THE CASE FOR A SUPPLIER RISK TIERING MODEL

Many organisations rely on outsourcing arrangements in which their data is processed by suppliers in onshore, offshore and nearshore locations. While the majority of suppliers will manage and protect an organisation's critical information effectively, others may be less adept and pose a significant risk.

To identify and prioritise the level of risk posed by their suppliers, one option is for organisations to implement a supplier risk tiering model (a fundamental component of any third party risk management (TPRM) programme), which ranks each supplier from critical (tier 1) to low (tier 4).

By risk ranking their suppliers, ideally through a supplier risk tiering model, organisations can evaluate each supplier's business criticality and risk exposure on a consistent basis, and concentrate due diligence and monitoring effort on the suppliers that warrant it.

Designing a supplier risk tiering model

A supplier risk tiering model should be simple and practical, underpinned by 'key risk components' that capture whether a supplier: (i) collects, stores, processes or maintains sensitive data, including protected health information (PHI) and personally identifiable information (PII); (ii) strategically supports critical functions, such as call centres; and (iii) relies on critical fourth parties (the supplier's own subcontractors) to deliver the service.

Throughout the design phase, it is important to pressure test the model to ensure it is appropriate and relevant to the organisation's risk appetite: for example, by running the existing supplier population through it and checking that the resulting tier distribution is both defensible and manageable. Stakeholders from cyber security, legal, operations, audit and enterprise risk management should be engaged to provide feedback on issues in their areas, and an exploration of the supplier risk ranking methods used by industry peers and related organisations could prove beneficial.
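As an added illustration, not taken from the article or from The Edmund Group, the Python below sketches a tiering model built on the three key risk components above and a simple pressure test of its output. The weights, thresholds, 'floor' rules (any supplier handling PHI or supporting a critical function lands no lower than tier 2) and the sample supplier profiles are all assumptions constructed for this example; a real programme would calibrate them to its own risk appetite.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SupplierProfile:
    """Inputs the tiering model needs for one supplier (hypothetical schema)."""
    name: str
    handles_phi: bool                 # component (i): protected health information
    handles_pii: bool                 # component (i): personal data of any kind
    record_volume: int                # component (i): approximate data subjects held
    supports_critical_function: bool  # component (ii): e.g. an outsourced call centre
    critical_fourth_parties: int      # component (iii): critical subcontractors relied on


# Assumed scoring weights and tier thresholds (illustrative, not from the article).
TIER_THRESHOLDS = [(70, 1), (45, 2), (20, 3)]  # score >= cutoff -> tier; else tier 4


def risk_score(p: SupplierProfile) -> int:
    """Weighted score across the three key risk components."""
    score = 0
    if p.handles_phi:
        score += 40           # PHI outweighs other personal data
    elif p.handles_pii:
        score += 25
    if p.record_volume >= 100_000:
        score += 15           # breach impact scales with volume
    elif p.record_volume >= 1_000:
        score += 5
    if p.supports_critical_function:
        score += 30
    score += min(p.critical_fourth_parties, 3) * 5   # cap so this cannot dominate
    return score


def assign_tier(p: SupplierProfile) -> int:
    """Map the score to tier 1 (critical) .. 4 (low), then apply floor rules."""
    score = risk_score(p)
    tier = 4
    for cutoff, candidate in TIER_THRESHOLDS:
        if score >= cutoff:
            tier = candidate
            break
    # Floor rules (assumed): a small PHI processor or a critical-function supplier
    # must never be tiered as 'low' purely because its volume score is small.
    if (p.handles_phi or p.supports_critical_function) and tier > 2:
        tier = 2
    return tier


def tier_distribution(profiles: list[SupplierProfile]) -> dict[int, int]:
    """How many suppliers fall into each tier; used to pressure test the model."""
    return dict(Counter(assign_tier(p) for p in profiles))


def pressure_test(profiles: list[SupplierProfile], max_tier1_share: float = 0.15) -> list[str]:
    """Return findings that suggest the model does not fit the risk appetite.

    Too large a tier 1 population means enhanced due diligence is spread too
    thin; a PHI processor or critical-function supplier in tier 3 or 4 means
    the floor rules are not doing their job.
    """
    findings = []
    dist = tier_distribution(profiles)
    share = dist.get(1, 0) / len(profiles) if profiles else 0.0
    if share > max_tier1_share:
        findings.append(f"tier 1 share {share:.0%} exceeds appetite of {max_tier1_share:.0%}")
    for p in profiles:
        if (p.handles_phi or p.supports_critical_function) and assign_tier(p) > 2:
            findings.append(f"{p.name}: PHI/critical supplier tiered below 2")
    return findings


# Constructed sample supplier population (not real organisations).
SAMPLE_SUPPLIERS = [
    SupplierProfile("claims-processor", True, True, 500_000, True, 2),
    SupplierProfile("call-centre", False, True, 50_000, True, 1),
    SupplierProfile("payroll-bureau", False, True, 2_000, False, 0),
    SupplierProfile("stationery", False, False, 0, False, 0),
    SupplierProfile("nurse-line", True, True, 300, False, 0),   # small but handles PHI
]

if __name__ == "__main__":
    for s in SAMPLE_SUPPLIERS:
        print(f"{s.name:18} score={risk_score(s):3}  tier={assign_tier(s)}")
    print("distribution:", tier_distribution(SAMPLE_SUPPLIERS))
    print("findings:", pressure_test(SAMPLE_SUPPLIERS))
```

The `nurse-line` profile shows why a floor rule belongs in the model: on volume alone it scores as tier 3, but it processes PHI and is lifted to tier 2. The pressure test then reports that one supplier in five sitting in tier 1 (20%) breaches the assumed 15% appetite, which is exactly the kind of result stakeholders should debate before the model is adopted.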

Jan-Mar 2026 Issue

The Edmund Group