← Financial Operating Model

Vendor and Contract Management

The SaaS sprawl, the renewal surprises, and the contracts you signed and forgot about.

Engineering organisations accumulate software, platforms, and tooling at pace. Without deliberate management, vendor costs grow invisibly, contract leverage disappears, and critical dependencies emerge without anyone noticing. This covers how to manage your vendor portfolio as an engineering asset.

The Accumulation Problem

Engineering organisations accumulate vendors. It happens gradually and for understandable reasons: a team tries a new tool, it solves a problem, they put a credit card down. A different team has a slightly different problem, they find a slightly different tool. Over time, you have dozens of SaaS subscriptions, a handful of managed services, several consulting relationships, and a few platform contracts - many of which nobody is actively managing.

The typical engineering organisation of 100-200 engineers has between 40 and 80 active vendor relationships. A significant portion of these will be duplicates (two teams using different tools for the same purpose), several will be unused (licences for people who left or products that were deprecated), and some will be approaching renewal with no one paying attention.

This is not a sign of poor management. It is what happens when you give capable engineers the autonomy to choose their own tools and do not build the governance to go with it. The answer is not to remove the autonomy. It is to build lightweight governance that makes the portfolio visible and managed without creating bureaucracy that slows everything down.

Classifying Your Vendor Portfolio

Not all vendors deserve the same level of management attention. A useful classification is three tiers:

Critical Vendors

Vendors where an outage or contract termination would significantly impair your ability to operate. Your primary cloud provider, your identity provider, your core database platform, your code hosting and CI/CD platform. These deserve active relationship management, reviewed contracts, documented exit strategies, and regular assessment of the vendor's health and market position.

For critical vendors, you should know: who owns the relationship internally, when the contract renews, what the exit cost and complexity would be, and what the vendor's strategic direction is. You should have a named contact at the vendor and a regular cadence of review.

Important Vendors

Vendors that significantly support your operations but where a replacement exists and migration, while costly, is feasible. Monitoring platforms, communication tools, project management software, security tooling. These warrant annual review, contract awareness, and occasional competitive evaluation.

For important vendors, you should know: the renewal date, the current commercial terms, whether you are getting value relative to cost, and whether better alternatives exist. You do not need a named relationship, but you need someone who is responsible for the category.

Convenience Vendors

Everything else. Single-purpose tools, small SaaS subscriptions, free tiers with paid features. These warrant periodic audit (annually or on a defined cycle) to catch waste and consolidation opportunities, but not active management between audits.

The classification exercise itself is valuable. Most organisations have not done it and discover that things they treated as convenience vendors are actually critical (because teams built workflows that depend on them) and things they thought were critical are actually easily replaceable.

Contract Renewal Strategy and Negotiation Leverage

The most common mistake in vendor management is letting contracts auto-renew without renegotiation. Auto-renewal is designed to benefit the vendor. It locks in pricing from a previous negotiation at a time when you may have grown (and therefore have more leverage) or when better alternatives have emerged.

Building Negotiation Leverage

Leverage in vendor negotiation comes from three sources: scale, competition, and timing.

Scale: the larger your usage, the more the vendor wants to keep you. If you have grown significantly since your last negotiation, your renewal conversation is an opportunity to extract better terms. Vendors will typically share pricing tiers informally - understand where you fall and what the next tier looks like.

Competition: even if you have no intention of switching, evaluating alternatives and making that evaluation visible to your current vendor creates leverage. A genuine alternative - ideally one you have trialled or POC'd - is much more credible than an implied threat. Vendors know the difference.

Timing: the worst time to negotiate is at renewal, when the vendor knows you are unlikely to switch at short notice. The best time is 90-120 days before renewal, when you have time to walk away and the vendor has time to respond. Some organisations begin renewal conversations six months out for critical vendors.

What to Negotiate Beyond Price

Price is the obvious lever but not always the most valuable. Other terms worth negotiating:

Contract length: multi-year deals often come with better pricing but reduce your flexibility. Evaluate whether the saving justifies the commitment, particularly for vendors where the market is evolving fast.

User or seat flexibility: negotiate the right to add and remove users without penalty, or at least with a predictable mechanism. Contracts that lock you to a minimum seat count for the full term are particularly painful when you restructure.

SLA terms: what happens when the vendor has an outage? Credit mechanisms, response time commitments, and escalation paths matter for critical vendors and are negotiable.

Data portability and exit rights: you should always be able to export your data in a usable format, and the contract should say so. This is non-negotiable for any vendor holding data that matters.

Build vs Buy Decision Frameworks

Every significant vendor relationship started with a build vs buy decision - whether explicit or implicit. As your organisation matures, those decisions should be revisited, and new decisions should be made with a consistent framework.

The case for buying (using a vendor) is typically: faster time to value, lower upfront investment, access to capabilities your team could not build to the same quality, and ongoing maintenance is the vendor's problem.

The case for building is typically: you need something that does not exist commercially, you need tight integration with your own systems, the commercial option is prohibitively expensive at your scale, or the capability is so core to your competitive differentiation that you do not want to depend on a third party.

The hidden costs of buying: vendor risk (what happens if they are acquired, pivot, or fail?), lock-in (how hard is it to migrate away?), integration overhead (how much engineering work is required to make the vendor product work in your environment?), and the ongoing cost of licences that do not scale linearly with your growth.

The hidden costs of building: the ongoing maintenance burden, the opportunity cost of engineering time, the risk that your own solution does not reach the quality of a specialist vendor, and the need to keep the solution up to date as requirements change.

A practical rule of thumb: buy when the problem is generic and the vendor market is healthy. Build when the problem is specific to your business, the vendor market is thin, or the capability is core to your competitive position.

Vendor Lock-in: Risk and Mitigation

Vendor lock-in is the state of being so deeply dependent on a vendor that switching is prohibitively costly. It happens across three dimensions: technical lock-in (proprietary APIs, data formats, or deployment models), operational lock-in (processes and workflows built around the vendor's product), and contractual lock-in (terms that make exit expensive).

For critical vendors, lock-in risk should be assessed explicitly. The question is not whether you plan to switch - it is whether you could if you needed to.

Technical lock-in mitigation strategies: use vendor products through abstraction layers where possible (so the underlying vendor can be swapped without changing application code), maintain data exports on a regular basis, and document the migration path even if you never execute it.

The cloud multi-cloud conversation sits here. Multi-cloud architectures can reduce cloud provider lock-in but introduce significant operational complexity. For most organisations, the right approach is to be deliberate about which cloud-native services you use (and which create deep lock-in), rather than maintaining a fully portable multi-cloud posture that adds overhead without proportionate benefit.

SaaS Rationalisation

A periodic SaaS rationalisation exercise - say, annually - typically reveals two or three opportunities for consolidation and several areas of outright waste.

The exercise involves: inventorying all active subscriptions, classifying them, identifying duplicates and overlaps, assessing usage data where available, and making consolidation decisions with input from affected teams.

The governance model for ongoing control: a lightweight approval process for new SaaS spend above a threshold (say, any subscription costing more than X per month, or any annual spend above Y). This is not a bureaucratic blocker - it is a checkpoint that creates visibility and ensures someone is accountable for the decision. Tools like Torii, Blissfully, or Zylo automate the inventory and renewal tracking for organisations with significant SaaS footprints.

The key output of vendor management is not a report. It is an organisation that knows what it is paying for, knows when its commitments renew, and makes deliberate decisions about its vendor relationships rather than allowing them to accumulate by default.

← Previous Unit Economics for Engineering Next → Financial Reporting for Engineering