using the vendor portal that we just saw. We are getting feedback to perform questionnaires offline, and so being able to export them, then import them. We do offer that capability for the SIG, and so if you have completed the SIG elsewhere, you can import the SIG into the vendor portal, and then we parse through all of the responses and map them accordingly. And it is something that is in a roadmap to do for
other types of assessments or homegrown assessments, right, to be able to be responded to offline through Excel.

Great, thank you. And one final question: wondering what the difference is between a business service related list and vendor engagements, now that we have vendor engagements on the risk management tool.

Yeah, and that's a good question. So business services are part of kind of platform functionality in ServiceNow. You can think of them as CMDB, even though they're not necessarily CIs or configuration items. But the reason why we create a tie-in and not assess directly within the business services is because the business service is a platform table. What we do is tie back to those business services and then provide the capability to assess for risk and then do kind of a remediation process if there are any issues. And I think what we are exploring is being able to inform risk back to those business services table, right? And so that's something we call better together in ServiceNow, and we are exploring, if we aren't creating that tie-in to business services, what can we push back to the kind of default view of a business service, and can we provide a risk rating at that level.

Great, thank you for clarifying that. All right, if there are no more questions, and we thank you given for all this great interactivity, but if there are no more questions today we're gonna wrap things up. The YouTube embedded video is available on that community link that we've shared in the chat, and also we shared the direct YouTube link so you can also watch and replay and share this with your colleagues and team members. And we hope you join us for our next event, which is on the 16th, and thank you again for joining us today.

View original source

https://www.youtube.com/watch?v=3SGBdPP-Jgo