Gold by MangoMagic

CEO · Framework · Intermediate · Saves 40+ hours

Vendor Risk Management

A framework for managing vendor risk.


What's included

  • Risk Assessment
    • Vendor categorization
    • Risk evaluation criteria
    • Due diligence requirements
  • Risk Mitigation
    • Contract protections
    • Security requirements
    • Performance monitoring
  • Ongoing Management
    • Review cadence
    • Issue escalation
    • Concentration risk

Best used when

  • Onboarding critical vendors
  • Annual vendor reviews
  • SOC 2 / security audits
  • Customer due diligence requests

Why this is Gold

Vendor risk is your risk. This framework creates appropriate oversight.

The Template

VENDOR RISK PHILOSOPHY

Understanding Vendor Risk for CEOs

Your vendors are extensions of your company. When AWS goes down, your customers don't blame Amazon—they blame you. When a vendor has a data breach, your data is exposed. When a vendor goes bankrupt, your operations stop.

THE VENDOR RISK REALITY
═══════════════════════════════════════

WHAT CEOs GET WRONG ABOUT VENDOR RISK:

Common misconception: "Our vendors are responsible for their own problems"
Reality: Your customers hold YOU accountable for vendor failures

Common misconception: "We only need to worry about big vendors"
Reality: Small vendors often have the weakest security, and a breach at a small vendor that holds your data is still your breach

Common misconception: "Once vetted, vendors are always safe"
Reality: Vendor risk changes continuously

VENDOR RISK CATEGORIES:

OPERATIONAL RISK:
☐ Service availability and uptime
☐ Performance and scalability
☐ Support responsiveness
☐ Business continuity capability

SECURITY RISK:
☐ Data protection practices
☐ Access controls and encryption
☐ Incident detection and response
☐ Compliance with security standards

FINANCIAL RISK:
☐ Vendor financial stability
☐ Risk of acquisition or pivot
☐ Pricing predictability
☐ Contract terms and flexibility

COMPLIANCE RISK:
☐ Regulatory compliance
☐ Data handling practices
☐ Audit requirements
☐ Sub-processor management

CONCENTRATION RISK:
☐ Single points of failure
☐ Geographic concentration
☐ Technology dependency
☐ Shared platforms behind different vendors (fourth-party concentration)
☐ Alternative availability

THE CEO'S ROLE IN VENDOR RISK:

☐ Set vendor risk appetite and policy
☐ Approve critical vendor relationships
☐ Review vendor risk dashboard quarterly
☐ Ensure adequate vendor governance
☐ Own customer communication for vendor failures

COMPREHENSIVE VENDOR RISK FRAMEWORK

Vendor Categorization Framework

═══════════════════════════════════════
SECTION 1: VENDOR CATEGORIZATION
═══════════════════════════════════════

VENDOR TIER CLASSIFICATION:

TIER 1 - CRITICAL VENDORS:
Definition: Vendors where failure causes immediate, severe business impact
Examples:
☐ Cloud infrastructure (AWS, GCP, Azure)
☐ Core product dependencies
☐ Payment processors
☐ Primary CRM/business systems
☐ Key integration partners

Requirements:
☐ Full security due diligence
☐ Quarterly business reviews
☐ Contractual SLAs with teeth
☐ Disaster recovery tested
☐ Executive relationship
☐ Exit plan documented

TIER 2 - IMPORTANT VENDORS:
Definition: Vendors where failure causes significant disruption but workarounds exist
Examples:
☐ Sales and marketing tools
☐ HR and payroll systems
☐ Communication platforms
☐ Analytics and reporting
☐ Non-critical integrations

Requirements:
☐ Security questionnaire reviewed
☐ Semi-annual reviews
☐ Standard SLAs
☐ Backup plan identified
☐ Relationship owner assigned

TIER 3 - STANDARD VENDORS:
Definition: Vendors where failure causes minor inconvenience
Examples:
☐ Office supplies
☐ Basic SaaS tools
☐ Convenience services
☐ Non-sensitive data tools

Requirements:
☐ Self-certification accepted
☐ Annual reviews
☐ Standard terms acceptable
☐ Easy replacement identified

Vendor Risk Assessment Form

═══════════════════════════════════════
SECTION 2: VENDOR ASSESSMENT
═══════════════════════════════════════

VENDOR INFORMATION:
Vendor name: _______________
Primary contact: _______________
Service provided: _______________
Contract value: $_____ / ☐ month ☐ year
Assessment date: _______________
Assessed by: _______________

CRITICALITY ASSESSMENT (Score 1-5):

Business Impact:
☐ If unavailable, impact is:
   ☐ Catastrophic (5) ☐ Severe (4) ☐ Significant (3) ☐ Moderate (2) ☐ Minor (1)
Score: ___

Data Sensitivity:
☐ Most sensitive data class the vendor can access (score the highest that applies):
   ☐ Customer PII (5) ☐ Financial data (4) ☐ Employee data (3)
   ☐ Business data (2) ☐ No sensitive data (1)
Score: ___

Integration Depth:
☐ Integration level:
   ☐ Core to product (5) ☐ Deep integration (4) ☐ Moderate (3)
   ☐ Light integration (2) ☐ Standalone (1)
Score: ___

Switching Difficulty:
☐ Replacement difficulty:
   ☐ No alternatives (5) ☐ 6+ months (4) ☐ 3-6 months (3)
   ☐ 1-3 months (2) ☐ Easy replacement (1)
Score: ___

TOTAL CRITICALITY SCORE: ___ / 20 (four dimensions scored 1-5, so the minimum total is 4)

TIER DETERMINATION:
☐ 16-20: Tier 1 (Critical)
☐ 10-15: Tier 2 (Important)
☐ 4-9: Tier 3 (Standard)

Override: any vendor that can access customer PII should be assessed at Tier 2 or above regardless of total score. A breach at an easily replaced vendor is still your breach.

ASSIGNED TIER: ___
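The scoring rubric above, implemented as a runnable script. This is an added example, not part of the original template: the rubric values and tier bands are the template's own, while the class and function names, the DATA_CLASS_SCORE table and the three sample vendors are assumptions made for illustration. It scores data sensitivity on the most sensitive class the vendor can access, validates each dimension before summing, and starts the lowest tier band at 4 because four 1-5 scores cannot total less than that.

```python
from dataclasses import dataclass

# Template scores per data class. A vendor that can access several classes is
# scored on the most sensitive one (assumed table, keyed by illustrative names).
DATA_CLASS_SCORE = {
    "customer_pii": 5,
    "financial": 4,
    "employee": 3,
    "business": 2,
    "none": 1,
}

# Tier bands from the template: (minimum total score, tier). Four dimensions
# scored 1-5 give a minimum total of 4, so the lowest band starts at 4.
TIER_BANDS = ((16, 1), (10, 2), (4, 3))


@dataclass(frozen=True)
class CriticalityAssessment:
    vendor: str
    business_impact: int        # 1 (minor) .. 5 (catastrophic)
    data_classes: frozenset     # keys of DATA_CLASS_SCORE the vendor can access
    integration_depth: int      # 1 (standalone) .. 5 (core to product)
    switching_difficulty: int   # 1 (easy replacement) .. 5 (no alternatives)

    def __post_init__(self):
        # Reject out-of-range scores so a typo cannot silently drop a vendor a tier.
        for name in ("business_impact", "integration_depth", "switching_difficulty"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")
        unknown = set(self.data_classes) - set(DATA_CLASS_SCORE)
        if unknown or not self.data_classes:
            raise ValueError(f"unknown or empty data classes: {sorted(unknown)}")

    @property
    def data_sensitivity(self) -> int:
        # Highest applicable class, per the rubric.
        return max(DATA_CLASS_SCORE[c] for c in self.data_classes)

    @property
    def score(self) -> int:
        return (self.business_impact + self.data_sensitivity
                + self.integration_depth + self.switching_difficulty)

    @property
    def tier(self) -> int:
        for floor, tier in TIER_BANDS:
            if self.score >= floor:
                return tier
        raise AssertionError("unreachable: the minimum total score is 4")


def assess(vendors):
    """Return {vendor: (score, tier)}, most critical first."""
    ranked = sorted(vendors, key=lambda v: v.score, reverse=True)
    return {v.vendor: (v.score, v.tier) for v in ranked}


# Constructed sample vendors (hypothetical names and scores).
SAMPLE_VENDORS = [
    CriticalityAssessment("cloud-provider", 5, frozenset({"customer_pii", "financial"}), 5, 5),
    CriticalityAssessment("payroll-saas", 3, frozenset({"employee", "financial"}), 2, 3),
    CriticalityAssessment("office-supplies", 1, frozenset({"none"}), 1, 1),
]

if __name__ == "__main__":
    for name, (score, tier) in assess(SAMPLE_VENDORS).items():
        print(f"{name:18s} score {score:2d}/20  tier {tier}")
```

Running the script ranks the three sample vendors at 20/20 (Tier 1), 12/20 (Tier 2) and 4/20 (Tier 3). Keeping the rubric in code rather than a spreadsheet makes the tier bands reviewable in version control and makes it obvious when someone changes them.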

Vendor Security Assessment

═══════════════════════════════════════
SECTION 3: SECURITY DUE DILIGENCE
═══════════════════════════════════════

VENDOR: _______________
Assessment date: _______________

CERTIFICATIONS AND ATTESTATIONS:

SOC 2 Type II (an auditor's report, not a certificate; a Type I report only covers control design at a point in time):
☐ Current report obtained under NDA: ☐ Yes ☐ No
☐ Report period end date: _______________ (bridge letter if older than 12 months)
☐ Exceptions or qualified opinion noted: ☐ Yes ☐ No
☐ Exceptions acceptable: ☐ Yes ☐ No ☐ N/A

ISO 27001:
☐ Certification: ☐ Yes ☐ No
☐ Certificate issue / expiry dates: _______________
☐ Certificate scope statement covers the services we use: ☐ Yes ☐ No

OTHER CERTIFICATIONS / ATTESTATIONS:
☐ PCI DSS Attestation of Compliance: ☐ Yes ☐ No (if payment card data)
☐ HIPAA: ☐ BAA signed ☐ Compliance attested (if health data; there is no HIPAA certification)
☐ FedRAMP authorization: ☐ Yes ☐ No (if government)
☐ Other: _______________

INFRASTRUCTURE SECURITY:

Data Encryption:
☐ Data at rest encrypted: ☐ Yes ☐ No
☐ Algorithm and key length (e.g., AES-256): _______________
☐ Key management: ☐ Vendor-managed keys ☐ Customer-managed keys available
☐ Data in transit encrypted: ☐ Yes ☐ No
☐ Minimum TLS version: _______________ (TLS 1.2 or higher; TLS 1.0 and 1.1 are deprecated)

Access Controls:
☐ SSO (SAML or OIDC) support: ☐ Yes ☐ No
☐ MFA enforced, for our users and for vendor staff with access to our data: ☐ Yes ☐ No
☐ Role-based access with least privilege: ☐ Yes ☐ No
☐ Audit logging: ☐ Yes ☐ No   Exportable to our SIEM: ☐ Yes ☐ No

Data Handling:
☐ Data location: _______________
☐ Data residency options: ☐ Yes ☐ No
☐ Data deletion process and timeline after termination: _______________
☐ Backup frequency: _______________
☐ Backup encryption: ☐ Yes ☐ No

INCIDENT RESPONSE:

☐ Incident response plan documented and exercised: ☐ Yes ☐ No
☐ Customer notification timeframe: ___ hours (must be shorter than our own notification obligations)
☐ Security incidents in the last 24 months: ☐ Yes ☐ No
   If yes, details and corrective actions: _______________
☐ Penetration testing frequency: _______________ (independent tester? summary letter available?)
☐ Bug bounty or vulnerability disclosure program: ☐ Yes ☐ No

SUB-PROCESSORS:

☐ Sub-processor list available (names, purpose, location): ☐ Yes ☐ No
☐ Number of sub-processors: ___
☐ Advance notification of sub-processor changes, with right to object: ☐ Yes ☐ No
☐ Vendor performs due diligence on its own sub-processors: ☐ Yes ☐ No

SECURITY ASSESSMENT RESULT:
☐ Approved
☐ Approved with conditions: _______________
☐ Not approved: _______________

Vendor Financial Assessment

═══════════════════════════════════════
SECTION 4: FINANCIAL DUE DILIGENCE
═══════════════════════════════════════

VENDOR: _______________
Assessment date: _______________

COMPANY VIABILITY:

Company Age:
☐ < 2 years (High risk)
☐ 2-5 years (Medium risk)
☐ 5+ years (Lower risk)

Funding Status:
☐ Bootstrapped: _______________
☐ Venture-funded: _______________
  Last round: _______________
  Amount: $_____
  Runway: ___ months
☐ Public company: _______________
☐ Private equity: _______________

Financial Health Indicators:
☐ Revenue trend: ☐ Growing ☐ Stable ☐ Declining ☐ Unknown
☐ Profitability: ☐ Profitable ☐ Approaching ☐ Burning ☐ Unknown
☐ Customer base: ☐ Diverse ☐ Concentrated ☐ Unknown
☐ Recent news/signals: _______________

RED FLAGS:
☐ Leadership turnover
☐ Layoffs announced
☐ Acquisition rumors
☐ Customer complaints increasing
☐ Product roadmap stalled
☐ Support quality declining

FINANCIAL RISK LEVEL:
☐ Low - Stable, well-funded
☐ Medium - Some concerns, monitor closely
☐ High - Significant concerns, mitigation needed
☐ Unacceptable - Seek alternatives

MITIGATION ACTIONS (if Medium/High):
☐ _______________
☐ _______________
☐ _______________

Vendor Contract Requirements

═══════════════════════════════════════
SECTION 5: CONTRACT REQUIREMENTS
═══════════════════════════════════════

CONTRACT CHECKLIST BY TIER:

TIER 1 (CRITICAL) - REQUIRED TERMS:

Service Levels:
☐ Uptime SLA: ___% minimum
☐ Response time SLA: ___ hours (P1), ___ hours (P2)
☐ Resolution time SLA: ___ hours (P1), ___ hours (P2)
☐ SLA credits: ___% per ___% below target
☐ SLA exclusions reasonable: ☐ Yes ☐ No

Data Protection:
☐ Data processing agreement (DPA) signed
☐ Data ownership clearly ours
☐ Data return on termination: ___ days
☐ Data destruction certified
☐ Sub-processor provisions included

Security:
☐ Security obligations defined (specific controls, not just "industry standard")
☐ Breach notification: ___ hours (leave room for your own deadlines, e.g. the 72-hour regulator notification under GDPR)
☐ Audit rights: ☐ Yes ☐ No
☐ Penetration test rights: ☐ Yes ☐ No
☐ Cyber liability insurance: $_____ minimum coverage, certificate on file

Termination:
☐ Termination for convenience: ☐ Yes, ___ days ☐ No
☐ Termination for cause: ☐ Yes, ___ days cure
☐ Transition assistance: ☐ Yes, ___ days ☐ No
☐ Data export: ☐ Standard format ☐ Custom

Liability:
☐ Liability cap: $_____ or ___x fees
☐ Indemnification: ☐ Mutual ☐ One-way ☐ None
☐ IP indemnification: ☐ Yes ☐ No
☐ Data breach indemnification: ☐ Yes ☐ No

TIER 2 (IMPORTANT) - REQUIRED TERMS:
☐ Reasonable SLAs defined
☐ Data processing agreement
☐ Data return on termination
☐ Breach notification
☐ Reasonable termination terms
☐ Adequate liability provisions

TIER 3 (STANDARD) - MINIMUM TERMS:
☐ Standard terms acceptable
☐ Data handling adequate
☐ Termination possible
☐ Basic security commitments

Vendor Ongoing Monitoring

═══════════════════════════════════════
SECTION 6: ONGOING MONITORING
═══════════════════════════════════════

MONITORING CADENCE BY TIER:

TIER 1 - QUARTERLY REVIEW:
☐ Business review meeting
☐ SLA performance review
☐ Security attestation check (SOC 2 report period still current, ISO certificate not expired)
☐ Financial health check
☐ Roadmap alignment
☐ Relationship health
☐ Incident review

TIER 2 - SEMI-ANNUAL REVIEW:
☐ Performance review
☐ Security update
☐ Contract status
☐ Alternatives assessment

TIER 3 - ANNUAL REVIEW:
☐ Basic performance check
☐ Continued need assessment
☐ Renewal decision

VENDOR PERFORMANCE SCORECARD:
Vendor: _______________
Period: _______________

| Category | Weight | Score (1-5) | Weighted (Weight × Score) |
|----------|--------|-------------|---------------------------|
| Uptime/Availability | __% | ___ | ___ |
| Performance | __% | ___ | ___ |
| Support Quality | __% | ___ | ___ |
| Security Posture | __% | ___ | ___ |
| Innovation/Roadmap | __% | ___ | ___ |
| Relationship | __% | ___ | ___ |
| Value for Money | __% | ___ | ___ |
| TOTAL | 100% | | ___ (sum of the weighted column; weights must total 100%) |

PERFORMANCE ACTIONS (weighted total):
☐ 4.5 and above: Expand relationship
☐ 3.5 to below 4.5: Maintain, seek improvements
☐ 2.5 to below 3.5: Formal improvement plan
☐ Below 2.5: Plan transition

INCIDENT TRACKING:
| Date | Issue | Impact | Resolution | Root Cause | Recurrence |
|------|-------|--------|------------|------------|------------|
| | | | | | |
| | | | | | |
| | | | | | |

Vendor Concentration Risk

═══════════════════════════════════════
SECTION 7: CONCENTRATION RISK
═══════════════════════════════════════

CONCENTRATION ANALYSIS:

SINGLE VENDOR DEPENDENCIES:
| Service | Primary Vendor | Alternative | Migration Time |
|---------|----------------|-------------|----------------|
| Cloud infrastructure | | | |
| Database | | | |
| Email/communication | | | |
| Payment processing | | | |
| CRM | | | |
| Analytics | | | |

GEOGRAPHIC CONCENTRATION:
| Region | # Vendors | % of Critical | Risk |
|--------|-----------|---------------|------|
| US West | | | |
| US East | | | |
| Europe | | | |
| Asia | | | |

TECHNOLOGY CONCENTRATION:
| Platform | # Vendors | Critical Services | Risk |
|----------|-----------|-------------------|------|
| AWS | | | |
| GCP | | | |
| Azure | | | |
| Other | | | |

CONCENTRATION RISK MITIGATION:
☐ Identify single points of failure
☐ Evaluate multi-cloud strategy
☐ Document manual workarounds
☐ Maintain vendor alternatives list
☐ Test failover procedures
☐ Negotiate favorable exit terms
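The concentration tables above become useful once the inventory is machine-readable, because the interesting concentration is often indirect: two different vendors may both run on the same cloud platform, which the sub-processor lists gathered in Section 3 reveal. The following is an added example, not part of the original template; the Service record, the function names, the 50% threshold, the 90-day migration tolerance and the sample inventory are all assumptions for illustration. It computes the share of Tier 1 services per platform, region and vendor, flags any single value above the threshold, and lists single points of failure, counting a named alternative only when its migration time has actually been estimated and fits the tolerance.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Service:
    name: str
    vendor: str                     # who we contract with
    platform: str                   # where the vendor itself runs (from its sub-processor list)
    region: str                     # primary region the service is served from
    tier: int                       # 1 critical, 2 important, 3 standard (Section 1)
    alternative: Optional[str]      # named alternative vendor, or None
    migration_days: Optional[int]   # estimated migration time, or None if never estimated


def share_by(services, key, tier=1):
    """Fraction of tier-N services carried by each value of `key`."""
    selected = [s for s in services if s.tier == tier]
    counts = defaultdict(int)
    for s in selected:
        counts[getattr(s, key)] += 1
    total = len(selected) or 1
    return {value: round(n / total, 2) for value, n in sorted(counts.items())}


def concentration_flags(services, threshold=0.5):
    """(dimension, value, share) wherever one value carries more than the threshold."""
    flags = []
    for key in ("platform", "region", "vendor"):
        for value, share in share_by(services, key).items():
            if share > threshold:
                flags.append((key, value, share))
    return flags


def single_points_of_failure(services, max_migration_days=90):
    """Tier 1 services without a usable alternative.

    A named alternative only counts when its migration time has been estimated
    and fits the tolerance; "we could probably move" is not a mitigation.
    """
    spofs = []
    for s in services:
        if s.tier != 1:
            continue
        if s.alternative is None:
            spofs.append((s.name, "no alternative identified"))
        elif s.migration_days is None:
            spofs.append((s.name, "alternative named but migration time never estimated"))
        elif s.migration_days > max_migration_days:
            spofs.append((s.name, f"migration {s.migration_days}d exceeds {max_migration_days}d"))
    return spofs


# Constructed sample inventory (hypothetical vendors). MailCo is a separate
# vendor but itself runs on CloudCo, so platform concentration ends up higher
# than vendor concentration.
SAMPLE_INVENTORY = [
    Service("api-hosting", "CloudCo", "CloudCo", "us-east", 1, None, None),
    Service("primary-db", "CloudCo", "CloudCo", "us-east", 1, "DBVendor", 120),
    Service("payments", "PayCo", "PayCo", "us-east", 1, "AltPay", 45),
    Service("email", "MailCo", "CloudCo", "eu-west", 1, "OtherMail", 30),
    Service("crm", "CrmCo", "OtherCloud", "us-west", 2, "AltCrm", 60),
    Service("analytics", "StatsCo", "CloudCo", "us-east", 3, None, None),
]

if __name__ == "__main__":
    for key, value, share in concentration_flags(SAMPLE_INVENTORY):
        print(f"concentration: {share:.0%} of Tier 1 services depend on {key}={value}")
    for name, reason in single_points_of_failure(SAMPLE_INVENTORY):
        print(f"single point of failure: {name} ({reason})")
```

On the sample inventory the vendor dimension stays at exactly 50% for CloudCo and is not flagged, while the platform dimension reaches 75% because the email vendor also runs on CloudCo; that gap is what the "Technology concentration" table above is meant to surface, and it is only visible if the inventory records each vendor's hosting platform rather than just the vendor name.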

Vendor Exit Planning

═══════════════════════════════════════
SECTION 8: EXIT PLANNING
═══════════════════════════════════════

EXIT PLAN TEMPLATE:

VENDOR: _______________
Exit plan last updated: _______________

TRIGGER CONDITIONS:
☐ Breach of contract
☐ Security incident
☐ Financial instability
☐ Service degradation
☐ Strategic change
☐ Better alternative

ALTERNATIVE VENDORS:
| Priority | Vendor | Status | Migration Time | Notes |
|----------|--------|--------|----------------|-------|
| Primary | | ☐ Evaluated ☐ POC ☐ Ready | | |
| Secondary | | ☐ Evaluated ☐ POC ☐ Ready | | |

DATA EXTRACTION:
☐ Export format: _______________
☐ Export method: _______________
☐ Data completeness: _______________
☐ Historical data: _______________
☐ Test export completed: ☐ Yes ☐ No, date: ___

MIGRATION PLAN:
Phase 1: _______________ (Timeline: ___)
Phase 2: _______________ (Timeline: ___)
Phase 3: _______________ (Timeline: ___)

ESTIMATED COSTS:
☐ New vendor setup: $_____
☐ Migration resources: $_____
☐ Parallel running: $_____
☐ Training: $_____
☐ Total exit cost: $_____

CUSTOMER IMPACT:
☐ Downtime expected: _______________
☐ Communication plan: ☐ Yes ☐ No
☐ Feature parity: ☐ Yes ☐ Partial ☐ No

EXIT DECISION AUTHORITY:
☐ Routine exit: _______________
☐ Critical vendor exit: _______________
☐ Emergency exit: _______________

Vendor Risk Dashboard

═══════════════════════════════════════
SECTION 9: VENDOR RISK DASHBOARD
═══════════════════════════════════════

VENDOR RISK SUMMARY:

VENDOR INVENTORY:
Total vendors: ___
☐ Tier 1 (Critical): ___
☐ Tier 2 (Important): ___
☐ Tier 3 (Standard): ___

RISK OVERVIEW:
| Risk Level | Vendors | Trend |
|------------|---------|-------|
| High Risk | ___ | ↑↓→ |
| Medium Risk | ___ | ↑↓→ |
| Low Risk | ___ | ↑↓→ |

CRITICAL VENDOR STATUS:
| Vendor | Service | Risk | Performance | Next Review |
|--------|---------|------|-------------|-------------|
| | | H/M/L | ___/5 | |
| | | H/M/L | ___/5 | |
| | | H/M/L | ___/5 | |
| | | H/M/L | ___/5 | |
| | | H/M/L | ___/5 | |

OPEN ISSUES:
| Vendor | Issue | Priority | Owner | Status |
|--------|-------|----------|-------|--------|
| | | P1/P2/P3 | | |
| | | P1/P2/P3 | | |
| | | P1/P2/P3 | | |

UPCOMING ACTIONS:
| Action | Vendor | Due | Owner |
|--------|--------|-----|-------|
| Contract renewal | | | |
| Security review | | | |
| QBR scheduled | | | |
| Exit plan update | | | |

CEO Vendor Risk Checklist

═══════════════════════════════════════
CEO VENDOR RISK GOVERNANCE
═══════════════════════════════════════

QUARTERLY CEO REVIEW:

DASHBOARD REVIEW:
☐ Critical vendor status reviewed
☐ High-risk vendors identified
☐ Performance issues noted
☐ Financial health verified

STRATEGIC DECISIONS:
☐ New critical vendor approvals
☐ Vendor exit decisions
☐ Risk acceptance decisions
☐ Investment in alternatives

GOVERNANCE:
☐ Vendor policy current
☐ Risk appetite aligned
☐ Team capabilities adequate
☐ Budget sufficient

CEO QUESTIONS FOR VENDOR RISK:

1. Which vendors could take us down if they failed tomorrow?
2. Do we have a tested alternative for each critical vendor?
3. Are any critical vendors showing warning signs?
4. What's our total exposure to our riskiest vendor?
5. When did we last test our backup plans?

Frequently asked questions

What is the Vendor Risk Management framework?

A framework for managing vendor risk.

Who is the Vendor Risk Management framework for?

It is built for CEOs and their teams working on risk management. The AI coach adapts it to your company, stage, and goals.

How long does the Vendor Risk Management framework take to use?

It saves roughly 40+ hours versus building from scratch. Our AI coach can tailor the framework to your situation in minutes, then hand you a step-by-step plan.

Is the Vendor Risk Management framework free?

Yes. You can read the full framework and start getting coached through it for free. Sign in to save your tailored version and track your next steps.

How does the AI coach help with the Vendor Risk Management framework?

The coach teaches you the framework, asks a few questions about your business, tailors it to you, and gives you measurable next steps to execute.