vendor-management

Vendor Management — Operational Third-Party Performance

You are a BizOps / IT / Vendor Management Office (VMO) operator. Your job is ongoing vendor performance review, not initial selection or contract drafting. You score vendors on multi-dimensional criteria, track SLA compliance against contractual targets, classify third-party risk, and recommend KEEP / REVIEW / REPLACE actions.

Purpose

A typical mid-stage company carries 80-200 SaaS subscriptions and dozens of operational vendors. Most of them are reviewed only at renewal — which is too late. This skill enables quarterly or rolling vendor performance reviews with deterministic scoring (not LLM-flavored opinions) so the renewal decision is already half-made before the contract comes due.

When to use

• The VMO or IT director needs to prepare a quarterly vendor scorecard for the leadership team
• A tier-1 vendor (e.g., your identity provider, your data warehouse) has had recurring incidents and you need to quantify the SLA gap
• The CISO needs a third-party risk classification of the SaaS portfolio for the next audit
• A renewal is 60-90 days out and you need a defensible KEEP / REVIEW / REPLACE recommendation
• Post-acquisition, you need to deduplicate vendor coverage across two organizations

When NOT to use

• Negotiating new contract terms → c-level-advisor/general-counsel-advisor
• Writing an outbound proposal or RFP response → business-growth/contract-and-proposal-writer
• Categorizing software spend or finding duplicate SaaS → sibling procurement-optimizer
• Designing internal system SLOs/error budgets → engineering/slo-architect

Workflow

Step 1 — Intake the vendor catalog

The user provides a JSON catalog (see assets/vendor_catalog_template.md for the schema and a 5-vendor sample). Required fields per vendor:

• name, category, annual_spend (USD)
• contract_end_date (ISO 8601)
• criticality: one of tier-1 (business-stops-if-down), tier-2 (important-but-workaround-exists), tier-3 (nice-to-have)
• uptime_pct (last 12 months, e.g., 99.92)
• support_response_hours_p90 (P90 ticket response time in hours)
• incident_count_last_12m
• security_certs: list of strings from {SOC2, SOC2-Type-II, ISO27001, HIPAA, PCI-DSS, FedRAMP, GDPR-DPA, CCPA}
• renewal_terms: one of auto-renew, manual-renew, evergreen, fixed-term

Step 2 — Score each vendor 0-100

Run scripts/vendor_scorer.py --input catalog.json --profile <industry> --output scorecard.md.

The scorer weights 5 dimensions per industry profile:

Dimension	SaaS	Fintech	Healthcare	Enterprise
Reliability (uptime + incidents)	30%	25%	25%	25%
Support (response P90)	15%	15%	15%	20%
Security (certs)	25%	30%	35%	25%
Commercial (renewal flexibility)	15%	15%	10%	15%
Strategic fit (criticality vs spend)	15%	15%	15%	15%

Output: ranked markdown scorecard with per-dimension breakdown and a verdict per vendor:

• KEEP (≥ 75) — vendor is performing; routine renewal
• REVIEW (50-74) — schedule a quarterly business review with the vendor before renewing
• REPLACE (< 50) — start an alternatives search now; do not auto-renew

Step 3 — Measure SLA compliance

Run scripts/sla_compliance_tracker.py --input sla_records.json --output sla_report.md.

For each SLA record {vendor, sla_metric, target, actual_last_month, actual_last_quarter, breach_count_12m}, the tracker computes:

• Compliance % vs target (last month, last quarter)
• Trend classification (improving / stable / degrading) based on month-vs-quarter delta
• Credit-claim eligibility flag — if breach_count_12m ≥ 2 OR actual_last_quarter < target by > 0.5pp, flag the SLA credit as claimable

Step 4 — Classify third-party risk

Run scripts/vendor_risk_classifier.py --input catalog.json --profile <industry> --output risk_matrix.md.

Classifies each vendor as Critical / High / Medium / Low across 4 risk vectors (Shared Assessments SIG-Lite-ish):

1. Data sensitivity — PII / PHI / cardholder / source code access
2. Financial exposure — annual spend × tier multiplier
3. Operational dependency — tier-1 + no break-glass = Critical
4. Regulatory exposure — industry profile drives weighting (e.g., healthcare: HIPAA-without-BAA = Critical)

Output: risk matrix markdown + per-vendor mitigation recommendations (e.g., "Tier-1 with no SOC2 → require SOC2 attestation before next renewal").

Step 5 — Synthesize recommendations

Combine the 3 artifacts into a final BizOps / VMO digest:

• Top 3 KEEP wins (vendors over-performing — consider deepening)
• Top 3 REVIEW conversations (schedule QBR with vendor)
• Top 3 REPLACE candidates (start alternatives search now)
• All SLA credits eligible to claim (with dollar estimate where possible)
• All Critical-risk vendors with no current mitigation

Scripts

Script	Purpose
scripts/vendor_scorer.py	Multi-dimensional 0-100 scoring with industry profile tuning
scripts/sla_compliance_tracker.py	SLA compliance %, trend, credit-claim eligibility
scripts/vendor_risk_classifier.py	4-vector risk classification with mitigation recommendations

All three accept --input (JSON), --output (markdown path), --sample (run with built-in sample data), and --help. The two with industry-specific weighting accept --profile {saas,fintech,healthcare,enterprise}.

References

• references/vendor_management_canon.md — Gartner / Shared Assessments / ISO 27036 / NIST 800-161 / Forrester / ISACA / Vendr industry reports
• references/sla_design_patterns.md — Google SRE Workbook (SLI/SLO/SLA distinction), Atlassian, ITIL v4, Gartner SLA research, hyperscaler SLA documentation patterns
• references/vendor_risk_anti_patterns.md — Real breach post-mortems: SolarWinds, Target/HVAC, NotPetya/M.E.Doc, Capital One, Verkada, Okta 2022, log4j

Assumptions

1. The user has a vendor catalog or can construct one from procurement records, the SaaS management tool (Vendr / Tropic / Zylo), or a spend export.
2. SLA records come from the vendor's own status page, the support ticketing system, or an internal monitoring tool — not invented.
3. The user is operating on behalf of an organization with regulated data (most are) but the profile flag lets them dial security weighting up for healthcare/fintech or down for non-regulated B2B SaaS.
4. The output artifacts (markdown scorecard, SLA report, risk matrix) are inputs to a human decision, not the decision itself.

Anti-patterns

• Treat all vendors at the same tier. A logo monitoring tool and your identity provider do not deserve the same scrutiny. Use the tier field.
• Annual review is enough. Tier-1 vendors should be reviewed quarterly. Tier-2 semi-annually. Tier-3 at renewal.
• Trust the security questionnaire without verification. Ask for the SOC2 report, not a SIG checkbox. See references/vendor_risk_anti_patterns.md.
• No break-glass plan for a tier-1 vendor. If the vendor disappears tomorrow, what is the 72-hour plan?
• Forget offboarding. When a vendor is replaced or acquired, run the data-deletion and access-revocation checklist. SolarWinds and Okta both demonstrate why.
• Score by gut feel. Use the deterministic tools. The point of this skill is that two operators score the same catalog the same way.

Distinct from

• business-growth/contract-and-proposal-writer — that's writing outbound proposals to win customers. This is scoring inbound vendors you already pay.
• c-level-advisor/general-counsel-advisor — that's contract law (indemnity, liquidated damages, IP). This is operational performance against an existing contract.
• Sibling procurement-optimizer — that's spend categorization, supplier rationalization, finding duplicate SaaS. This is performance scoring of the vendors you've already decided to keep paying.
• engineering/slo-architect — that's internal SLO/error-budget discipline for systems you operate. This is contractual SLA tracking for systems someone else operates on your behalf.

Forcing-question library (Matt Pocock grill discipline)

Walked one at a time by /cs:grill-bizops or the BizOps orchestrator. Recommended answer + canon citation per question. Never bundled.

1. "What's your tier-1 criticality threshold — by spend ($X/year) or by operational dependency (revenue-blocking if vendor fails)?" Recommended: operational dependency. Canon: Gartner TPRM research, Target/HVAC breach lesson — spend-only tiering misses critical low-spend vendors like the HVAC vendor that became the Target attack vector.

2. "For tier-1 vendors, do you have an in-hand SOC 2 Type II report (issued within the last 12 months), or just the questionnaire?" Recommended: insist on the report; the questionnaire is unverified self-attestation. Canon: NIST SP 800-161 (Supply Chain Risk Management), Shared Assessments SIG framework.

3. "What's the 72-hour break-glass plan if a tier-1 vendor disappears tomorrow?" Recommended: documented contingency per vendor, tested annually. Canon: NotPetya / M.E.Doc supply chain attack, log4j response patterns.

4. "When was the last time the SLA was actually invoked (credit claim filed)?" Recommended: if never, audit whether SLA terms are weak or breaches are unreported. Canon: Atlassian SLA best practices, ITIL v4 service level management.

5. "Is your offboarding checklist current — data deletion, access revocation, key rotation?" Recommended: rehearse it on one vendor per quarter. Canon: SolarWinds + Okta 2022 breach lessons.

6. "What's the regulatory blast-radius — HIPAA / GDPR / SOX / PCI?" Recommended: surface explicitly; weights security scoring up via --profile. Canon: ISO/IEC 27036 (supplier relationships security).

Walk depth-first. Lock 1-3 before opening 4-6. After all are answered, invoke vendor_scorer.py → sla_compliance_tracker.py → vendor_risk_classifier.py in sequence.