Treating a strategic partner the same as a one-off stationery supplier is inefficient. Discover the power of tiered onboarding.
Every supplier goes through the same process. The same questionnaire. The same document requirements. The same approval workflow. It doesn't matter if they're a strategic technology partner handling sensitive data or a florist providing occasional office plants—the process is identical.
This one-size-fits-all approach fails everyone. High-risk suppliers receive insufficient scrutiny. Low-risk suppliers face disproportionate burden. The organisation wastes resources on unnecessary process while simultaneously accepting unnecessary risk. Nobody wins.
The Equality Fallacy
The appeal of uniform process is understandable. One process is simpler to administer than many. It feels fair—everyone treated the same. It's easier to defend—nobody can claim discrimination or favouritism.
But equality isn't the same as appropriateness. A one-hour questionnaire for a critical IT services provider is inadequate. The same questionnaire for a catering supplier is excessive. Treating them identically means both are handled inappropriately.
Real risk management means matching scrutiny to risk. High-risk suppliers warrant intensive due diligence. Low-risk suppliers need proportionate process. The goal isn't equal treatment—it's appropriate treatment.
Risk-Based Tiering
Effective onboarding uses tiered approaches based on supplier risk profiles.
Risk factors that commonly drive tiering include: value of the relationship (annual spend); criticality to operations (what happens if they fail?); access to sensitive information or systems; regulatory requirements applying to their activities; and complexity of the relationship.
A simple three-tier model might work as follows:
Tier 1 (High Risk): Strategic suppliers with significant spend, critical operational impact, or access to sensitive systems and data. Full due diligence including financial analysis, site visits where appropriate, detailed security assessment, and senior approval.
Tier 2 (Medium Risk): Important suppliers with moderate spend or some operational significance, but without the critical dependency or sensitivity of Tier 1. Standard due diligence with financial health check, insurance verification, compliance questionnaire, and manager approval.
Tier 3 (Low Risk): Transactional suppliers that have low spend, are easily replaceable, and have no access to sensitive information. Streamlined process with basic verification, self-certification on key compliance points, and automatic approval below defined thresholds.
The specific criteria and tier definitions vary by organisation—what's critical for one may be routine for another. But the principle of differentiated treatment based on risk applies universally.
Designing for Different Levels
Each tier needs its own process design, not just different thresholds for the same process.
Questionnaire depth should match tier. Tier 3 suppliers might answer 10 straightforward questions. Tier 2 suppliers might complete 25-30 more detailed questions. Tier 1 suppliers might face comprehensive assessment covering every relevant risk domain. Asking everyone the same 50 questions wastes time at Tier 3 and may still be insufficient for Tier 1.
Documentation requirements should scale similarly. Tier 3 might need just an insurance certificate and company registration. Tier 2 adds financial information and quality certifications. Tier 1 requires comprehensive documentation including detailed security questionnaires, business continuity plans, and specific compliance evidence.
Verification intensity differs by tier. Tier 3 might rely on self-certification with spot-check verification. Tier 2 requires document verification and reference checking. Tier 1 might include site visits, security audits, and third-party background checks.
Approval authority escalates with tier. Tier 3 can be approved by buyers within delegated authority. Tier 2 requires category manager approval. Tier 1 needs senior stakeholder sign-off, possibly including IT security and legal review for relevant suppliers.
The Classification Challenge
Tiering only works if suppliers are classified correctly. Several approaches help ensure appropriate assignment.
Initial screening uses simple criteria to route suppliers to preliminary tiers. Spend threshold, category type, and access requirements can be assessed quickly at registration, providing initial tier assignment.
Assessment refinement may adjust tiering as more information emerges. A supplier initially classified as Tier 2 based on spend might escalate to Tier 1 when system access requirements become clear. The process should accommodate reclassification.
Periodic review prevents stale classification. As relationships evolve, risk profiles change. A supplier that was low-risk when they provided office supplies might become high-risk when they start managing IT services. Regular review ensures tier assignment remains appropriate.
Clear criteria and consistent application prevent gaming and inconsistency. If tier assignment is arbitrary or negotiable, the system doesn't work. Documented criteria and objective assessment are essential.
Operational Efficiency
Risk-based tiering creates efficiency gains that uniform process cannot match.
Processing time for low-risk suppliers decreases dramatically. Instead of a three-week process for every supplier, Tier 3 suppliers can be onboarded in days. The business gets its supplier faster; procurement spends less effort.
Attention focuses where it matters. Instead of spreading effort evenly across all suppliers, resources concentrate on high-risk relationships that warrant detailed attention. The same team can manage more suppliers with better risk outcomes.
Supplier experience improves across tiers. Low-risk suppliers appreciate not being subjected to disproportionate process. High-risk suppliers appreciate thorough process that demonstrates professional partnership. Both experiences are better than one-size-fits-all.
Implementation Considerations
Moving from uniform to tiered onboarding requires attention to several factors.
System capability must support differentiated processes. Configuring different questionnaires, workflows, and approval paths for different tiers requires flexible technology. Rigid legacy systems may struggle to accommodate tiering.
Training ensures people understand and apply the tiers correctly. Classification decisions require judgment. Process differences need navigation. Investment in training supports effective implementation.
Communication to suppliers sets appropriate expectations. Suppliers should understand what's being asked of them and why. Transparency about tiering—explaining that different levels of due diligence apply to different risk levels—prevents confusion and resentment.
Continuous improvement refines the model based on experience. Are the tiers calibrated correctly? Are suppliers being classified appropriately? Is the differentiated process achieving its goals? Feedback loops enable ongoing optimisation.
The Balance Point
Tiering requires finding balance between simplicity and precision. Too few tiers may not capture meaningful risk differentiation. Too many tiers create complexity that undermines efficiency.
Three tiers is a common starting point, providing meaningful differentiation without excessive complexity. Some organisations add a fourth tier for the highest-risk suppliers, while those with simpler supplier portfolios drop one.
The right answer depends on your specific context—the diversity of your supplier base, the range of risk levels you face, and your organisational capacity for process complexity. Start simpler; add complexity only if the benefits justify it.
What's not tenable is continuing with one-size-fits-all. The costs—excessive process for low-risk suppliers, insufficient scrutiny for high-risk ones—are too clear. Risk-based tiering is the obvious evolution for any organisation serious about supplier risk management.