GRC (Governance, Risk and Compliance) comprises many tasks related to business and IT across an entire enterprise. It also entails managing the risk that vendors and third-party suppliers pose to an organization. In layman’s terms, vendor risk management ensures that vendors such as service providers and IT suppliers do not carry an unacceptable level of risk that could disrupt business or otherwise negatively impact business performance.
ServiceNow GRC consolidates GRC management within a single cloud platform and automates risk management, improving the accuracy of audits. In fact, a restaurant chain was able to trim its audit time by 70% with ServiceNow GRC. Thanks to automated notifications, control attestations, innovative workflows, and improved frameworks, ServiceNow can revitalize an organization’s GRC management with real-time visibility and greater efficiency.
The Vendor Risk Management application in ServiceNow centralizes the entire process for managing all vendors for an organization in a single window. It includes completion of vendor assessment and all steps in the remediation life cycle. It can also integrate with other GRC applications, and has traceability for compliance.
Roles that might use vendor risk management include risk analysts and vendor risk managers. Sometimes functional department heads are responsible for vendor compliance. In such cases, account executives, information security, corporate counsel, HR operations and staff from the IT department might make use of Vendor Risk Management.
You can activate the GRC: Vendor Risk Management (com.sn_vdr_risk_asmt) plugin as a separate subscription. ServiceNow GRC provides easily digestible snapshot views of vendor risk overview reports with visualizations. As part of a vendor risk assessment, many ratings are calculated for a comprehensive assessment.
Some important ServiceNow Vendor Risk Management features and capabilities include:
1. Vendor Portal
Many organizations simply import their vendor portfolio information from an Excel spreadsheet. Alternatively, some of them make use of an integration with another onboarding solution that captures vendor information. This is inefficient and prone to inaccuracies. The Vendor Portal in ServiceNow allows vendor risk managers to update vendor information as and when required. This includes updating vendor tiering scores and risk security scores.
2. Vendor Portfolio
This is the database of vendors and vendor information and includes the vendor contacts, the business services that the vendors fulfill, along with other general vendor information. An organization can also easily integrate Vendor Risk Management with existing supplier management systems.
3. Vendor Tiering Assessments
Vendor tiering in ServiceNow allows organizations to categorize their vendors into different tiers of potential risk determined at the time of onboarding. The standard tiers for vendor risk are None, Critical, High, Moderate, Low, and Minor. A pre-defined scale exists for vendor tiers, and vendors are categorized based on their tiering assessment score. Different assessment questions and document requests are associated with each tier.
4. Third-party Security Scores
Third-party vendors and providers have their own score ranges and weightings, which may differ from your organization’s scores. ServiceNow helps you manage these third-party scores and normalize them, giving you the option to use your company’s internal security metrics instead.
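The tiering scale described under section 3 and the score normalization described here are easiest to see in code. The following is an added illustration, not ServiceNow code or the product’s actual algorithm: the tier thresholds, the three score sources (`ratingA`, `riskB`, `auditC`), their ranges, polarities and weights are all constructed for this example. It maps a tiering assessment score onto the tier names the page lists, converts each third-party score onto an internal 0–100 risk scale (100 = highest risk), clamps out-of-range values, and combines the sources by weight while leaving out any source that did not report.

```javascript
// Hypothetical tier scale (assumption for this example, not ServiceNow's
// default). Bands are checked from highest to lowest minimum score.
const TIER_SCALE = [
  { tier: "Critical", min: 80 },
  { tier: "High",     min: 60 },
  { tier: "Moderate", min: 40 },
  { tier: "Low",      min: 20 },
  { tier: "Minor",    min: 0 },
];

// "None" is used here for a vendor that has not yet been assessed.
function tierForScore(score) {
  if (score === null || score === undefined || Number.isNaN(score)) return "None";
  for (const band of TIER_SCALE) {
    if (score >= band.min) return band.tier;
  }
  return "Minor";
}

// Constructed third-party score sources (assumptions, not real providers'
// scales). higherIsSafer tells us whether a high raw value means low risk.
const SOURCES = {
  ratingA: { min: 250, max: 900, higherIsSafer: true,  weight: 0.5 },
  riskB:   { min: 0,   max: 10,  higherIsSafer: false, weight: 0.3 },
  auditC:  { min: 1,   max: 5,   higherIsSafer: true,  weight: 0.2 },
};

// Map one raw score onto the internal 0-100 risk scale (100 = highest risk).
// Values outside the source's published range are clamped rather than rejected.
function normalizeScore(sourceName, raw) {
  const s = SOURCES[sourceName];
  if (!s) throw new Error("unknown score source: " + sourceName);
  const clamped = Math.min(Math.max(raw, s.min), s.max);
  const fraction = (clamped - s.min) / (s.max - s.min);
  const risk = s.higherIsSafer ? 1 - fraction : fraction;
  return Math.round(risk * 100);
}

// Weighted combination of whatever sources reported. Missing sources are
// skipped and the remaining weights are rescaled so the result stays on 0-100.
// Returns null when no source reported at all.
function combinedRisk(scores) {
  let total = 0;
  let weightSum = 0;
  for (const [name, raw] of Object.entries(scores)) {
    if (raw === null || raw === undefined) continue;
    const w = SOURCES[name].weight;
    total += normalizeScore(name, raw) * w;
    weightSum += w;
  }
  if (weightSum === 0) return null;
  return Math.round(total / weightSum);
}

// Constructed vendor record used as sample input.
const sampleVendor = {
  name: "Example Logistics Ltd (constructed)",
  tieringScore: 85,
  thirdParty: { ratingA: 640, riskB: 7, auditC: 4 },
};

console.log(sampleVendor.name);
console.log("tier:", tierForScore(sampleVendor.tieringScore));
console.log("combined internal risk:", combinedRisk(sampleVendor.thirdParty));
```

The clamp-then-scale step is what lets a higher-is-better rating and a higher-is-worse risk index sit on the same axis; renormalizing the weights when a source is missing avoids silently reporting a lower combined risk just because one feed was unavailable.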
5. Assessment Management
The Vendor Portal in ServiceNow provides a single window for managing the risk of all of an organization’s vendors. The vendor’s primary contact can view all assessments in this portal. During the Generating Observations state, issues and tasks are created on demand. The vendor risk analyst can assign vendors as needed and uses comment streams to resolve and close issues relating to non-compliance.
6. Issues and Remediation
Vendors don’t always do what is expected of them. As assessment responses are reviewed, companies can create issues, review them with subject matter experts, design remediation plans, and share them with vendors for closure.
7. Ongoing Vendor Risk Monitoring
In order to continuously monitor vendor risk, assessors can create repeating vendor assessments, ensuring ongoing vigilance.
8. GRC Integration
The VRM application integrates with the other applications in the GRC suite. You can associate your policy statements with questions in a questionnaire. Inadequate responses from a vendor can automatically mark controls as non-compliant.
If you’re interested in GRC and Vendor Risk Management with ServiceNow, please feel free to contact us. Our experts at abhra Inc. are experienced ServiceNow implementation partners covering ServiceNow implementations, MSPs, CMDB, and modules such as GRC, SAM and more.