Back to lesson

Vendor Risk Management

Slide 1: Vendor Risk Management

On-screen

Vendor Risk Management

Protecting continuity and security

Narration

Anna: This section sets up Vendor Risk Management. Treat it as the frame for the decisions, handoffs, and evidence that appear in the next slides.
Greg: The practical question is simple: by the end, what should a junior IT professional be able to explain, check, or document in a real workplace?

Slide 2: Why worry about vendor lock-in?

On-screen

Why worry about vendor lock-in?

Vendor lock-in happens when switching away from a service becomes expensive or

technically difficult. Imagine all your files saved in a format that only one

vendor's software understands. Changing providers might require costly data

conversions or lengthy downtime, so the vendor holds all the power. Real-world

examples range from custom Salesforce integrations that won't export cleanly to

cloud platforms with no easy migration path. Warning signs include contracts

with 12‑month notice periods, proprietary data formats, or ongoing integration

fees that grow over time. It's like dating someone who slowly moves all your

stuff to their place—leaving suddenly becomes a major project. Always ask,

"How do we get our data out if we need to leave?" up front and negotiate

reasonable exit clauses before signing anything.

Narration

Anna: Vendors make bold promises, but what happens when they change
pricing or disappear entirely? If your whole service depends on them, even a
minor hiccup can snowball into a major disruption.
Greg: Exactly. Risk management is about preparing for those "what if"
moments before they happen so you're not left scrambling. We'll break down
vendor lock-in, data security, business continuity and a few other gotchas that
often get overlooked.
Anna: Think of it as disaster planning for external relationships. The more
you understand potential pitfalls, the easier it is to negotiate contracts and
set expectations from the start. Ready to dig in?
Greg: Let's do it.

Slide 3: Safeguarding data security

On-screen

Safeguarding data security

Handing over data to a vendor is like giving someone the keys to your house.

You want to know their locks are strong and they actually monitor who comes and

goes. Ask about encryption both in transit and at rest, and check whether staff

undergo background checks before they can access your information. Find out

where servers are located because privacy laws differ around the world. Don't be

shy about their breach history—have they ever disclosed incidents and how long

did notification take? A reputable vendor will gladly provide documentation such

as SOC 2 or ISO 27001 certifications and will outline their incident response

process. If they dodge questions or claim "trust us," that's a red flag. Asking

about security shouldn't feel like interrogating a spy; if they're evasive,

that's your answer right there.

Narration

Anna: "Vendor lock-in" means it's painfully difficult to move your data or
workflow somewhere else. Think about a car that only runs on fuel from one
specific gas station chain.
Greg: The longer you rely on their proprietary format, the more trapped you
become. I've seen companies spend six months and $50,000 just to migrate their
customer databases to a new CRM.
Anna: That's why you negotiate export capabilities and reasonable notice
periods up front. Ask to see an export demo during the sales process, not after
you've signed a contract.
Greg: When switching is possible before you need to switch, you keep the
power in the relationship instead of the vendor.

Slide 4: Business continuity planning

On-screen

Business continuity planning

Every vendor will claim they have backups, but have those backups ever been

restored in a real emergency? Ask to see test results or drills where the vendor

simulated a failure and recovered systems. Business continuity also means

thinking beyond a single provider. Maintain a secondary supplier or at least a

clear exit clause so you can pivot if their service goes dark. Map out

escalation paths for different severities—who do you call if the service is down

for an hour versus a day? Having a well‑practiced plan keeps you operating when

surprises strike, just like carrying an umbrella even when the forecast looks

sunny.

Narration

Anna: Business continuity planning focuses attention on a concrete part of the work. Every vendor will claim they have backups, but have those backups ever been, restored in a real emergency? Ask to see test results or drills where the vendor, and simulated a failure and recovered systems. Business continuity also means.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: restored in a real emergency? Ask to see test results or drills where the vendor; simulated a failure and recovered systems. Business continuity also means; thinking beyond a single provider. Maintain a secondary supplier or at least a.

Slide 5: Financial risk assessment

On-screen

Financial risk assessment

  • Analyse licensing models carefully: is pricing based on users, data volume or something else entirely?
  • Watch for per-seat pricing that looks cheap at 10 users but explodes to $50K at 500.
  • Factor in currency swings and automatic renewal clauses that increase fees annually.
  • Weigh the stability of startups versus established firms—one may cost less but carry higher risk.
  • Case study: one firm spent $200K migrating from Oracle to PostgreSQL after licensing fees spiked.
  • Thorough financial reviews early on prevent nasty surprises later.

Narration

Anna: Financial risk assessment focuses attention on a concrete part of the work. Analyse licensing models carefully: is pricing based on users, data volume or something else entirely?, Watch for per-seat pricing that looks cheap at 10 users but explodes to $50K at 500, and Factor in currency swings and automatic renewal clauses that increase fees annually.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Watch for per-seat pricing that looks cheap at 10 users but explodes to $50K at 500; Factor in currency swings and automatic renewal clauses that increase fees annually; Weigh the stability of startups versus established firms—one may cost less but carry higher risk.

Slide 6: Operational dependencies

On-screen

Operational dependencies

Relying on a single vendor can create a fragile chain of dependencies. If their service goes down, do your internal processes grind to a halt? Consider how long it would take staff to learn a replacement system or rebuild integrations. A real-world outage, like Slack's six-hour downtime in 2021, left many teams scrambling because chatbots and help desks all flowed through a single tool. Document alternative workflows—when Slack is down, teams might revert to email threads and phone trees—and build training time into your budget so switching providers doesn't paralyse your organisation.

Narration

Anna: Operational dependencies focuses attention on a concrete part of the work. Relying on a single vendor can create a fragile chain of dependencies. If their service goes down, do your internal processes grind to a halt? Consider how long it would take staff to learn a replacement system or rebuild integrations. A real-world outage, like Slack's six-hour downtime in 2021, left many teams scrambling because chatbots and help desks all flowed through a single tool. Document alternative workflows—when Slack is down, teams might revert to email threads and phone trees—and build training time into your budget so switching providers doesn't paralyse your organisation.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next.

Slide 7: Legal and compliance considerations

On-screen

Legal and compliance considerations

Data sovereignty laws and industry regulations can dictate where and how vendor services operate. Ensure that contracts spell out who owns the data, how it may be used and what liability the vendor carries if they breach privacy or security requirements. Ask about compliance certifications relevant to your sector. For example, healthcare providers must verify HIPAA compliance before putting records in the cloud, while retailers may need PCI DSS for payment details. Some jurisdictions require your data to remain in-country, so confirm server locations and backup storage. Insurance coverage and indemnity clauses also play a role; they define who pays if things go wrong. Understanding these legal obligations up front reduces headaches later.

Narration

Anna: When you hand over data to a vendor, it's like giving someone the keys to your house.
Greg: Right, and it's like a friend borrowing your car—you want to know they have insurance and won't lend it to their teenager. Ask about encryption both at rest and in transit.
Anna: Don't forget access controls. If anyone at the vendor can peek at your information, that's a problem.
Greg: A mature vendor will show you compliance certificates and walk you through their incident response plan. If they get hacked, how quickly will they tell you?
Anna: And check their history. A breach isn't always a deal breaker, but silence or slow notifications definitely are.

Slide 8: Due diligence checklist

On-screen

Due diligence checklist

  • Evaluate financial stability and customer references
  • Review security certifications and audit reports
  • Test data export options before signing

Narration

Anna: Due diligence checklist focuses attention on a concrete part of the work. Evaluate financial stability and customer references, Review security certifications and audit reports, and Test data export options before signing.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Review security certifications and audit reports; Test data export options before signing.

Slide 9: Red flags during selection

On-screen

Red flags during selection

  • Evasive answers about pricing or compliance
  • No references or vague case studies
  • Unrealistic implementation timelines

Narration

Anna: Red flags during selection focuses attention on a concrete part of the work. Evasive answers about pricing or compliance, No references or vague case studies, and Unrealistic implementation timelines.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: No references or vague case studies; Unrealistic implementation timelines.

Slide 10: Exit strategy planning

On-screen

Exit strategy planning

  • Negotiate clear termination clauses and notice periods
  • Document data migration steps and associated costs
  • Keep alternative vendors in mind in case you need to switch

Narration

Anna: Exit strategy planning focuses attention on a concrete part of the work. Negotiate clear termination clauses and notice periods, Document data migration steps and associated costs, and Keep alternative vendors in mind in case you need to switch.
Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Document data migration steps and associated costs; Keep alternative vendors in mind in case you need to switch.

Slide 11: Key takeaway

On-screen

Key takeaway

  • Ask about data export options before signing
  • Verify security certifications and test backups
  • Schedule regular reviews to keep risks visible
  • Document who owns each vendor relationship internally
  • Hold a quarterly risk review to track emerging issues

Narration

Anna: Business continuity is your lifeboat when a vendor hits rough seas.
Greg: Backup plans are like fire drills—they only work if you've actually practiced them. Ask for proof that their backups actually work—a written plan is meaningless if they've never restored from it.
Anna: Some companies schedule practice runs where they simulate a complete outage and measure how quickly systems come back online. That's the kind of evidence you want.
Greg: Also think about dependencies. If your vendor goes down, do you have a secondary provider, or at least an exit clause that lets you bring operations in-house?
Anna: Having these options ahead of time turns a potential disaster into a temporary inconvenience.