TPRM Issue Summarization

TPRM Issue Summarization

Overview

This skill generates comprehensive summaries of Third-Party Risk Management (TPRM) issues in ServiceNow. It covers:

• Aggregating TPRM issues by vendor, risk tier, and assessment cycle
• Evaluating vendor risk exposure across security, operational, financial, and compliance dimensions
• Identifying assessment gaps where vendors lack current or complete assessments
• Tracking remediation status for open findings and overdue corrective actions
• Measuring compliance impact by mapping vendor issues to regulatory requirements
• Producing executive-ready dashboards for vendor risk committees

When to use:

• Preparing for vendor risk committee meetings or board reporting
• During annual or periodic third-party assessment reviews
• When onboarding new vendors and evaluating risk posture
• After a vendor security incident requiring rapid exposure analysis
• For regulatory examinations requiring third-party risk documentation

Prerequisites

• Roles: sn_tprm.viewer, sn_tprm.manager, sn_grc.manager, or admin
• Plugins: com.sn_tprm (Third-Party Risk Management), com.sn_grc
• Access: Read access to sn_tprm_assessment, sn_tprm_issue, sn_tprm_vendor_assessment, sn_grc_profile, core_company tables
• Knowledge: Understanding of vendor risk tiering methodology and organizational third-party risk appetite

Key TPRM Tables

Table	Purpose	Key Fields
sn_tprm_assessment	TPRM assessment records	number, short_description, state, assessment_type, vendor, risk_tier, due_date, score
sn_tprm_issue	Issues found during assessments	number, short_description, state, priority, vendor, assessment, remediation_plan, due_date
sn_tprm_vendor_assessment	Vendor-level assessment rollups	vendor, assessment_status, overall_risk, last_assessment_date, next_assessment_date
core_company	Vendor/company master records	name, sys_id, vendor_type, stock_symbol, city, state, country
sn_grc_profile	GRC profile linked to vendors	number, short_description, profile_type, applies_to
sn_grc_risk	Risk records associated with vendor profiles	number, risk_score, state, treatment, residual_risk, inherent_risk

Procedure

Step 1: Retrieve Open TPRM Issues

Query all active TPRM issues to establish the current issue landscape.

Using MCP (Claude Code/Desktop):

Tool: SN-Query-Table
Parameters:
  table_name: sn_tprm_issue
  query: active=true^ORDERBYDESCpriority
  fields: sys_id,number,short_description,description,state,priority,vendor,assessment,remediation_plan,due_date,assigned_to,category,risk_rating,sys_created_on
  limit: 200

Using REST API:

GET /api/now/table/sn_tprm_issue?sysparm_query=active=true^ORDERBYDESCpriority&sysparm_fields=sys_id,number,short_description,description,state,priority,vendor,assessment,remediation_plan,due_date,assigned_to,category,risk_rating&sysparm_limit=200&sysparm_display_value=true

Step 2: Gather Vendor Assessment Context

For each vendor with issues, retrieve their assessment history and current risk posture.

Using MCP:

Tool: SN-Query-Table
Parameters:
  table_name: sn_tprm_vendor_assessment
  query: vendor=[vendor_sys_id]
  fields: sys_id,vendor,assessment_status,overall_risk,last_assessment_date,next_assessment_date,risk_tier,assessment_score
  limit: 10

Using REST API:

GET /api/now/table/sn_tprm_vendor_assessment?sysparm_query=vendor=[vendor_sys_id]&sysparm_fields=sys_id,vendor,assessment_status,overall_risk,last_assessment_date,next_assessment_date,risk_tier,assessment_score&sysparm_limit=10&sysparm_display_value=true

Step 3: Identify Assessment Gaps

Find vendors with overdue or missing assessments to highlight blind spots.

Using MCP:

Tool: SN-Execute-Background-Script
Parameters:
  script: |
    var gaps = [];
    var va = new GlideRecord('sn_tprm_vendor_assessment');
    va.addQuery('next_assessment_date', '<', new GlideDateTime().toString());
    va.addOrCondition('assessment_status', 'incomplete');
    va.addOrCondition('assessment_status', 'not_started');
    va.query();

    while (va.next()) {
      var vendor = new GlideRecord('core_company');
      vendor.get(va.vendor);
      gaps.push({
        vendor_name: vendor.name.toString(),
        vendor_sys_id: va.vendor.toString(),
        assessment_status: va.assessment_status.getDisplayValue(),
        overall_risk: va.overall_risk.getDisplayValue(),
        risk_tier: va.risk_tier.getDisplayValue(),
        last_assessment: va.last_assessment_date.toString(),
        next_assessment: va.next_assessment_date.toString(),
        days_overdue: gs.dateDiff(va.next_assessment_date.toString(), new GlideDateTime().toString(), true)
      });
    }

    gs.info('ASSESSMENT GAPS (' + gaps.length + ' vendors):\n' + JSON.stringify(gaps, null, 2));
  description: "TPRM: Identify vendors with overdue or incomplete assessments"

Step 4: Generate Vendor Risk Exposure Summary

Produce aggregate metrics across all vendors and risk tiers.

Using MCP:

Tool: SN-Execute-Background-Script
Parameters:
  script: |
    var summary = {
      generated_date: new GlideDateTime().toString(),
      issue_overview: { total_open: 0, critical: 0, high: 0, medium: 0, low: 0, overdue: 0 },
      by_vendor: {},
      by_category: {},
      remediation_status: { with_plan: 0, without_plan: 0, plan_overdue: 0 },
      assessment_coverage: { total_vendors: 0, assessed_current: 0, assessed_overdue: 0, never_assessed: 0 },
      risk_tier_distribution: {}
    };

    var now = new GlideDateTime();

    // Issue metrics
    var gr = new GlideRecord('sn_tprm_issue');
    gr.addQuery('active', true);
    gr.query();
    while (gr.next()) {
      summary.issue_overview.total_open++;
      var pri = gr.priority.toString();
      if (pri == '1') summary.issue_overview.critical++;
      else if (pri == '2') summary.issue_overview.high++;
      else if (pri == '3') summary.issue_overview.medium++;
      else summary.issue_overview.low++;

      if (gr.due_date.toString() && new GlideDateTime(gr.due_date.toString()).compareTo(now) < 0) {
        summary.issue_overview.overdue++;
      }

      var vendorName = gr.vendor.getDisplayValue() || 'Unknown';
      summary.by_vendor[vendorName] = (summary.by_vendor[vendorName] || 0) + 1;

      var cat = gr.category.getDisplayValue() || 'Uncategorized';
      summary.by_category[cat] = (summary.by_category[cat] || 0) + 1;

      if (gr.remediation_plan.toString()) {
        summary.remediation_status.with_plan++;
        if (gr.due_date.toString() && new GlideDateTime(gr.due_date.toString()).compareTo(now) < 0) {
          summary.remediation_status.plan_overdue++;
        }
      } else {
        summary.remediation_status.without_plan++;
      }
    }

    // Assessment coverage
    var va = new GlideRecord('sn_tprm_vendor_assessment');
    va.query();
    while (va.next()) {
      summary.assessment_coverage.total_vendors++;
      var tier = va.risk_tier.getDisplayValue() || 'Untiered';
      summary.risk_tier_distribution[tier] = (summary.risk_tier_distribution[tier] || 0) + 1;

      if (!va.last_assessment_date.toString()) {
        summary.assessment_coverage.never_assessed++;
      } else if (va.next_assessment_date.toString() && new GlideDateTime(va.next_assessment_date.toString()).compareTo(now) < 0) {
        summary.assessment_coverage.assessed_overdue++;
      } else {
        summary.assessment_coverage.assessed_current++;
      }
    }

    gs.info('TPRM EXECUTIVE SUMMARY:\n' + JSON.stringify(summary, null, 2));
  description: "TPRM: Generate executive risk exposure summary"

Step 5: Analyze Remediation Effectiveness

Evaluate how effectively issues are being remediated across the vendor portfolio.

Using MCP:

Tool: SN-Execute-Background-Script
Parameters:
  script: |
    var remediation = {
      avg_days_to_close: 0,
      closed_on_time: 0,
      closed_late: 0,
      still_open_on_time: 0,
      still_open_overdue: 0,
      top_overdue_vendors: []
    };

    var now = new GlideDateTime();
    var closedDays = [];

    // Closed issues - resolution time
    var closed = new GlideRecord('sn_tprm_issue');
    closed.addQuery('active', false);
    closed.addQuery('closed_at', '>=', gs.daysAgo(180));
    closed.query();
    while (closed.next()) {
      var created = new GlideDateTime(closed.sys_created_on.toString());
      var closedAt = new GlideDateTime(closed.closed_at.toString());
      var days = gs.dateDiff(created.toString(), closedAt.toString(), true);
      closedDays.push(parseInt(days));

      if (closed.due_date.toString() && closedAt.compareTo(new GlideDateTime(closed.due_date.toString())) <= 0) {
        remediation.closed_on_time++;
      } else {
        remediation.closed_late++;
      }
    }

    if (closedDays.length > 0) {
      var total = 0;
      for (var i = 0; i < closedDays.length; i++) total += closedDays[i];
      remediation.avg_days_to_close = Math.round(total / closedDays.length);
    }

    // Open issues - on-time vs overdue
    var vendorOverdue = {};
    var open = new GlideRecord('sn_tprm_issue');
    open.addQuery('active', true);
    open.query();
    while (open.next()) {
      if (open.due_date.toString() && new GlideDateTime(open.due_date.toString()).compareTo(now) < 0) {
        remediation.still_open_overdue++;
        var v = open.vendor.getDisplayValue() || 'Unknown';
        vendorOverdue[v] = (vendorOverdue[v] || 0) + 1;
      } else {
        remediation.still_open_on_time++;
      }
    }

    // Sort vendors by overdue count
    var sorted = Object.keys(vendorOverdue).sort(function(a, b) { return vendorOverdue[b] - vendorOverdue[a]; });
    for (var j = 0; j < Math.min(5, sorted.length); j++) {
      remediation.top_overdue_vendors.push({ vendor: sorted[j], overdue_count: vendorOverdue[sorted[j]] });
    }

    gs.info('REMEDIATION ANALYSIS:\n' + JSON.stringify(remediation, null, 2));
  description: "TPRM: Analyze remediation effectiveness across vendor portfolio"

Step 6: Generate Compliance Impact Narrative

Search for issues with regulatory or compliance implications.

Using MCP:

Tool: SN-Natural-Language-Search
Parameters:
  table_name: sn_tprm_issue
  query: "third-party vendor issues related to data privacy, GDPR, SOC 2, regulatory compliance, or security controls"
  limit: 30

Post the summary as work notes:

Tool: SN-Add-Work-Notes
Parameters:
  table_name: sn_tprm_vendor_assessment
  sys_id: [vendor_assessment_sys_id]
  work_notes: |
    === TPRM ISSUE SUMMARY ===
    Vendor: [vendor_name]
    Report Date: [current_date]
    Risk Tier: [tier]

    OPEN ISSUES: [count] ([critical] critical, [high] high)
    OVERDUE ISSUES: [overdue_count]

    ASSESSMENT STATUS:
    - Last Completed: [date]
    - Next Due: [date]
    - Coverage Gaps: [gap_details]

    COMPLIANCE IMPACT:
    - Regulatory Findings: [count]
    - Affected Frameworks: [SOC 2, GDPR, HIPAA, etc.]
    - Remediation Timeline: [estimated_completion]

    RECOMMENDED ACTIONS:
    1. [action_1]
    2. [action_2]
    3. [action_3]

Tool Usage

Operation	MCP Tool	REST Endpoint
Query TPRM Issues	SN-Query-Table	GET /api/now/table/sn_tprm_issue
Search Issues by Theme	SN-Natural-Language-Search	N/A
Query Assessments	SN-Query-Table	GET /api/now/table/sn_tprm_assessment
Query Vendor Assessments	SN-Query-Table	GET /api/now/table/sn_tprm_vendor_assessment
Aggregate Analysis	SN-Execute-Background-Script	POST /api/now/table/sys_trigger
Schema Discovery	SN-Discover-Table-Schema	GET /api/now/table/sys_dictionary
Post Summary Notes	SN-Add-Work-Notes	PATCH /api/now/table/{table}/{sys_id}

Best Practices

• Risk Tiering: Always segment vendor analysis by risk tier (critical, high, medium, low) to prioritize attention and resources appropriately
• Assessment Currency: Flag any Tier 1 or Tier 2 vendor whose assessment is more than 12 months old as an immediate gap
• Remediation SLAs: Define clear remediation timelines by issue severity: Critical (30 days), High (60 days), Medium (90 days), Low (180 days)
• Trend Analysis: Include quarter-over-quarter trends to show whether the vendor risk posture is improving or degrading
• Concentration Risk: Highlight vendors with disproportionate numbers of open issues, which may indicate systemic risk management failures
• Fourth-Party Awareness: Note any vendor issues that stem from their subcontractors or fourth-party dependencies
• Regulatory Mapping: Map TPRM issues to specific regulatory requirements (OCC, FFIEC, GDPR) for examination readiness

Troubleshooting

Empty Vendor Assessment Records

Symptom: sn_tprm_vendor_assessment returns no results for known vendors Cause: Vendor assessments may use a different relationship model or the vendor record is in core_company but not linked to TPRM Solution:

Tool: SN-Discover-Table-Schema
Parameters:
  table_name: sn_tprm_vendor_assessment

Verify the vendor reference field name. Some configurations use entity or company instead of vendor.

Assessment Score Fields Return Null

Symptom: Assessment scores are empty despite completed assessments Cause: Scoring may be calculated at the questionnaire response level, not stored on the assessment record Solution: Query sn_tprm_assessment with the assessment sys_id to check for child questionnaire records or asmt_metric_result entries that hold the computed scores.

Issue-to-Vendor Linkage Missing

Symptom: Issues show no vendor association in query results Cause: Issues may be linked via the assessment record rather than directly to the vendor Solution: Join through the assessment reference: query the issue's assessment field, then read the assessment record to find its vendor field.

Examples

Example 1: Quarterly Vendor Risk Committee Report

Scenario: VP of Risk needs a portfolio-wide TPRM summary for the quarterly committee meeting.

Tool: SN-Natural-Language-Search
Parameters:
  table_name: sn_tprm_issue
  query: "all open third-party risk issues with critical or high priority updated in the last quarter"
  limit: 50

Generated Summary:

• Total Open Issues: 83 across 34 vendors (down from 91 last quarter)
• Critical/High Priority: 18 issues requiring immediate attention
• Overdue Remediation: 12 issues past due date (14% overdue rate)
• Top Risk Category: Data Security (28 issues, 34%)
• Assessment Coverage: 92% of Tier 1 vendors current; 3 Tier 1 vendors overdue
• Average Remediation Time: 47 days (target: 30 days for critical)
• Recommendation: Escalate 3 Tier 1 vendors with overdue critical findings; initiate reassessment for 5 vendors approaching annual review

Example 2: Vendor-Specific Deep Dive After Incident

Scenario: A critical vendor reported a data breach; need immediate risk exposure summary.

Tool: SN-Query-Table
Parameters:
  table_name: sn_tprm_issue
  query: vendor=[vendor_sys_id]^active=true
  fields: sys_id,number,short_description,state,priority,category,due_date,remediation_plan
  limit: 50

Generated Detail:

• Vendor: DataCorp International (Tier 1 - Critical)
• Open Issues: 7 (2 critical, 3 high, 2 medium)
• Pre-Existing Security Issues: 3 issues related to access controls and encryption
• Last Assessment: 2025-11-15 (Score: 62/100 - Below Acceptable Threshold)
• Overdue Remediations: 2 critical findings past 90-day SLA
• Compliance Impact: SOC 2 Type II gaps; GDPR Article 28 processor requirements unmet
• Recommended Actions: Invoke contractual audit rights; require 30-day remediation plan; evaluate alternative vendors

Related Skills

• grc/issue-summarization - General GRC issue summarization for broader risk context
• grc/risk-assessment-summarization - Deep risk analysis behind vendor risk scores
• grc/regulatory-alert-analysis - Monitor regulatory changes affecting third-party requirements
• grc/control-objective-management - Manage controls mapped to vendor risk areas
• security/audit-compliance - Audit trail and compliance reporting for vendor assessments

References

• ServiceNow TPRM Documentation
• OCC Third-Party Risk Management Guidance
• NIST SP 800-161 Supply Chain Risk Management