Many companies fail to follow through in planning for supply-chain disruptions, but the loss of a critical vendor can bring operations at an unprepared company to a standstill. Today’s blog offers seven best practices every organization should follow to reduce its vulnerability to vendor outages.
Managing Third-Party Risk in 2025
There’s never a bad time to talk about the importance of supply-chain resilience. The loss of a critical supplier has always had the ability to cause pain to an unprepared company. And the area has long been one where even responsible companies tend to fall short.
That said, right now might be an especially good time to talk about supply-chain security, given the ongoing tensions on the international scene and the new uncertainty regarding tariffs.
Thankfully, in 2025 awareness of the issue of vendor vulnerability is more widespread than it used to be. For that, we can thank COVID and our recent experience of empty store shelves and stacked-up container ships.
Unfortunately, awareness has been slow to translate to action, if MHA consultants’ experience in the field is any guide.
We’ve seen a lot of companies identify where the risks in their vendors lie. But relatively few organizations have taken the next step of remediating their vulnerabilities.
Awareness Isn’t Enough: The Importance of Taking Action
Third-party risk management isn’t complicated. It comes down to assessing which vendors you rely on most, as well as which of your suppliers are the most vulnerable to disruptions. Once you’ve done that, you need to make arrangements in advance to cope with their potential loss, whether by finding redundant vendors, stockpiling product, and/or planning to perform the service in-house.
It’s straightforward, but it requires being proactive rather than reactive, which many organizations find hard to do. It’s about being aware and making conscious decisions, rather than putting one’s head in the sand or leaving things to chance.
7 Best Practices for Managing Third-Party Risk
Here are seven best practices every organization should follow to reduce its vendor risk and improve its operational resilience.
1. Identify Your Critical Vendors
Start by determining which vendors your business truly depends on to maintain critical operations. Don’t confuse this with how much you spend—some of your most essential suppliers may not be your most expensive. Classify vendors based on their importance to your organization: high, medium, or low. This sets the foundation for your entire third-party risk strategy.
2. Assess the Resilience of Key Vendors
Once you know who matters most, evaluate how vulnerable they are to disruption. Ask questions about their risk exposure and business continuity planning. Place them into categories—high, medium, or low—based on how likely they are to experience a disruption. If they resist sharing information, treat that as a risk indicator and plan accordingly.
3. Make Backup Plans and Arrangements Ahead of Time
Starting with your most critical and most vulnerable vendors, develop contingency plans before a disruption occurs. Options include lining up alternate suppliers, stockpiling essential goods, or preparing to bring the function in-house. Be aware that with regulated products, switching vendors may involve delays due to compliance and approval processes.
4. Build Resilience Requirements into Your Vendor Contracts
Work to embed resilience requirements directly into your contracts. This may involve gaining access to your vendor’s business continuity (BC) plans, setting expectations for recovery time, or outlining responsibilities during a disruption. Success here often depends on your leverage and persistence; negotiating contract language may take time and repeated dialogue.
5. Don’t Be Fooled by Size
A common misconception is that large or well-known vendors are immune to outages. In reality, size does not guarantee resilience. Always perform due diligence—even industry giants can experience failures that impact your business.
6. Consider the Resilience of Your Vendors’ Vendors
Your vendors rely on suppliers of their own, and weaknesses in those secondary vendors can impact you. Ask about your vendors’ critical dependencies and how they manage them. True resilience requires looking one or two layers deeper.
7. Review and Refresh Regularly
Third-party risk management isn’t a set-it-and-forget-it exercise. Review your vendor landscape, risk assessments, and continuity plans at least annually—or sooner if there are changes to your operations, your vendors, or the regulatory environment.
By following these best practices, organizations can significantly reduce their exposure to third-party disruptions and build a vendor base that’s ready for whatever comes next.
Vendor Resilience Starts Now
Managing third-party risk may seem complex, but the core principles are straightforward: know which vendors matter most, understand how resilient they are, and prepare for the unexpected. By systematically identifying vulnerabilities and addressing them through proactive planning, organizations can avoid the costly consequences of supply-chain disruption.
The good news is that resilience is within reach. By putting these best practices into action, businesses can strengthen their vendor relationships, improve operational stability, and position themselves to weather future shocks with confidence.
Further Reading
- Vulnerable Vendors: Supplier Weaknesses Put Your Organization at Risk
- How to Stop Third-Party Vendors from Becoming Your Achilles’ Heel
- The Corporate Supply Chain: BCM’s Ticking Time Bomb
- Strengthening the Chain: Four Steps to a More Secure Corporate Supply Chain
- You Have to Kick the Tires: Protecting Yourself Against Supply-Chain Catastrophes

Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.