Vendors Inventory and Attributes
Chapter 2. Glossary of Terms and Phrases
The following terms are used throughout this document with specific meanings.
| Term | Definition |
|---|---|
| Vendor | A third-party organization from which the enterprise procures technology, services, data, or capabilities under a formal or informal engagement. A Vendor is a distinct legal entity with its own governance obligations, risk profile, and contractual relationship with the enterprise. |
| Vendor Tier | A strategic classification of a vendor’s importance to the enterprise: Tier 1 (Critical), Tier 2 (Important), Tier 3 (Standard), Tier 4 (Commodity). Drives the depth of governance oversight, frequency of review, and intensity of risk monitoring applied to each vendor. |
| Dependency Level | An operational assessment of how critically the enterprise depends on a vendor — what would happen to enterprise operations if the vendor were lost or significantly degraded tomorrow. Distinct from Vendor Tier, which is a strategic designation. |
| Substitutability | A measure of how easily a vendor could be replaced if the relationship ended — accounting for market alternatives, switching costs, and transition timeline. A key indicator of vendor leverage and concentration risk. |
| Fourth-Party Risk | The risk introduced by a vendor’s own subcontractors, cloud providers, and service dependencies — the vendor’s vendors. Fourth-party failures can disrupt enterprise services through the vendor without the vendor itself being the direct cause. |
| Data Processing Agreement | A contractual agreement (DPA) between the enterprise and a vendor that processes personal data on the enterprise’s behalf, governing how that data is handled. Required under GDPR and many other privacy regulations. |
| Business Associate Agreement | A contractual agreement (BAA) between the enterprise and a vendor that handles Protected Health Information (PHI) on the enterprise’s behalf. Required under HIPAA. |
| Concentration Risk | The risk that the enterprise is disproportionately dependent on a single vendor or a small group of vendors in the same category — such that the loss or failure of one vendor would have an outsized impact on enterprise operations or spend. |
| ESG Risk | Environmental, Social, and Governance risk in a vendor relationship — covering labor practices, ethical sourcing, carbon impact, diversity standards, and governance transparency. Increasingly required in enterprise vendor assessments by investors, regulators, and customers. |
| Offboarding Plan | A documented plan for the orderly termination of a vendor relationship — covering access revocation, data return or destruction, financial closeout, compliance handoff, and transition of dependent services. Should exist for every significant vendor before it is needed. |
| Vendor Lifecycle | The end-to-end stages of a vendor relationship: Selection and Due Diligence, Onboarding, Active Management and Review, Renewal or Renegotiation, and Offboarding. The Vendors Inventory governs vendor entities across all lifecycle stages. |
| DORA | The EU Digital Operational Resilience Act — a regulatory framework effective 2025 that requires financial institutions to document, assess, and continuously monitor their third-party vendor dependencies, with specific requirements for critical third-party providers. |
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present