Vendor Risk Management
Continuous review.
Overview
Vendor risk does not stop at onboarding. SOC 2 reports cover a fixed audit period and go stale, vendors get acquired, financial health changes, and security incidents happen. Without continuous review, the next surprise comes from a vendor whose status changed six months ago and nobody noticed.
- SOC 2 and compliance review. Annual report refresh; a report that has lapsed, narrowed in scope, or carries unremediated exceptions surfaces only if you check.
- Incident review. Every public incident at a critical vendor gets a quick assessment of whether your data was affected and how.
- Financial health review. Vendor layoffs, funding changes, and acquisition rumours all affect long-term reliability; track them.
- Quarterly risk review. Standing meeting where each critical vendor gets a green/yellow/red rating; trend matters more than any single quarter.
The approach
Run vendor risk as a quarterly operational rhythm with named owners. The work is small per vendor and large in aggregate; batching it quarterly is the right cadence.
- Per-vendor SOC 2 review. Annual report refresh: confirm the report period, the trust services criteria covered, and whether the services you actually use are in scope; request a bridge letter when the period end is more than a few months old; gap analysis if the report changed materially; follow-up if exceptions noted in the prior report were not remediated.
- Per-vendor incident review. Standing template for what to capture when a vendor has a public incident; the captured data drives the renewal conversation.
- Per-vendor financial health. Public signals (layoffs, funding, leadership churn) tracked alongside the standard risk metrics.
- Documented risk policy. Capture the categories, the cadence, and the escalation path; new team members inherit the framework.
Why this compounds
Risk discipline keeps paying back: surprise vendor failures become rare, audit conversations get easier, and renewal decisions land with current data rather than initial-evaluation memory.
- Risk posture. Continuous review means a vendor incident is rarely a genuine surprise: you already know the vendor's current status and what data it holds, so the response starts from facts rather than discovery.
- Operational fit. Vendors with deteriorating risk get renegotiated or replaced before they become incidents.
- Compliance evidence. Auditors accept ongoing risk reviews; one-off snapshots invite follow-up questions.
- Decision trail for the next renewal. The risk log becomes the renewal scorecard, not a cold start.