Identify and Manage Financial Risk Impacts on Your Organization

Good vendor management practices help organizations understand the costs of negative vendor actions.

  • As vendors become more prevalent in organizations, organizations increasingly need to understand and manage the potential financial impacts of vendors’ actions.
  • It is only a matter of time until a vendor mistake impacts your organization. Make sure you are prepared to manage the adverse financial consequences.

Our Advice

Critical Insight

  • Identifying and managing a vendor’s potential financial impact requires multiple people in the organization across several functions – and those people all need educating on the potential risks.
  • Organizational leadership is often unaware of decisions on organizational risk appetite and tolerance, and they assume there are more protections in place against risk impact than there truly are.

Impact and Result

  • Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.
  • Prioritize and classify your vendors with quantifiable, standardized rankings.
  • Prioritize focus on your high-risk vendors.
  • Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

Identify and Manage Financial Risk Impacts on Your Organization Research & Tools

1. Identify and Manage Financial Risk Impact on Your Organization Deck – Use the research to better understand the negative financial impacts of vendor actions.

Use this research to identify and quantify the potential financial impacts of vendors’ poor performance. Use Info-Tech’s approach to look at the financial impact from various perspectives to better prepare for issues that may arise.

2. “What If” Financial Risk Impact Tool – Use this tool to help identify and quantify the financial impacts of negative vendor actions.

By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.


Analyst Perspective

Vendor actions can have significant financial consequences for your organization.

Vendors are becoming more influential and essential to the operation of organizations. Often the sole risk consideration of a business is whether the vendor meets a security standard, but vendors can negatively impact organizations’ budgets in various ways. Fortunately, though inherent risk is always present, organizations can offset the financial impacts of high-risk vendors by employing due diligence in their vendor management practices to help manage the overall risks.

Frank Sewell
Research Director, Vendor Management
Info-Tech Research Group

Info-Tech Insight

Companies without good vendor management risk initiatives will take on more risk than they should. Solid vendor management practices are imperative – organizations must evolve to ensure that vendors deliver services according to performance objectives and that risks are managed accordingly.

Info-Tech’s multi-blueprint series on vendor risk assessment

There are many individual components of vendor risk beyond cybersecurity.

Figure: the individual components of vendor risk: 'Financial', 'Reputational', 'Operational', 'Strategic', 'Security', and 'Regulatory & Compliance'.

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

Out of scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

Financial risk impact

Potential losses to the organization due to financial risks

In this blueprint, we’ll explore financial risks and their impacts.

Identifying negative actions is paramount to assessing the overall financial impact on your organization, starting in the due diligence phase of the vendor assessment and continuing throughout the vendor lifecycle.

Unbudgeted financial risk impact

The costs of adverse vendor actions, such as a breach or an outage, are increasing. By knowing these potential costs, leaders can calculate how to avoid them throughout the lifecycle of the relationship.

  • Loss of business represents the largest share of the breach: 38% (avg. $1.59M)
  • Global average cost of a vendor breach: $4.2M
  • Percentage of breaches in 2020 caused by business associates: 40.2% (23.2% YoY, year over year)

(Source: “Cost of a Data Breach Report 2021,” IBM, 2021) (Source: “Vendor Risk Management – A Growing Concern,” Stern Security, 2021)

Example: Hospital IT System Outage

Hospitals often rely on vendors to manage their data center environments but rarely understand the downstream financial impacts if that vendor fails to perform.

For example, a vendor implements a patch out of cycle with no notice to the IT group. Suddenly all IT systems are down. It takes 12 hours for the IT teams to return systems to normal. The downstream impacts are substantial.

  • There is no revenue capture during outage (patient registration, payments).
    • The financial loss is significant, impacting cash on hand and jeopardizing future projects.
  • Clinicians cannot access the electronic health record (EHR) system and shift to downtime paper processes.
    • This can cause potential risks to patient health, such as unknown drug interactions.
    • This could also incur lawsuits, fines, and penalties.
  • Staff must manually add the paper records into the EHR after the incident is corrected.
    • Staff time is lost on creating paper records and overtime is required to reintroduce those records into EMR.
  • Staff time and overtime pay on troubleshooting and solving issues take away from normal operations and could cause delays, having downstream effects on the timing of other projects.

Insight Summary

Assessing financial impacts is an ongoing, educative, and collaborative multidisciplinary process that vendor management initiatives are uniquely designed to coordinate and manage for organizations.

Insight 1: Vendors are becoming more and more crucial to organizations’ overall operations, and most organizations have a poor understanding of the potential impacts they represent.

Is your vendor solvent? Do they have enough staff to accommodate your needs? Has their long-term planning been affected by changes in the market? Are they unique in their space?

Insight 2: Financial impacts from other risk types deserve just as much focus as security alone, if not more.

Examples include penalties and fines, loss of revenue due to operational impacts, vendor replacement costs, hidden costs in poorly understood contracts, and lack of contractual protections.

Insight 3: There is always an inherent risk in working with a vendor, but organizations should financially quantify how much each risk may impact their budget.

A significant concern for organizations is quantifying different types of risks. When a risk occurs, the financial losses are often poorly understood, with unbudgeted financial impacts.

Three stages of vendor financial risk assessment

Assess risk throughout the complete vendor lifecycle

  1. Pre-Relationship Due Diligence: The initial pre-relationship due diligence stage is a crucial point to establish risk management practices. Vendor management practices ensure that a potential vendor’s risk is categorized correctly by facilitating the process of risk assessment.
  2. Monitor & Manage: Once the relationship is in place, organizations should enact ongoing management efforts to ensure they are both getting their value from the vendor and appropriately addressing any newly identified risks.
  3. Termination: When the termination of the relationship arrives, the organization should validate that adequate protections that were established while forming a contract in the pre-relationship stage remain in place.

Inherent risks from negative actions are pervasive throughout the entire vendor lifecycle. Collaboratively understanding those risks and working together to put proper management in place enables organizations to get the most value out of the relationship with the least amount of risk.

Figure: flowchart for 'Assessing Financial Risk Impacts', beginning with 'New Vendor' to 'Sourcing' to the six components of 'Vendor Management'. After a gamut of assessments such as the “What If” Game, one can either 'Accept' to move on to 'Pre-Relationship', 'Monitor & Manage', and eventually to 'Termination', or not accept and circle back to 'Sourcing'.

Stage 1: Pre-relationship assessment

Do these as part of your due diligence

  • Review and negotiate contract terms and conditions.
    • Ensure that you have the protections to make you whole in the event of an incident, in the event that another entity purchases the vendor, and throughout the entire lifecycle of your relationship with the vendor.
    • Make sure to negotiate your post-termination protections in the initial agreement.
  • Perform a due-diligence financial assessment.
    • Make sure the vendor is positioned in the market to be able to service your organization.
  • Perform an initial risk assessment.
    • Identify and understand all potential factors that may cause financial impacts to your organization.
    • Include total cost of ownership (TCO) and return on investment (ROI) as potential impact offsets.
  • Review case studies – talk to other customers.
    • Research who else has worked with the vendor to get “the good, the bad, and the ugly” stories to form a clear picture of a potential relationship with the vendor.
  • Use proofs of concept.
    • It is essential to know how the vendor and their solutions will work in the environment before committing resources and to incorporate them into organizational strategic plans.
  • Limit vendors’ ability to increase costs over the years. It is not uncommon for a long-term relationship to become more expensive than a new one over time when the increases are unmanaged.
  • Vendor audits can be costly and a significant distraction to your staff. Make sure to contractually limit them.
  • Many vendors enjoy significant revenue from unclear deliverables and vague expectations that lead to change requests at unknown rates – clarifying expectations and deliverables and demanding negotiated rate sheets before engagement will save budget and strengthen the relationship.

Visit Info-Tech’s VMO ROI Calculator and Tracker

The “what if” game

1-3 hours

Input: List of identified potential risk scenarios scored by likelihood and financial impact, List of potential management of the scenarios to reduce the risk

Output: Comprehensive financial risk profile on the specific vendor solution

Materials: Whiteboard/flip charts, Financial Risk Impact Tool to help drive discussion

Participants: Vendor Management – Coordinator, IT Operations, Legal/Compliance/Risk Manager, Finance/Procurement

Vendor management professionals are in an excellent position to collaboratively pull together resources across the organization to determine potential risks. By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

  1. Break into smaller groups (or if too small, continue as a single group).
  2. Use the Financial Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potential risks but manage the overall process to keep the discussion on track.
  3. Collect the outputs and ask the subject matter experts for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

Download the Financial Risk Impact Tool

Stage 2.1: Monitor the financial risk

Ongoing monitoring activities

Never underestimate the value of keeping the relationship moving forward.

Examples of items and activities to monitor include:

  • Fines
  • Data leaks
  • Performance
  • Credit monitoring
  • Viability/solvency
  • Resource capacity
  • Operational impacts
  • Regulatory penalties
  • Increases in premiums
  • Security breaches (infrastructure)

Info-Tech Insight

Many organizations do not have the resources to dedicate to annual risk assessments of all vendors.

Consider timing ongoing risk assessments to align with contract renewal, when you have the most leverage with the vendor.

Visit Info-Tech’s Risk Register Tool

Stage 2.2: Manage the financial risk

During the lifecycle of the vendor relationship

  • Renew risk assessments annually.
  • Focus your efforts on highly ranked risks.
  • Is there a new opportunity to negotiate?
  • Identify and classify individual vendor risk.
  • Are there better existing contracts in place?
  • Review financial health checks at the same time.
  • Monitor and schedule contract renewals and new service/module negotiations.
  • Perform business alignment meetings to reassess the relationship.
  • Ongoing operational meetings should be supplemental, dealing with day-to-day issues.
  • Develop performance metrics and hold vendors accountable to established service levels.

Stage 3: Termination

An essential and often overlooked part of the vendor lifecycle is the relationship after termination

  • The risk of a vendor keeping your data for “as long as they want” is high.
    • Data retention becomes a “forever risk” in today’s world of cyber issues if you do not appropriately plan.
  • Ensure that you always know where data resides and where people are allowed to access that data.
    • If there is a regulatory need to house data only in specific locations, ensure that it is explicit in agreements.
  • Protect your data through language in initial agreements that covers what needs to happen when the relationship with the vendor terminates.
    • Typically, all the data that the vendor has retained is returned and/or destroyed at your sole discretion.

Related Info-Tech Research

Design and Build an Effective Contract Lifecycle Management Process
  • Achieve measurable savings in contract time processing, financial risk avoidance, and dollar savings.
  • Understand how to identify and mitigate risk to save the organization time and money.
Identify and Reduce Agile Contract Risk
  • Manage Agile contract risk by selecting the appropriate level of protections for an Agile project.
  • Focus on the correct contract clauses to manage Agile risk.
Jump Start Your Vendor Management Initiative
  • Vendor management must be an IT strategy. Solid vendor management is an imperative – IT organizations must develop capabilities to ensure that services are delivered by vendors according to service level objectives and that risks are mitigated according to the organization's risk tolerance.
  • Gain visibility into your IT vendor community. Understand how much you spend with each vendor and rank their criticality and risk to focus on the vendors you should be concentrating on for innovative solutions.

Author

Frank Sewell

Contributors

  • Nicole Bellelo, Senior Auditor, Crowe Horwath