How to use this framework

The framework structures the six foundational dimensions of a working TPRM programme. For organisations building TPRM from a low maturity base, work through the sections in sequence. For organisations operating an existing programme, the items can be used as a diagnostic against the five-level supplier-attestation maturity ladder (see the related insight).

01

Supplier tiering framework

  • Define tier criteria explicitly: operational criticality (impact if supplier disrupts), data sensitivity (what data the supplier accesses), regulatory exposure (whether supplier's acts affect the organisation's regulatory posture), substitutability (how easily replaced)
  • Do not tier by contract value alone: in most regulated industries spend correlates poorly with criticality, so a low-cost but single-source supplier holding sensitive data may still belong in Tier 1
  • Establish three or four tiers with clear differentiation: Tier 1 (critical infrastructure / single-source / high data sensitivity); Tier 2 (significant impact, generally substitutable); Tier 3 (routine operational); Tier 4 (administrative / immaterial)
  • Engage operational, engineering, and information-security functions in tier determination — not just procurement
  • Document tier rationale for each supplier; subject tier determinations to periodic review (typically annual)
  • Establish governance for cross-functional disputes on tiering: who decides when operations and procurement disagree
02

Assessment depth by tier

  • Tier 1 (critical) — substantive due-diligence: detailed questionnaire, document review, on-site assessment or independent assessor report, ongoing monitoring, contract provisions including audit rights and breach-notification, regulatory-equivalent control attestation
  • Tier 2 (significant) — detailed questionnaire with follow-up on key responses, document spot-check, contract provisions including audit rights, annual re-assessment
  • Tier 3 (routine) — standard questionnaire, contract provisions including standard security and confidentiality, biennial re-assessment or trigger-based reassessment
  • Tier 4 (immaterial) — basic onboarding due-diligence; contractual compliance only
  • For each tier, define the substantive content that must be addressed: information security, business continuity, data protection, financial stability, legal/regulatory standing, performance management
  • Calibrate assessment depth to the tier's control objectives — depth without purpose is cost without return
03

Onboarding due-diligence

  • Define which due-diligence content is mandatory across all tiers (baseline) and which scales with tier
  • Establish documentation requirements: completed questionnaires, supporting evidence (certifications, audit reports, financial statements), executed contracts with required provisions
  • Define approval workflow: who reviews due-diligence findings; who has authority to onboard at each tier; what triggers escalation
  • Set onboarding service levels: typical turnaround times by tier; escalation if exceeded
  • Document the basis for the onboarding decision: not just “approved” but the substantive grounds for approval, the deficiencies identified, and how each was addressed or accepted
04

Ongoing monitoring

  • Tier 1 — continuous or near-continuous monitoring: cybersecurity posture monitoring services, financial health monitoring, regulatory and enforcement monitoring; periodic substantive re-assessment
  • Tier 2 — annual re-assessment plus event-driven re-assessment (material changes in supplier circumstances, contract renewal, performance issues)
  • Tier 3 — biennial or trigger-based re-assessment
  • Tier 4 — minimal ongoing monitoring; rely on baseline contractual provisions
  • Define event triggers across all tiers that warrant immediate re-assessment: regulatory enforcement against supplier; major security incidents; substantial financial distress; ownership changes; performance deterioration
  • Establish escalation protocols for adverse monitoring signals: who reviews the signal, who decides on contract action, and how operational continuity is protected while the reassessment is under way
05

Contract provisions

  • Information security: alignment with the organisation's ISMS standards; breach notification timelines; data handling and return on termination
  • Business continuity: required continuity capabilities; right-to-audit continuity arrangements; notification of material continuity events
  • Audit rights: right to conduct audits; right to receive third-party assurance evidence (SOC 2 reports, ISO/IEC 27001 certificates and scope statements, etc.); right to require remediation of identified deficiencies within an agreed timeframe
  • Subprocessor / sub-supplier provisions: notification and approval requirements; flow-down of substantive obligations
  • Regulatory cooperation: supplier's obligations during regulator inspections of the buying organisation; provision of evidence to regulators where required
  • Termination provisions: triggers for cause; data return and destruction; transition support to successor supplier
06

Programme governance

  • Establish TPRM function with clear ownership: typically procurement, risk, or a dedicated TPRM team; accountability for programme effectiveness rests at executive level
  • Define reporting cadence to executive risk function and board / audit committee: programme posture, critical-tier supplier status, material issues, escalations
  • Integrate TPRM into enterprise risk management: supplier risk is enterprise risk, and it should appear on the risk register and in risk reporting alongside other enterprise risks
  • Conduct annual programme effectiveness review: is the programme producing the assurance the organisation needs; where are the gaps
  • Document programme charter approved at appropriate executive level; review periodically

For deeper treatment

See the related insight TPRM for regulated utilities — the supplier-attestation maturity ladder for the five-level maturity model that orients TPRM capability development over time. The CUC engagement is the practice base for this framework.