Last week, in part 4 of our “MOST Important Clause in Your (Procure) Tech (SaaS) Contract” series, we noted that what you really want to know is how to select a vendor that is NOT likely to screw you over, and that this isn’t easy. There’s no hard and fast rule, and things can go awry even with the best of vendors with the best of intentions.
That being said, you can certainly weed out vendors with a high probability of screwing you over in the future, whether they intend to or not, because a vendor that is not financially stable is one that will struggle to maintain service levels and possibly even to remain in business.
Moreover, we told you that the best way to gauge financial stability was the relative corporate debt formula, provided you used the right version — one version for PE/VC/investor-backed companies and one for fully private/public companies. Companies with a ratio less than one (< 1) were a risk, and the lower the score the higher the risk. (For example, if the formula came out to 0.5, run for the hills. If you’re risk averse, don’t even consider any vendors with a score less than 0.9.)
We then posted a summary on LinkedIn for feedback, and some people pointed out that the biggest risk in their view is cybersecurity. And it is, for a stable vendor you’ve already selected to run your systems or host your data. But whether some other risk can at times be bigger for the organization was not the point.
The point of the article was that you can spend months verifying a vendor’s solution only to have the vendor disqualified in minutes when Risk Management runs a quick financial analysis and sends you back to square one. You should therefore do a baseline financial stability analysis first, before investing too much time qualifying the vendor’s solution.
In fact, you should run a slew of basic analyses and tests that could eliminate the vendor before spending much time evaluating vendor fit, since each of those basic analyses only takes a few minutes. Do a deep dive only where there is a high probability that the vendor won’t be eliminated by organizational risk and compliance requirements.
In other words, before going through your full evaluation process (checklists, form-fit deep dives into products and services), make sure there are no obvious gotchas that would invalidate all your effort. Yes, this means that, on paper, you will be doing some analyses twice: financial viability, cybersecurity, certifications, etc. will each show up twice in the evaluation process. But you won’t be repeating the work; you will be diving deeper into key areas once you know the effort is worth it. You don’t do a full security analysis on a vendor you wouldn’t select, because in some industries that is a time-consuming and costly endeavour. You do, however, ensure they have all the basics in place (SOC 2, PCI DSS for payment providers, HIPAA for healthcare platform providers, etc.) before you invest any time qualifying their products or services.
So you need a rapid-fire elimination checklist before you go too deep in vendor evaluations. It will be different for each company depending on their industry, geography, and risk profile, but it must include high level checks for:
- financial viability – the relative corporate debt ratio and the absolute minimum the company will accept
- cybersecurity – SOC 1 or 2 and any technical industry certifications required
- cloud requirements – is the cloud/stack acceptable to your tech organization (if you need it to be hosted in certain jurisdictions, you might be limited in providers)
- API/Integration – is it sufficient for the ecosystem you need the application to integrate with
- certifications – if there are any specific certifications your industry requires, does the vendor have them
- connected party checks – are any owners or investors restricted, denied, sanctioned, or in legal jeopardy
- insurance – if you require a certain (liability) insurance level, does the vendor carry it
- budgetary window verification – including license & annual maintenance, implementation, and integrations
Now, this is not a complete list, but it’s a solid starting list for many companies of requirements that can be checked quickly and that instantly eliminate a vendor from consideration if not met.
Furthermore, it’s pretty easy to extend this into a relatively complete “rapid fire elimination” checklist for your company if you simply
- analyze each vendor selection requirement criteria employed by each stakeholder and department
- extract those that result in a no-go that can be verified in a few minutes
Completing this checklist is an effort that pays for itself on the next evaluation, as it will save months of effort spent determining detailed vendor fit only to discover, during the final extra-departmental checks, that the vendor violates a rule those departments just won’t accept.
