
Tiering Third Parties & Triggering Enhanced Due Diligence

  • Jul 23

If you’re sending the same full-blown risk assessment to every third party, whether they host sensitive data or simply mow your corporate lawn, it’s time for smarter automation. 

Reviewing vendors with the help of automation

Third party tiering isn’t just a best practice; it’s a necessity. But too often it’s handled manually or inconsistently, leading to: 

  • Wasted time on low-risk third parties

  • Insufficient scrutiny of high-risk partners 

  • Frustration from internal teams and third parties alike 


With automation, you can streamline how third parties are tiered, when they’re reassessed (i.e., their assessment cycle time), and whether they trigger enhanced due diligence, all without adding manual work. 


Why Tiering Matters 

Third party tiering (or risk segmentation) helps you: 

  • Prioritize time and resources 

  • Tailor assessments based on risk 

  • Justify lighter-touch reviews when appropriate 

  • Align to internal policies and regulatory expectations 


But the old way of doing it, with manual scoring, spreadsheet-based tiers, and ad hoc judgment, doesn’t scale.


How Automation Improves Vendor Tiering & EDD 

Let’s break this down into two key functions that benefit from automation: 


1. Automated Vendor Tiering 

Start by automatically assigning third parties to tiers based on logic built into your intake or inherent risk assessment process. 


Common inputs include: 

  • Type and amount of data accessed (e.g., PII, PHI, cardholder data) 

  • Whether the third party will access your organization's internal network, and which environment (e.g., VPN, production) 

  • Geographic presence or location of services 

  • Regulatory exposure (e.g., HIPAA, GDPR) 

  • Criticality to business operations 

 

Tool Tip: Use intake forms or TPRM platforms that include conditional logic. Based on answers, third parties are automatically placed into Tier 1 (High), Tier 2 (Moderate), or Tier 3 (Low/Non-Critical). 


Example Automation:  Business Owner selects “Yes” to the third party accessing customer PII → Platform sets them as Tier 1 → Full information security risk assessment initiated automatically. 


2. Triggering Enhanced Due Diligence (EDD) 

Once a third party is tiered, you can then set triggers to launch deeper reviews on a regular cadence, as well as if/when something changes. 


EDD may include: 

  • Expanded assessments

  • Onsite or virtual visits

  • Background checks on executives 

  • Penetration testing evidence 

  • Financial statement reviews 

  • Crisis response documentation (e.g., BCP/DR tests) 


Trigger Conditions Could Include (but Are Not Limited to): 

  • A risk score threshold is exceeded 

  • The third party is acquired by another organization, or there is a change in leadership

  • The third party will now host data offshore

  • Contract change increases data access 

  • Negative media or litigation is detected 


Tool Tip: Connect monitoring platforms (BitSight, SecurityScorecard, RiskRecon, Sayari) to your TPRM system so that rating changes and adverse events auto-trigger reassessment workflows. 
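To make the two functions above concrete, here is a small rules-based tiering engine and EDD trigger evaluator in Python. It is an added illustration written for this article, not code from the TPRA post or from any TPRM or monitoring platform. The tier rules follow the inputs listed under "Automated Vendor Tiering"; the trigger checks follow the "Trigger Conditions" list. The vendor names, the 0-100 security score scale, the 70-point floor, the 15-point "significant drop", the reassessment cadences, and the dataclass field names are all assumptions made for the example, not TPRA guidance.

```python
"""Rules-based third-party tiering plus enhanced-due-diligence (EDD) triggers.

Illustrative example only: tier rules, thresholds and vendors are constructed.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class Tier(IntEnum):
    """Numerically lower value = higher inherent risk."""
    HIGH = 1        # Tier 1: full assessment
    MODERATE = 2    # Tier 2: limited questionnaire
    LOW = 3         # Tier 3: no further review


# Data classifications that force Tier 1 on their own (assumed policy).
SENSITIVE_DATA = frozenset({"PII", "PHI", "CARDHOLDER"})

# Hypothetical thresholds on an assumed 0-100 external security rating.
SCORE_FLOOR = 70          # absolute floor: below this, always escalate
SCORE_DROP_POINTS = 15    # drop since last assessment that counts as "significant"


@dataclass(frozen=True)
class VendorSnapshot:
    """Intake answers plus monitoring signals for one vendor at one point in time."""
    name: str
    data_types: frozenset = frozenset()     # e.g. {"PII"}
    network_access: str = "none"            # "none" | "vpn" | "production"
    business_critical: bool = False
    supports_regulated_ops: bool = False    # indirectly supports regulated processes
    hosts_offshore: bool = False
    security_score: int = 100               # latest external rating (assumed scale)
    ownership_changed: bool = False         # acquisition / leadership change event
    adverse_media: bool = False             # negative media or litigation hit


def assign_tier(v: VendorSnapshot) -> Tier:
    """Highest-risk driver wins: a single Tier 1 answer overrides everything else."""
    if v.data_types & SENSITIVE_DATA or v.network_access == "production" or v.business_critical:
        return Tier.HIGH
    if v.network_access == "vpn" or v.supports_regulated_ops or v.hosts_offshore:
        return Tier.MODERATE
    return Tier.LOW


# What each tier gets at intake and how often it is reassessed (assumed cadence, in months).
ASSESSMENT_PLAN = {
    Tier.HIGH: ("full information security questionnaire + SOC 2 report", 12),
    Tier.MODERATE: ("limited questionnaire", 24),
    Tier.LOW: ("no further review", 36),
}


def edd_triggers(previous: VendorSnapshot, current: VendorSnapshot) -> list[str]:
    """Return the reasons (if any) that `current` should enter an EDD workflow.

    `previous` is the snapshot taken at the last completed assessment, so every
    check compares against a baseline instead of reacting to each small score move.
    """
    reasons: list[str] = []
    old_tier, new_tier = assign_tier(previous), assign_tier(current)
    if new_tier < old_tier:  # lower number = higher risk
        reasons.append(f"tier raised from {old_tier.name} to {new_tier.name}")
    if current.security_score < SCORE_FLOOR:
        reasons.append(f"score {current.security_score} is below floor {SCORE_FLOOR}")
    drop = previous.security_score - current.security_score
    if drop >= SCORE_DROP_POINTS:
        reasons.append(f"score dropped {drop} points since last assessment")
    added = current.data_types - previous.data_types
    if added:
        reasons.append(f"data access expanded: {sorted(added)}")
    if current.hosts_offshore and not previous.hosts_offshore:
        reasons.append("data now hosted offshore")
    if current.ownership_changed:
        reasons.append("acquired / leadership change")
    if current.adverse_media:
        reasons.append("negative media or litigation detected")
    return reasons


# Constructed sample vendors (not real organisations).
SAMPLE_VENDORS = {
    "lawn": VendorSnapshot("Mow & Go Lawn Care"),
    "agency": VendorSnapshot("Brandwise Agency", supports_regulated_ops=True, security_score=88),
    "ledger": VendorSnapshot("CloudLedger", data_types=frozenset({"PII"}),
                             network_access="production", security_score=92),
}


if __name__ == "__main__":
    for v in SAMPLE_VENDORS.values():
        review, months = ASSESSMENT_PLAN[assign_tier(v)]
        print(f"{v.name}: Tier {assign_tier(v).value} -> {review}, reassess every {months} months")
    baseline = SAMPLE_VENDORS["agency"]
    dipped = replace(baseline, security_score=65)            # monitoring feed reports a drop
    print("EDD for", baseline.name, "->", edd_triggers(baseline, dipped))
    expanded = replace(baseline, data_types=frozenset({"PII"}))  # contract change adds PII
    print("EDD for", baseline.name, "->", edd_triggers(baseline, expanded))
```

Two design points worth carrying into a real TPRM workflow: the score checks use both an absolute floor and a drop relative to the baseline captured at the last assessment, so a vendor that was always mediocre and one that just fell off a cliff are both caught without re-opening a review on every minor rating wobble; and a contract change is detected by re-running the same tiering rules on the new answers, so a Tier 2 vendor that starts receiving PII is escalated for the same reason it would have been Tier 1 at intake. Keep the thresholds and tier rules in configuration your risk team owns, not buried in the automation.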


Real-World Example: How a Tech Company Reduced Third Party Assessment Volume by 40% 


A SaaS firm supporting fintech clients struggled with over-assessing third parties. Everyone received the same 200-question InfoSec review, whether they hosted client data or just helped with branding. 


The organization decided to implement an automated tiering engine using a simple logic tree: 

  • Tier 1: Hosts client data or business-critical systems → full TPRA Information Security Questionnaire + SOC 2 

  • Tier 2: Indirectly supports regulated operations → limited questionnaire 

  • Tier 3: No data access, non-critical → no further review 


When a Tier 2 vendor’s external security rating later dropped significantly, the system automatically triggered an EDD workflow with an escalated assessment. 


Results after 6 months: 

  • 40% fewer full assessments 

  • Average assessment cycle time dropped 30% 

  • Fewer third party complaints about irrelevant or overbearing reviews 


What to Include in an Automated Tiering Framework 

The TPRA community has created a free inherent risk questionnaire that can be leveraged within an automated tiering framework.


If you are a TPRA member, you can obtain the inherent risk questionnaire template here.


Getting Started 

You don’t need to go from 0 to full automation in one step. Start with: 

  • A basic inherent risk assessment that captures core risk drivers 

  • A rules-based tiering system in Excel, Power Automate, or your TPRM tool 

  • Clear definitions for Tier 1, 2, and 3, and what EDD should be performed for each tier

  • Additional triggers for EDD (e.g., change in data access or poor cyber score) 



Pro Tip: Automation Doesn’t Mean “Set and Forget” 

You still need risk oversight. Automation just ensures your attention is focused on the third parties who need it most and when they need it most. 

 

Key Takeaways 

  • Treating all third parties the same is inefficient and risky 

  • Automated tiering reduces noise and sharpens focus 

  • Enhanced due diligence should be triggered by real risk, not just policies 

  • You can implement this in phases with existing tools 


Author Bio

Heather Kadavy

Senior Membership Success Coordinator


Heather Kadavy joined the Third Party Risk Association (TPRA) in 2023 as the Senior Membership Success Coordinator. In recent years Heather has been providing freelance TPRM consulting work to various organizations after retiring from a Nebraska financial institution after nearly 35 years, where she oversaw and managed critical programs of the organization including Third Party Risk Management, Information Security, Physical Security, Safety, Business Recovery, Financial Crimes, Model Risk Management, and Enterprise Risk Management. In her TPRM role she had oversight of over a thousand third party relationships, systems, due diligence reviews and contract management activities. She developed, facilitated, and implemented training programs for thousands of employees over the years.


Heather is a natural born connector of people and values relationship building as the cornerstone of her career. She encourages you to connect with TPRA and herself via LinkedIn to join in the "TPRM Global Conversation".


