The Only Vendors Worth Worrying About (And How to Actually Review Them)
Most third-party risk programs spend the bulk of their energy in the wrong place.
The standard playbook says to throw the longest questionnaires, the deepest reviews, and the most senior attention at your largest, most critical vendors. It feels intuitive: bigger vendor, bigger risk. But if you've worked in this space long enough, you already know the dirty secret: those reviews rarely surface anything new. The Microsofts, AWSes, and Salesforces of the world have control environments more mature than your own. A 300-question SIG isn't telling you something their SOC 2, ISO 27001, and CSA STAR reports haven't already covered. You're doing paperwork, not risk management.
So where does the real risk in your program actually live?
The quadrant that matters
Think of every vendor as a point on a simple grid: vendor size on one axis, inherent risk on the other. This is the core of the two-axis framework.
Large vendors with mature control environments are well-suited to almost any engagement, whether the inherent risk is high or low. Their scale is the control. They have redundancy, incident response teams, audited processes, and balance sheets that absorb shocks. You can hand them a critical workload and reasonably expect they'll still be standing next quarter. The one thing their attestations do not cover is your side of the shared-responsibility line: a SOC 2 report speaks to the controls the vendor operates, not to how your team configured the tenant, so the review effort that remains useful here is on your own configuration, not on re-asking what the auditor already tested.
Small vendors with simple control environments are fine for low inherent risk engagements. If they're processing non-sensitive data or providing a non-critical service, their lighter controls are proportionate to the exposure.
The danger zone is the fourth quadrant: small vendors carrying high inherent risk. That's where residual risk concentrates. And it's the quadrant most programs systematically under-review, because the questionnaire returns look "fine" and the spend is too low to attract executive attention.
Why small + high-inherent is the real problem
A vendor with 100 employees or fewer simply cannot absorb what a large vendor can. A few realities to sit with:
- They're more fragile operationally. One key engineer leaving, one bad quarter, one founder dispute can degrade their service in ways that never show up on a questionnaire.
- They're more likely to be acquired, pivot, or shut down. The vendor you diligenced two years ago may not be the same company today โ new owners, new priorities, new (or absent) security leadership.
- They're less able to handle a critical incident. When something goes wrong at a 50-person vendor, there's no 24/7 SOC, no dedicated breach counsel, no PR machine. There's a CTO answering Slack messages at 2am.
- Their controls scale with headcount. A small team genuinely cannot maintain the segregation of duties, monitoring, and redundancy that a larger control environment provides.
None of this is a knock on small vendors. Plenty of them do excellent work and are the right partner for the job. But when one of them sits in a high inherent risk role (handling regulated data, plugged into critical infrastructure, holding customer credentials), the residual risk you're carrying is meaningfully higher than your tier rating probably reflects.
How to actually review them
Two things change for vendors in this quadrant.
First, ditch the questionnaire as the primary artifact and get them on video. A 60- to 90-minute working session with the right people on their side will tell you more than 200 yes/no answers ever will. Walk through the assessment together. Ask about their incident response in concrete terms: who gets paged, what's happened in the last 12 months, what they learned. Where you can, ask to see the artifact rather than accept the assertion, such as the on-call rotation, the most recent postmortem, or the offboarding checklist for a departing engineer. Ask about key-person risk. Ask what happens to your data if they're acquired or shut down. You're not auditing them; you're building a real picture of whether this organization can carry the risk you're handing them.
Second, loop the business in honestly. The team that wanted this vendor needs to understand the exposure they're taking on. That means a frank conversation about backups, contingency, and elevated monitoring. What's the plan if this vendor goes dark for a week? Is there a secondary provider identified? Who owns the decision to pull the cord if things deteriorate? These conversations are uncomfortable in procurement cycles where someone is excited about the new tool, but they're the conversations that prevent the worst incidents.
The reframe
Your program's job isn't to review every vendor with equal rigor. It's to find the residual risk hiding in plain sight and put real attention on it. For most organizations, that means spending less time auditing large vendors like Workday, and more time on the 40-person SaaS vendor your finance team just signed.
See How Docubark Focuses Review Where It Matters