All vendors can expose your organization to third-party risk, but those risks aren’t necessarily created equally. It’s important to determine which risks can have the most impact on your organization and customers, so you can apply the appropriate level of oversight to those vendor relationships.
This can be achieved through a process known as vendor tiering. This blog will give you an introduction to the vendor tiering process and some tips to develop a strategy to implement it within your own vendor risk management (VRM) program.
What Is Vendor Tiering?
Vendor tiering is a strategic process that categorizes your vendors based on the types of third-party risk that are most significant to your organization. This process can bring more efficiency to your vendor risk management program by identifying the vendors that require the most oversight. Although every organization will have its own risk appetite, certain risks like cybersecurity, business continuity, and compliance are typically considered the most impactful because they can result in material losses for your organization or customers.
The vendor tiering structure is typically equivalent to the following risk ratings:
- Tier one = critical or high risk
- Tier two = non-critical and moderate risk
- Tier three = non-critical and low risk
However, beyond the risks identified in the initial inherent risk review, other factors may influence how a vendor is tiered or re-tiered over time. For example, a tier two vendor may be re-tiered to tier one if their scope of work changes and they start accessing, processing, transmitting, or storing personally identifiable information (PII). Other examples include if regulatory changes occur, requiring more oversight of a vendor’s products or services, or if dependencies on their products or services increase internally. Other factors, such as a decline in performance or a cyber event, could result in the vendor being moved to a higher tier to ensure increased monitoring, testing, or the application of other risk management controls.
You may also have specific requirements for tiering regardless of risk rating. For example, you may determine that any offshore vendor is automatically tier one, regardless of the product or service they provide. It’s also crucial to consider vendor tiering for categorizing relationships with fourth- and nth-party vendors, which are your vendor's vendors. Fourth parties that provide essential products and services to your direct third party should be closely monitored and managed by the third party.
How to Develop a Vendor Tiering Process
Before you begin the vendor tiering process, it’s important to develop an effective strategy to ensure you’ll produce consistent and accurate results.
Here are some tips to consider for vendor tiering:
- Define the criteria for each tier – These criteria will be different for each organization, depending on factors such as your risk appetite, strategic goals, regulatory requirements, and more. Criteria should be clearly defined to avoid any confusion or misinterpretation among stakeholders, and should spell out what actions or controls are necessary to monitor, mitigate, and manage risks at each tier level.
Example: Let's say your organization defines tier one vendors as those that store customers' PII, interact directly with customers, or are classified as critical to your operations. Under that definition, risk and performance metrics are required for all tier one vendors, required only for tier two vendors providing specific products and services, and not required for tier three vendors.
- Consider the weight of each risk – Vendor tiering can be more effective when you add weight or importance to risk categories. For example, cybersecurity risk can carry different weight depending on the vendor's access to PII: a vendor that stores PII would be more impactful than a vendor that has only limited access to PII through your network. The following factors can help determine weight:
- Occurrence – How frequently can this risk occur?
- Likelihood – What is the probability that this risk will occur?
- Severity – How much time and money are needed to resume normal operations after this risk occurs?
- Impact – Who and what will be impacted by this risk?
- Determine the criticality classification – Your organization should have a consistent, repeatable process for determining whether a vendor is critical to your operations.
Criticality refers to the business impact of a vendor’s failure and can be determined by answering “yes” to one or more of these questions:
- Would a sudden loss of the vendor significantly disrupt your organization?
- Would that disruption impact your customers?
- Would your organization or customers be impacted if the vendor’s service were interrupted for more than 24 hours?
- Is the vendor instrumental to your organization’s regulatory compliance?
- Have significant resources (time, money, people, etc.) been invested in the vendor relationship, limiting your ability to easily switch to another vendor?
- Is the vendor a single point of failure (SPOF) because there are no other vendors providing the specific product or service in the marketplace?
- Document the process and decisions – Make sure to formally document the vendor tiering process according to your organization’s procedures, which may include review and approval from the board of directors and senior management.
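As an added worked example (not code from the original post), here is a Python sketch of the tiering rules described above: absolute tier-one criteria (PII, direct customer contact, criticality, an offshore override), weighted factor scores per risk category, and re-tiering when a vendor's scope changes. The weights, thresholds, and sample vendors are assumed values for illustration; each organization sets its own.

```python
from dataclasses import dataclass, field

# Factor weights and tier thresholds are assumed illustrative values; each
# organization sets its own. Factors are scored 1 (low) to 5 (high).
FACTOR_WEIGHTS = {"occurrence": 1.0, "likelihood": 1.5, "severity": 2.0, "impact": 2.5}
HIGH_THRESHOLD, MODERATE_THRESHOLD = 25.0, 15.0  # max possible category score is 35.0
# The criticality questions from the post; "yes" to any one makes the vendor critical.
CRITICALITY_QUESTIONS = ("sudden_loss_disrupts", "customers_impacted", "outage_over_24h_hurts",
                         "needed_for_compliance", "hard_to_replace", "single_point_of_failure")

@dataclass
class Vendor:
    name: str
    stores_pii: bool = False        # accesses, processes, transmits or stores PII
    customer_facing: bool = False   # interacts directly with customers
    offshore: bool = False          # policy override: offshore vendors are tier one
    risk_factors: dict = field(default_factory=dict)  # category -> {factor: 1..5}
    criticality: dict = field(default_factory=dict)   # question -> True/False

def is_critical(v: Vendor) -> bool:
    return any(v.criticality.get(q, False) for q in CRITICALITY_QUESTIONS)

def category_score(factors: dict) -> float:
    return sum(factors[name] * weight for name, weight in FACTOR_WEIGHTS.items())

def assign_tier(v: Vendor) -> int:
    # Absolute criteria first: critical, PII-handling, customer-facing or offshore
    # vendors are tier one regardless of their weighted scores.
    if is_critical(v) or v.stores_pii or v.customer_facing or v.offshore:
        return 1
    worst = max((category_score(f) for f in v.risk_factors.values()), default=0.0)
    return 1 if worst >= HIGH_THRESHOLD else 2 if worst >= MODERATE_THRESHOLD else 3

def retier(v: Vendor, **scope_change) -> tuple:
    # Re-run tiering after a scope change, e.g. the vendor starts storing PII.
    before = assign_tier(v)
    for attr, value in scope_change.items():
        setattr(v, attr, value)
    return before, assign_tier(v)

def factors(occurrence: int, likelihood: int, severity: int, impact: int) -> dict:
    return {"occurrence": occurrence, "likelihood": likelihood, "severity": severity, "impact": impact}

def sample_vendors() -> dict:
    # Constructed sample data, not real vendors.
    return {
        "payroll": Vendor("payroll", stores_pii=True),
        "mainframe": Vendor("mainframe", criticality={"single_point_of_failure": True},
                            risk_factors={"operational": factors(1, 1, 2, 2)}),
        "analytics": Vendor("analytics", risk_factors={"cybersecurity": factors(2, 2, 3, 3)}),
        "supplies": Vendor("supplies", risk_factors={"operational": factors(1, 1, 2, 1)}),
    }
```

Note that the mainframe vendor's weighted score alone would place it in tier three; the single-point-of-failure answer is what lifts it to tier one, which is the point of checking criticality before scores.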
3 Essential Vendor Tiering Elements
The vendor tiering process is closely aligned with the initial steps of the risk assessment process in which you identify and quantify the diverse types of third-party risk. The following elements can be used for vendor tiering and help identify your organization’s most significant vendor relationships:
- Inherent risk assessment – The vendor owner should complete the inherent risk assessment for each product or service the vendor is providing. This assessment usually involves a questionnaire that addresses key risk areas, such as strategic, reputation, operational, transactional, compliance, financial, and information security.
- Subject matter expert (SME) reviews – In the due diligence process, SMEs review a vendor's risk questionnaire and due diligence documentation to assess the vendor's risk management practices and controls. They identify any gaps or weaknesses and provide a qualified opinion on the sufficiency of the vendor's controls. The findings of the SME's review should be taken into consideration when assigning a tier to a vendor.
- Periodic evaluations – Although vendor tiering should be done at the beginning of the relationship, this isn’t a one-time activity. A vendor’s risk and performance can change from new regulatory requirements, cybersecurity incidents, decreasing financial performance, and more. It’s essential to perform periodic evaluations or audits to ensure the vendor is still categorized at the correct tier. Beyond regular evaluations, vendor tiering may be changed at any time your organization deems it necessary to sufficiently manage the risks.
The implementation of a vendor tiering system presents numerous advantages for an organization. Firstly, it enables more effective vendor relationship management by categorizing vendors based on performance, capabilities, and strategic importance, leading to better allocation of resources and attention to key vendors. Additionally, it fosters improved risk management and compliance by ensuring vendors adhere to specific standards based on their tier, thereby minimizing potential disruptions and ensuring consistent quality. Overall, a well-structured vendor tiering system can significantly enhance vendor management and make a positive impact on the organization's bottom line.