Vendor Risk Management ====================== Slide 1: Vendor Risk Management Narration Anna: This section sets up Vendor Risk Management. Treat it as the frame for the decisions, handoffs, and evidence that appear in the next slides. Greg: The practical question is simple: by the end, what should a junior IT professional be able to explain, check, or document in a real workplace? On-screen text Vendor Risk Management Protecting continuity and security Slide 2: Why worry about vendor lock-in? Narration Anna: Vendors make bold promises, but what happens when they change pricing or disappear entirely? If your whole service depends on them, even a minor hiccup can snowball into a major disruption. Greg: Exactly. Risk management is about preparing for those "what if" moments before they happen so you're not left scrambling. We'll break down vendor lock-in, data security, business continuity and a few other gotchas that often get overlooked. Anna: Think of it as disaster planning for external relationships. The more you understand potential pitfalls, the easier it is to negotiate contracts and set expectations from the start. Ready to dig in? Greg: Let's do it. On-screen text Why worry about vendor lock-in? Vendor lock-in happens when switching away from a service becomes expensive or technically difficult. Imagine all your files saved in a format that only one vendor's software understands. Changing providers might require costly data conversions or lengthy downtime, so the vendor holds all the power. Real-world examples range from custom Salesforce integrations that won't export cleanly to cloud platforms with no easy migration path. Warning signs include contracts with 12‑month notice periods, proprietary data formats, or ongoing integration fees that grow over time. It's like dating someone who slowly moves all your stuff to their place—leaving suddenly becomes a major project. Always ask, "How do we get our data out if we need to leave?" up front and negotiate reasonable exit clauses before signing anything. Slide 3: Safeguarding data security Narration Anna: "Vendor lock-in" means it's painfully difficult to move your data or workflow somewhere else. Think about a car that only runs on fuel from one specific gas station chain. Greg: The longer you rely on their proprietary format, the more trapped you become. I've seen companies spend six months and $50,000 just to migrate their customer databases to a new CRM. Anna: That's why you negotiate export capabilities and reasonable notice periods up front. Ask to see an export demo during the sales process, not after you've signed a contract. Greg: When switching is possible before you need to switch, you keep the power in the relationship instead of the vendor. On-screen text Safeguarding data security Handing over data to a vendor is like giving someone the keys to your house. You want to know their locks are strong and they actually monitor who comes and goes. Ask about encryption both in transit and at rest, and check whether staff undergo background checks before they can access your information. Find out where servers are located because privacy laws differ around the world. Don't be shy about their breach history—have they ever disclosed incidents and how long did notification take? A reputable vendor will gladly provide documentation such as SOC 2 or ISO 27001 certifications and will outline their incident response process. If they dodge questions or claim "trust us," that's a red flag. Asking about security shouldn't feel like interrogating a spy; if they're evasive, that's your answer right there. Slide 4: Business continuity planning Narration Anna: Business continuity planning focuses attention on a concrete part of the work. Every vendor will claim they have backups, but have those backups ever been, restored in a real emergency? Ask to see test results or drills where the vendor, and simulated a failure and recovered systems. Business continuity also means. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: restored in a real emergency? Ask to see test results or drills where the vendor; simulated a failure and recovered systems. Business continuity also means; thinking beyond a single provider. Maintain a secondary supplier or at least a. On-screen text Business continuity planning Every vendor will claim they have backups, but have those backups ever been restored in a real emergency? Ask to see test results or drills where the vendor simulated a failure and recovered systems. Business continuity also means thinking beyond a single provider. Maintain a secondary supplier or at least a clear exit clause so you can pivot if their service goes dark. Map out escalation paths for different severities—who do you call if the service is down for an hour versus a day? Having a well‑practiced plan keeps you operating when surprises strike, just like carrying an umbrella even when the forecast looks sunny. Slide 5: Financial risk assessment Narration Anna: Financial risk assessment focuses attention on a concrete part of the work. Analyse licensing models carefully: is pricing based on users, data volume or something else entirely?, Watch for per-seat pricing that looks cheap at 10 users but explodes to $50K at 500, and Factor in currency swings and automatic renewal clauses that increase fees annually. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Watch for per-seat pricing that looks cheap at 10 users but explodes to $50K at 500; Factor in currency swings and automatic renewal clauses that increase fees annually; Weigh the stability of startups versus established firms—one may cost less but carry higher risk. On-screen text Financial risk assessment - Analyse licensing models carefully: is pricing based on users, data volume or something else entirely? - Watch for per-seat pricing that looks cheap at 10 users but explodes to $50K at 500. - Factor in currency swings and automatic renewal clauses that increase fees annually. - Weigh the stability of startups versus established firms—one may cost less but carry higher risk. - Case study: one firm spent $200K migrating from Oracle to PostgreSQL after licensing fees spiked. - Thorough financial reviews early on prevent nasty surprises later. Slide 6: Operational dependencies Narration Anna: Operational dependencies focuses attention on a concrete part of the work. Relying on a single vendor can create a fragile chain of dependencies. If their service goes down, do your internal processes grind to a halt? Consider how long it would take staff to learn a replacement system or rebuild integrations. A real-world outage, like Slack's six-hour downtime in 2021, left many teams scrambling because chatbots and help desks all flowed through a single tool. Document alternative workflows—when Slack is down, teams might revert to email threads and phone trees—and build training time into your budget so switching providers doesn't paralyse your organisation. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. On-screen text Operational dependencies Relying on a single vendor can create a fragile chain of dependencies. If their service goes down, do your internal processes grind to a halt? Consider how long it would take staff to learn a replacement system or rebuild integrations. A real-world outage, like Slack's six-hour downtime in 2021, left many teams scrambling because chatbots and help desks all flowed through a single tool. Document alternative workflows—when Slack is down, teams might revert to email threads and phone trees—and build training time into your budget so switching providers doesn't paralyse your organisation. Slide 7: Legal and compliance considerations Narration Anna: When you hand over data to a vendor, it's like giving someone the keys to your house. Greg: Right, and it's like a friend borrowing your car—you want to know they have insurance and won't lend it to their teenager. Ask about encryption both at rest and in transit. Anna: Don't forget access controls. If anyone at the vendor can peek at your information, that's a problem. Greg: A mature vendor will show you compliance certificates and walk you through their incident response plan. If they get hacked, how quickly will they tell you? Anna: And check their history. A breach isn't always a deal breaker, but silence or slow notifications definitely are. On-screen text Legal and compliance considerations Data sovereignty laws and industry regulations can dictate where and how vendor services operate. Ensure that contracts spell out who owns the data, how it may be used and what liability the vendor carries if they breach privacy or security requirements. Ask about compliance certifications relevant to your sector. For example, healthcare providers must verify HIPAA compliance before putting records in the cloud, while retailers may need PCI DSS for payment details. Some jurisdictions require your data to remain in-country, so confirm server locations and backup storage. Insurance coverage and indemnity clauses also play a role; they define who pays if things go wrong. Understanding these legal obligations up front reduces headaches later. Slide 8: Due diligence checklist Narration Anna: Due diligence checklist focuses attention on a concrete part of the work. Evaluate financial stability and customer references, Review security certifications and audit reports, and Test data export options before signing. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Review security certifications and audit reports; Test data export options before signing. On-screen text Due diligence checklist - Evaluate financial stability and customer references - Review security certifications and audit reports - Test data export options before signing Slide 9: Red flags during selection Narration Anna: Red flags during selection focuses attention on a concrete part of the work. Evasive answers about pricing or compliance, No references or vague case studies, and Unrealistic implementation timelines. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: No references or vague case studies; Unrealistic implementation timelines. On-screen text Red flags during selection - Evasive answers about pricing or compliance - No references or vague case studies - Unrealistic implementation timelines Slide 10: Exit strategy planning Narration Anna: Exit strategy planning focuses attention on a concrete part of the work. Negotiate clear termination clauses and notice periods, Document data migration steps and associated costs, and Keep alternative vendors in mind in case you need to switch. Greg: In practice, ask who owns the work, what evidence proves it happened, and what handoff comes next. Use the supporting details as a checklist: Document data migration steps and associated costs; Keep alternative vendors in mind in case you need to switch. On-screen text Exit strategy planning - Negotiate clear termination clauses and notice periods - Document data migration steps and associated costs - Keep alternative vendors in mind in case you need to switch Slide 11: Key takeaway Narration Anna: Business continuity is your lifeboat when a vendor hits rough seas. Greg: Backup plans are like fire drills—they only work if you've actually practiced them. Ask for proof that their backups actually work—a written plan is meaningless if they've never restored from it. Anna: Some companies schedule practice runs where they simulate a complete outage and measure how quickly systems come back online. That's the kind of evidence you want. Greg: Also think about dependencies. If your vendor goes down, do you have a secondary provider, or at least an exit clause that lets you bring operations in-house? Anna: Having these options ahead of time turns a potential disaster into a temporary inconvenience. On-screen text Key takeaway - Ask about data export options before signing - Verify security certifications and test backups - Schedule regular reviews to keep risks visible - Document who owns each vendor relationship internally - Hold a quarterly risk review to track emerging issues