Create and start a tiering assessment — Legacy process

  • Release version: Washingtondc
  • Updated January 30, 2025
  • 3 minutes to read

    • The TPR assessor creates a tiering assessment from the vendor record, initiating the third-party risk tiering assessment life cycle. Also, third-party risk managers can select multiple third parties at a time and trigger multiple third-party risk tiering assessments.

    Before you begin

    Role required: sn_vdr_risk_asmt.vendor_assessor

    About this task

    The more complete IRQ process replaces tiering.

    Important:

    In the TPRM application, the IRQ is an internal questionnaire that improves the original tiering assessment process. IRQs enhance internal risk assessments with increased flexibility, control, and scalability. Unlike a tiering assessment where external questionnaires are determined solely by the risk tier, an IRQ can dynamically trigger external questionnaires based on both respondents' answers and risk tier.

    To enable a seamless transition to TPRM, you have the option to duplicate existing tiering assessments and designate them as IRQ internal assessments. Risk tiering is supported as an unchanging legacy process.

    Procedure

    1. Use either of the following methods to start the process:
      • On the Risk tab of the Vendor Management Workspace, select Create tiering assessment in the Quick actions box.
      • Navigate to All > Third-party Risk Management > Assessment Submission Rules > Tier Based Submission.
    2. Fill in the fields on the Details tab and then click Save.
      Table 1. Tiering Assessment section
      Field Description
      Name Name of the tiering assessment.
      Short description Description of the tiering assessment.
      Number

      For each risk tiering assessment, the system auto-assigns a unique ID number that starts with the text VTA.

      The unique ID is used in all references to the item. You can use the ID to search or filter for the item that you want to work on.
      Applies to The entity to which the assessment applies:
      • Third party: The parent organization.
      • Engagement: The organization within the third party that will supply the product or service.
      Third party Vendor being assessed.
      State
      • Draft: Default value while the assessment is being defined.
      • Awaiting Response
      • Tiering Assignment
      • Closed
      Assigned to TPR manager assigned to manage the tiering assessment process.
      Tier level Risk tier for the third party.
      • Critical
      • High
      • Moderate
      • Low
      • Minor

      The results of the tiering assessment and risk assessment help to determine the value. The TPR manager can override the value.
      Tiering assessors Internal assessors responsible for completing the tier assessment.
      Table 2. Tiering assessment schedule
      Field Description
      Tiering Assessment Schedule
      Planned duration Estimated duration of the assessment.
      Planned start date / Planned end date Date and time that work on the tiering assessment is expected to begin and end.
      Actual duration Amount of time it took to complete the tiering assessment. This value is calculated using the Actual state date and Actual end date.
      Actual start date / Actual end date Date and time that work on the tiering assessment began and was completed
      Notes and Comments
      Work notes Information about the assessment process. Work notes are visible to users who are assigned to the issue.
      Additional comments (Customer visible) Public information about the third-party risk assessment.
    3. Click Save.
      The Compose section on the Details tab enables you to permanently add text to the record. The Activity section is updated with any actions on issues and tasks, submissions to TP contacts, and also with work notes and comments that users add to the record. Add text in the following fields as needed:
      • Work notes (Private): Information about the third-party risk assessment. Work notes are visible only to internal users who are assigned to the process.
      • Comments: Comments about the third-party risk assessment are visible both to internal users and to third-party contacts.
    4. Select the Tiering Questionnaires tab, select the questionnaires to use for the tiering assessment, and then click Add and click Add.
      Note:
      The base system includes a sample tiering questionnaire called Basic. Modify and save the questionnaire to meet your needs.
    5. Click Save.
    6. When all settings are correct, click Submit Assessment.