Gordon Hazzard

Q&A: Vendor Risk Assessments in ServiceNow

Over the course of several vendor risk implementations for health care providers, commercial enterprises and everything in between, certain questions about the application's assessment functionality have come up on a regular basis.


Here are 7 of the most frequently asked questions related to the setup and operation of vendor risk assessments in ServiceNow:


Q1: What causes a vendor risk assessment to be initiated?

By default, there are three possible triggers for vendor risk assessments: (1) manual creation by a team member, (2) automatic creation based on the results of a tiering assessment, and (3) a repeat assessment based on a pre-defined frequency. Most vendor risk management programs will use a combination of all three methods for triggering an assessment, and in some cases, there may be a need to develop additional triggers (e.g., to integrate with a procurement or legal review process).


Q2: What types of questionnaires and questions does the platform support?

Responses can be elicited from vendors through assessment questionnaires and document requests. The full range of question types (e.g., text, multiple choice, multi-select, attachments, true/false) can be included within either. Dependencies between questions can also be established so that the assessment dynamically skips or expands sections based on the responses provided.


Q3: Do we have to use the same assessment for all vendors?

No. Assessment questionnaires and document requests can be unique to each vendor. For efficiency and consistency, though, it is helpful to pre-define assessment templates based on vendor characteristics such as inherent risk tiers or data security levels (e.g., for high-risk vendors, send this designated set of questionnaires and document requests). These templates can be automatically or manually assigned to an assessment, and the selected questionnaires and document requests can be further adjusted as desired.


Q4: How does the platform handle situations where a third party is non-responsive to the questionnaires sent to them?

Within the assessment workflow, security team members will have the ability to monitor the vendor’s progress on each questionnaire and document request included within the assessment. Additionally, automated notifications are in place to remind the third parties of upcoming due dates and provide ongoing notices for past due assessments. Unfortunately, as with any platform, it may be necessary to pursue action outside of ServiceNow if a vendor is ignoring the notifications and has truly become unresponsive.


Q5: What’s the process for reviewing and following up on assessment responses?

Assigned team members will be informed once an assessment has been submitted by a vendor and will be able to access a review interface to view question responses, identify risks and issues, flag questions for follow-up, export responses, provide notes and comments, and request follow-up from the vendor. Automation can also be incorporated within the review process to highlight high-risk responses and generate issues.


Q6: How are identified risks addressed and resolved?

Risks identified as part of a vendor risk assessment are addressed within the vendor risk issue module. The issue resolution process allows team members to document key details, assign reviewers, chat and interact with the vendor, and establish and monitor tasks for the vendor to complete in order to resolve the issue.


Q7: Can we update the vendor portal and notifications?

Absolutely. The vendor portal and notifications are configurable. The vendor portal theme can be adjusted to include your organization’s color scheme and branding, similar to the platform service portal (note: it is advised not to adjust the widgets within the portal, though, as such changes could impede future system upgrades). As with other modules, there is full control over the notifications for vendor risk assessments, including which templates to use, text adjustments, and de-activating or creating new notifications.


If you’re looking to implement ServiceNow Vendor Risk Management within your organization, hopefully the responses to these commonly asked questions were helpful. If you would like to learn more about what’s involved in setting up an assessment process or have some additional questions, please reach out to info@lionwarellc.com and we can set up time to discuss, risk-free.


Your success is our mission.
