The Vendor Management Trap
Someone told you that you need a vendor risk management program. So you exported your accounts payable list and discovered 127 vendors. Now what—send questionnaires to all 127? Review every contract? Maintain a spreadsheet the size of a small database?
That way lies madness. And here's the thing: it's also the wrong approach.
Most vendor risk programs make a critical mistake: they treat contract value as the primary indicator of vendor importance. A million-dollar infrastructure contract gets intensive scrutiny, while the $50/month analytics tool quietly processing customer data gets almost none.
This creates a massive mismatch between perceived vendor importance and actual vendor risk.
The Real Principle: Risk-Based Tiering
The office plant service is not the same risk as your cloud infrastructure provider. But many programs treat them identically—either everything gets a checkbox review, or nothing gets reviewed at all.
What matters isn't contract value—it's data exposure, business criticality, and operational dependencies. A free Slack integration with admin access to your systems poses more risk than a $100K vendor with no data access.
The solution is tiered classification: group vendors into risk categories, then apply proportional due diligence. More rigor where it matters, less where it doesn't.
The Four-Tier Framework
Tier 1: Critical (5-10 vendors)
These vendors can take down your business or expose sensitive data. They deserve real attention:
Examples
Cloud infrastructure (AWS, Azure, GCP). Core SaaS (CRM, your main line-of-business apps). Payment processing. Customer data processors. Identity providers (Okta, Google Workspace).
Assessment
Full security review with detailed questionnaire (SIG Lite or equivalent). Request and review SOC 2 report. Contract security terms review. Annual re-assessment. Monitor for breaches in security news.
Tier 2: Important (10-20 vendors)
These have meaningful access or could cause operational disruption, but aren't existential risks:
Examples
Communication tools (Slack, Zoom). HR/payroll systems. Development tools (GitHub, CI/CD). Support ticketing. Email marketing platforms.
Assessment
Abbreviated questionnaire (key controls only). Check for SOC 2 or ISO 27001 certification. Review data handling terms. Re-assess every 18-24 months or on renewal.
Tier 3 & 4: Standard and Minimal (Everything Else)
Office software, design tools, project management, office supplies, physical vendors. Verify basic certifications exist for Tier 3; standard procurement for Tier 4. Don't spend hours reviewing the catering company.
If a vendor has access to multiple business resources, always assign them the highest applicable tier. The risk is cumulative. And any vendor whose access is 'Unknown' should start as Tier 1 until you figure out what they actually touch.
The Tiering Scorecard
When onboarding a vendor (or retroactively tiering your existing list), score them on three dimensions:
Data Access
Customer data access: +10 points. Employee data (PII, HR): +5 points. Financial data: +5 points. No data access: 0 points.
System Access
Production environment access: +10 points. API integrations: +5 points. Internal network access: +5 points. No system access: 0 points.
Business Impact
Downtime stops revenue: +10 points. Significant operational impact: +5 points. Limited impact, easily replaceable: 0 points.
15+ points = Tier 1 | 10-14 points = Tier 2 | 5-9 points = Tier 3 | 0-4 points = Tier 4
Worked examples:
Customer data: +10. Financial data: +5. API integration: +5. Revenue impact: +10. Total: 30 → Tier 1
Internal communication data: +5. API integrations: +5. Operational impact: +5. Total: 15 → Tier 1 (just)
Internal design assets only: +2. No integrations: 0. Limited impact: 0. Total: 2 → Tier 4
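The scorecard above, as an added example that is not part of the original article: it sums every applicable item (risk is cumulative), sends any vendor with 'Unknown' access straight to Tier 1, and buckets a constructed sample inventory by tier. The vendor names and their access flags are illustrative assumptions, not real vendors.

```python
from dataclasses import dataclass, field

# Point values exactly as the scorecard states them.
DATA_POINTS = {"customer": 10, "employee": 5, "financial": 5}
SYSTEM_POINTS = {"production": 10, "api": 5, "internal_network": 5}
IMPACT_POINTS = {"revenue": 10, "operational": 5, "limited": 0}
UNKNOWN = "unknown"  # placeholder until someone checks what the vendor actually touches


@dataclass
class Vendor:
    name: str
    data_access: set = field(default_factory=set)    # keys of DATA_POINTS, or {UNKNOWN}
    system_access: set = field(default_factory=set)  # keys of SYSTEM_POINTS, or {UNKNOWN}
    impact: str = "limited"                          # one key of IMPACT_POINTS


def score(v: Vendor) -> int:
    """Add every applicable item: access to several resources stacks, it does not average."""
    total = sum(DATA_POINTS[k] for k in v.data_access if k != UNKNOWN)
    total += sum(SYSTEM_POINTS[k] for k in v.system_access if k != UNKNOWN)
    return total + IMPACT_POINTS[v.impact]


def tier(v: Vendor) -> int:
    """Map points to a tier; any 'Unknown' access is Tier 1 until it is resolved."""
    if UNKNOWN in v.data_access or UNKNOWN in v.system_access:
        return 1
    s = score(v)
    return 1 if s >= 15 else 2 if s >= 10 else 3 if s >= 5 else 4


def tier_inventory(vendors) -> dict:
    """Return {tier: [vendor names]} so the review workload per tier is visible."""
    out = {1: [], 2: [], 3: [], 4: []}
    for v in vendors:
        out[tier(v)].append(v.name)
    return out


# Constructed sample inventory (names are illustrative, not real vendors).
SAMPLE = [
    Vendor("cloud-infra", {"customer"}, {"production"}, "revenue"),  # 30 -> Tier 1
    Vendor("cheap-analytics", {"customer"}, {"api"}, "limited"),     # 15 -> Tier 1
    Vendor("ticketing", {"employee"}, {"api"}, "limited"),           # 10 -> Tier 2
    Vendor("design-tool", set(), set(), "operational"),              #  5 -> Tier 3
    Vendor("catering", set(), set(), "limited"),                     #  0 -> Tier 4
    Vendor("legacy-integration", {UNKNOWN}, set(), "limited"),       # unknown -> Tier 1
]
```

Note that the cheap analytics tool lands in Tier 1 purely on customer data plus an API integration, which is the article's point about contract value being the wrong signal.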
Red Flags in Vendor Reviews
When you do review vendors, watch for these signals:
Major Concerns
No MFA option: Disqualifying for Tier 1/2. Resistance to questionnaires: Good vendors expect security reviews. No incident response plan: How will they notify you of a breach? Data in unexpected locations: Know where your data actually lives.
Worth Noting
No SOC 2/ISO 27001: Not disqualifying for smaller vendors, but note it. Long questionnaire turnaround: May indicate immature security program. Generic responses: "We take security seriously" without specifics.
Managing Without a Full-Time Team
You don't need a dedicated vendor risk manager. Here's a sustainable rhythm:
Quarterly (2 hours): Check Tier 1/2 certification expirations. Review security news for vendor breaches. Update inventory with new additions.
Annually (1 day): Re-tier all vendors. Request updated SOC 2 reports from Tier 1. Send refresh questionnaires to Tier 2.
Trigger-based: New vendor onboarding. Vendor breach announcement. Contract renewal. Significant service change.
Before tiering: Treated all vendors equally—either reviewed none (usual) or scrambled to review everything before audits (chaos). No clear ownership. Spreadsheet with outdated information. Failed SOC 2 control for vendor management.
After tiering: Identified 7 Tier 1 vendors (full assessment), 15 Tier 2 (abbreviated review), 30 Tier 3 (certification check), 37 Tier 4 (procurement only). Created sustainable quarterly rhythm. Passed SOC 2 with no exceptions.
The Bottom Line
Effective vendor risk management isn't about reviewing every vendor with equal rigor—that's impossible and counterproductive. It's about knowing which vendors matter most, focusing limited time on critical risks, having a documented process you actually follow, and updating assessments when things change.
Five thorough vendor reviews beat 50 checkbox exercises. Start with your Tier 1 vendors—the ones with customer data, production access, or revenue impact. Get those right, and you've addressed the vast majority of your actual vendor risk.
The other 50 vendors? They can wait.