
What Is Vendor Tiering?


All vendors can expose your organization to third-party risk, but those risks aren’t necessarily created equally. It’s important to determine which risks can have the most impact on your organization and customers, so you can apply the appropriate level of oversight to those vendor relationships.

This can be achieved through a process known as vendor tiering. This blog will give you an introduction to the vendor tiering process and some tips to develop a strategy to implement it within your own vendor risk management (VRM) program.

What Is Vendor Tiering? 

Vendor tiering is a strategic process that categorizes your vendors based on the types of third-party risk that are most significant to your organization. This process can bring more efficiency to your vendor risk management program by identifying the vendors that require the most oversight. Although every organization will have its own risk appetite, certain risks like cybersecurity, business continuity, and compliance are typically considered the most impactful because they can result in material losses for your organization or customers. 

The vendor tiering structure is typically equivalent to the following risk ratings:

  • Tier one = critical or high risk
  • Tier two = non-critical and moderate risk
  • Tier three = non-critical and low risk

However, beyond the risks identified in the initial inherent risk review, other factors may change how a vendor is tiered over time. For example, a tier two vendor may be re-tiered to tier one if its scope of work changes and it starts accessing, processing, transmitting, or storing personally identifiable information (PII). Regulatory changes that require more oversight of a vendor's products or services, or growing internal dependence on those products or services, can have the same effect. A decline in performance or a cyber event at the vendor could also justify moving it to a higher tier so that it receives increased monitoring, testing, or other risk management controls. 

You may also have specific requirements for tiering regardless of risk rating. For example, you may determine that any offshore vendor is automatically tier one, regardless of the product or service it provides. It's also crucial to consider vendor tiering when categorizing relationships with fourth- and nth-party vendors, which are your vendor's vendors. Fourth parties that provide essential products and services to your direct third party should be closely monitored and managed by that third party, and your due diligence on the third party should confirm that it actually does so. 

How to Develop a Vendor Tiering Process 

Before you begin the vendor tiering process, it’s important to develop an effective strategy to ensure you’ll produce consistent and accurate results. 

Here are some tips to consider for vendor tiering: 

  • Define the criteria for each tier – These criteria will be different for each organization, depending on factors such as your risk appetite, strategic goals, regulatory requirements, and more. Criteria should be clearly defined to avoid any confusion or misinterpretation among stakeholders. It should consider what actions or controls are necessary to monitor, mitigate, and manage risks at each tier level. 

    Example: Suppose your organization defines tier one vendors as those that store customers' PII, interact directly with customers, or are classified as critical to your operations. Your criteria might then require risk and performance metrics for all tier one vendors, for tier two vendors only where they provide specific products or services, and not at all for tier three vendors.
  • Consider the weight of each risk – Vendor tiering is more effective when you assign a weight, or relative importance, to each risk category. For example, cybersecurity risk can carry different weight depending on the vendor's access to PII: a vendor that stores PII is more impactful than one that has only limited access to PII through your network. The following factors can help determine weight:
    • Occurrence – How often has this risk materialized, with this vendor or across the industry?
    • Likelihood – How probable is it that this risk materializes during the relationship?
    • Severity – How much time and money would it take to resume normal operations after this risk occurs?
    • Impact – Who and what would be affected by this risk? 
  • Determine the criticality classification – Your organization should have a consistent, repeatable process for determining whether a vendor is critical to your operations. 

    Criticality refers to the business impact of a vendor’s failure and can be determined by answering “yes” to one or more of these questions:
    • Would a sudden loss of the vendor significantly disrupt your organization?
    • Would that disruption impact your customers?
    • Would your organization or customers be impacted if the vendor’s service were interrupted for more than 24 hours?
    Your organization may develop its own additional criteria to consider when determining criticality, such as:
    • Is the vendor instrumental to your organization’s regulatory compliance?
    • Have significant resources (time, money, people, etc.) been invested in the vendor relationship, limiting your ability to easily switch to another vendor?
    • Is the vendor a single point of failure (SPOF) because there are no other vendors providing the specific product or service in the marketplace?
  • Document the process and decisions – Make sure to formally document the vendor tiering process according to your organization’s procedures, which may include review and approval from the board of directors and senior management. 


3 Essential Vendor Tiering Elements  

The vendor tiering process is closely aligned with the initial steps of the risk assessment process in which you identify and quantify the diverse types of third-party risk. The following elements can be used for vendor tiering and help identify your organization’s most significant vendor relationships:

  • Inherent risk assessment – The vendor owner should complete the inherent risk assessment for each product or service the vendor is providing. This assessment usually involves a questionnaire that addresses key risk areas, such as strategic, reputation, operational, transactional, compliance, financial, and information security.
  • Subject matter expert (SME) reviews – In the due diligence process, SMEs review a vendor's risk questionnaire and due diligence documentation to assess the vendor's risk management practices and controls. They identify any gaps or weaknesses and provide a qualified opinion on the sufficiency of the vendor's controls. The findings of the SME's review should be taken into consideration when assigning a tier to a vendor. 
  • Periodic evaluations – Although vendor tiering should be done at the start of the relationship, it isn't a one-time activity. A vendor's risk and performance can change because of new regulatory requirements, cybersecurity incidents, declining financial performance, and more. It's essential to perform periodic evaluations or audits to confirm the vendor is still in the correct tier. Beyond regular evaluations, a vendor's tier may be changed at any time your organization deems it necessary to manage the risks sufficiently.
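
The process above can be expressed as code: a weighted inherent risk score over the questionnaire categories, a criticality check, override rules that apply regardless of score, and a re-tiering step for the scope changes and periodic evaluations described earlier. The following is an added illustration, not Venminder's tooling; the category weights, the PII multipliers, the 1-5 scales, the tier thresholds and the sample vendors are hypothetical values chosen for the example, and every program would set its own.

```python
"""Worked vendor-tiering example: weighted inherent risk, criticality checks,
override rules and re-tiering after a scope change.

Added illustration, not Venminder's tooling. Weights, PII multipliers,
scales, thresholds and sample vendors are hypothetical.
"""
from dataclasses import dataclass, replace

# Inherent-risk categories named in the article; the weights are hypothetical.
WEIGHTS = {
    "information_security": 3.0,
    "compliance": 2.0,
    "operational": 2.0,
    "financial": 1.0,
    "reputation": 1.0,
    "strategic": 1.0,
    "transactional": 1.0,
}
# A vendor that stores PII is weighted more heavily than one with limited access.
PII_MULTIPLIER = {"none": 1.0, "limited_access": 1.5, "stores": 2.0}
# Hypothetical thresholds on a 0-100 normalised score.
TIER_ONE_MIN, TIER_TWO_MIN = 50.0, 20.0


@dataclass
class Vendor:
    name: str
    likelihood: dict                    # per category, 1 (rare) .. 5 (frequent)
    impact: dict                        # per category, 1 (negligible) .. 5 (severe)
    pii_handling: str = "none"          # "none" | "limited_access" | "stores"
    customer_facing: bool = False
    offshore: bool = False
    # Criticality questionnaire: any "yes" makes the vendor critical.
    loss_disrupts_operations: bool = False
    disruption_reaches_customers: bool = False
    outage_over_24h_impacts: bool = False
    needed_for_regulatory_compliance: bool = False
    single_point_of_failure: bool = False


def weighted_risk_score(v):
    """Sum of weight x likelihood x impact over categories, normalised to 0-100."""
    total = max_total = 0.0
    for category, weight in WEIGHTS.items():
        if category == "information_security":
            weight *= PII_MULTIPLIER[v.pii_handling]
        total += weight * v.likelihood.get(category, 1) * v.impact.get(category, 1)
        max_total += weight * 5 * 5          # both scales top out at 5
    return round(100.0 * total / max_total, 1)


def is_critical(v):
    """Criticality: a 'yes' to any of the business-impact questions."""
    return any((v.loss_disrupts_operations, v.disruption_reaches_customers,
                v.outage_over_24h_impacts, v.needed_for_regulatory_compliance,
                v.single_point_of_failure))


def assign_tier(v):
    """Return (tier, reason). Override rules are evaluated before the score."""
    if v.offshore:
        return 1, "policy override: offshore vendor"
    if is_critical(v):
        return 1, "critical to operations"
    if v.pii_handling == "stores" or v.customer_facing:
        return 1, "stores customer PII or interacts directly with customers"
    score = weighted_risk_score(v)
    reason = f"weighted inherent risk score {score}"
    if score >= TIER_ONE_MIN:
        return 1, reason
    if score >= TIER_TWO_MIN:
        return 2, reason
    return 3, reason


def retier(v, **changes):
    """Apply a scope or risk change (periodic review or event) and re-run tiering."""
    before, _ = assign_tier(v)
    updated = replace(v, **changes)
    after, reason = assign_tier(updated)
    return updated, before, after, reason


# Constructed sample vendors (not real data).
PLANT_SERVICE = Vendor("Office plant service",
                       likelihood={c: 1 for c in WEIGHTS},
                       impact={c: 1 for c in WEIGHTS})
ANALYTICS = Vendor("Marketing analytics SaaS",
                   likelihood={"information_security": 3, "compliance": 2,
                               "operational": 2, "reputation": 2},
                   impact={"information_security": 3, "compliance": 3,
                           "operational": 2, "reputation": 2},
                   pii_handling="limited_access")
CORE_PLATFORM = Vendor("Core transaction processor",
                       likelihood={"operational": 2}, impact={"operational": 5},
                       outage_over_24h_impacts=True, single_point_of_failure=True)

if __name__ == "__main__":
    for v in (PLANT_SERVICE, ANALYTICS, CORE_PLATFORM):
        print(v.name, assign_tier(v))
    # Scope change: the analytics vendor begins storing PII and moves to tier one.
    _, was, now, why = retier(ANALYTICS, pii_handling="stores")
    print(f"{ANALYTICS.name}: tier {was} -> tier {now} ({why})")
```

The order of checks matters: the override rules and the criticality questions run before the weighted score, so a critical or offshore vendor lands in tier one even if its questionnaire score is low. The reason string returned with each tier is what you would record to satisfy the documentation step.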

A vendor tiering system benefits an organization in several ways. It focuses vendor relationship management by ranking vendors according to their risk and strategic importance, so resources and attention go to the relationships that matter most. It also improves risk management and compliance by holding vendors to oversight standards that match their tier, which reduces the chance of disruption and keeps quality consistent. A well-structured tiering system therefore strengthens vendor management overall and can have a positive effect on the organization's bottom line.
