When Broadcom acquired VMware and restructured its licensing, many enterprises were caught flat-footed. Some saw modest price increases; others saw costs multiply. But the real damage wasn’t financial — it was the realization that they had no response plan.
“The teams that come out best aren’t the ones who reacted the fastest,” said Heather Clauson Haughian, co-founder and technology attorney at CM Law. “They’re the ones who already knew what switching would take before they ever had to ask.”
That’s a hard standard, and most organizations don’t meet it. The CIOs who do share a common approach: They treat vendor risk as an ongoing practice, not a crisis response.
As companies rely more on partners, risk follows
Since the pandemic, companies have accelerated their reliance on external partners, including for core strategic capabilities once built in-house. Cloud adoption, AI platform investments, talent shortages and the need to keep pace with competitors have pushed organizations toward external partners for work that once took years to develop internally, often without a clear picture of the dependencies they were creating.
But while this approach delivers speed, it also changes the risk framework, according to Kyle Mutz, a partner in business and technology consultancy West Monroe’s operations excellence practice.
“Greater dependence on ecosystem partners means a greater exposure for the organization,” he said. “Vendor management is no longer just a sourcing function: It’s a core part of how IT operates.”
The biggest threat isn’t necessarily the largest provider, but the one that’s most embedded in IT’s ability to deliver business outcomes. Identifying this threat can make all the difference between thriving and flailing.
How CIOs identify vendor exposure
To address partner vulnerabilities, companies first need to identify where those vulnerabilities lie. CM Law’s Clauson Haughian said she evaluates vendors against three criteria: criticality, concentration and likelihood of change.
- Criticality. “It means asking, ‘If this vendor disappeared tomorrow — or doubled their prices — what breaks?’” she said. “I’m thinking about revenue impact, safety exposure and regulatory consequences.”
- Concentration. Vendor concentration is subtler. Instead of thinking about a single vendor, Haughian advised examining where a single cloud platform, virtualization layer or region has “quietly become the default for nearly everything important.” This kind of exposure can build without any clear signals, catching organizations by surprise.
- Likelihood of change. The third factor is the product’s trajectory. Haughian has a few questions she recommends CIOs ask: “Is this technology approaching end-of-life? Has the vendor signaled it’s no longer a strategic priority? Who owns the company, and do they have a history of aggressive monetization?” she asked. “Track records matter.”
Niel Nickolaisen, field CTO at Valcom Technologies, takes a different approach, framing vendor risk assessment as a supply chain problem. “Post-COVID, a lot of organizations scrutinized their critical supply chains. Perhaps we need to do the same for IT,” he said. “Brainstorm which technologies are critical, then ask: What would we do if there were a disruption?”
Building resilience before you need it
The goal isn’t to eliminate vendor dependency; that’s unrealistic. Instead, CIOs should focus on avoiding being locked into a single path with no alternatives.
“For every high-risk vendor, I document what they touch: systems, contracts, data flows, integrations,” Clauson Haughian explained. “Not a theoretical map. A real one. If I can’t draw a clear picture of the dependency, I don’t actually understand my exposure.”
From there, she focuses on three areas: alternatives, contracts and triggers.
- Alternatives. What fallback options are available if a vendor relationship deteriorates or ends abruptly? Not every vendor needs a fully built backup plan, Haughian said, but you should know whether a plan exists, how long it would take to execute and what it would cost to do so.
- Contracts. This is where leverage is built or lost. Are pricing protections, notice periods, data portability rights and termination clauses in place? “These matter enormously when a vendor situation starts to deteriorate,” Clauson Haughian explained. “I’d rather negotiate those terms during a routine renewal than discover they’re missing in the middle of a crisis.”
- Triggers. What are the early warning signals — a change in ownership, a product roadmap pivot or a vendor decision to sunset a support tier? “I document what to watch for in advance, so I’m not reacting to news; I’m responding to patterns I already anticipated,” she said.
Karthi P, a senior analyst at research and advisory firm Everest Group, agrees that leading organizations are designing for optionality from the start. This is what gives them the advantage when a vendor switches up its licensing.
“That means avoiding deep lock-in through modular architectures and abstraction layers, maintaining multi-provider or fallback options, and building internal visibility into data integrations and dependencies,” he said. “Provider exposure is becoming an architectural decision, not just a procurement one.”
Absorb, negotiate or walk away?
When a major vendor disruption lands, CIOs have several options for how to respond. Ultimately, the decision comes down to impact versus feasibility.
“Absorbing makes sense when the cost of moving is genuinely higher than the new terms you’re being asked to accept,” CM Law’s Haughian said. “Sometimes the math just works out that way.”
Negotiating is the right move when you have leverage: You’re a meaningful customer, the timing favors you, or the vendor needs retention more than they need your specific contract terms. The third option is leaving the relationship altogether.
“Walking is warranted when the disruption points to something deeper,” Haughian said. “A change in incentives, a pattern or a trajectory [that suggests] this won’t be the last uncomfortable surprise.”
Organizations have long had to weigh several factors when vendor partnerships change. According to Karthi P, what’s changing is that CIOs are now considering long-term strategic exposure, not just immediate cost. “A provider that becomes too dominant or too restrictive may trigger an exit, even if short-term disruption is higher,” he said.
What separates organizations that handle these moments well from those that struggle is maturity, said Ashish Nadkarni, research vice president at IDC. “A mature organization has processes and people skills in place that enable a transition — partially or totally — to a different vendor,” he said. “The more mature you are, the more decoupled you are from lock-in.”
The alternative is panicking, which Nadkarni warned can lead to greater financial strain: either from spending on external consultants to tell you what to do, or from paying more to stay with bad solutions.
The reality of vendor lock-in
West Monroe’s Mutz said the biggest takeaway from recent disruptions is that vendor relationships are defined by a natural tension.
“Vendors are incentivized to create lock-in because it drives predictable, long-term revenue. Organizations want flexibility to maintain leverage,” he said. “How IT manages that balance directly affects exposure and speed to compete.”
This is more complex than it may appear at first. Mutz cautioned against overestimating negotiating power. After all, threatening to leave works only if you can actually do it. “It’s often cost-prohibitive to have multiple vendors performing the same function,” Mutz warned. “You need to be realistic about where true leverage exists.”
Leverage matters, but so does knowing when to cut your losses.
While migrating away may require more hands-on effort upfront, exiting a troubled vendor relationship can prove to be the most efficient long-term choice. This is particularly true when the vendor has proven unreliable from the beginning. Clauson Haughian’s most enduring insight comes from platform migrations gone wrong.
“When a vendor establishes a pattern of unresolved issues early in an implementation, you cannot assume it will self-correct,” she said. “Act decisively: document everything, engage legal and be prepared to exit if the remediation plan isn’t credible and time-bound.”
Taking action: How to start assessing vendor risk
For CIOs without a formal vendor risk practice, the advice is consistent: start small, but start. Delaying these decisions only increases the chance you’ll be caught unprepared.
“List your top 10 vendors by criticality and spend,” Clauson Haughian advised. “For each, ask three questions: What breaks if they disappear? How hard would it be to replace them? What does the contract runway look like? Turn those answers into a one-page heatmap you revisit quarterly.”
Mutz agreed with this approach, recommending that CIOs identify their top five to seven partner concentrations and assess their impact on mission-critical operations. “If a disruption in one partner could materially affect those operations, treat that relationship as a priority.”
The hardest part isn’t the assessment; it’s operationalizing it. “Most organizations do this once, file the results, and revisit only after something goes wrong,” Clauson Haughian said. “If you could do one thing, run a regular ‘what if this disappeared tomorrow’ exercise for your top 10 dependencies. The question sounds extreme. The answers are usually clarifying.”
At Swiss National Supercomputing Centre (CSCS), a government-funded research organization, systems engineer Dino Conciatore said he has seen both sides. “For many years, we were locked with vendors — Cray, HP, IBM,” he said. When VMware’s licensing changes hit, CSCS was already moving toward open alternatives. Today, Conciatore said, vendor independence is becoming central to how CSCS operates.
Not every organization will be so prepared. But CIOs can start asking the questions now — before the next VMware happens to them.