Vendors Inventory and Attributes
Risk attributes for the Vendors Inventory
Risk attributes capture the comprehensive risk profile of each Vendor relationship — operational dependency, substitutability, financial health, fourth-party exposure, ESG risk, geopolitical risk, and the specific factors driving the overall risk rating.
| Attribute Name | Maturity | Description and Notes |
|---|---|---|
| Assessed Risk | Crawl | Description — The overall risk rating for this vendor relationship — the combined assessment of likelihood and impact of vendor failure, data breach, service disruption, or compliance violation. Benefit(s) — Surfaces high-risk vendor relationships for priority governance attention. Drives the depth of due diligence, frequency of assessment, and intensity of monitoring applied to each vendor. Source — Manual. Examples — Very High, High, Medium, Low, Very Low. Notes — Valid values: Very High, High, Medium, Low, Very Low. Risk considerations: financial concentration, operational dependency level, data access breadth, security certification status, geopolitical exposure, financial health, substitutability. Assessed at onboarding and reviewed at each formal review cycle. |
| Dependency Level | Crawl | Description — How operationally critical this vendor is to the enterprise’s ability to function if the vendor were lost or significantly degraded. Benefit(s) — Distinct from Vendor Tier (strategic importance) and Assessed Risk (probability-weighted exposure). Dependency Level answers: what happens operationally tomorrow if this vendor disappears today? Drives business continuity planning and substitutability investment. Source — Manual. Examples — Mission-Critical, High, Medium, Low. Notes — Valid values: Mission-Critical, High, Medium, Low. A Tier 4 commodity vendor can have a Mission-Critical Dependency Level if they are the sole provider of a specific service with no available alternative in the near term. |
| Substitutability | Walk | Description — How easily this vendor could be replaced if the relationship ended — accounting for market alternatives, switching costs, transition complexity, and time required. Benefit(s) — One of the most governance-valuable attributes in the inventory. Substitutability directly informs make-vs-buy decisions, vendor concentration risk management, business continuity investment, and negotiating leverage. A vendor that is Not Replaceable in Near Term has disproportionate leverage in contract negotiations. Source — Manual. Examples — Easily Replaceable (multiple alternatives, low switching cost); Replaceable with Effort (alternatives exist, 6–12 month transition); Difficult to Replace (few alternatives, high switching cost, 12–24 month transition); Not Replaceable in Near Term (sole source or deeply embedded, >24 month transition). Notes — Reviewed annually and whenever a material change in the vendor’s market position occurs (acquisition, product discontinuation, new competitor entry). |
| Concentration Risk | Walk | Description — Whether this vendor represents a concentration risk to the enterprise — either as a single vendor accounting for a disproportionate share of enterprise technology spend, or as the sole provider of a critical capability or service category with no viable alternative. Benefit(s) — Surfaces portfolio-level risk that is invisible from individual vendor records. Two vendors each rated Medium risk may together create a High concentration risk if they are the only two providers of a critical service category and both are experiencing financial distress. Source — Manual. Examples — Yes — sole provider of enterprise integration platform; Yes — accounts for >30% of total IT vendor spend; No. Notes — Concentration risk is a portfolio-level finding that may be triggered by individual vendor attributes (Substitutability = Not Replaceable) or by cross-vendor analysis (multiple vendors in the same sector all rated High risk). |
| Financial Health Indicator | Walk | Description — An assessment of the vendor’s financial stability and viability as a going concern — based on publicly available financial information, credit ratings, or third-party financial health monitoring services. Benefit(s) — A vendor experiencing financial distress is an operational risk regardless of their current service performance. Financial distress may precede service degradation, acquisition, or sudden discontinuation by months or years. Early warning enables proactive transition planning. Source — Manual. Examples — Stable, Under Watch, Distressed, Unknown. Notes — Valid values: Stable (no financial concerns), Under Watch (indicators of financial stress warrant monitoring), Distressed (material financial risk — activate contingency planning), Unknown (insufficient information available). Sources: Dun and Bradstreet rating, S&P/Moody’s credit rating, annual report analysis, news monitoring. Reviewed annually and on material financial news events. |
| Fourth-Party Risk Assessed | Walk | Description — Whether the enterprise has assessed the risk profile of this vendor’s key subcontractors, cloud providers, and service dependencies — the vendor’s vendors — that could affect service delivery to the enterprise. Benefit(s) — Fourth-party risk is a growing governance blind spot. A vendor’s own security controls may be strong while a critical subcontractor introduces the exposure. Regulatory frameworks including DORA and the UK FCA Critical Third Parties regime now explicitly require fourth-party visibility. Source — Manual. Examples — Yes (assessed), In Progress, No, Not Required. Notes — Valid values: Yes (assessed), In Progress, No, Not Required. For Tier 1 vendors, Yes is the minimum acceptable status. Fourth-party assessment typically involves requiring the vendor to disclose their key subcontractors and their security certifications. |
| Key Fourth Parties [Multi-Value] | Walk | Description — The key subcontractors, cloud providers, or service dependencies that this vendor relies on to deliver services to the enterprise — the most material fourth parties identified during fourth-party risk assessment. Benefit(s) — Makes invisible supply chain dependencies visible. When a fourth party experiences a breach or service disruption, this attribute immediately surfaces which enterprise vendors are affected and therefore which enterprise services are at risk. Source — Manual. Examples — Amazon Web Services (infrastructure); Stripe (payment processing); Okta (identity management); Wipro (development staffing). Notes — Separate multiple values with semicolons. Record the most material fourth parties — those whose failure would materially affect the vendor’s ability to deliver services to the enterprise. Not intended to be an exhaustive list of every subcontractor. |
| Key Risk Factors [Multi-Value] | Walk | Description — The specific conditions or vulnerabilities driving the Assessed Risk rating for this vendor relationship. Benefit(s) — Translates the overall risk rating into actionable governance targets. A practitioner reading the Key Risk Factors knows exactly which conditions to monitor and which to remediate. Source — Manual. Examples — Sole-source dependency; Geopolitical exposure (operations in sanctioned region); Financial instability (Under Watch); Broad data access (PII, PHI); Expired security certifications; No DPA in place; Poor SLA performance history; Reputational concerns (public regulatory action); No offboarding plan documented. Notes — Separate multiple risk factors with semicolons. Include reputational risk factors where relevant — association with a vendor under regulatory action or public controversy creates enterprise reputational exposure. |
| ESG Risk Rating | Walk | Description — An assessment of the vendor’s environmental, social, and governance risk profile — covering labor practices, ethical sourcing, carbon impact, diversity and inclusion standards, and governance transparency. Benefit(s) — ESG risk in the vendor portfolio is increasingly required by investors, regulators, enterprise procurement policies, and customers. A vendor with poor ESG practices creates reputational and regulatory exposure for the enterprise beyond the direct financial and operational risk of the relationship. Source — Manual. Examples — Low, Moderate, High, Not Assessed. Notes — Valid values: Low, Moderate, High, Not Assessed. Sources: vendor-provided ESG disclosures, third-party ESG ratings (EcoVadis, Sustainalytics, MSCI ESG), news monitoring. For Tier 1 and Tier 2 vendors, Not Assessed is not an acceptable long-term status. |
| Risk Trend | Run | Description — The direction of travel of the vendor’s risk profile over the past review period. Benefit(s) — Enables early warning of deteriorating vendor risk before it reaches the threshold requiring immediate action. A vendor whose risk is consistently Deteriorating warrants proactive contingency planning before the risk score itself triggers escalation. Source — Manual. Examples — Improving, Stable, Deteriorating. |
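Two of the benefits claimed above (surfacing which vendors are affected when a fourth party is disrupted, and portfolio-level concentration findings that no single record reveals) only materialise if the inventory is queried across records. The following is an added example, not IF4IT code: it assumes each vendor is a dict keyed by the attribute names in the table, that multi-value fields are semicolon-separated strings as the Notes specify, and that a "Vendor" identifier and a "Service Category" field exist elsewhere in the inventory; the sample records are constructed.

```python
from collections import defaultdict

# Financial Health Indicator values that count as financial stress for the
# cross-vendor concentration rule described in the Concentration Risk row.
FINANCIAL_STRESS = {"Under Watch", "Distressed"}

# Constructed sample inventory records (not real vendor assessments).
# "Vendor" and "Service Category" are assumed fields from elsewhere in the inventory.
VENDORS = [
    {"Vendor": "V-A", "Service Category": "Integration Platform", "Assessed Risk": "Medium",
     "Financial Health Indicator": "Under Watch", "Substitutability": "Difficult to Replace",
     "Key Fourth Parties": "Amazon Web Services (infrastructure); Okta (identity management)"},
    {"Vendor": "V-B", "Service Category": "Integration Platform", "Assessed Risk": "Medium",
     "Financial Health Indicator": "Distressed", "Substitutability": "Difficult to Replace",
     "Key Fourth Parties": "Amazon Web Services (infrastructure)"},
    {"Vendor": "V-C", "Service Category": "Payments", "Assessed Risk": "Low",
     "Financial Health Indicator": "Stable", "Substitutability": "Not Replaceable in Near Term",
     "Key Fourth Parties": "Stripe (payment processing)"},
]


def split_multi(value):
    """Split a semicolon-separated multi-value attribute into clean, non-empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def vendors_exposed_to(fourth_party, vendors):
    """Vendor identifiers whose Key Fourth Parties list names the given fourth party.
    The role in parentheses, e.g. "(infrastructure)", is ignored; matching is case-insensitive."""
    needle = fourth_party.strip().lower()
    hits = []
    for rec in vendors:
        names = [p.split("(")[0].strip().lower() for p in split_multi(rec["Key Fourth Parties"])]
        if needle in names:
            hits.append(rec["Vendor"])
    return hits


def concentration_findings(vendors):
    """Portfolio-level findings invisible from a single record: a sole-source vendor, or a
    service category with at most two providers where every provider is under financial stress."""
    findings = []
    by_category = defaultdict(list)
    for rec in vendors:
        by_category[rec["Service Category"]].append(rec)
        if rec["Substitutability"] == "Not Replaceable in Near Term":
            findings.append(f"{rec['Vendor']}: sole source ({rec['Service Category']})")
    for category, recs in by_category.items():
        if len(recs) <= 2 and all(r["Financial Health Indicator"] in FINANCIAL_STRESS for r in recs):
            names = ", ".join(r["Vendor"] for r in recs)
            findings.append(f"{category}: all providers ({names}) under financial stress")
    return findings
```

Run `vendors_exposed_to("Amazon Web Services", VENDORS)` on a fourth-party outage day and `concentration_findings(VENDORS)` at each review cycle; both V-A and V-B are individually Medium risk, yet together they trip the concentration rule.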
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present