Understanding Supplier Criticality: Why Tiering Risk Isn’t Always Simple

The promise of supplier tiering

The promise of supplier tiering is simple: group suppliers into high, medium, and low risk, and then focus your attention where it matters most.

In reality, many organisations discover that supplier tiering is harder than it looks. Different stakeholders disagree on what “critical” means, shadow IT suppliers slip through the net, procurement maintains lists of hundreds or even thousands of suppliers, and static models quickly become outdated.

That’s why we’ve put together a practical guide to tiering your suppliers by risk to help you build a structured, repeatable model. But before diving into how to do tiering, it’s worth understanding why so many companies struggle with it in the first place.

1. Different definitions of “critical”

Ask different stakeholders what makes a supplier “critical”, and you’ll likely get a different answer from each one.

  • Business units think in terms of financial exposure.
  • IT and security teams care about system access and data sensitivity.
  • Compliance focuses on regulatory reporting.
  • Procurement worries about contractual and commercial dependencies.
  • Suppliers themselves don’t understand how critical they are to your organisation.

The result? Inconsistent classification, endless debates, and suppliers slipping through the cracks because no one can agree on the criteria.

2. The shadow IT and hidden supplier problem

Tiering only works if you know who your suppliers are in the first place. But many never make it onto the radar. Teams sign up for SaaS tools on a company card, hire contractors directly, or work with niche providers who never go through a formal onboarding process.

If your supplier inventory is incomplete, your tiering exercise will be fundamentally flawed from the outset.

3. The “one-size-fits-all” trap

As popular as it may be, the classic high/medium/low model oversimplifies risk. Risk is multi-dimensional, and its dimensions include:

  • Data sensitivity
  • System integration
  • Operational reliance
  • Regulatory exposure
  • Financial impact
  • Reputation and competitiveness

Trying to flatten all of that into a single tier often creates more confusion than clarity. A supplier might score “medium” overall but still represent high risk in one particular dimension, and that dimension could be the one that matters most to your business.
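To make the flattening problem concrete, here is an added example (not from the original article) that scores a supplier on the six dimensions above. The 0-10 scale, the weights and the tier thresholds are assumptions for illustration; the point is that a weighted average can report “medium” while a per-dimension check escalates the same supplier to “high” and names the dimension that drove it.

```python
"""Weighted-average tiering versus per-dimension escalation.

Weights, thresholds and the sample supplier are constructed for this example
and are not a model from the original article.
"""

# The six dimensions named in the article; assumed weights sum to 1.0.
WEIGHTS = {
    "data_sensitivity": 0.25,
    "system_integration": 0.20,
    "operational_reliance": 0.20,
    "regulatory_exposure": 0.15,
    "financial_impact": 0.10,
    "reputation": 0.10,
}
HIGH_THRESHOLD = 7.0    # assumed: a score of 7-10 is "high"
MEDIUM_THRESHOLD = 4.0  # assumed: 4-6.99 is "medium", below 4 is "low"


def validate(scores: dict[str, float]) -> None:
    """Refuse incomplete or out-of-range input rather than silently averaging it."""
    missing = set(WEIGHTS) - set(scores)
    if missing:
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    bad = {d: v for d, v in scores.items() if not 0 <= v <= 10}
    if bad:
        raise ValueError(f"scores must be 0-10: {bad}")


def tier_for(score: float) -> str:
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def flat_tier(scores: dict[str, float]) -> str:
    """The one-size-fits-all approach: a single tier from the weighted average."""
    validate(scores)
    return tier_for(sum(WEIGHTS[d] * scores[d] for d in WEIGHTS))


def dimensional_tier(scores: dict[str, float]) -> tuple[str, list[str]]:
    """Escalate to the worst single dimension and report which ones triggered it."""
    validate(scores)
    drivers = sorted(d for d in WEIGHTS if scores[d] >= HIGH_THRESHOLD)
    return ("high" if drivers else flat_tier(scores)), drivers


# Constructed sample: a payroll SaaS holding highly sensitive data but scoring
# low on every other dimension. Weighted average = 5.15 -> "medium".
PAYROLL_SAAS = {
    "data_sensitivity": 10, "system_integration": 3, "operational_reliance": 4,
    "regulatory_exposure": 5, "financial_impact": 2, "reputation": 3,
}
```

Running `flat_tier(PAYROLL_SAAS)` yields "medium", while `dimensional_tier(PAYROLL_SAAS)` yields ("high", ["data_sensitivity"]), which is the information a reviewer actually needs.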

4. The dynamic nature of risk

Supplier risk isn’t fixed. A partner you viewed as low risk yesterday can become high risk overnight if, for example:

  • They get acquired by a company with weaker security practices
  • They suffer a breach that exposes your data
  • Your own business starts using them in a more critical way
  • They are early adopters of emerging technologies; for example, they may be using your data to train AI models

Traditional tiering models, which are often reviewed only annually or less frequently, don’t adapt quickly enough to keep pace.

Understanding a supplier’s criticality isn’t just for prioritisation; it also informs how your Security Operations Centre (SOC) responds to threats. When an incident or vulnerability emerges, knowing which vendors are most critical helps your SOC triage faster, contain risk more effectively, and focus remediation efforts where they’ll have the greatest business impact.

For more information on how a Managed SOC can enhance threat detection, improve compliance and reduce costs, check our Complete Guide to SOC Outsourcing.

5. Resource allocation vs. reality

In theory, tiering helps you prioritise resources: spend more time on the high-risk suppliers, and less on the low-risk ones.

In practice, it doesn’t always work like that. Many organisations end up with hundreds of “critical” suppliers on their list, far more than they realistically have the capacity to review. The result is either surface-level assessments that don’t go deep enough, or bottlenecks that slow down the process.

Critical suppliers may also lack the resources to adequately respond to risk assessment questionnaires, or flat out refuse to participate unless remunerated to do so. These factors should also be considered in the overall risk assessment when dealing with that particular supplier, potentially moving them out of the strategic supplier mix.

From tiering to continuous, evidence-based risk management

Supplier tiering is still a critical exercise, but only if it’s done in a structured, repeatable way, and is supported by continuous, evidence-based monitoring.

Without that, tiers risk becoming little more than labels in a spreadsheet. With it, they can guide smarter resource allocation, reduce blind spots, and strengthen your overall third-party risk management programme.

Download our step-by-step guide, How to Tier Your Suppliers by Risk, to see exactly how to build scoring, weighting, and tiering models you can adapt to your business.

If you’d like to explore more on this topic, start with our blog What is Third Party Risk Management?
