Vendor Due Diligence: An IT Leader's Guide
Practical perspective from an IT leader working across operations, security, automation, and change.
Every IT leader has a vendor story that did not end well. The SaaS provider that doubled its prices after locking you into a three-year contract. The managed service partner whose own supplier outage took your email offline for two days. The software vendor whose end-of-life announcement arrived six weeks before your annual renewal.
These are not edge cases. They are the natural consequence of treating vendor management as a procurement task rather than an ongoing strategic discipline. If your vendor review process begins and ends with a purchase order, you are building technical debt with a smile.
I have managed IT vendor portfolios at scale. At my current organisation, we run relationships with over 50 technology suppliers across infrastructure, security, productivity, and line-of-business software. The ones that work well are the ones where someone is paying active attention. The ones that bite you are the ones nobody was watching.
This guide is the framework I use.
Why Vendor Due Diligence Matters More Than You Think
The average mid-size organisation now spends between 30% and 40% of its IT budget with external vendors. For a business running a £2 million IT operation, that is approaching £800,000 flowing to third parties. If you were spending that much with any other category of supplier, you would have a formal relationship management process. With vendors, most IT teams wing it.
The consequences are predictable. Gartner estimates that 60% of organisations have experienced at least one vendor-related disruption in the past three years. Many of those disruptions were preventable with basic due diligence at the front end of the relationship.
There are four categories of vendor risk that every IT leader needs to understand.
Financial risk is the most common killer of vendor relationships. A startup that suddenly cannot raise its next funding round becomes an acquisition target, a cost-cutting candidate, or an outright closure. Your data migration plan becomes urgent at the worst possible moment. Watch for funding rounds, leadership changes, and unusual pricing changes as early warning signals.
Operational risk comes from vendors who are simply not capable of delivering what they promised. Their support desk is understaffed. Their infrastructure is fragile. Their documentation is wrong. You do not find this out until you are already dependent on them.
Security risk is often the hardest to assess because vendors will tell you exactly what you want to hear on questionnaire responses while their actual security posture tells a different story. The SolarWinds breach, the MOVEit incident, the Okta compromise - all of these were vendor security failures that cascaded directly into their customers' environments.
Strategic risk is the category that receives the least attention. A vendor whose product roadmap is diverging from your needs. A platform that is being quietly sunsetted. A partner that has been acquired by a competitor. You do not always see these coming, but you can build relationships that give you early signals.
The Vendor Assessment Framework
Due diligence should happen before you sign anything, not after. I run every new vendor through the same assessment process, adapted for the size and criticality of the relationship.
Tier 1: Critical Vendors
These are vendors whose failure would directly impact your ability to serve customers, protect data, or operate core systems. For most IT teams, this means your hypervisor platform, your identity provider, your backup solution, your firewall vendor, and your primary communications stack. Critical vendors get the full assessment treatment before any contract is signed.
Tier 2: Important Vendors
These are vendors whose products are significant but whose failure would cause inconvenience rather than operational collapse. Your project management tooling, your development platforms, your secondary productivity applications. Important vendors get a streamlined assessment but still require documented evaluation.
Tier 3: Commodity Vendors
These are vendors where switching cost is low, the contract value is modest, and the risk profile is well-understood. You need some process here, but it does not need to be elaborate.
The Assessment Process
Step 1: Financial Health Check
Before you trust a vendor with your infrastructure or your data, understand their financial position. For smaller vendors or new entrants, this is especially important.
Look at their funding history. Check whether they have raised recently, whether they are burning cash at a concerning rate, and whether they have a clear path to profitability. A Series A vendor building enterprise software is a different risk profile from a profitable company with a mature product.
Use sites like Companies House for UK entities, Crunchbase for funding history, and Glassdoor for signals about company health and culture. A vendor that is cutting costs aggressively is a vendor whose support quality may deteriorate before you notice.
Step 2: Security Posture Review
Do not rely on a vendor's marketing claims. Instead, ask for evidence.
The minimum viable security review for any vendor processing your data includes: SOC 2 Type II report (or equivalent), a recent penetration test summary, their incident response process, and their data residency and backup approach. If they cannot produce a SOC 2 report, ask why and weigh that gap against the criticality of the service.
For critical vendors, go further. Ask to speak to their security team directly. Understand their vulnerability management process. Ask what their SLA is for critical security patches. A vendor who tells you "we patch when we release our next quarterly update" is not a vendor you want running your identity provider.
Step 3: Reference Conversations
Ask for two or three current customers who have been with the vendor for at least two years. Speaking to a real customer who is actively using the product in a similar context to yours will tell you more than any questionnaire or sales demo.
Ask references specifically about support quality, how they found the onboarding process, whether the vendor has ever had an outage and how they handled it, and whether they would sign the same contract again today. If a reference cannot answer all of those questions positively, that is data.
Step 4: Contract Review
Your procurement team will handle the commercial terms. But as the IT leader, you need to review the contract from a technical perspective.
Specifically, pay attention to data portability. Can you export your data in a usable format if the relationship ends? What is the data deletion process? What SLA applies to the service, and critically, what SLA applies to your ability to get support when something is broken?
I have seen contracts where the vendor's SLA was 99.9% uptime but their support SLA for severity-one issues was "we will respond within five business days". That disconnect between system availability and support responsiveness can be genuinely damaging.
Step 5: Exit Planning
This is the step that almost nobody does, and it is the one that causes the most pain when a relationship turns sour.
Before you sign, understand what your exit path looks like. How much notice does contract termination require? What does data migration actually involve - is it a self-service export or a professional services engagement? Are there any automatic renewal traps that will lock you in without deliberate action?
Building your exit plan before you enter a relationship is not pessimistic. It is practical. And vendors who are confident in their product are usually comfortable with clear exit terms.
Managing Vendors After Onboarding
Due diligence does not end at signature. Vendor management is an ongoing discipline.
Quarterly Business Reviews for Critical Vendors
For your tier-one vendors, schedule structured quarterly reviews. Review SLA performance against contract. Discuss their product roadmap and whether it still aligns with your needs. Raise any concerns before they become crises. This is also where you can renegotiate terms before automatic renewals kick in.
Monitoring for Early Warning Signals
Set up basic monitoring for your vendor relationships. Track their status pages, subscribe to their security advisories, and watch for news about funding changes, leadership departures, or acquisition rumours. Most vendor crises give you some warning if you are paying attention.
Contract Review Before Renewal
Automatic renewals are the enemy of good vendor management. Put a reminder in your calendar 90 days before any significant vendor contract is due to renew. That gives you time to run a proper assessment of whether the relationship is still working before you are locked in for another year.
A Note on Multi-Vendor Strategies
There is a school of thought that says you should avoid vendor concentration risk by spreading your work across many suppliers. This is partially right but can create its own problems.
A vendor ecosystem with too many suppliers creates integration complexity, security perimeter expansion, and management overhead that can outweigh the concentration risk you were trying to avoid. The right answer is deliberate vendor selection with clear ownership of each domain, not maximum diversification for its own sake.
My current approach: one primary vendor per significant domain, with a documented alternative for each. That gives you resilience without creating a mesh of integration points that nobody fully understands.
What Good Vendor Management Looks Like
The organisations that manage vendor relationships well share common characteristics. They have a named owner for each critical vendor relationship. They review those relationships on a schedule, not just when something goes wrong. They understand their actual switching costs, not just their contract values. And they treat vendor risk as a standing agenda item in IT leadership reviews, not an annual checkbox exercise.
None of this is complicated. Most of it is discipline. The IT leaders who get burned by vendors are usually the ones who skipped the reference call, accepted the standard contract without review, or let the relationship run on autopilot after the initial onboarding.
Do the work upfront. Your future self will thank you when your critical vendor does not become your critical incident.
If you are managing a significant vendor portfolio and want a structured way to track your relationships, see my IT metrics guide for board reporting for how to translate IT operational performance into language the business understands.
About the author
Daniel J Glover
IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.