20 May
Not all vendors pose the same level of risk. Treating them as if they do is one of the fastest ways to overload your vendor risk management process.
That’s why most organizations use a tiering system usually with three vendor levels: Low, Medium, and High.
This post is about making vendor tiering meaningful, so that each tier reflects the vendor’s real exposure and operational importance.
Focus on What Matters: Access and Dependency
Tiering is only helpful if it’s grounded in something real. Rather than relying on gut instinct or vendor type, most meaningful tiering decisions come down to two things: what the vendor can influence, and how much your business depends on them.
That’s why one of the ways to tier vendors is to use the lens of Access and Dependency , another popular framework is to use Vendor risk for vendor tiering.
Access: What Can the Vendor Influence or Intereact With?
Access is about understanding what the vendor can see, modify, or interact with inside your environment. That includes not just system permissions, but any exposure to your assets—whether those are data sets, infrastructure, applications, or business-critical processes.
To assess access, consider:
- Which assets does the vendor interact with—directly or indirectly?
- What kind of access do they have: read, write, administrative, or support-level?
- Is their access persistent, limited, or triggered only under specific conditions?
This applies whether you’re dealing with a vendor who hosts your infrastructure, provides consulting services, or plugs into internal workflows via an integration.
You can use the CIA triad as a quick lens:
- Confidentiality – Do they have access to sensitive or regulated information?
- Integrity – Can they affect the reliability or accuracy of your systems or data?
- Availability – Could a failure on their part disrupt the services or platforms you rely on?
When tiering a vendor, access tells you which of your assets are exposed—and in what way. A vendor with visibility into anonymized analytics data isn’t in the same category as one with admin rights to your core infrastructure. Getting that difference right at the tiering stage makes the rest of your process much easier to scale.
Dependency: How Much Do You Rely on the Vendor?
If access tells you where risk could come from, dependency tells you how much it would matter. It’s a way of assessing the operational impact if a vendor fails to deliver, becomes unreliable, or is suddenly unavailable.
To evaluate dependency in a consistent way, you can look at three key factors:
1. Substitutability: Can you easily replace this vendor or work around them if needed?
Some vendors offer commodity services or have clear alternatives. Others may be tightly integrated into your operations, with no short-term fallback.
2. Process Criticality: What business functions depend on the vendor’s performance?
This could range from support tasks with minimal urgency to core functions like financial reporting, customer delivery, or maintaining compliance.
3. Recovery Complexity: If the vendor failed, how difficult would it be to restore normal operations?
Would recovery require internal coordination, cross-functional rework, or renegotiation of contracts? Or is it as simple as switching to another provider?
Together, these three factors: Substitutability, Process criticality, and Recovery complexity (SPR) help you understand not just whether a vendor is important, but why they’re important, and how that should influence their tier.
This kind of dependency isn’t always obvious. A small, low-cost vendor might turn out to be critical if they enable a regulated process or control a key piece of infrastructure. At the same time, some larger vendors may be easier to replace than they seem.
When combined with access, SPR gives you the second half of the picture—showing you where disruption would hurt, how badly, and how much resilience your organization has in place. That’s the kind of insight tiering should be built on.
Together, Access and Dependency Paint a Complete Risk Picture
Once you’ve evaluated what a vendor can influence (access) and how much your organization relies on them (dependency), you have the core inputs needed to assign a tier that reflects real-world risk.
Used together, they provide a clear and transferable way to assess vendors of all types—from infrastructure partners and SaaS tools to outsourced service providers and industry-specific platforms.
In the next section, we’ll translate this model into a practical rubric you can reuse—whether you’re onboarding a new vendor or reviewing an existing one.
Use This Vendor Tiering Rubric to Make Consistent Decisions
Access and dependency give you the raw inputs—now you need a simple, repeatable way to turn those into a tiering decision. Here’s a model you can apply across any vendor, regardless of their function or your industry.
This rubric isn’t designed to be perfect it’s designed to be usable. If your team can answer two questions for each vendor—what can they touch and how much do we rely on them—you’ll have enough context to assign a tier with confidence.
Tiering Model Based on Access and Dependency
| Tier | Profile Summary | Typical Indicators |
|---|---|---|
| Critical | Directly impacts core operations or regulated areas, with privileged access | Access to production systems or regulated data and essential to service delivery or compliance |
| High | Significant influence over sensitive systems or business continuity | Handles sensitive data or supports key business processes without easy substitution |
| Medium | Limited access and moderate operational importance | May access non-sensitive data; supports workflows with fallback options |
| Low | No material access or dependency | No system access; low business impact; easily replaceable |
Example: Slack, Office Cleaning, and a Survey Platform
Let’s walk through three vendors to see how access and dependency play out—and more importantly, how to think through your decision.
| Vendor | Access | Dependency | Tier | Why it matters |
|---|---|---|---|---|
| Slack | Holds internal comms, often integrated with ticketing, alerting, or deployment tools | Used daily across the business; downtime slows operations and communication | High, possibly Critical | Affects both confidentiality and availability, especially if used for production alerts, customer support, or engineering workflows |
| Office Cleaning Company | No system access, no digital interactions | Operationally replaceable with minimal business impact | Low | Doesn’t influence data, systems, or regulated processes |
| Employee Survey Platform | Stores internal feedback, PII, and team performance data; may integrate with HRIS | Used for people decisions and compliance-related reporting | Medium, possibly High | While not part of core operations, it touches sensitive internal data and can influence strategic decisions around culture and leadership accountability |
Reality Check
Most vendors won’t fall cleanly into a single tier based on both access and dependency. And that’s fine—the value of this model is in the nuance.
When access and dependency land in different places, use the higher of the two as a starting point, then scale specific activities (like contract detail, reviews, or security validation) based on which risk dimension carries more weight in context.
You don’t need to split hairs or invent new tiers for every edge case. Just make sure your decisions are intentional, your rationale is documented, and your controls reflect where the risk actually lives.
Make It Easy to Apply and Track
You don’t need to roll out a new tool to get value from this rubric, although we are fans of how Kordon’s vendor risk management connects vendors to assets and risks for a holistic view. You can still get value out of thiss approach, just add two fields—Access and Dependency—to your onboarding form or vendor review sheet. Then store the tier along with a short note on why:
Tier: Medium. Stores employee feedback and PII. Moderate impact if unavailable.
This gives you a defensible record, makes reassessments faster, and helps keep tiering consistent across departments and time.
In the next section, we’ll show how to align your security controls, contracts, and review cycles to these tiers—so you’re applying the right level of scrutiny without creating unnecessary drag.
Scale Vendor Risk Management Effort Proportionally
Once you’ve assigned a tier, the real value comes from using it to guide your next steps. While every organization structures its Vendor Management process a little differently, there are a few core activities that nearly every VRM program adjusts based on vendor criticality. These include due diligence, contractual safeguards, monitoring, and internal ownership.
Think of your vendor risk management activities as existing on a spectrum.
For each activity due diligence, contracts, monitoring, and reviews you can dial the effort up or down depending on the vendor’s tier. Most vendors will land somewhere in the middle, and that’s where your default level of oversight should sit. For vendors on either end of the spectrum, you scale effort accordingly.
Next let’s go over each of these core activities and review how you might scale these across the vendor criticality spectrum.
Due Diligence
Goal
Understand the vendor’s risk posture and validate that their practices align with your expectations.
- Low tier: Basic context gathering—what they do and how they’re used.
- Mid tier: Review of certifications, public-facing policies, or a lightweight intake.
- High/Critical tier: Structured review, tailored follow-ups, or interviews to clarify key controls.
Contractual Safeguards
Goal
Ensure roles, responsibilities, and obligations are clearly defined.
- Low tier: Standard terms, minimal negotiation.
- Mid tier: Privacy and security language, especially where data is involved.
- High/Critical tier: Specific clauses for breach reporting, audit rights, SLAs, and technical or legal controls.
Monitoring and Review
Goal
Stay alert to changes in the vendor’s risk posture.
- Low tier: Only reviewed during contract renewal or when something changes.
- Mid tier: Periodic check-ins or lightweight reassessment on a defined cycle.
- High/Critical tier: Active monitoring, more frequent reviews, and stronger internal ownership.
Internal Visibility and Ownership
Goal
Make sure someone is responsible for managing the vendor relationship and its associated risks.
- Low tier: Owned entirely by the business unit or procurement.
- Mid tier: Joint visibility with central teams like InfoSec or Legal.
- High/Critical tier: Clear escalation paths and shared responsibility across business, security, legal, and compliance stakeholders.
Keep Your Tiering Model Useful Over Time
Tiering adds the most value when it reflects how vendors interact with your environment today—not just how they looked when you first onboarded them. In practice, vendor relationships change. Access expands, dependency grows, services evolve. If the tiering model doesn’t keep up, it loses its usefulness.
The solution isn’t to review everything constantly. It’s to build in natural points where reassessment happens, and to make it easy for someone to spot when a vendor’s role has shifted.
Here’s how to do that in practice:
Reassess at key triggers: Look again at tiering when the vendor’s scope changes, when contract terms are renegotiated, or when the vendor is pulled into a new part of your organization.
Schedule tiering reviews alongside existing activities: Tie them to contract renewals, risk committee check-ins, or annual audit prep—so they don’t become a separate task to manage.
Keep the logic visible: Make sure access and dependency rationale is documented somewhere obvious. If someone new takes over the vendor relationship, they should be able to see why the vendor was classified the way they were—and adjust it if needed.
A tiering model doesn’t need to be complex to stay useful. It just needs to be easy to revisit, easy to explain, and based on what still holds true—not what was assumed at the start.
English 
Estonian