D18 · OPERATIONS

Vendor and supplier risk monitoring

Continuously watches signals about the firm's vendors and suppliers — financial news, public filings, security incidents, certification expirations, delivery performance, payment behavior on their side — and flags rising risks before they become operational problems. It differs from B5 (which monitors customer churn risk) in that it watches the supply side, where the risks are different: a supplier going bankrupt, a security certification expiring, a key vendor being acquired, delivery quality degrading. The pattern's value is in moving vendor risk from an annual review exercise to a continuous signal, so issues get addressed during the relationship rather than discovered when they cause downstream impact.

WHERE THIS FITS
BUSINESS SHAPES
B2B services · Product company · Professional services
VOLUME THRESHOLD
Below 30 active vendors a month, the payback rarely earns the build. Patterns of this shape reliably pay back at 200+.
REQUIREMENTS · 6 REQUIRED

Requirements describe capabilities the pattern needs in your environment, not the vendors you must buy. Any system that fills a requirement satisfies it — that’s what makes the catalog portable across the long tail of SMB tooling.

  1. vendor_master
    REQUIRED · READ · request

    The list of vendors being monitored, with the context that matters.

    DATA SHAPE
    Per-vendor: legal name, business identifiers, contract terms, spend, criticality tier, contact owners.
    COMMONLY FILLED BY
    • vendor master in the ERP or procurement system
    • contract management system with vendor records
    • vendor onboarding database
  2. external_risk_signal_sources
    REQUIRED · READ · batch

    Public sources of risk-relevant data: news, regulatory filings, security advisories, ratings.

    DATA SHAPE
    Per-vendor signals with source, date, signal type, severity hint.
    COMMONLY FILLED BY
    • news monitoring service with vendor entity matching
    • credit rating feed
    • security advisory feeds
    • regulatory filing alerts
    • data breach notification services
  3. internal_performance_signal
    REQUIRED · READ · batch

    How the vendor is performing in the actual relationship: deliveries, defect rates, response times, invoicing accuracy.

    DATA SHAPE
    Per-vendor performance metrics over time with thresholds and trend.
    COMMONLY FILLED BY
    • procurement system with delivery and quality records
    • AP system with invoicing accuracy data
    • internal SLA tracking
    • contract management system with performance attestations
  4. compliance_artifact_tracker
    REQUIRED · READ · corpus

    Vendor-provided compliance documents and their expiration: certifications, insurance, financial statements.

    DATA SHAPE
    Per-vendor per-document: type, valid-from, valid-to, status (current/expiring/expired).
    COMMONLY FILLED BY
    • compliance document store in the procurement system
    • vendor portal where they submit certifications
    • structured tracking in the GRC system
  5. risk_destination
    REQUIRED · WRITE · event

    Where rising risk signals surface for the vendor owners and procurement team.

    DATA SHAPE
    Per-vendor risk score with reason codes, evidence, suggested actions, priority based on vendor criticality and risk severity.
    COMMONLY FILLED BY
    • risk view in the procurement system
    • weekly digest to vendor owners
    • chat alerts for material changes
  6. incident_response_route
    REQUIRED · WRITE · event

    Where confirmed high-severity issues go for immediate action: supplier on hold, contract review, contingency activation.

    DATA SHAPE
    Incident with full context, suggested response options, financial and operational impact estimate.
    COMMONLY FILLED BY
    • procurement leadership alerts with clear action options
    • incident management process in the GRC system
    • structured escalation to procurement, legal, and finance
RUNTIME FLOW · 7 STEPS
  1. On regular cadence (daily for tier-1 vendors, weekly for others), refresh external risk signals
    external_risk_signal_sources · vendor_master
  2. Pull recent internal performance data per vendor
    internal_performance_signal
  3. Check compliance artifact tracker for upcoming or expired documents
    compliance_artifact_tracker
  4. Compute combined risk score per vendor with weighted inputs based on vendor criticality
  5. Detect material changes from prior score and changes that cross threshold
    DECISION: Score changes above threshold trigger alerts; stable scores don't generate noise.
  6. Surface rising risks to risk destination with reason codes and suggested actions
    risk_destination
  7. For severe events (financial distress, breach, certification lost), route to incident response
    incident_response_route
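
Steps 3 to 7 of the flow above, sketched in Python as an added example (not code from the catalog). The weights, thresholds, field names and the three vendors are assumptions constructed for illustration, since the page names the inputs but gives no numbers.

```python
from datetime import date

# Assumed tuning values: the page names the inputs but gives no numbers.
WEIGHTS = {1: (0.5, 0.3, 0.2), 2: (0.4, 0.4, 0.2), 3: (0.3, 0.5, 0.2)}  # tier -> external, performance, compliance
ALERT_LEVEL = 60         # score threshold whose crossing raises an alert
MATERIAL_DELTA = 15      # rise over the prior score that counts as material
EXPIRY_WINDOW_DAYS = 45  # "expiring" horizon for compliance documents
SEVERE = {"financial_distress", "breach", "certification_lost"}  # step 7 events
COMPLIANCE_POINTS = {"current": 0, "expiring": 50, "expired": 100}

def artifact_status(valid_to, today):
    """Step 3: classify a document as current / expiring / expired."""
    days_left = (valid_to - today).days
    if days_left < 0:
        return "expired"
    return "expiring" if days_left <= EXPIRY_WINDOW_DAYS else "current"

def assess(vendor, prior_score, today):
    """Steps 4-7 for one vendor: weighted score, change detection, routing."""
    w_ext, w_perf, w_comp = WEIGHTS[vendor["tier"]]
    statuses = {a["type"]: artifact_status(a["valid_to"], today) for a in vendor["artifacts"]}
    external = max((s["severity"] for s in vendor["signals"]), default=0)
    compliance = max((COMPLIANCE_POINTS[st] for st in statuses.values()), default=0)
    score = round(w_ext * external + w_perf * vendor["performance_risk"] + w_comp * compliance)
    signal_types = {s["type"] for s in vendor["signals"]}
    reasons = sorted(signal_types) + [f"{t}:{st}" for t, st in sorted(statuses.items()) if st != "current"]
    if signal_types & SEVERE:
        route = "incident_response_route"   # severe event: escalate regardless of score
    elif score - prior_score >= MATERIAL_DELTA or prior_score < ALERT_LEVEL <= score:
        route = "risk_destination"          # material rise or threshold crossing
    else:
        route = None                        # stable score: no alert, no noise
    return {"vendor": vendor["name"], "score": score, "reasons": reasons, "route": route}

# Constructed sample data (not from the page); all inputs are on a 0-100 scale.
TODAY = date(2024, 6, 1)
VENDORS = [
    {"name": "Acme Hosting", "tier": 1, "performance_risk": 20,
     "signals": [{"type": "breach", "severity": 90}],
     "artifacts": [{"type": "soc2", "valid_to": date(2025, 1, 31)}]},
    {"name": "Borealis Freight", "tier": 2, "performance_risk": 70, "signals": [],
     "artifacts": [{"type": "insurance", "valid_to": date(2024, 6, 20)}]},
    {"name": "Cobalt Print", "tier": 3, "performance_risk": 40,
     "signals": [{"type": "news_negative", "severity": 30}],
     "artifacts": [{"type": "iso9001", "valid_to": date(2025, 3, 1)}]},
]
PRIOR = {"Acme Hosting": 30, "Borealis Freight": 20, "Cobalt Print": 27}

def run(today=TODAY):
    return [assess(v, PRIOR[v["name"]], today) for v in VENDORS]
```

The breach routes to incident response even though the combined score stays below the alert level, which is why severe event types are checked before the score comparison.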
EMISSIONS · 3

Structured outputs this pattern produces. Other patterns and client systems can subscribe to them, which is how the catalog composes over time.

  • vendor_risk_landscape

    Per-vendor risk score history and aggregate distribution. The view procurement leadership wants to see.

    CONSUMED BY
    • procurement leadership dashboards
    • board risk reporting
    • annual vendor reviews
  • concentration_risk_signal

    Patterns where multiple critical vendors share risk factors (same region, same software dependency, same financial backer).

    CONSUMED BY
    • supply chain risk management
    • strategic procurement reviews
  • compliance_expiry_signal

    Upcoming compliance document expirations, surfaced in time to act.

    CONSUMED BY
    • vendor management workflows
    • compliance team alerts
    • procurement owner workflows