A Few Stats

  • A study by Shared Assessments (2022) found that 45% of organizations categorize their vendors into 3 or more risk tiers (e.g., High, Medium, Low).
  • The same Shared Assessments study (2022) showed that 67% of organizations use continuous monitoring for their high-risk vendors. This trend is growing due to the dynamic nature of vendor risks, particularly in industries like finance, healthcare, and technology.
  • Risk-based tiering helps companies focus their resources effectively. According to a KPMG survey (2021), 68% of organizations reported improved efficiency in vendor management by implementing a risk-tiering approach.
  • Organizations that use vendor tiering have reported a 30% reduction in costs associated with vendor management, as they focus reviews on higher-risk vendors and reduce the frequency of low-risk vendor reviews.
  • Key Drivers for Vendor Tiering
    • According to PwC (2022), the top drivers for vendor risk tiering include:
      • Regulatory Compliance: 72% of organizations cite compliance requirements as the main reason for implementing risk-tiering systems.
      • Data Security: 63% of companies rank data privacy and security risks as primary factors in their vendor tiering process.

In a Third Party Risk Management (TPRM) program, Vendor Risk Tiering is a key component of managing and categorizing third-party vendors based on the level of risk they pose to the organization. This process typically happens towards the end of the TPRM assessment, after completing the inherent risk assessment and evaluating any identified issues related to the vendor. Here’s a more detailed breakdown:

  1. Inherent Risk Rating

This is the initial risk assigned to a vendor based on their potential impact on the organization, considering factors like:

  • Nature of the Services Provided: Criticality of the services (e.g., access to sensitive data, regulatory involvement).
  • Data Sensitivity: How much and what type of sensitive data the vendor has access to.
  • Business Continuity: How important the vendor is to the core operations of the business.

Vendors are usually categorized into High, Medium, or Low inherent risk categories based on these factors.

  2. Issue Rating

Once inherent risk is determined, any specific issues discovered during the due diligence process are assessed. These issues could relate to:

  • Compliance Gaps: Regulatory non-compliance or missing certifications (e.g., GDPR, SOC 2).
  • Security Concerns: Weak cybersecurity controls or past security breaches.
  • Financial Instability: Potential risk of vendor insolvency or financial instability.

These issues are also rated as High, Medium, or Low, depending on their severity.

  3. Final Vendor Rating (Risk Tiering)

The final vendor rating is determined by combining the Inherent Risk Rating with the Issue Rating. This matrix-based approach provides a more nuanced understanding of a vendor’s risk profile. The possible outcomes are:

  • High Risk Vendors: A vendor rated High in both inherent risk and issues would be classified as a High Risk Vendor. They require the most stringent ongoing monitoring and regular reassessment, typically every year.
  • Medium Risk Vendors: If a vendor has a Medium inherent risk and some issues rated as Medium, they may be considered a Medium Risk Vendor, which may warrant a review every 2 years.
  • Low Risk Vendors: Vendors with Low inherent risk and few or no major issues might be categorized as Low Risk Vendors and are reviewed less frequently (e.g., once every 3 years or as policy dictates).

Review Cycle Based on Vendor Rating

The final vendor risk tiering determines how often a vendor needs to be reassessed. Here’s an example of how the review cycle is structured:

  • High Risk Vendor: Reviewed annually. These vendors are critical to the organization’s operations and pose significant risks.
  • Medium Risk Vendor: Reviewed once every 2 years. These vendors pose moderate risks but still need consistent monitoring.
  • Low Risk Vendor: Reviewed every 3 to 4 years or as determined by the organization’s policy. These vendors pose minimal risk, so reassessments are less frequent.
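As an added illustration (not code from the original page), the following Python model encodes the three-step tiering procedure and review cycle described above. The combination rule (final tier = the higher of inherent risk and issue rating), the fixed 3-year cadence for Low-tier vendors and the sample vendors are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date

# Ordinal scale shared by the inherent risk rating and the issue rating.
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2}
# Review cadence in years per final tier. High=1 and Medium=2 follow the text;
# Low=3 is the lower bound of its "3 to 4 years" range, assumed here as policy.
REVIEW_CADENCE_YEARS = {"High": 1, "Medium": 2, "Low": 3}

@dataclass(frozen=True)
class VendorAssessment:
    name: str
    inherent_risk: str   # "High" / "Medium" / "Low"
    issue_rating: str    # severity of the worst due-diligence issue, same scale
    last_reviewed: date

def final_tier(inherent_risk: str, issue_rating: str) -> str:
    """Higher of the two ratings (assumed combination rule: a serious issue can
    escalate a low-inherent-risk vendor but never downgrade a high one). This
    reproduces the page's three stated outcomes; the other cells are assumed."""
    for r in (inherent_risk, issue_rating):
        if r not in RATING_ORDER:
            raise ValueError(f"unknown rating {r!r}; expected one of {sorted(RATING_ORDER)}")
    return max(inherent_risk, issue_rating, key=RATING_ORDER.__getitem__)

def next_review_due(a: VendorAssessment) -> date:
    """Date the next reassessment falls due under the tier's cadence."""
    years = REVIEW_CADENCE_YEARS[final_tier(a.inherent_risk, a.issue_rating)]
    try:
        return a.last_reviewed.replace(year=a.last_reviewed.year + years)
    except ValueError:  # 29 February with no leap day in the target year
        return a.last_reviewed.replace(year=a.last_reviewed.year + years, day=28)

def review_schedule(assessments, today: date):
    """(name, tier, due date, overdue?) per vendor, most urgent first."""
    rows = []
    for a in assessments:
        due = next_review_due(a)
        rows.append((a.name, final_tier(a.inherent_risk, a.issue_rating), due, due <= today))
    return sorted(rows, key=lambda r: r[2])

# Constructed sample vendors (not from the page).
SAMPLE_VENDORS = [
    VendorAssessment("payroll-saas", "High", "High", date(2024, 2, 29)),
    VendorAssessment("office-catering", "Low", "Low", date(2023, 6, 1)),
    VendorAssessment("marketing-analytics", "Low", "High", date(2024, 1, 15)),
]
```

Running `review_schedule(SAMPLE_VENDORS, today)` lists overdue vendors first, so a single open High-severity issue on an otherwise low-risk vendor pulls it into the annual cycle.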

Risk Mitigation and Monitoring

For vendors with higher risk ratings, organizations often engage in continuous monitoring. This includes:

  • Regularly reviewing the vendor’s financial health, compliance updates, and security posture.
  • Implementing mitigation measures, such as additional contractual clauses, enhanced security controls, or even vendor replacement if necessary.

By using this tiering system, organizations can allocate resources efficiently, focusing more on high-risk vendors and maintaining a lighter touch with low-risk ones. This risk-based approach ensures that the organization can manage third-party risks proactively while maintaining regulatory compliance and protecting sensitive information.