Third-Party Tiering Template

NOTE: This briefing note is intended as general guidance and no action should be taken in reliance on it without specific legal advice.

Categorising third-parties into tiers helps to establish a risk weighted approach to managing the risks they pose. This document provides you with an example of how to tier and profile third-parties. This is one of the first steps in building a third-party risk management (TPRM) framework.

This template is aligned with the tiering guidance provided within Adoptech’s 360° platform.

Start by defining the tiers that each vendor will be categorised into. Once defined, a standard set of questions can be used to determine which category each service should be assigned to.

Definition of Tiers

Assign a red/amber/green (RAG) status to each service to indicate how critical it is to your operations. Define the persona / profile of the firms that fit into each category.

Category | Criticality | Definition and persona of third-party

Category: RED
Criticality: Critical or Important
Definition: Critical or important vendor services have the potential to materially impact the firm’s ability to deliver its own services or to meet its financial or regulatory obligations.

For EU firms within the financial services sector, this category should be aligned with EBA (European Banking Authority) guidelines:

Critical or Important Functions:
"An operational function shall be regarded as critical or important where a defect or failure in its performance would materially impair the continuing compliance of an investment firm with the conditions and obligations of its authorisation or its other obligations under Directive 2014/65/EU, or its financial performance, or the soundness or the continuity of its investment services and activities."

Persona:
- Supplier of products or services that are core to the firm’s ability to deliver its own business services
- The third party has access to sensitive information, including client data
- If the third party were to fail to deliver their service, it is likely to have a financial, reputational or regulatory impact on the firm
- If the third party were to fail to deliver their service, it would not be possible to immediately switch to an alternate provider without impact

Category: AMBER
Criticality: Medium
Definition: Third-party services that have the potential to cause a limited, short-term impact to the firm’s services.

Persona:
- Products or services that are not core to the firm’s ability to deliver its business services
- The third party has limited access to sensitive information, including client data
- If the third party were to fail to deliver their service, it would have a negligible financial or reputational impact
- If the third party were to fail to deliver their service, there are alternate providers that could be switched to with limited impact to operations

Category: GREEN
Criticality: Low
Definition: Third-party services that have little or no direct impact on the delivery of the firm’s services.

Persona:
- Products or services that are not core to the firm’s ability to deliver its business services
- The third party has no access to sensitive information
- If the third party were to fail, it would not have a reputational or regulatory impact, and the financial impact would be negligible
- Alternate providers could be utilised easily

Profile your third-parties

Answering the following questions will help guide which category you assign the vendor to.

1. What type of product or service does the third party provide?
   If the product or service is a core component in the delivery of your firm's services, it should be considered critical and marked RED.

2. Define the data that the third party has access to and where the data is held.
   If the vendor hosts commercially sensitive information, personally identifiable information or payment card information, they would typically be marked as RED. Externally hosted and controlled data presents a significant risk.

3. If the vendor were no longer willing or able to deliver the product or service, would it materially impair the continuing compliance with your firm’s legal or regulatory obligations?
   If the loss of the service would materially impair your firm’s continuing compliance with its legal or regulatory obligations (see the EBA definition above), the vendor should be marked as RED.

4. If the vendor were no longer willing or able to deliver the product or service, would it materially impact your firm’s financial performance?
   If the service provided has the potential to materially impact the financial performance of your firm, it should be marked as RED.

5. How long would it take and what would it cost to migrate to an alternative vendor?
   If this is the only supplier that can provide this service, or if there is a materially large cost associated with migrating to an alternative provider, the RAG status should be marked RED.

6. What contractual risk is there?
   If the third-party contract exposes the firm to significant liability or reputational risk, the vendor would typically be considered critical / RED.

   Is the contract due for renewal sooner than the time it would take to replace the vendor? Does the contract meet your own standards and, where applicable, the regulatory standards?

QUERIES AND FOLLOW-UP

Adoptech provides consultancy services and a suite of products that support firms in reducing operational risk and where applicable, complying with respective EU and UK regulations.

Adoptech combines real-time telemetrics, independent practitioner insight and point-in-time assessment to provide a comprehensive third-party risk management framework. Adoptech’s assurance service uniquely offers firms the ability to mitigate third-party risk from the outset of an engagement by ensuring if things go wrong, a practical and realistic contingency “Plan B” is in place.

Contact a member of the Operational Resilience team:
Email: OpRes@adoptech.co.uk
