IT vendor risk is the exposure an organization carries from its dependency on external technology providers. It spans seven categories: financial, operational, security, regulatory, concentration, exit, and reputational. Each is monitored differently and surfaces in a different governance forum. A mature vendor-risk capability tracks all seven continuously rather than addressing each only when an incident occurs.
The seven categories.
1. Financial risk.
The vendor's own financial health. A struggling vendor cuts service investment, raises prices, or fails outright. Signals: declining revenue, missed earnings targets (for public vendors), key-person departures, late filings, debt restructuring. Monitor via credit-watch services and quarterly review of public filings for tier-1 vendors.
2. Operational risk.
The vendor's ability to deliver against contractual commitments. Signals: SLA misses, escalating incident rates, slowing response times, deteriorating change-success rates. Monitor via the operational governance forum (Tier 1 in the Three-Tier Governance Model) and monthly scorecard.
3. Security risk.
The vendor's information security posture and recent incident history. Signals: published vulnerability advisories affecting the software and infrastructure the vendor runs, breach disclosures, certification lapses (an expired ISO 27001 certificate, a SOC 2 report that is overdue or carries noted exceptions), audit findings. A certificate or SOC 2 report attests to controls at a point in time or over a past period, not to the vendor's posture today, so treat it as a floor and rely on contractual incident-notification obligations for current exposure. Monitor via dedicated security review and a standing agenda item at managerial governance.
4. Regulatory and compliance risk.
Exposure under sector-specific and cross-cutting regulation: GDPR for any vendor processing personal data of EU/EEA data subjects, DORA for financial services, GxP for life sciences, BaFin requirements for banking, EU procurement rules for the public sector. Signals: regulatory audit findings, jurisdictional changes, evolving data-residency requirements. Monitor via the compliance function and the quarterly strategic review.
5. Concentration risk.
Excessive dependency on a single vendor or group. Most IT vendor portfolios become concentrated by accretion rather than design: a strategic vendor's scope grows incrementally until 30–40% of in-scope IT services run through one provider, and no single vendor scorecard shows it. Mitigate via contract design (multi-cloud postures, second-source clauses, exit-support obligations) and explicit board-visible reporting of portfolio-level dependency.
6. Exit and lock-in risk.
The cost and difficulty of leaving the vendor if the relationship deteriorates. Signals: weak termination-for-convenience clauses, proprietary formats with no clean export, deep integration footprints, knowledge concentrated in vendor staff. Mitigate at contract signature, not later.
7. Reputational and ESG risk.
Risk from vendor behaviour reflecting on the buyer: labour practices in the vendor's supply chain, sustainability disclosures, governance scandals, association with sanctioned entities. Signals: media coverage, NGO reports, regulatory action against the vendor. Monitor via ESG function and annual review.
How to operationalize this.
Each tier-1 strategic vendor gets a standing risk register with all seven categories. The register is reviewed monthly at the managerial governance forum and quarterly at the strategic forum. Material changes in any category trigger an explicit decision: continue, mitigate, escalate, or prepare for exit.
The discipline that distinguishes a mature vendor-risk capability from an immature one is whether the register is reviewed proactively (every month, on a calendar) or reactively (only after an incident).
FAQ.
How many vendor risk categories should we track?
Seven covers the practical landscape: financial, operational, security, regulatory, concentration, exit, reputational. For tier-1 strategic vendors, all seven; for routine vendors, the first four are usually sufficient.
How often should vendor risk be reviewed?
Tier-1 strategic vendors: monthly at managerial governance, quarterly at strategic governance. Tier-2 vendors: quarterly. Routine vendors: at renewal trigger.
What is the most under-managed vendor risk?
Concentration risk. Most portfolios become over-concentrated by accretion rather than design, and the exposure is usually not visible at any individual vendor's scorecard — only at the portfolio level.