Most organizations manage vendor relationships reactively. They notice a contract is about to auto-renew, realize they don't know if they're getting value, and decide without leverage.
There is a moment that happens in a lot of IT organizations, usually around the end of a fiscal quarter, where someone in procurement notices that a software contract is about to auto-renew. They send an email to the IT team asking if they still use the product. The IT team asks around. Someone says yes. Someone else is not sure. Finance wants to know if it is budgeted. The vendor account manager shows up for a "check-in" that is really a retention call, and by the end of the week the contract renews at a higher price than last year because nobody had the time or the data to negotiate.
This is reactive vendor management. Most organizations I have read about or spoken with practice it more often than they would like to admit.
The scale of the problem is worth pausing on. A large enterprise might have hundreds of technology vendors: software licenses, cloud services, hardware contracts, managed service providers, staff augmentation firms, specialized SaaS tools for individual teams, and consultants on retainer. Each of these relationships has a contract, a renewal date, a performance expectation, and a risk profile. Actively managing all of them simultaneously would require a dedicated function. Most IT departments do not have one.
According to Gartner research on technology business management (TBM), IT vendor sprawl, meaning the accumulation of vendor relationships without systematic oversight, is a consistent governance challenge across enterprise organizations (see https://www.gartner.com/en/newsroom for Gartner's current releases on this area). Gartner has noted that organizations often underestimate both the number of active vendor relationships they hold and the aggregate cost of managing them poorly. I am hedging specific statistics here, but the directional finding matches what I see described in practitioner accounts repeatedly.
One distinction that I think makes a real difference in how organizations should approach this is the difference between strategic vendors and commodity vendors. A commodity vendor is one where alternatives exist, switching costs are manageable, and the service being provided is essentially standardized. If your cloud provider for a particular workload is interchangeable with two other providers who could do the same job at comparable cost, you are in a commodity relationship. Pricing power sits with you, not the vendor. These relationships should be managed efficiently, with attention to cost and contract terms, but they do not require deep partnership investment.
A strategic vendor is different. This is the ERP provider who spent eighteen months building custom integrations into your finance and supply chain workflows. This is the data platform vendor whose product is the foundation for six other analytics tools. These vendors are deeply embedded. Switching costs are high, sometimes prohibitively so. The vendor knows this, and in many cases the pricing reflects it. In a strategic vendor relationship, the leverage shifts to the vendor unless the customer has actively worked to maintain alternatives, document the integration complexity, and keep genuine optionality on the table even if they never exercise it.
The mistake I see described in IS governance literature is treating all vendors as commodity relationships when some are clearly strategic, and treating some vendors as strategic partners when they are actually commodities and should be managed as such. Both errors are expensive, just in different ways.
Concentration risk is a related problem that deserves more attention than it usually gets. An organization that routes a critical business process through a single vendor for cost efficiency, or because the integration is too complex to distribute, creates a dependency that can become a liability when that vendor has an outage, raises prices aggressively, changes its terms of service, or gets acquired. The acquisition scenario in particular is worth thinking about. When a strategic vendor is acquired by a larger company, the relationship dynamics change, the support quality may change, and the roadmap may change, none of which the customer has any say in. What leverage existed in the original vendor relationship often disappears in the acquiring company's portfolio.
Risk management in vendor relationships is not just about contracts, though contracts matter. It is about understanding what happens to the business if this vendor is unavailable tomorrow. That business impact assessment is the foundation of vendor risk management, and it should drive both how the organization manages the relationship and how much redundancy it builds in.
The SaaS model has made this more complicated, not simpler, even though the pitch is usually the opposite. SaaS reduces deployment complexity, yes. But it also creates a continuous dependence on the vendor's infrastructure, pricing model, and product roadmap. A perpetual software license is an asset you own. A SaaS subscription is a relationship you are continuously in. The vendor can change pricing, deprecate features, modify integrations, or exit the market, and the customer's recourse is limited by the contract and the switching costs.
Gartner has research on vendor risk management as a formal enterprise discipline, and the consistent finding is that organizations that treat vendor risk management as a systematic process, with defined ownership, regular reviews, and documented business impact assessments, tend to experience fewer costly surprises than those that manage it as an administrative task (see https://www.gartner.com/en/newsroom). I am not citing specific Gartner reports here because I have not verified them against their exact publication pages, and the skill's rules are strict about not guessing URLs.
The governance principle behind all of this is that when vendor relationships are not actively managed, the vendor manages the relationship on terms that favor the vendor. That is not a criticism of vendors. It is just how relationships work. The organization that knows its own costs, dependencies, alternatives, and renewal leverage is in a very different negotiating position than the one that discovers the problem when the invoice arrives.
About the author
Share
More notes
Related notes