Vendor Risk Management
Blog - ServiceNow Elite · Nov 22, 2020 · article
The Vendor Risk Management (VRM) application provides a centralized process for managing your vendor portfolio, assessing vendor risk and tiering, and for completing the remediation life cycle.
VRM assesses vendors to determine their risk to an organization and guides that process by using a consistent and powerful application.
This article is mostly just my opinion on how to implement VRM, with a small section on usage. Your implementation experience may vary of course.
Overall Process
Setup
- Plugin Install
- Establish Vendor Portfolio
- Define Engagements
- Groups and Roles
- Assessment Setup
- Scoring Setup
- Forms, Properties, and Workflow
- Reporting
- Integrations
Usage
- Tier
- Assess
- Generate Findings
- Remediate Issues
- Report risks
- Monitor
Setup
Step 1: Plugin Install
The main plugin you will install is GRC: Vendor Risk Management (com.sn_vdr_risk_asmt).
The plugin has various dependencies that will also be installed:
- GRC: Profiles
- GRC: Compliance Assessment
- GRC: Vendor Portal
- GRC: Vendor Risk Management Dependencies
- Explicit Roles
You’ll want to read about the Explicit Roles plugin if it is not already installed in your instance. It adds the snc_internal and snc_external roles, and VRM relies on snc_external to keep vendor contacts out of everything they have not been explicitly granted. On an existing instance it also changes what users with no roles can reach, so review your ACLs after it is activated.
Installing the demo data is helpful when demo’ing the product. However you will want to remove that data before going to production.
Read more: Download and activate Vendor Risk Management
View the Vendor Record
After the VRM plugin is installed, the first place you should look at is the vendor record. It has a number of fields important to the VRM implementation. If you understand this form completely, you can understand a lot about VRM and what it does.
Vendor Record
Fields
- Parent
  - Establishes the vendor hierarchy
  - Rolls risk ratings up to the parent vendor
- Status
- Example: Prospect, Active, Active Unauthorized, Retired
- Vendor Type (Optional)
  - Type of vendor, used for classification and reporting
- Industry (Optional)
  - Type of industry, used for classification and reporting
- Risk Rating
  - The overall risk rating derived from all of the vendor’s responses to assessments (questionnaires and document requests)
  - Note that individual assessments have a risk rating too
  - Examples: Critical, High, Medium, Low
- Rank Tier (Optional)
  - Type of supplier; can be used in assessments
  - Examples: Strategic Partner, Valued Partner, Tactical Supplier, Blacklisted Supplier
- Vendor Tier
  - Calculated by vendor tiering assessments, discussed in Step 5: Assessment Setup and Step 6: Scoring Setup
  - Vendor tiering is the first step of the VRM usage process (see Tier under VRM Usage)
  - Calculated by mapping the tiering score onto the vendor tiering scale
  - Once the tiering assessment is closed, the vendor tier is assigned
  - Can be used in later assessments to determine the frequency and type of assessment
  - Can also be set manually
  - Examples: Critical, High, Medium, Low
- Vendor Manager - The employee assigned as the manager of this vendor.
- Business Owner
  - The employees using this vendor in their daily business
  - Updated automatically based on related business services
- Risk Scoring Tab
  - Computed risk rating
    - Shows an average of the vendor risk area risk ratings, weighted per the scoring method and weight defined in Step 6: Scoring Setup
    - Example: Critical, High, Medium, Low
  - Override risk rating - Allows you to override the computed risk rating for the vendor
    - Once you select the checkbox and fill in the Overridden risk rating and Justification, the Risk Rating on the vendor form changes
    - An override replaces a calculated value with a human decision, so keep the justification mandatory and report on overridden vendors rather than letting them blend into the portfolio
  - Assessment risk rating
    - Shows the calculated risk assessment rating
    - Example: Critical, High, Medium, Low
  - Engagement risk rating
    - Shows the calculated engagement rating
    - Example: Critical, High, Medium, Low
  - Child vendors risk rating
    - Shows the calculated risk rating for child vendors
    - Example: Critical, High, Medium, Low
Related Lists
- Child Vendors - This table stores all information for child vendors. If child vendors are present, their risk ratings are automatically aggregated and shown in the Risk Rating tab on the Vendor form.
- Vendor Contacts - This table stores information for all of the vendor stakeholders. Typically, the customer creates one primary vendor contact and one or more secondary contacts. The primary contact adds other users to the list.
- Business Services - The Services table is part of the CMDB. It relates the vendors to the services they provide. For example, assume the IT team has a service called “Video Conference Services” that is used for internal employees to communicate internally and with customers. That business service, they have decided, comes from Zoom rather than building anything in-house.
- Vendor Engagements - This table stores all engagement information for vendors. If engagements are present, their risk ratings are automatically aggregated and shown in the Risk Rating tab on the Vendor form.
- Tiering Assessments - This table stores all tiering assessments performed for the vendor.
- Repeating Assessments - This table stores all repeating assessments performed for the vendor.
- Assessments - This table stores all assessments performed by the vendor. If vendor risk assessments are present, their risk ratings are automatically aggregated and shown in the Risk Rating tab on the Vendor form.
- Vendor Risk Components - This table stores all vendor risk components. If vendor risk components (that is, assessments, engagements, or child vendors) are present, their risk ratings are automatically aggregated and shown in the Risk Rating tab on the Vendor form.
- Issues - This table stores all issues raised for the vendor.
- Tasks - This table stores all tasks created for the vendor.
Step 2: Establish Vendor Portfolio
Import Vendors
How to import vendors:
- Excel spreadsheet - System Import Sets > Load Data.
- Third-party onboarding system
- Vendor table - ServiceNow data from Procurement, CMDB, or Vendor Performance
- Manual
When importing vendors, you can also populate any additional fields the customer needs. Some fields, such as Vendor Tier, can be imported directly rather than calculated by tiering assessments; if you do that, validate the imported values against the tiering scale before loading, because a bad tier silently changes which assessments the vendor receives.
SETUP VENDOR HIERARCHY
If you work with vendors who have subsidiaries (or sub-subsidiaries) that pose potential risk to your business, you can create vendor hierarchies by setting up parent-child relationships between parent vendors and all of their children.
This involves setting the Parent field on the vendor and/or using the Child Vendors related list.
You can then perform assessments at each of the individual companies and roll up the results to calculate an overall risk score for the parent vendor.
Read more about Vendor Hierarchy
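The import and hierarchy steps above are where bad data enters the portfolio, so a pre-flight check on the spreadsheet pays for itself. The following is an added example, not code from the article or from ServiceNow: it reads a constructed vendor sheet, checks status and tier values against the choice lists, confirms every Parent refers to a vendor in the file, and walks each parent chain to catch loops that would otherwise break the parent roll-up. The column names, allowed values and sample rows are all constructed for illustration.

```javascript
// Added example, not from the article or from ServiceNow: a pre-flight check on
// a vendor spreadsheet before it goes through System Import Sets > Load Data.
// Column names, allowed values and the sample rows are constructed for illustration.

const ALLOWED_STATUS = new Set(['Prospect', 'Active', 'Active Unauthorized', 'Retired']);
const ALLOWED_TIER = new Set(['Critical', 'High', 'Medium', 'Low']);

// Constructed sample of what a customer might hand over. Deliberately includes
// a self-parent, a two-vendor loop and a row with bad values.
const SAMPLE_CSV = [
  'name,parent,status,vendor_tier,vendor_manager',
  'Acme Holdings,,Active,High,jsmith',
  'Acme Cloud,Acme Holdings,Active,Critical,jsmith',
  'Acme Support,Acme Cloud,Active,Medium,',
  'Orbit Ltd,Orbit Ltd,Active,Low,kdoe',
  'Loop A,Loop B,Active,Low,kdoe',
  'Loop B,Loop A,Active,Low,kdoe',
  'Ghost Inc,Nobody Corp,Activ,Platinum,kdoe',
].join('\n');

// Minimal CSV reader: no quoted fields, which is fine for a name/parent sheet.
function parseCsv(text) {
  const [header, ...lines] = text.split('\n').map((l) => l.trim()).filter(Boolean);
  const cols = header.split(',');
  return lines.map((line) => {
    const values = line.split(',');
    return Object.fromEntries(cols.map((c, i) => [c, (values[i] || '').trim()]));
  });
}

// Field checks plus a walk up every Parent chain. A chain that revisits a name
// is a cycle, which would make the parent roll-up recurse forever or misreport.
function validateVendorImport(rows) {
  const byName = new Map(rows.map((r) => [r.name, r]));
  const findings = [];
  for (const r of rows) {
    if (!r.name) findings.push({ vendor: '(blank)', problem: 'missing name' });
    if (!ALLOWED_STATUS.has(r.status)) findings.push({ vendor: r.name, problem: `invalid status "${r.status}"` });
    if (r.vendor_tier && !ALLOWED_TIER.has(r.vendor_tier)) findings.push({ vendor: r.name, problem: `invalid vendor_tier "${r.vendor_tier}"` });
    // Assumption: parents must be in the same file; relax this if they already exist in core_company.
    if (r.parent && !byName.has(r.parent)) findings.push({ vendor: r.name, problem: `parent "${r.parent}" not in import` });
  }
  for (const r of rows) {
    const seen = new Set([r.name]);
    let cur = r;
    while (cur.parent && byName.has(cur.parent)) {
      if (seen.has(cur.parent)) {
        findings.push({ vendor: r.name, problem: `parent chain loops back through "${cur.parent}"` });
        break;
      }
      seen.add(cur.parent);
      cur = byName.get(cur.parent);
    }
  }
  return findings;
}

// Rows with any finding are held back; everything else is safe to load.
function importSummary(rows) {
  const findings = validateVendorImport(rows);
  const held = new Set(findings.map((f) => f.vendor));
  return { total: rows.length, loadable: rows.filter((r) => !held.has(r.name)).length, findings };
}

console.log(JSON.stringify(importSummary(parseCsv(SAMPLE_CSV)), null, 2));
```

On the constructed sheet, three of the seven rows load cleanly; the self-parent, the Loop A/Loop B pair and the row with a bad status, tier and parent are held back with one finding per problem. Run this before the import set, not after, because a transform map will happily create the loop and you will only find it when the roll-up misbehaves.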
Import Vendor Contacts
Vendor contacts go through an import process similar to the vendor import.
How to import vendor contacts:
- Excel spreadsheet - System Import Sets > Load Data.
- User table - ServiceNow data from CSM, CMDB, or Vendor Performance
- Manual
Set Up Business Services (Optional)
You may have existing business services to apply to the vendor, which can be applied in the Business Services related list on the Vendor form.
The Business Owner field on the Vendor Form is updated automatically based on related business services.
Step 3: Define Engagements
Engagements are any products or services offered by a vendor that can be assessed as part of the vendor risk assessment process. As engagements are defined, you can define primary and secondary contacts for both vendors and engagements.
Engagements also work with Vendor Hierarchy. Engagements represent products or services provided to the parent vendor, either directly or from child vendors, which you can assess for risk. In the case where a child vendor provides engagements, the risk scores assigned to the engagements are rolled up to calculate the risk score of the child vendor, which in turn rolls up to the parent.
Examples of Engagements: Laptops from HP, Software from Adobe, HR Software from Workday
Fields
- Type
  - From the GRC Choices table: Software, Consulting, Hardware, Service Outsourcing, Staff Outsourcing, Other
- Start/End Date - Engagement start and end dates
- State
  - Example: Prospect, Active, Active Unauthorized, Retired
- Risk Rating
  - The overall risk rating derived from all of the vendor’s responses to assessments for this engagement (questionnaires and document requests)
  - Examples: Critical, High, Medium, Low
- Engagement Tier
  - Calculated by tiering assessments, discussed in Step 5: Assessment Setup and Step 6: Scoring Setup
  - Calculated by mapping the tiering score onto the tiering scale
  - Once the tiering assessment is closed, the engagement tier is assigned
  - Can be used in later assessments to determine the frequency and type of assessment
  - Can also be set manually
  - Examples: Critical, High, Medium, Low
- Value
- Engagement Manager - List of vendor managers
- Business Owner
  - The employees using this engagement in their daily business
  - Updated automatically based on related business services
- Risk Scoring Tab
  - Computed risk rating
    - Shows an average of the risk ratings
    - Example: Critical, High, Medium, Low
  - Override risk rating - Allows you to override the computed risk rating for the engagement
    - Once you select the checkbox and fill in the Overridden risk rating and Justification, the Risk Rating on the form changes
Related Lists
Similar to the vendor related lists
- Engagement Contacts
- Business Services
- Tiering Assessments
- Repeating Assessments
- Assessments
- Vendor Risk Areas
- Issues
- Tasks
Read more about Engagements
STEP 4: Groups and Roles
At a minimum, set up a Vendor Risk Manager group, or assign the roles to an existing similar group, so the client can use VRM. This group would typically hold the sn_vdr_risk_asmt.vendor_risk_manager role. Grant the roles to the group rather than to individual users, so membership changes are visible in one place and access can be revoked in one place.
Here are the roles that ServiceNow supplies:
Roles
- Vendor assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer]
  - Reviews and edits vendor assessments and responses.
  - Contains roles: compliance_reader, risk_reader, task_editor, vendor_reader
- Vendor assessment assessor [sn_vdr_risk_asmt.vendor_assessor]
  - Can do everything the vendor assessment reviewer can do, plus users with this role can:
    • manage vendors, vendor contacts, vendor risk assessments, and issues
    • complete vendor risk assessment requests
  - Contains roles: compliance_reader, vendor_assessment_reviewer, vendor_editor, vendor_reader
- Vendor risk manager [sn_vdr_risk_asmt.vendor_risk_manager]
  - Can do everything the vendor assessment assessor can do, plus users with this role can create:
    • vendor assessment templates
    • questionnaire templates
    • document request templates
    • scheduled assessments
  - Contains roles: assessment_admin, vendor_assessment_reviewer, vendor_assessor
- Vendor Contact [snc_external]
  - The external vendor contact answers questionnaires regarding risk. Primary contacts can manage other contacts for the vendor.
  - The snc_external role comes from the Explicit Roles plugin install.
Order of Roles (from weakest to strongest)
- Vendor contact [snc_external]
- Vendor assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer]
- Vendor assessment assessor [sn_vdr_risk_asmt.vendor_assessor]
- Vendor risk manager [sn_vdr_risk_asmt.vendor_risk_manager]
Read more about Group and Role Setup
Step 5: Assessment Setup
Tiering Questionnaire
Organizations use vendor tiering to classify their vendors into categories of potential risk posed at the time of on-boarding. The vendor tier is based on a pre-defined scale from the tiering assessment score. The Vendor Tier is calculated based on a questionnaire provided to assessors.
Read more about Managing Risk Tiering Assessments
Assessments (Questionnaire, Document Request)
Vendor risk assessments are sent to vendors to determine the risk they pose. Assessments may happen during the early stages of the procurement process to help select the best qualified vendor from a pool of candidates, but it is also recommended to do this on a continuous basis on existing vendors to determine their long-term viability as a partner.
Read more about Configuring vendor risk assessments with templates
Assessment Submission Rules
Tier Based Submission
Use the tier-based assessment submission rule to trigger a risk assessment from any changes to the vendor tier.
Fields
- Vendor - Name of the vendor the rule applies to.
- Tier
  - Select the tier that, when assigned to the vendor, automatically generates the risk assessment; the vendor risk manager can override this value.
  - Examples: Critical, High, Moderate, Low, Minor
- Assessment Template - Template that is sent when the vendor’s tier changes to the tier specified in the rule.
- Auto submit to vendor - Automatically submit the risk assessment to the vendor after it has been generated. If this is not selected, the assessment stays in Draft after being created. Auto submit sends the questionnaire to an external party the moment a tier changes, so leave it off where you want an assessor to review the generated assessment before it goes out.
Score Based Submission
You can create rules to automate the vendor risk assessment functionality based on a change to the vendor's security score.
Read more about Vendor Risk Security Ratings
Step 6: Scoring Setup
Scoring Setup
- Risk Area Definition, Criteria, and Risk Area
  - Risk Area
    - A risk area ties together a definition, criteria, a scoring method, and a weight.
    - Risk areas define the types of risk you want to assess for your vendors. For example, you may want to assess vendors in terms of security risk, financial risk, or risk to reputation. Each of these can be defined as a vendor risk area.
  - Risk Area Definition
    - Risk is often calculated by examining the impact and likelihood of potential loss caused by an event or action. You can better understand the risk your vendors pose to your business by defining the different areas of their business that you want to assess for risk.
    - Definitions include the fields Default Scoring Method and Weight.
  - Risk Area Criteria
    - After you have defined vendor risk areas, define risk area criteria to group different risk areas based on the types of vendors you work with. When you define risk area criteria, the scoring method and weight are copied from the risk areas; these values can be overridden per criteria as needed.
- Component Definition and Criteria
  - Components are the entities for which you can assess risk. Risk is calculated for each component, then aggregated and rolled up to calculate the vendor risk rating. The base system comes with three components:
    - Child Vendors
    - Engagements
    - Vendor Risk Assessments
  - Although you cannot add new components or modify existing ones in version 10.1, you can define the criteria (scoring method and weight) used to assess these components.
  - Component Definition
    - Definitions include the fields Default Scoring Method and Weight.
  - Component Criteria
    - Changes made to component criteria (for example, adding or deleting a component) may affect the risk rating calculation for the vendors the criteria apply to. The risk rating for affected vendors can be recalculated by clicking the "Recalculate risk rating" button on the vendor form.
- Scoring Rules (Engagement and Vendor Risk)
  - Define the criteria the system uses to determine which vendors require assessments based on their risk scores.
  - Read more about scoring rules
- Risk Rating Scale, Service Rating Scale, Vendor Tiering Scale
  - Read more about Risk Rating Scales and Scoring
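To make the scoring setup concrete, here is an added example of the roll-up it describes: each of the three base components is scored by its own scoring method, the component scores are combined by weight, the result is mapped onto a risk rating scale, and an override can replace the computed rating only with a justification. This is not the article’s or ServiceNow’s code, and the scoring method names, the 0-100 score range and the scale thresholds are assumptions made for illustration; only the component list and the override behaviour come from the setup described above.

```javascript
// Added example, not from the article or from ServiceNow: a weighted roll-up of
// the three base components into a computed risk rating, with the override path.
// The scoring method names ('average', 'highest'), the 0-100 score range and the
// scale thresholds are assumptions; the component list comes from the setup above.

const RISK_SCALE = [          // constructed: higher score = higher risk
  { rating: 'Critical', min: 75 },
  { rating: 'High', min: 50 },
  { rating: 'Medium', min: 25 },
  { rating: 'Low', min: 0 },
];

function toRating(score, scale = RISK_SCALE) {
  for (const band of scale) if (score >= band.min) return band.rating;
  return scale[scale.length - 1].rating;
}

// One score per component, following its (default or criteria-overridden)
// scoring method. Items with no score yet are ignored rather than read as zero.
function scoreComponent(component) {
  const scores = component.items.map((i) => i.score).filter((s) => typeof s === 'number');
  if (scores.length === 0) return null;
  if (component.method === 'highest') return Math.max(...scores);
  if (component.method === 'average') return scores.reduce((a, b) => a + b, 0) / scores.length;
  throw new Error(`unknown scoring method ${component.method}`);
}

// Weighted roll-up. An unassessed component drops out of the denominator; counting
// it as 0 would make a vendor look safer the less you know about it.
function computeVendorRating(vendor) {
  const perComponent = {};
  let weighted = 0;
  let weightSum = 0;
  for (const c of vendor.components) {
    const s = scoreComponent(c);
    perComponent[c.name] = s === null ? null : { score: s, rating: toRating(s) };
    if (s === null) continue;
    weighted += s * c.weight;
    weightSum += c.weight;
  }
  const computedScore = weightSum ? weighted / weightSum : null;
  const computed = computedScore === null ? null : toRating(computedScore);
  // Override replaces the computed rating, but never silently: a justification is required.
  let effective = computed;
  if (vendor.override && vendor.override.enabled) {
    if (!vendor.override.justification) throw new Error('override requires a justification');
    effective = vendor.override.rating;
  }
  return { perComponent, computedScore, computed, effective };
}

// Constructed vendor: two engagements, one child vendor, two closed assessments.
const SAMPLE_VENDOR = {
  name: 'Acme Cloud',
  components: [
    { name: 'Engagements', method: 'highest', weight: 3, items: [{ score: 40 }, { score: 80 }] },
    { name: 'Child Vendors', method: 'average', weight: 1, items: [{ score: 30 }] },
    { name: 'Vendor Risk Assessments', method: 'average', weight: 2, items: [{ score: 60 }, { score: 20 }] },
  ],
  override: { enabled: false },
};

console.log(JSON.stringify(computeVendorRating(SAMPLE_VENDOR), null, 2));
```

With the constructed data the engagement component scores 80 (highest of 40 and 80, so Critical on its own), the child vendor 30 and the assessments 40; the weighted roll-up is (80·3 + 30·1 + 40·2) / 6, about 58, which lands in High. Two design choices matter in practice: "highest" on engagements stops a single risky product being averaged away by several benign ones, and a component with nothing assessed yet is excluded instead of being treated as zero risk. This is exactly the calculation the "Recalculate risk rating" button has to redo when component criteria change.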
Set Up Security Scoring Configuration (Optional)
Security rating scores reflect an organization’s cybersecurity posture. Similar to personal credit scores, they provide insight on how trustworthy and safe a particular vendor can be, especially if you know that they may be handling sensitive data.
Read more about Security Scoring
Step 7: Forms, Properties, and Workflow
Form and List Modification
- Most clients will have certain fields to add to the vendor form as part of the vendor portfolio import process
Access Control
- Here are a few Access Control customizations to consider:
  - Remove the ITIL user’s ability to create and delete vendors
  - If you have users with the user_admin or vendor_editor roles, you may want to adjust some ACLs to control access to certain fields used on the Vendor [core_company] form. Remember that core_company is shared with Procurement, the CMDB and other applications, so a field-level ACL written for VRM changes what those users see everywhere.
Vendor Portal Modification
- There is a System Property, sn_vdr_risk_asmt.company.name, that sets the Company name for messages. You’ll want to change this.
- Turning off functionality. I’ve seen in a lot of these implementations where functionality like “Issues” is turned off as the client doesn’t want to use it
- Branding - The Vendor Portal uses Service Portal functionality so you can brand it for your organization
- Navigation - I have written some widgets to provide navigational help when performing assessments. Any custom widget on this portal runs for external (snc_external) users, so its server script must only query the tables and records a vendor contact is entitled to see.
- Two portals
  - If you are using an earlier version of ServiceNow, you may be using the older (non-scoped) portal
  - Old portal: /vdp
  - New portal: /svdp
  - The sn_vdr_asmt.vendor_portal_endpoint system property controls which portal is in use
  - To adjust SSO, adjust the svdp_login page
Notifications
- The Paris version of ServiceNow includes 17 notifications
- They use mail scripts. Be comfortable with mail scripts before you recommend they are “easy” to modify. :)
- You may need to add notifications for when certain records are assigned to groups
- Read more about VRM Notifications
Business Rules
- ServiceNow includes many script includes that calculate scoring and assessments. I would highly advise not changing those as they are improved with upgrades
- However real life dictates you must meet requirements. Unless you can smoothly talk the customer out of changing the code. :)
- I try to use business rules to work around these issues rather than extending the script includes. These business rules can easily be turned off if they are not needed in the future.
Properties
- There are a number of system properties starting with sn_vdr_risk_asmt worth reviewing. Here are two I often modify:
  - sn_vdr_risk_asmt.company.name - This property sets the company name shown when a vendor contact submits an assessment. It defaults to “ServiceNow”. You’ll likely want to change this.
  - sn_vdr_risk_asmt.enable.vendor.rating.auto.recal - Controls automatic recalculation of the vendor risk rating.
Workflow (Optional)
- ServiceNow includes one workflow for Vendor assessment reminders
- You may also want to create additional workflows for approvals or other functionality
Step 8: Reporting
Dashboards
- ServiceNow includes a Vendor Risk Overview dashboard, with two tabs: Vendor and Engagement
Reports
- Key tables for reporting
  - Vendor [core_company] (Vendor = true)
  - Policy Exception [sn_compliance_policy_exception]
  - Vendor Tiering Reports VRA View [vendor_tiering_reports_vra_view]
  - Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]
  - Vendor Risk Issue [sn_vdr_risk_asmt_issue]
  - Vendor Risk Task [sn_vdr_risk_asmt_task]
- ServiceNow includes 20 reports in the Paris release
Quick Start Tests
- If you are using the Automated Test Framework (ATF), ServiceNow provides four quick start test suites to get you started testing VRM. Super helpful actually.
  - GRC: Create Engagement Assessment - Creates and submits an engagement risk assessment to an engagement.
  - GRC: Create Vendor Assessment - Creates and submits a vendor risk assessment to a vendor.
  - GRC: Vendor Portal - Answer and Return Assessment - Vendor contact answers and submits an assessment in the Service Vendor Portal.
  - GRC: Vendor Tiering Assessment - Selects and submits an assessment to the respective assessors after changing the duration.
Step 9: Integrations
GRC Integration
VRM integrates with the Policy and Compliance, and Risk applications in ServiceNow
- Policy and Compliance
  - Associate control objectives with specific questions in questionnaires
  - Controls are automatically marked compliant or non-compliant
- Risk
  - Automatically adjust the calculated risk score for the vendor
VRM Usage
Tier
This step is optional, as Vendor Tier can be setup manually on the vendor record. However this process seems common in my experience for VRM implementations, where a tier assessment (or internal rank) is supplied by internal stakeholders (assessors).
Organizations use vendor tiering to classify their vendors into categories of potential risk posed at the time of on-boarding. The vendor tier is based on a pre-defined scale from the tiering assessment score. The standard tiers are None, Critical, High, Moderate, Low, and Minor. Each tier has different assessment questions and document requests associated to them.
- Most organizations import their vendor portfolio through an excel spreadsheet or an integration with another onboarding solution. Vendor risk managers make on-going updates to the vendor information, including risk security scores and vendor tiering scores.
- The vendor risk manager or vendor risk assessor determines the risk tier or categories of risk exposure for the vendor.
- The vendor risk manager selects the vendor, assigns the tiering questionnaire template, and assigns the internal assessor that is required to complete the assessment.
- Internal stakeholders navigate to Self-service > My Assessments and Surveys > to complete and submit the assessment.
- After the assessors have responded to the questionnaire, the tiering score is calculated as the average of all response scores. This score is measured against the vendor tiering scale and, when the assessment is closed, the tier is assigned to the vendor. The vendor risk manager can then initiate the risk assessment, or one can be sent automatically by a configured tier-based submission rule (see Step 5).
Vendor Tiering Process
- The tiering assessment initiates one assessment instance for each assigned assessor. The assessor sees only the sections assigned to them based on their role.
- The response scores from all assessment instances are averaged to provide the tiering score.
- The tiering score is mapped to the vendor tiering scale providing the vendor tier.
- This tier is assigned to the vendor when the tiering assessment is closed.
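The tiering process above and the tier-based submission rules from Step 5 are two halves of one flow, so here they are carried through together as an added example. This is not the article’s or ServiceNow’s code: the 0-10 response scores, the tiering scale thresholds, the instance and assessment states, and the rule and template names are all constructed for illustration. What it shows that the bullets do not is the two places a careless implementation goes wrong: counting an unfinished assessor instance in the average, and firing the submission rule on every save rather than on the change into the configured tier.

```javascript
// Added example, not the article's or ServiceNow's code: the tiering roll-up
// described above, followed by evaluation of tier-based submission rules (Step 5).
// The 0-10 response scores, the tiering scale thresholds, the instance and
// assessment states, and the rule and template names are constructed for illustration.

const TIERING_SCALE = [          // constructed: higher average score = higher tier
  { tier: 'Critical', min: 8 },
  { tier: 'High', min: 6 },
  { tier: 'Moderate', min: 4 },
  { tier: 'Low', min: 2 },
  { tier: 'Minor', min: 0 },
];

function scoreToTier(score) {
  if (score === null) return 'None';
  for (const band of TIERING_SCALE) if (score >= band.min) return band.tier;
  return 'Minor';
}

// One instance per assessor, each carrying only the sections that assessor was
// assigned. Only completed instances count; an instance still in progress would
// drag the average toward whatever its few answered questions happen to say.
function tieringScore(instances) {
  const scores = [];
  for (const inst of instances) {
    if (inst.state !== 'complete') continue;
    for (const section of inst.sections) for (const r of section.responses) scores.push(r.score);
  }
  if (scores.length === 0) return null;
  return scores.reduce((a, b) => a + b, 0) / scores.length;
}

// The tier is only written to the vendor when the tiering assessment is closed;
// until then the vendor keeps its previous tier.
function closeTieringAssessment(vendor, instances, closed) {
  const score = tieringScore(instances);
  return { ...vendor, tieringScore: score, tier: closed ? scoreToTier(score) : vendor.tier };
}

// Tier-based submission rules fire on a change *into* the configured tier. With
// Auto submit off, the generated assessment waits in Draft for an assessor to
// review before anything reaches the external vendor contact.
function applyTierRules(previousTier, vendor, rules) {
  if (previousTier === vendor.tier) return [];
  return rules
    .filter((r) => r.vendor === vendor.name && r.tier === vendor.tier)
    .map((r) => ({ vendor: vendor.name, template: r.template, state: r.autoSubmit ? 'Submitted' : 'Draft' }));
}

// Constructed data: three internal assessors, one of whom has not finished.
const SAMPLE_INSTANCES = [
  { assessor: 'security', state: 'complete', sections: [{ name: 'Data handling', responses: [{ score: 8 }, { score: 9 }, { score: 7 }] }] },
  { assessor: 'finance', state: 'complete', sections: [{ name: 'Financial exposure', responses: [{ score: 6 }, { score: 6 }] }] },
  { assessor: 'legal', state: 'in_progress', sections: [{ name: 'Contract terms', responses: [{ score: 2 }] }] },
];
const SAMPLE_RULES = [
  { vendor: 'Acme Cloud', tier: 'High', template: 'Standard Security Questionnaire', autoSubmit: false },
  { vendor: 'Acme Cloud', tier: 'Critical', template: 'SOC 2 Document Request', autoSubmit: true },
  { vendor: 'Other Vendor', tier: 'High', template: 'Standard Security Questionnaire', autoSubmit: true },
];

const tiered = closeTieringAssessment({ name: 'Acme Cloud', tier: 'None' }, SAMPLE_INSTANCES, true);
console.log(tiered.tieringScore, tiered.tier, applyTierRules('None', tiered, SAMPLE_RULES));
```

With the constructed responses the two completed instances average 7.2, which maps to High; the legal assessor’s unfinished instance (a lone score of 2) is ignored, and including it would have pulled the vendor down to Moderate and changed which questionnaire goes out. The move from None to High matches one rule for this vendor, and because that rule has Auto submit off the generated assessment is left in Draft.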
Security Scores
Starting in version 10.1.3, each third-party risk score provider can now have multiple scoring services. Each scoring service can be a set of number ranges, in ascending or descending order, or a set of ratings. Third-party scores are automatically mapped to the normalized scores and normalized ratings in Vendor Risk Management.
Third-party scores can also contribute to the final score/rating of vendors. Provider-based submission rules can be defined to monitor the third-party risk score changes. When the rules are triggered, a series of actions can be taken automatically, such as creating and sending an assessment, issue, or task.
After third-party provider scores have been added to a vendor, the External Risk Rating appears on the Vendor form. You can modify the default scoring method and/or the default weight on the Component Definition form. The Default scoring method can be modified to define how multiple scores for each risk area are calculated.
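The normalisation described above is easy to get subtly wrong when one provider’s range runs upward, another’s runs downward, and a third publishes letter grades. The following added example, not the article’s or ServiceNow’s code, shows how scores from such services can be put on one normalised scale and rating, and how a provider-based submission rule can then act on the change. The provider names, their ranges, the normalised bands and the rule are all constructed for illustration.

```javascript
// Added example, not from the article or from ServiceNow: normalising scores from
// different third-party scoring services onto one 0-100 scale and rating, then
// checking a provider-based submission rule against the change. Provider names,
// ranges, the normalised bands and the rule are constructed for illustration.

// Normalised bands (constructed): higher normalised score = stronger posture.
const NORMALIZED_BANDS = [
  { rating: 'A', min: 80 },
  { rating: 'B', min: 60 },
  { rating: 'C', min: 40 },
  { rating: 'D', min: 20 },
  { rating: 'F', min: 0 },
];

// A scoring service is either a numeric range (ascending: higher raw = better,
// descending: lower raw = better) or an ordered set of ratings, best first.
const SERVICES = {
  'rangeco-asc': { kind: 'range', low: 250, high: 900, order: 'ascending' },
  'rangeco-desc': { kind: 'range', low: 0, high: 10, order: 'descending' },
  'gradeco': { kind: 'ratings', ratings: ['A', 'B', 'C', 'D', 'F'] },
};

function normalize(serviceName, raw) {
  const svc = SERVICES[serviceName];
  if (!svc) throw new Error(`unknown scoring service ${serviceName}`);
  let score;
  if (svc.kind === 'range') {
    // Reject out-of-range values rather than clamping: a 0 from a 250-900 service
    // is a feed problem, not a catastrophic vendor.
    if (typeof raw !== 'number' || raw < svc.low || raw > svc.high) {
      throw new Error(`score ${raw} outside ${svc.low}-${svc.high} for ${serviceName}`);
    }
    const frac = (raw - svc.low) / (svc.high - svc.low);
    score = 100 * (svc.order === 'ascending' ? frac : 1 - frac);
  } else {
    const idx = svc.ratings.indexOf(raw);
    if (idx < 0) throw new Error(`rating ${raw} not defined for ${serviceName}`);
    const width = 100 / svc.ratings.length;  // each rating owns an equal band
    score = 100 - width * (idx + 0.5);        // midpoint of that band, best first
  }
  score = Math.round(score * 10) / 10;
  return { service: serviceName, raw, score, rating: NORMALIZED_BANDS.find((b) => score >= b.min).rating };
}

// Provider-based submission rule: act when the normalised rating is at or below
// the threshold, but only on the transition, so a vendor that stays bad does not
// get a new assessment, issue and task on every feed refresh.
const RATING_ORDER = NORMALIZED_BANDS.map((b) => b.rating);
const atOrBelow = (rating, threshold) => RATING_ORDER.indexOf(rating) >= RATING_ORDER.indexOf(threshold);

function evaluateProviderRule(rule, previous, current) {
  const wasTriggered = previous !== null && atOrBelow(previous.rating, rule.threshold);
  const isTriggered = atOrBelow(current.rating, rule.threshold);
  if (!isTriggered || wasTriggered) return [];
  return rule.actions.map((action) => ({
    action,
    vendor: rule.vendor,
    reason: `${current.service} rating ${current.rating} at or below ${rule.threshold}`,
  }));
}

const SAMPLE_RULE = { vendor: 'Acme Cloud', threshold: 'C', actions: ['create_assessment', 'create_issue'] };
console.log(evaluateProviderRule(SAMPLE_RULE, normalize('rangeco-asc', 640), normalize('rangeco-asc', 445)));
```

A 640 on the ascending 250-900 service and a 7.5 on the descending 0-10 service come out as B and D respectively, and a letter C from the grade-based service lands on the normalised C, so the three feeds can be compared on the vendor form and combined by the component definition’s scoring method and weight. The rule only fires when the rating crosses the threshold, and out-of-range input is rejected instead of being clamped, because a broken feed should surface as an error and not as a sudden F.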
Assess
Setup and Generate Assessments
Vendor risk assessments are sent to vendors to determine the risk they pose; the templates, questionnaires and document requests they use are configured under Step 5: Assessment Setup.
Read more about Configuring vendor risk assessments with templates
Security Scores
Continue to use security scores to assess vendors
Generate Findings
Vendor contacts use the Vendor Portal to:
- View and respond to current assessments
- Delegate responses to other contacts
- Manage teams - view, create, update, and delete contacts (Non-primary contacts may only view contacts)
- Update notification preferences
- Change a password or request a new password
What does the vendor see in the vendor portal?
- Issues and tasks at the assessment level
- Issues and tasks at the vendor level
- Vendor contacts assigned to the assessments
Issue Remediation
Issue Management
States - New, Analyze, Finalize with Vendor, Review, Close
Generated by
- Issue Generation Rules
- Assessment Related List
- Vendor Response form
Remediation workflow
Report Risks
GRC Integration
Reporting vendor risk into the rest of GRC uses the integration described under Step 9: Integrations: control objectives associated with questionnaire questions are marked compliant or non-compliant from the vendor’s answers, and the Risk application automatically adjusts the vendor’s calculated risk score.
Monitor
Monitor vendor by security score, repeating assessments and tier-based submission
Retire Vendor
Retire vendor as needed
https://www.servicenowelite.com/blog/2020/11/22/vendor-risk-management