Application Portfolio Management (APM) Best Practices - Assess vendor health and viability as part of application risk management
Overview
An application is only as organizationally stable as the vendor that develops, supports, and maintains it. A financially distressed vendor may discontinue product development, reduce support quality, or cease operations - leaving the organization with a suddenly unsupported application and no migration plan. A vendor acquired by a competitor may immediately introduce commercial terms that create conflicts of interest or discontinue the product in favor of the acquirer’s competing offering. These vendor risks are entirely independent of the quality of the application itself and can materialize regardless of how well the application performs and how effectively it is governed internally.
Best Practice
Assess the health and viability of every material application vendor as part of the annual portfolio risk review. Vendor health assessment should consider: financial stability indicators; product roadmap continuity and evidence of active investment in product development; market position and competitive dynamics that could threaten the vendor’s long-term viability; ownership stability and the likelihood of acquisition or significant change during the planning horizon; and the vendor’s strategic alignment with the organization’s technology direction. Flag elevated-risk vendors in the portfolio risk register and develop contingency plans for the applications they supply.
Benefit(s)
Proactive vendor health assessment surfaces vendor risks before they materialize as application disruptions that the organization is poorly positioned to respond to. Contingency planning for at-risk vendors reduces the organizational impact of vendor distress events. Migration plans are developed with adequate lead time rather than under crisis conditions. The organization demonstrates to leadership and governance bodies that it governs vendor risk proactively as part of its enterprise risk management framework - a posture increasingly expected by boards, regulators, and auditors reviewing technology risk governance.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present