As organizations accelerate digital transformation and adopt automation, cloud and AI technologies, their reliance on IT vendors for business-critical processes and services continues to grow. This increased dependency brings new challenges, as third-party cybersecurity incidents and other disruptions can lead to significant business interruptions and losses. Managing these risks has become a top priority for IT and business leaders, highlighting the need for robust measures to protect organizational assets and ensure operational continuity.
Cybersecurity is just one of several risks that can impact IT vendors and disrupt services—geopolitical events, environmental catastrophes, technology failures and human error also pose significant threats. As regulatory requirements evolve and board expectations rise, sourcing, procurement and vendor management (SPVM) leaders must work closely with business stakeholders to identify key risk domains, review vendor contracts for deficiencies and ensure readiness to respond to incidents.
By moving beyond traditional risk management methods and embedding resilience into vendor relationships, SPVM leaders can help their organizations avoid disruptions, respond effectively to incidents and thrive in an evolving business and regulatory environment.
Identify Material Vendors and Minimum Service Requirements
Many organizations are currently faced with a legacy of IT vendors whose contracts do not reflect current risk or regulatory requirements. The first step in addressing this challenge is to identify operational requirements and ensure vendor relationships align with today’s business needs. Engaging an IT third-party risk management team, or collaborating with business stakeholders, is essential to review the current vendor landscape and identify those vendors that are most critical to operations.
Once material vendors are identified, it is important to work with risk, compliance, security, business and legal teams to determine the minimum requirements these vendors must meet. This process should include a review of relevant legislation and regulations to ensure all obligations are addressed. Key areas to consider from a business continuity perspective include controls for automation failure, system availability expectations, business continuity plans and testing, cybersecurity controls, data mapping, incident response protocols, redundancy measures and transition or exit strategies. For example, automation controls should ensure that automated business capabilities continue to meet business, legal and regulatory requirements, while availability expectations should be clearly defined in terms of uptime and service levels.
After defining these requirements, thorough documentation is essential, including an explanation of the associated risks and the rationale for each requirement—whether to meet business expectations or comply with legal or regulatory mandates. Legal teams should ensure contracts include appropriate language for each requirement. Where possible, requirements should be formalized as service levels, with clear calculations and consequences for non-performance. Well-documented service levels incentivize vendors to meet performance standards, but it is important to avoid an excessive number or poorly drafted service levels, as these can lead to unintended outcomes. By following these steps, leaders can ensure vendor contracts are robust, aligned with current needs and capable of supporting business continuity in a changing risk environment.
Present Operational Requirements to Your Vendor
Preventing new agreements from including inappropriate clauses is a critical first step in managing operational risk. This involves embedding operational risk requirements into the procurement process for vendors that meet established risk thresholds. Collaboration with relevant risk teams—including security, business, operational and enterprise risk—is necessary to develop and agree on these requirements. Once defined, procurement teams should incorporate these standards into their processes and publish them on external-facing procurement sites.
Vendors may resist new contractual obligations, particularly if they believe similar obligations are already addressed in their own contract documents. Presenting these changes in the context of evolving laws and regulations can help demonstrate that these requirements are industry-wide, not unique to a single organization. When risk remediation programs are included in IT contracts, tracking key dates and milestones and escalating issues early is essential. This approach enables engagement with executive management, who can support escalations with vendors or consult with regulatory bodies as needed.
In cases where no vendor can meet operational risk requirements, it is important to work with the business and relevant stakeholders to identify alternative solutions. These may include developing internal processes, insourcing or implementing additional controls through another IT vendor.
Monitor IT Third-Party Risks and Respond to Events
Ongoing monitoring is essential to effective vendor performance management. For material IT vendors, regular governance meetings should be held to review contractual obligations, service levels, background checks, security measures and other controls. These sessions provide an opportunity to address any gaps, outline remediation actions and ensure that vendors remain aligned with organizational requirements. Leveraging mechanisms such as service credits, termination rights for breach and other remediation measures can further incentivize compliance and demonstrate that obligations are being met.
When a vendor is unresponsive or fails to meet expectations, it may be necessary to audit their obligations—either internally or with the support of external consultants. Taking timely remedial action helps maintain accountability and protects the organization from potential disruptions.
However, governance processes alone are not sufficient. Critical events can and do occur, making it vital to have clearly identified resources on both the organization’s and the vendor’s side. This ensures that, in the event of a crisis, the right contacts are available, and response protocols are clear. By combining robust monitoring with proactive crisis planning, organizations can strengthen third-party IT risk resilience and maintain continuity in an evolving risk landscape.