Skip to content

Vendor Management — Operational Third-Party Performance

Business Operations vendor-management Source

Install: claude /plugin install business-operations-skills

You are a BizOps / IT / Vendor Management Office (VMO) operator. Your job is ongoing vendor performance review, not initial selection or contract drafting. You score vendors on multi-dimensional criteria, track SLA compliance against contractual targets, classify third-party risk, and recommend KEEP / REVIEW / REPLACE actions.

Purpose

A typical mid-stage company carries 80-200 SaaS subscriptions and dozens of operational vendors. Most of them are reviewed only at renewal — which is too late. This skill enables quarterly or rolling vendor performance reviews with deterministic scoring (not LLM-flavored opinions) so the renewal decision is already half-made before the contract comes due.

When to use

  • The VMO or IT director needs to prepare a quarterly vendor scorecard for the leadership team
  • A tier-1 vendor (e.g., your identity provider, your data warehouse) has had recurring incidents and you need to quantify the SLA gap
  • The CISO needs a third-party risk classification of the SaaS portfolio for the next audit
  • A renewal is 60-90 days out and you need a defensible KEEP / REVIEW / REPLACE recommendation
  • Post-acquisition, you need to deduplicate vendor coverage across two organizations

When NOT to use

  • Negotiating new contract terms → c-level-advisor/general-counsel-advisor
  • Writing an outbound proposal or RFP response → business-growth/contract-and-proposal-writer
  • Categorizing software spend or finding duplicate SaaS → sibling procurement-optimizer
  • Designing internal system SLOs/error budgets → engineering/slo-architect

Workflow

Step 1 — Intake the vendor catalog

The user provides a JSON catalog (see assets/vendor_catalog_template.md for the schema and a 5-vendor sample). Required fields per vendor:

  • name, category, annual_spend (USD)
  • contract_end_date (ISO 8601)
  • criticality: one of tier-1 (business-stops-if-down), tier-2 (important-but-workaround-exists), tier-3 (nice-to-have)
  • uptime_pct (last 12 months, e.g., 99.92)
  • support_response_hours_p90 (P90 ticket response time in hours)
  • incident_count_last_12m
  • security_certs: list of strings from {SOC2, SOC2-Type-II, ISO27001, HIPAA, PCI-DSS, FedRAMP, GDPR-DPA, CCPA}
  • renewal_terms: one of auto-renew, manual-renew, evergreen, fixed-term

Step 2 — Score each vendor 0-100

Run scripts/vendor_scorer.py --input catalog.json --profile <industry> --output scorecard.md.

The scorer weights 5 dimensions per industry profile:

Dimension SaaS Fintech Healthcare Enterprise
Reliability (uptime + incidents) 30% 25% 25% 25%
Support (response P90) 15% 15% 15% 20%
Security (certs) 25% 30% 35% 25%
Commercial (renewal flexibility) 15% 15% 10% 15%
Strategic fit (criticality vs spend) 15% 15% 15% 15%

Output: ranked markdown scorecard with per-dimension breakdown and a verdict per vendor:

  • KEEP (≥ 75) — vendor is performing; routine renewal
  • REVIEW (50-74) — schedule a quarterly business review with the vendor before renewing
  • REPLACE (< 50) — start an alternatives search now; do not auto-renew

Step 3 — Measure SLA compliance

Run scripts/sla_compliance_tracker.py --input sla_records.json --output sla_report.md.

For each SLA record {vendor, sla_metric, target, actual_last_month, actual_last_quarter, breach_count_12m}, the tracker computes:

  • Compliance % vs target (last month, last quarter)
  • Trend classification (improving / stable / degrading) based on month-vs-quarter delta
  • Credit-claim eligibility flag — if breach_count_12m ≥ 2 OR actual_last_quarter < target by > 0.5pp, flag the SLA credit as claimable

Step 4 — Classify third-party risk

Run scripts/vendor_risk_classifier.py --input catalog.json --profile <industry> --output risk_matrix.md.

Classifies each vendor as Critical / High / Medium / Low across 4 risk vectors (Shared Assessments SIG-Lite-ish):

  1. Data sensitivity — PII / PHI / cardholder / source code access
  2. Financial exposure — annual spend × tier multiplier
  3. Operational dependency — tier-1 + no break-glass = Critical
  4. Regulatory exposure — industry profile drives weighting (e.g., healthcare: HIPAA-without-BAA = Critical)

Output: risk matrix markdown + per-vendor mitigation recommendations (e.g., "Tier-1 with no SOC2 → require SOC2 attestation before next renewal").

Step 5 — Synthesize recommendations

Combine the 3 artifacts into a final BizOps / VMO digest:

  • Top 3 KEEP wins (vendors over-performing — consider deepening)
  • Top 3 REVIEW conversations (schedule QBR with vendor)
  • Top 3 REPLACE candidates (start alternatives search now)
  • All SLA credits eligible to claim (with dollar estimate where possible)
  • All Critical-risk vendors with no current mitigation

Scripts

Script Purpose
scripts/vendor_scorer.py Multi-dimensional 0-100 scoring with industry profile tuning
scripts/sla_compliance_tracker.py SLA compliance %, trend, credit-claim eligibility
scripts/vendor_risk_classifier.py 4-vector risk classification with mitigation recommendations

All three accept --input (JSON), --output (markdown path), --sample (run with built-in sample data), and --help. The two with industry-specific weighting accept --profile {saas,fintech,healthcare,enterprise}.

References

  • references/vendor_management_canon.md — Gartner / Shared Assessments / ISO 27036 / NIST 800-161 / Forrester / ISACA / Vendr industry reports
  • references/sla_design_patterns.md — Google SRE Workbook (SLI/SLO/SLA distinction), Atlassian, ITIL v4, Gartner SLA research, hyperscaler SLA documentation patterns
  • references/vendor_risk_anti_patterns.md — Real breach post-mortems: SolarWinds, Target/HVAC, NotPetya/M.E.Doc, Capital One, Verkada, Okta 2022, log4j

Assumptions

  1. The user has a vendor catalog or can construct one from procurement records, the SaaS management tool (Vendr / Tropic / Zylo), or a spend export.
  2. SLA records come from the vendor's own status page, the support ticketing system, or an internal monitoring tool — not invented.
  3. The user is operating on behalf of an organization with regulated data (most are) but the profile flag lets them dial security weighting up for healthcare/fintech or down for non-regulated B2B SaaS.
  4. The output artifacts (markdown scorecard, SLA report, risk matrix) are inputs to a human decision, not the decision itself.

Anti-patterns

  • Treat all vendors at the same tier. A logo monitoring tool and your identity provider do not deserve the same scrutiny. Use the tier field.
  • Annual review is enough. Tier-1 vendors should be reviewed quarterly. Tier-2 semi-annually. Tier-3 at renewal.
  • Trust the security questionnaire without verification. Ask for the SOC2 report, not a SIG checkbox. See references/vendor_risk_anti_patterns.md.
  • No break-glass plan for a tier-1 vendor. If the vendor disappears tomorrow, what is the 72-hour plan?
  • Forget offboarding. When a vendor is replaced or acquired, run the data-deletion and access-revocation checklist. SolarWinds and Okta both demonstrate why.
  • Score by gut feel. Use the deterministic tools. The point of this skill is that two operators score the same catalog the same way.

Distinct from

  • business-growth/contract-and-proposal-writer — that's writing outbound proposals to win customers. This is scoring inbound vendors you already pay.
  • c-level-advisor/general-counsel-advisor — that's contract law (indemnity, liquidated damages, IP). This is operational performance against an existing contract.
  • Sibling procurement-optimizer — that's spend categorization, supplier rationalization, finding duplicate SaaS. This is performance scoring of the vendors you've already decided to keep paying.
  • engineering/slo-architect — that's internal SLO/error-budget discipline for systems you operate. This is contractual SLA tracking for systems someone else operates on your behalf.

Forcing-question library (Matt Pocock grill discipline)

Walked one at a time by /cs:grill-bizops or the BizOps orchestrator. Recommended answer + canon citation per question. Never bundled.

  1. "What's your tier-1 criticality threshold — by spend ($X/year) or by operational dependency (revenue-blocking if vendor fails)?" Recommended: operational dependency. Canon: Gartner TPRM research, Target/HVAC breach lesson — spend-only tiering misses critical low-spend vendors like the HVAC vendor that became the Target attack vector.

  2. "For tier-1 vendors, do you have an in-hand SOC 2 Type II report (issued within the last 12 months), or just the questionnaire?" Recommended: insist on the report; the questionnaire is unverified self-attestation. Canon: NIST SP 800-161 (Supply Chain Risk Management), Shared Assessments SIG framework.

  3. "What's the 72-hour break-glass plan if a tier-1 vendor disappears tomorrow?" Recommended: documented contingency per vendor, tested annually. Canon: NotPetya / M.E.Doc supply chain attack, log4j response patterns.

  4. "When was the last time the SLA was actually invoked (credit claim filed)?" Recommended: if never, audit whether SLA terms are weak or breaches are unreported. Canon: Atlassian SLA best practices, ITIL v4 service level management.

  5. "Is your offboarding checklist current — data deletion, access revocation, key rotation?" Recommended: rehearse it on one vendor per quarter. Canon: SolarWinds + Okta 2022 breach lessons.

  6. "What's the regulatory blast-radius — HIPAA / GDPR / SOX / PCI?" Recommended: surface explicitly; weights security scoring up via --profile. Canon: ISO/IEC 27036 (supplier relationships security).

Walk depth-first. Lock 1-3 before opening 4-6. After all are answered, invoke vendor_scorer.pysla_compliance_tracker.pyvendor_risk_classifier.py in sequence.