This assessment evaluates how concentrated and risky an organization's technology vendor dependencies are across six dimensions: vendor concentration, contract terms and lock-in, migration difficulty, financial health of vendors, alternative availability, and operational dependency depth. Third-party involvement in data breaches doubled to 30% in 2025, and single-cloud outages cascade across dozens of dependent services. [src1]
Dimension 1: Vendor concentration
What this measures: How concentrated IT spending and critical functions are across the vendor portfolio.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | Single vendor provides 60%+ of stack; no vendor inventory | One cloud runs everything; no vendor register; spend unknown |
| 2 | Emerging | Top vendor 40-60% of spend; basic inventory but incomplete | Vendor list outdated; top 3 = 80%+ of spend; no limits defined |
| 3 | Defined | Inventory maintained; concentration limits defined (no vendor >30%) | Quarterly vendor register; spend tracked; thresholds documented |
| 4 | Managed | Active diversification; real-time monitoring; fourth-party risk mapped | Real-time dashboards; vendor tiering; alternatives identified for tier-1 |
| 5 | Optimized | Multi-vendor by design; no vendor >20% of critical ops; automated alerts | Multi-cloud by policy; annual failover testing; board-level reporting |
Red flags: Single vendor >50% of stack; no vendor inventory; IT spend by vendor unknown; no fourth-party risk assessment. [src4]
Dimension 2: Contract terms and lock-in
What this measures: How contracts create switching barriers through pricing, termination penalties, data ownership, and renewal terms.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | Auto-renew without review; no exit clauses; data ownership unclear | Multi-year with no exit; 30-day opt-out; vendor owns transformations |
| 2 | Emerging | Some contracts reviewed; basic exit clauses untested; data export theoretical | Exit penalties 50%+; data export clause but format unspecified |
| 3 | Defined | All contracts reviewed; exit penalties <25% annual spend; data portability tested | Contract review documented; exit capped; data export tested yearly |
| 4 | Managed | Swap rights and flex terms; data portability verified quarterly; termination assistance | License transfer provisions; quarterly export verification; benchmarking clauses |
| 5 | Optimized | Maximum flexibility; short commitments or usage-based; full portability in open formats | Annual or usage-based; open format exports; vendor-agnostic architecture |
Red flags: Auto-renewal with 30-day opt-out; no data export clause; termination penalties >50%; vendor owns derived data. [src5]
Dimension 3: Migration difficulty
What this measures: How hard it would be to migrate away from each critical vendor: technical complexity, data portability, integration depth.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | Migration never considered; proprietary formats everywhere; no documentation | Proprietary APIs with no abstraction; vendor-specific data formats; key knowledge in one person |
| 2 | Emerging | Difficulty acknowledged but not assessed; basic export tested for 1-2 vendors | Cost estimates for top vendor; export tested but incomplete; 12+ month timeline |
| 3 | Defined | Difficulty assessed for tier-1 vendors; abstraction layers for 50%+ integrations; runbooks exist | Migration scored per vendor; data export tested e2e annually; 6-12 month estimate |
| 4 | Managed | Architecture designed for portability; migration playbooks tested; parallel-run capability | Vendor-agnostic patterns; playbooks tested in staging; 3-6 month estimate |
| 5 | Optimized | Multi-vendor active; hot-swap capability; annual migration drills | Active multi-vendor; chaos engineering; <30 day vendor switch; zero-downtime migration |
Red flags: No migration assessment ever done; proprietary data with no export; all code tightly coupled to one vendor; 18+ month migration estimate. [src2]
Dimension 4: Financial health of vendors
What this measures: Whether critical vendors are financially stable and will continue operating over the contract period.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | No financial health assessment; reliance on startups for critical infra; no escrow | Unknown vendor financial status; no credit checks; no escrow; vendor could vanish |
| 2 | Emerging | Financial check at contract signing for largest vendors; no ongoing monitoring | 10-K reviewed at procurement; no escrow for SaaS; startup vendors accepted without diligence |
| 3 | Defined | Annual review for tier-1; credit monitoring; escrow for critical SaaS | Annual review; D&B monitoring; source code escrow; contingency plans for weak vendors |
| 4 | Managed | Continuous monitoring with alerts; vendor failure scenarios modeled; escrow tested | Continuous monitoring (D&B/CreditSafe); escrow tested annually; alternatives pre-qualified |
| 5 | Optimized | Vendor health in enterprise risk management; predictive indicators; automatic contingency | Predictive models; automatic escalation; board reporting; proactive vendor switches |
Red flags: Critical infra on pre-revenue startup with no escrow; no financial review ever performed; vendor had 30%+ layoffs or going-concern warnings. [src7]
Dimension 5: Alternative availability
What this measures: Whether viable alternatives exist for each critical vendor and how ready the organization is to switch.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | No alternatives identified; "locked in" mentality; no competitive RFPs in 3+ years | No alternative research; sole-source with no procurement challenge |
| 2 | Emerging | Alternatives known but not evaluated; occasional market scans at renewal | Awareness of competitors; no POC or pilot; switching costs estimated informally |
| 3 | Defined | Alternatives evaluated for tier-1; competitive RFPs at renewal; POC tested | Alternative matrix maintained; POC completed; switching cost estimated; gaps documented |
| 4 | Managed | Pre-qualified alternatives for all critical vendors; annual pilots; dual-vendor for some | Shortlist per category; annual pilots; dual-vendor for some; switching playbook maintained |
| 5 | Optimized | Multi-vendor active for all critical categories; switching exercised regularly | Active multi-vendor ops; switching executed in 2 years; new vendors onboarded in 90 days |
Red flags: No alternatives identified for tier-1 vendors; sole-source with no competitive pressure; no RFP in 5+ years. [src6]
Dimension 6: Operational dependency depth
What this measures: How deeply embedded each vendor is in daily operations, from surface usage to deep process integration.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | Vendor embedded in core processes with no separation; vendor downtime = shutdown | Processes inseparable from vendor; workflows depend on vendor features; vendor staff do critical ops |
| 2 | Emerging | Deep integration acknowledged; some process docs independent of vendor | Docs reference vendor features; some degraded-mode capability; significant disruption from outage |
| 3 | Defined | Processes documented vendor-agnostically; manual fallbacks exist; dependency heat map | Vendor-agnostic process maps; fallbacks tested; RTO/RPO defined for vendor outages |
| 4 | Managed | Architecture separates business logic from vendor; automated failover; SLAs monitored | Business logic separated; automated failover; SLA monitoring with alerts; vendor-agnostic procedures |
| 5 | Optimized | Vendor-agnostic by design; hot-swap; vendor change = configuration, not redesign | Hot-swap tested quarterly; chaos engineering includes vendor failure; vendor-independent metrics |
Red flags: Vendor downtime causes complete shutdown; processes cannot be described without vendor references; vendor staff do critical daily ops; no fallback procedures. [src3]
Formula: Overall Score = (Concentration + Contract Terms + Migration + Financial Health + Alternatives + Operational Dependency) / 6
For regulated industries, weight Contract Terms and Financial Health 1.5x. For tech companies, weight Migration Difficulty and Operational Dependency 1.5x.
| Overall Score | Maturity Level | Interpretation | Next Step |
|---|---|---|---|
| 1.0 - 1.9 | Critical | Severe vendor dependency creating existential risk; single failure could halt operations | Vendor inventory; identify top-3 risks; negotiate exit clauses; establish escrow; create continuity plan |
| 2.0 - 2.9 | Developing | Dependencies recognized but not managed; contract terms favor vendors | Build vendor risk register; competitive RFPs at renewal; test data export; assess migration formally |
| 3.0 - 3.9 | Competent | Vendor risk actively managed with defined processes; exit strategies exist | Continuous monitoring; build abstraction layers; test migration playbooks; pre-qualify alternatives |
| 4.0 - 4.5 | Advanced | Proactive vendor risk management with diversification strategy | Multi-vendor architecture; automate health monitoring; integrate into enterprise risk management |
| 4.6 - 5.0 | Best-in-class | Vendor-agnostic architecture; dependency is managed choice, not trap | Annual resilience exercises; share best practices; innovate with emerging vendors confidently |
| Segment (employees) | Expected Average | "Good" Threshold | "Alarm" Threshold |
|---|---|---|---|
| Startup (1-50) | 1.5 | 2.5 | 1.0 |
| SMB (51-500) | 2.3 | 3.0 | 1.5 |
| Mid-market (501-5,000) | 3.0 | 3.8 | 2.2 |
| Enterprise (5,000+) | 3.5 | 4.2 | 2.8 |
| Regulated (any size) | 3.2 | 4.0 | 2.5 |
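As an added example (not code from the original assessment), the following Python derives the Dimension 1 concentration level and its red flags from a constructed vendor spend register using the thresholds in the concentration rubric above, then applies the overall-score formula with the industry weighting, the maturity bands, and the segment benchmarks. Assumptions that the page does not state: the 1.5x weighting is applied as a weighted mean normalised by the sum of the weights so the result stays on the 1-5 scale; overall scores are rounded to one decimal before the band lookup; spend data alone is taken to evidence at most level 3 of the concentration rubric (levels 4 and 5 need monitoring, tiering and alternatives); and the vendor names, spend figures and dimension scores are constructed sample data.

```python
"""Vendor-dependency scoring helpers (added example, not the assessment's own code).

Assumptions not stated on the page:
- the Dimension 1 level is read off spend shares using the rubric thresholds and is
  capped at 3, because levels 4-5 need monitoring, tiering and alternatives;
- the 1.5x industry weighting is a weighted mean (weights also in the denominator);
- overall scores are rounded to one decimal before the band lookup.
"""

DIMENSIONS = ("concentration", "contract_terms", "migration",
              "financial_health", "alternatives", "operational_dependency")

# Industry weighting from the page: the named dimensions count 1.5x.
INDUSTRY_WEIGHTS = {
    "regulated": {"contract_terms": 1.5, "financial_health": 1.5},
    "tech": {"migration": 1.5, "operational_dependency": 1.5},
}

# Maturity bands (low, high, label) from the overall-score table.
BANDS = ((1.0, 1.9, "Critical"), (2.0, 2.9, "Developing"), (3.0, 3.9, "Competent"),
         (4.0, 4.5, "Advanced"), (4.6, 5.0, "Best-in-class"))

# Segment benchmarks: (expected average, "good" threshold, "alarm" threshold).
SEGMENTS = {"startup": (1.5, 2.5, 1.0), "smb": (2.3, 3.0, 1.5),
            "mid-market": (3.0, 3.8, 2.2), "enterprise": (3.5, 4.2, 2.8),
            "regulated": (3.2, 4.0, 2.5)}


def spend_shares(spend_by_vendor):
    """Vendor spend shares sorted high to low; an empty list means spend is unknown."""
    total = sum(spend_by_vendor.values())
    if total <= 0:
        return []
    return sorted((v / total for v in spend_by_vendor.values()), reverse=True)


def concentration_level(spend_by_vendor, has_inventory):
    """Dimension 1 level from the rubric thresholds (capped at 3, see docstring)."""
    shares = spend_shares(spend_by_vendor)
    if not shares or not has_inventory or shares[0] >= 0.60:
        return 1  # spend unknown, no vendor register, or one vendor at 60%+
    if shares[0] > 0.30:
        return 2  # register exists but the "no vendor >30%" limit is not met
    return 3      # no vendor above 30%


def concentration_red_flags(spend_by_vendor, has_inventory, fourth_party_assessed):
    """The red flags listed under the concentration rubric, as plain strings."""
    shares = spend_shares(spend_by_vendor)
    flags = []
    if not shares:
        flags.append("IT spend by vendor unknown")
    elif shares[0] > 0.50:
        flags.append("single vendor >50% of spend")
    if not has_inventory:
        flags.append("no vendor inventory")
    if not fourth_party_assessed:
        flags.append("no fourth-party risk assessment")
    return flags


def overall_score(scores, industry=None):
    """Overall Score = (weighted) mean of the six dimension scores, rounded to 0.1."""
    weights = {d: 1.0 for d in DIMENSIONS}
    weights.update(INDUSTRY_WEIGHTS.get(industry, {}))
    missing = [d for d in DIMENSIONS if d not in scores]
    if missing:
        raise ValueError(f"missing dimension scores: {missing}")
    for d in DIMENSIONS:
        if not 1 <= scores[d] <= 5:
            raise ValueError(f"{d} must be scored 1-5, got {scores[d]}")
    weighted = sum(scores[d] * weights[d] for d in DIMENSIONS)
    return round(weighted / sum(weights.values()), 1)


def maturity_band(score):
    """Map a one-decimal overall score onto the maturity-level table."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} outside 1.0-5.0")


def segment_status(score, segment):
    """Compare a score with the segment benchmark table."""
    expected, good, alarm = SEGMENTS[segment]
    if score <= alarm:
        return "alarm"
    if score >= good:
        return "good"
    return "on track" if score >= expected else "below expected"


# Constructed sample data (not from the page): annual spend in kUSD and assessor scores.
SAMPLE_SPEND = {"CloudA": 520, "SaaSB": 180, "NetC": 120, "Other": 180}
SAMPLE_SCORES = {"concentration": concentration_level(SAMPLE_SPEND, has_inventory=True),
                 "contract_terms": 3, "migration": 2, "financial_health": 3,
                 "alternatives": 2, "operational_dependency": 3}

if __name__ == "__main__":
    print("concentration flags:", concentration_red_flags(SAMPLE_SPEND, True, True))
    for industry in (None, "regulated", "tech"):
        s = overall_score(SAMPLE_SCORES, industry)
        print(f"{industry or 'unweighted':>10}: {s} -> {maturity_band(s)}")
    reg = overall_score(SAMPLE_SCORES, "regulated")
    print("vs regulated benchmark:", segment_status(reg, "regulated"))
```

With the constructed register, the top vendor holds 52% of spend, which places Dimension 1 at level 2 and raises the "single vendor >50%" red flag; the unweighted overall score is 2.5 (Developing), and the regulated weighting lifts it to 2.6, still below that segment's expected average of 3.2. If the weighting were instead applied without normalising, a score could exceed 5.0 and fall outside every band, which is why the weighted-mean reading is assumed here.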
[src1]
Fetch when a user asks to evaluate vendor risk, is preparing for a contract renegotiation, has experienced a vendor outage, is responding to DORA/NIS2/OCC third-party risk requirements, is planning a multi-cloud strategy, or is conducting due diligence on technology stack concentration.