EI-301d · Module 1

Vendor Dependency Risk Assessment

Every buy decision creates a vendor dependency. The risk assessment quantifies the impact if that dependency becomes problematic — the vendor raises prices dramatically, is acquired by a competitor, deprecates a critical feature, or goes out of business. Vendor dependency risk has three components: probability (how likely is a disruptive vendor event, based on vendor health monitoring?), impact (what would it cost to respond — migrate, rebuild, or renegotiate?), and response time (how quickly could you respond — is there a validated alternative, or would you need to start from scratch?).

  1. Assess Probability Using Vendor Intelligence. Use your vendor scorecard and health monitoring to estimate the probability of disruptive events. A well-funded, profitable vendor with growing market share has low disruption probability. A venture-backed startup with declining funding runway and customer concentration risk has higher disruption probability. Express the probability as a percentage and update it quarterly.
  2. Quantify Impact. Estimate the cost of the three most likely disruptive scenarios: price increase (30-50% above current), feature deprecation (critical feature removed), and vendor exit (product discontinued). For each scenario, calculate the migration cost (engineering time + new vendor costs), the business disruption cost (downtime, customer impact), and the opportunity cost (engineering diverted from roadmap to migration).
  3. Calculate Expected Risk Cost. Expected risk cost = probability × impact for each scenario, summed across scenarios. Add the expected risk cost to the buy option's TCO. This risk-adjusted TCO provides a fair comparison with the build option, which carries different risks (cost overrun, timeline slippage, maintenance burden) that should be similarly quantified.
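The three steps above, carried through as an added worked example (not part of the module): each scenario's impact is built from the migration, disruption and opportunity costs of step 2, the expected risk cost of step 3 is summed and added to each option's TCO, and the buy and build options are compared after that adjustment. All figures are constructed for a hypothetical vendor and build team, and the input validation is an assumption of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One disruptive scenario: probability over the assessment horizon and the cost of responding."""
    name: str
    probability: float  # 0.0 to 1.0, refreshed quarterly from the vendor scorecard (step 1)
    impact: float       # total response cost in currency units (step 2)

    def __post_init__(self):
        # Assumed guard: a probability outside [0, 1] is a data-entry error, not a risk estimate.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")

    def expected_cost(self) -> float:
        # Step 3: expected risk cost for one scenario = probability x impact
        return self.probability * self.impact

def vendor_impact(migration: float, disruption: float, opportunity: float) -> float:
    """Step 2: impact of a vendor scenario = migration + business disruption + opportunity cost."""
    return migration + disruption + opportunity

def expected_risk_cost(scenarios) -> float:
    """Step 3: probability x impact summed across all scenarios."""
    return sum(s.expected_cost() for s in scenarios)

def risk_adjusted_tco(base_tco: float, scenarios) -> float:
    """Base TCO plus the expected risk cost of the option's own scenarios."""
    return base_tco + expected_risk_cost(scenarios)

def compare(buy_tco, buy_scenarios, build_tco, build_scenarios) -> dict:
    """Risk-adjusted TCO for both options and which one is cheaper once risk is priced in."""
    buy = risk_adjusted_tco(buy_tco, buy_scenarios)
    build = risk_adjusted_tco(build_tco, build_scenarios)
    return {"buy": buy, "build": build, "cheaper": "buy" if buy <= build else "build"}

# Constructed figures for a hypothetical vendor and build team; not taken from the module.
BUY_SCENARIOS = [
    Scenario("price increase (30-50%)", 0.30, vendor_impact(60_000, 20_000, 40_000)),
    Scenario("critical feature deprecated", 0.15, vendor_impact(80_000, 40_000, 60_000)),
    Scenario("vendor exit", 0.05, vendor_impact(150_000, 100_000, 90_000)),
]
BUILD_SCENARIOS = [  # build-side risks named in step 3, quantified the same way
    Scenario("cost overrun", 0.30, 50_000),
    Scenario("timeline slippage", 0.20, 30_000),
    Scenario("maintenance burden", 0.25, 20_000),
]

if __name__ == "__main__":
    # Buy is cheaper on raw TCO (300k vs 350k) but not once vendor risk is priced in.
    print(compare(300_000, BUY_SCENARIOS, 350_000, BUILD_SCENARIOS))
```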