Small teams rarely have time to monitor every contract clause or data-handling promise, yet regulators and customers will still hold you accountable. Here is how to keep vendor risk visible without building a compliance department.
## Risk radar in one page

| Area | Current risk | Evidence | Owner | Next check |
|---|---|---|---|---|
| Data processing | Medium – awaiting updated DPA | Draft DPA v2 from supplier | Legal | 21 May |
| Service continuity | Low – DR test passed in April | Test report attached | Vendor | 15 Aug |
| Exit readiness | High – no asset handover plan | None | Project lead | Draft plan by 5 Jun |

Review the table monthly with your vendor and sponsor. Low (green) items stay as they are; medium (amber) and high (red) items each get a named action owner.
## Compliance reminders

- Keep signed DPAs, SLAs, and audit certificates in one shared folder.
- Ask for proof of security or continuity tests once per quarter.
- Log any breaches or near misses immediately, even if they were fixed.
## Have an exit plan before you need it

- List all assets the vendor holds (source code, credentials, documentation).
- Set a calendar reminder to check that those assets are up to date.
- Agree on what 30/60/90-day transition support looks like if you terminate.
- Capture all this in a one-page “exit playbook” you can send to executives.
## When to call us

If you struggle to get evidence from the supplier, or you have to brief legal/compliance with zero notice, bring us in. We build the risk register, chase the proof, and prepare your exit playbook so you can answer any “what if” question calmly.
