Vendor Management — IT definition

Vendor management is the structured practice of managing the IT vendor lifecycle: selection, contracting, performance monitoring, risk management, renewal and exit planning. It is a discipline combining procurement, legal, IT governance, cybersecurity, and FinOps.

The topic gained strategic importance with SaaS generalization (an average enterprise now manages 200 to 500 IT vendors), regulatory pressure (DORA and NIS2 require IT vendor mapping and contractual framing), and the explosion of supply-chain attacks.

The six steps of vendor management

### 1. Sourcing

• •Definition of functional and non-functional needs.
• •Market study, RFI/RFP.
• •Comparative evaluation: product, price, security, compliance, vendor viability.
• •POC / pilot management.
• •Decision and validation.

### 2. Contracting

• •Negotiation of contractual terms.
• •Mandatory clauses: SLA, GDPR DPA, audit, exit, subcontracting, compliance (ISO 27001).
• •Legal, security, finance validation.
• •Signature and activation.

### 3. Onboarding

• •Access provisioning, SSO.
• •User training.
• •Performance monitoring setup.
• •Internal communication.

### 4. Operational management

• •SLA and service quality tracking.
• •Periodic contractual reviews (monthly to quarterly).
• •Incident management, escalation.
• •Consumption and cost monitoring.

### 5. Renewal

• •Anticipation 6 to 12 months before expiry.
• •Evaluation: satisfaction, alternatives, negotiation.
• •Tariff renegotiation based on real usage.
• •Contractual evolution if needed.

### 6. Exit

• •Formalized exit plan (DORA article 30).
• •Data recovery and migration.
• •Access deactivation.
• •Internal communication and customer if necessary.
• •Post-exit audit.

Vendor risk management (VRM)

Vendor risk management is the sub-discipline of vendor risk, made a priority by DORA and NIS2. It covers:

• •Cyber risk: vendor security posture, certifications (ISO 27001, SOC 2), incident history.
• •Continuity risk: vendor's capacity to maintain service during a crisis.
• •Financial risk: editor's financial health, bankruptcy risk.
• •Compliance risk: GDPR, AI Act, sectoral (PCI-DSS, HDS).
• •Geopolitical risk: data localization, Cloud Act, sovereignty.
• •Concentration risk: excessive dependence on a critical vendor.
• •Exit risk (vendor lock-in): ability to change vendors.

For critical vendors, an annual in-depth evaluation is expected.

Vendor tiering

Good practice consists of classifying vendors by criticality level:

• •Tier 1 — Critical: their failure stops activity. Monthly tracking, annual audit, formalized exit plan.
• •Tier 2 — Important: significantly degrade activity. Quarterly tracking.
• •Tier 3 — Standard: limited impact. Annual tracking, contractual review.
• •Tier 4 — Accessory: commodity, easily replaceable. Minimal review.

Tiering directs governance effort where it has the most impact.

Vendor management and FinOps

Vendor cost management is one of the most immediate FinOps levers:

• •Renegotiation: based on real usage (cf. license management).
• •Consolidation: move from 5 videoconferencing vendors to 1 enterprise standard.
• •Cost allocation: recharge (chargeback) to consuming directions.
• •Rightsizing: of commitments (cf. rightsizing).
• •Anticipation: of renewals to avoid forced tacit renewals.

Vendor management and regulatory compliance

Regulations impose a discipline of vendor management:

• •[DORA](/en/glossary/dora): (article 28): IT vendor register, mandatory contractual clauses, exit plan, critical vendor supervision.
• •[NIS2](/en/glossary/nis2): supply-chain security, third-party risk management.
• •GDPR: DPA, contractual guarantees, subcontractor register.
• •[ISO 42001](/en/glossary/iso-42001): AI vendor governance.

Vendor management and mapping

An up-to-date view of vendors and their IT estate exposure is an indispensable prerequisite:

• •Which services rendered by which vendor?
• •Which applications are impacted if a vendor goes down?
• •Which data flows out to which vendor?
• •Which accesses are granted to vendors (and revoked in time)?

Kabeen automatically cross-references applications, vendors, contracts, and usage to provide the CIO an actionable vendor management view compliant with DORA / NIS2.