Vendor risk management (VRM) refers to the management of the potential risks that the vendors, contractors or service providers are likely to have on your business. As 60% of security problems now have external parties as their roots (Forrester) and supply chain attacks are increasing by 300 percent in a year,companies are placing more emphasis on the proactive management of third-party risks than ever. This urgency is compounded by regulatory requirements such as GDPR, which cause VRM to be critical to the safety of your cybersecurity, compliance, and day-to-day business and brand name.

‍

Why Is Vendor Risk Management Important?

Working with vendors brings speed and flexibility, but it also introduces risk. A single overlooked contract clause, compliance gap, or unreliable vendor can quickly turn into unexpected costs or security issues. That’s why vendor risk management is more than a checkbox; it's a safeguard for your business.

‍

Here’s why it matters:

‍

• Protects your business from compliance failures
  Regulations like GDPR or SOC 2 require proof that your vendors handle data responsibly. Without structured risk management, you leave your organization exposed to fines or reputational damage.
• Keeps costs under control
  Missed renewal dates, poor pricing terms, or overlapping tools can erode budgets. Vendor risk management helps you spot inefficiencies early and renegotiate from a position of strength.
• Improves operational resilience
  If a critical vendor goes offline or underperforms, your teams feel the impact immediately. Risk management ensures you have visibility into performance and contingency plans in place.
• Builds trust with stakeholders
  Finance leaders, procurement teams, and IT all need confidence that vendor relationships are safe and well-managed. A strong process shows you’re in control.

‍

With the right systems in place, vendor risk management isn’t just about avoiding problems, it's about creating efficiency, saving costs, and giving your team the confidence to grow. Platforms like Spendflo bring these processes into a single dashboard, so you can reduce risk and get full visibility without slowing the business down.

‍

VRM vs. Vendor Management vs. TPRM

Key Components of a Vendor Risk Management Program

A strong VRM program doesn’t just check boxes. It gives your business the visibility, control, and confidence to manage vendors safely and effectively. Here are the essential building blocks:

‍

Vendor Assessment

Every VRM program starts with a thorough vendor assessment. This involves collecting details on financial stability, compliance certifications (SOC 2, ISO 27001, GDPR), security practices, and past performance. The goal is to identify risks before contracts are signed, not after.

‍

Risk Categorization

Not all vendors carry the same level of risk. A SaaS platform handling sensitive customer data poses a higher risk than a marketing agency. Categorizing vendors into low, medium, and high risk helps you prioritize oversight and allocate resources effectively.

‍

Continuous Monitoring

A single point-in-time assessment isn’t enough. Risks change as vendors grow, update technology, or face regulatory changes. Continuous monitoring ensures you stay updated on security alerts, contract performance, and compliance lapses.

‍

Contract Management

Contracts are more than renewal dates. They define responsibilities, service levels, and penalties for non-compliance. Effective VRM uses contract management to enforce risk controls tracking clauses like data handling, breach notification, and audit rights.

‍

Incident Response Planning

Even with strong controls, incidents happen. A solid VRM program outlines how to respond if a vendor suffers a breach or fails to meet obligations. Clear escalation paths and predefined communication plans reduce downtime and limit damage.

‍

Third-Party Risk Exchanges

To scale risk management, many organizations participate in third-party risk exchanges. These platforms share standardized vendor risk data, cutting down redundant assessments and helping businesses evaluate vendors faster.

‍

What Is the Vendor Risk Management Maturity Model (VRMMM)?

The Vendor Risk Management Maturity Model (VRMMM) is a framework that shows how advanced your organization’s vendor risk management program is. It highlights the journey from reactive, ad hoc processes to fully integrated, proactive risk management.

‍

Instead of treating vendor risk as a checklist, VRMMM helps you benchmark your current state, uncover gaps, and prioritize improvements.

‍

Stage 1: Initial (Ad hoc)

• Vendor risks are only addressed when problems occur.
• No formal documentation or standardized assessments.
• High reliance on individuals and reactive decision-making.

‍

Stage 2: Repeatable (Basic)

• Some vendor assessments exist but vary by team or department.
• No central system, leading to duplication of effort.
• Inconsistent processes make comparison across vendors difficult.

‍

Stage 3: Defined (Structured)

• Organization-wide policies for vendor assessments are in place.
• Vendors are categorized by risk level (low, medium, high).
• Contracts begin to reflect compliance and security obligations.
• Processes remain manual with limited continuous monitoring.

‍

Stage 4: Managed (Proactive)

• Vendors are assessed regularly with formal monitoring processes.
• Dashboards and reports give visibility into vendor risks.
• Incident response plans include vendor-related scenarios.
• Still resource-intensive without automation.

‍

Stage 5: Optimized (Advanced)

• VRM is fully integrated with enterprise-wide risk management.
• Automation, analytics, and third-party risk exchanges are used.
• Continuous monitoring provides real-time visibility.
• Governance is ongoing, but gaps are minimal.

‍

Vendor Risk Management (VRM) Framework Structure

A vendor risk management framework is the blueprint that organizations use to identify, measure, and control risks throughout the vendor relationship. It typically covers the full lifecycle of working with vendors, supported by clear assessment methods, categorization rules, and maturity models to measure progress

‍

What Is the VRM Lifecycle?

The VRM lifecycle captures the stages of managing a vendor relationship from start to finish.

‍

1. Pre-engagement

• Assess potential vendors before contracts are signed.
• Collect compliance certifications, security posture, and financial stability data.
• Compare multiple vendors to identify the lowest-risk option.

‍

2. Engagement

• Establish contracts with clear risk clauses, service-level agreements (SLAs), and responsibilities.
• Categorize vendors by risk level and begin continuous monitoring of performance.
• Ensure stakeholders (procurement, finance, IT, security) stay aligned.

‍

3. Post-engagement

• Monitor vendors over time with audits, performance reviews, and compliance checks.
• Plan for incident response if a breach or service failure occurs.
• Evaluate renewal or exit decisions based on risk performance.

‍

Understanding Vendor Risk Assessment

A vendor risk assessment is the process of evaluating a vendor’s potential impact on your business. It typically reviews:

‍

• Security: Data protection policies, certifications (SOC 2, ISO 27001, GDPR).
• Compliance: Adherence to regulations relevant to your industry.
• Financial Health: Ability to sustain operations.
• Operational Risk: Reliability and continuity of services.
• Reputation: Past incidents or red flags.

‍

Risk Categorization Framework

Once assessments are complete, vendors are categorized into tiers to determine how much oversight is required.

‍

• Low Risk Vendors
  Vendors with minimal access to sensitive data or low impact on operations. These may require lighter monitoring.
  
• Medium Risk Vendors
  Vendors with some access to business data or tools critical to teams. Regular assessments and monitoring are needed.
• High Risk Vendors
  Vendors that process sensitive information, handle financial transactions, or are critical to business continuity. These require deep assessments, contract controls, and continuous monitoring.

‍

Vendor Risk Maturity Model Levels and Progression

The VRM Maturity Model (VRMMM) shows how organizations can grow from ad hoc risk management to advanced, automated programs:

‍

1. Initial (Ad hoc): No structured processes.
2. Repeatable (Basic): Some assessments exist but are inconsistent.
3. Defined (Structured): Policies and risk categories are standardized.
4. Managed (Proactive): Ongoing monitoring and dashboards are in place.‍
5. Optimized (Advanced): Continuous monitoring, automation, and risk exchanges drive efficiency.

‍

What is Vendor Risk Management ?

Vendor risk management involves a detailed process to prevent business disruptions and minimize adverse effects on performance stemming from engagement with service providers and IT suppliers. 

‍

This approach often leverages vendor risk management software, which helps managers evaluate, oversee, and control the risks associated with third-party vendors. These suppliers either offer IT products and services or have access to a company's information. In this context, the key aspect of a vendor risk management policy is to provide a strategic angle, ensuring that the relationships with these third parties do not jeopardize the enterprise's stability and operational integrity.

‍

‍

What Are the Different Types of Vendor Risks?

Every vendor relationship carries some level of risk. Knowing the different categories helps organizations prioritize monitoring efforts and apply the right safeguards.

‍

1. Cybersecurity Risks

Vendors usually access sensitive systems, and they might be a gateway to data breaches, ransomware, and system vulnerabilities. And, as an illustration, a payroll partner may have weak defenses that can reveal financial information of employees. Cybersecurity risk is the most pressing item of vendor evaluation since 60 percent of security incidents are caused by external partners (Forrester).

‍

2. Operational Risks

The core service vendors may cause any disruption, downtime, or service failure to impact your normal activities. The failure of a cloud storage provider to work will stop the internal cooperation, and the inability of a logistics partner to deliver a shipment on time might affect customer satisfaction. The important ones are to monitor the uptime, performance metrics, and contingency plans.

‍

3. Financial Risks

Unstable vendors might go bankrupt, default on payments, unexpectedly increase costs, or introduce hidden charges.In the event of a SaaS company failing or doubling charges, your cost and survival is in jeopardy. Reducing exposure can be achieved by reviewing audited financials, credit ratings and pricing models.

‍

4. Compliance Risks

Organizations are also obliged when their suppliers do not comply with such laws as GDPR, HIPAA, SOX, or PCI-DSS. The wrong treatment of personal data by a vendor may result in fines, lawsuits and the loss of client confidence. Other compliance risks include the failure to comply with the audit requirements or the failure to update controls. Best practices include incorporating audit rights within contracts and regularly reviewing compliance.

‍

5. Reputational Risks

Your vendors are related to your brand reputation. A vendor that has encountered ethical scandals, labor abuse, data abuse, or bad publicity can damage you by association. For example, if a vendor mishandles customer data, your organization may also be held responsible. Establishing transparent codes of conduct and keeping watch on reputations of the vendors can protect brand trust.

‍

6. Fourth-Party Risks

Suppliers tend to lean on sub-contractors or other collaborators and this poses risks that are many layers in. As an illustration, your cloud system provider might be relying on a third-party data centre operator. When that operator is breached in terms of security, it trickles down to you. Fourth-party risks are more difficult to track, but can be addressed by disclosing these vendors, contractual terms and real-time monitoring of risks.

‍

What is the benefit of vendor risk management?

An effective vendor risk management (VRM) framework does more than reduce exposure; it helps your business run faster, safer, and smarter. Key benefits include:

‍

1. Risk Minimization

This grouping of vendors as low-, medium- or high-risk will give you a good perspective of where to target. Focusing on the high-risk vendors will minimize the risk of security breach, loss of money, or even reputation. Risk assessments that are conducted by AI are capable of detecting problems early so that you can intervene before they get to be problems.

‍

2. Greater Regulatory Adherence.

As the scrutiny of GDPR, CCPA, HIPAA, and others is increasing, companies will be responsible for the behavior of their vendors. The compliance is inculcated within the vendor relationships through a structured VRM policy. The new AI-powered tools also keep audit logs and create compliance reports on demand, which makes regulatory assessment much less resource-intensive.

‍

3. Cost and Time Savings

This is done by a cohesive VRM initiative which reduces duplication and manual efforts within the finance, legal, IT and procurement. Automation with AI helps in minutes rather than hours to carry out tasks such as risk scoring, tracking and renewal messages of contracts. Users of Spendflo have seen savings of up to 30 percent on SaaS spend and 3x ROI in the first year - evidence that efficiency is directly converted to financial impact.

‍

4. Stronger Security Defense

Total security might not be possible, but documented risk management processes are due diligence in case of a breach. Monitoring of the vendor and their performance is enhanced by AI which keeps a watch over the behavior of the vendor to detect the vulnerabilities in the shorter time and liability is minimized.

‍

5. Greater Transparency

Transparent reporting will allow all stakeholders, from finance to IT, to clearly understand how the vendors are chosen, evaluated, and tracked. AI dashboards provide real-time access to vendor health, compliance ratings, and contract status, enhancing the ability of collaborators and decision-makers.

‍

6. AI Advantage Proactive Risk Prevention.

In contrast to the manual processes, which respond when risks are evident, AI-native vendor risk management tools anticipate the occurrence of a problem. You can act proactively to predictive analytics that will identify suspicious spending patterns, may be license abusers or vendors who are not adhering to the SLA terms.

‍

VRM Implementation Guide

Building a vendor risk management program can feel overwhelming at first. Breaking it into clear steps makes it easier to implement and scale. Below is a structured approach organizations can follow.

‍

A. The 7-Step Implementation Process

1. Define Objectives
   
   
   • Align VRM goals with business priorities such as compliance, security, and cost control.
     
     
2. Build Policies and Frameworks
   
   
   • Document the VRM lifecycle, risk assessment standards, and escalation paths.
     
     
3. Identify and Onboard Vendors
   
   
   • Create a centralized vendor inventory and classify each vendor by risk level.
     
     
4. Conduct Due Diligence
   
   
   • Evaluate security, compliance, and financial health before signing contracts.
     
     
5. Integrate Contract Management
   
   
   • Ensure contracts include clauses for data protection, SLAs, and breach notifications.
     
     
6. Enable Continuous Monitoring
   
   
   • Track vendor performance, compliance, and renewal timelines with dashboards and alerts.
     
     
7. Review and Improve Regularly
   
   
   • Audit processes, update frameworks, and refine monitoring as regulations and risks evolve.
     
     

B. Vendor Onboarding Procedures

• Collect essential documentation (certifications, policies, financial reports).
  
• Verify vendor identity and ownership details.
  
• Categorize vendors into low, medium, or high risk tiers.
  
• Set up communication protocols and assign internal stakeholders.
  
  

C. Due Diligence Checklists

A strong due diligence process should cover:

‍

• Security: SOC 2, ISO 27001, penetration test reports.
  
• Compliance: GDPR, HIPAA, CCPA, or industry-specific standards.
  
• Financial Stability: Credit ratings, audited statements.
  
• Operational Readiness: Business continuity and disaster recovery plans.
  
• Reputation: Past breaches, lawsuits, or regulatory fines.
  
  

D. Contract Management Integration

Contract management is at the heart of VRM. Best practices include:

• Embedding risk clauses (data handling, breach response, right-to-audit).
  
• Tracking renewal and termination dates to avoid lapses.
  
• Ensuring pricing, SLAs, and liability terms reflect the vendor’s risk level.
  
• Centralizing contracts in a single repository for easy access.
  
  

E. Continuous Monitoring Protocols

Risk management doesn’t stop at signing the contract. Ongoing monitoring includes:

• Automated alerts for security incidents or compliance violations.
  
• Performance dashboards to track SLAs and vendor obligations.
  
• Periodic reassessments, especially for high-risk vendors.
  
• Leveraging third-party risk exchanges to reduce redundant assessments.

‍

How to Conduct Vendor Risk Assessments

A vendor risk assessment is the foundation of a strong VRM program. It allows you to evaluate how a vendor might impact your business before you commit to working with them and ensures you’re not blindsided later.

‍

Here’s how to run an effective assessment:

‍

Step 1: Define What You’re Assessing

Decide which risk areas matter most to your organization. Common dimensions include:

‍

• Security: How well does the vendor protect data? (SOC 2, ISO 27001, penetration tests)
• Compliance: Do they meet regulatory requirements (GDPR, HIPAA, CCPA)?
• Financial Stability: Can they sustain operations long term?
• Operational Risk: Do they have disaster recovery and business continuity plans?
• Reputation: Any history of breaches, lawsuits, or regulatory fines?

‍

Step 2: Use Assessment Methods

There are several ways to collect vendor information:

‍

• Questionnaires: Custom or standardized (e.g., SIG Lite, CAIQ) to capture security and compliance details.
• Document Reviews: Certifications, audit reports, insurance policies, financial statements.
• Interviews: Direct discussions with vendor security or compliance officers.
• External Data Sources: Third-party risk exchanges, credit ratings, and security ratings platforms.

‍

Step 3: Distribute a Vendor Risk Questionnaire

A well-designed questionnaire is one of the most practical tools for gathering vendor data. It should cover:

‍

• Data handling practices (encryption, access controls, data residency).
• Incident response processes.
• Employee security awareness and training.
• Subcontractor and third-party relationships.
• Compliance with industry-specific regulations.

Tip: Tailor the questionnaire to vendor criticality don’t overwhelm low-risk vendors with hundreds of questions.

‍

Step 4: Score and Categorize the Risk

Use a scoring model to categorize vendors into low, medium, or high risk based on their responses and supporting documents. High-risk vendors require deeper due diligence and continuous monitoring.

‍

Step 5: Document and Review

Record the assessment in a central repository so all stakeholders procurement, finance, IT, and security have visibility. Review findings regularly, especially during renewals or after major vendor changes.

‍

How to Address a Vendor Breach

When a vendor breach occurs, the first priority is rapid detection, verification, and containment. This means confirming the incident, assessing which systems or data are impacted, and working with the vendor to limit exposure. Clear communication with internal teams, regulators, and customers guided by the contract’s breach clauses is critical to maintaining trust and compliance.

AI can make this process faster and more reliable. Continuous monitoring helps detect anomalies early, automated risk scoring prioritizes response, and predictive analytics highlight vendors most likely to pose future risks. With these capabilities, platforms like Spendflo help organizations move from reactive damage control to proactive vendor risk management.

‍

VRM KPIs & Tracking

Measuring vendor risk management (VRM) performance is just as important as building the framework. The right KPIs and dashboards ensure leaders know whether vendor risks are being managed effectively and whether the program is delivering ROI.

‍

Vendor Performance KPIs

• SLA adherence (uptime, response times)
• Incident frequency and resolution time
• Audit findings and remediation completion rates
• Vendor satisfaction scores from internal stakeholders

‍

Risk Scoring Methodologies

• Weighted scoring models (security, compliance, financial, operational risks).
• AI-driven scoring that updates automatically as vendor conditions change.
• Tiering into low, medium, and high risk for easier prioritization.

‍

Reporting and Dashboard Examples

• Centralized dashboards showing vendor risk levels by tier.
• Heat maps highlighting critical vendors at higher risk.
• Trend reports for renewals, compliance lapses, and SLA breaches.

‍

ROI Measurement for VRM Programs

• Cost savings from avoided disruptions or renegotiated contracts.
• Reduction in audit preparation time.
• Faster vendor onboarding cycles.
• Time saved through automation and fewer manual assessments.

‍

Benchmark Data and Industry Standards

• According to Gartner, the average company wastes 30% of SaaS spend on unused or poorly managed tools.
• Deloitte reports that 40% of businesses lack a clear SaaS inventory, increasing risk exposure.
• Benchmarking against peers helps demonstrate maturity and justify investment in VRM.

‍

Regulatory Requirements for Vendor Risk Management

Vendor risk management isn’t just best practice, it's a compliance requirement in many industries. Regulations often hold companies accountable for the security and compliance of their third-party vendors.

‍

Key Regulatory Frameworks

• GDPR (EU): Requires proof that vendors protect personal data and notify you of breaches.
• HIPAA (US healthcare): Mandates vendor safeguards for patient data through Business Associate Agreements.
• CCPA (California): Extends consumer data rights, including oversight of vendor data practices.
• SOC 2 & ISO 27001: Industry standards for data security, often expected in vendor contracts.
• FFIEC & OCC (US financial services): Require banks to manage third-party risks and document oversight.

‍

Compliance Monitoring

Meeting these requirements means more than signing a contract. Organizations need continuous monitoring to verify vendors stay compliant tracking certifications, audit reports, and breach notifications. AI-powered platforms like Spendflo simplify this by centralizing vendor compliance data, automating alerts for expiring certifications, and ensuring you’re always audit-ready.

‍

VRM Tools & Technology

‍

Vendor risk management today relies heavily on technology to reduce manual work and improve accuracy. Modern VRM software combines automation, real-time monitoring, and seamless integrations to help businesses stay compliant and resilient.

‍

1. Core Capabilities

At its core, VRM software should provide:

‍

• Centralized vendor database and contract repository
• Automated vendor onboarding workflows
• Risk tiering and categorization
• Audit trails and reporting features

‍

2. AI and Automation in VRM

Repetitive work like risk assessments, reviewing of contracts and compliance checks can be automated using AI-based tools. The automated reminders in case of renewal and audits of vendors minimize the possibility of human error and accelerate the overall process.

‍

3. Interoperability with the Existing Systems.

VRM platforms are to be connected with ERP, procurement, finance, and IT systems to be the most efficient. This guarantees smooth flow of vendor data within departments, eradicating silos and providing the stakeholders with one source of truth.

‍

4. Real-Time Monitoring Reports.

Intuitive dashboards provide clear, real-time visibility into vendor performance, compliance status and risk scores. Live tracking assists teams in detecting anomalies at the earliest and respond promptly.

‍

5. Risk Scoring Automated Mechanisms.

Risk scoring is an AI-based risk assessment of vendors, which is performed continuously and is based on a set of predetermined criteria, including financial health, data security, and regulatory compliance. This aids organizations to put high risk vendors first and resource allocation is better.

‍

Vendor risk management best practices

To manage risks effectively, we have curated some vendor risk management best practices you can follow:

‍

1. Use a procure-to-pay (P2P) system

Effective vendor management, from the initial onboarding to the development of mutually beneficial partnerships, requires a holistic and integrated approach, particularly in a comprehensive P2P system. 

‍

Incorporating Spendflo's Third-Party Risk Assessment into a P2P system enhances vendor management by providing clear visibility into spending and vendor behaviors. This streamlines onboarding, ensures compliance management, and offers real-time monitoring and analytics for a more secure and data-backed vendor management process. The result is a more streamlined, informed, and resilient P2P process—decisions are based on financial considerations and a comprehensive understanding of vendor-related risks.

‍

2. Assign a dedicated risk team

Creating a dedicated team to oversee vendor risk can immensely help. This team is responsible for identifying and addressing issues promptly, formulating and enforcing policies. As a result, everyone in the organization is considered a stakeholder in vendor risk management.

‍

3. Formalize risk assessment

Your procurement team should onboard vendors following established protocols, starting with a formal vendor assessment. This process, ranging from simple questionnaires to sophisticated digital assessment tools, is facilitated by a superior P2P solution. 

This identifies and eliminates unsuitable suppliers while scrutinizing qualified ones more effectively.

‍

4. Track vendor performance

Metrics such as cybersecurity robustness, HIPAA compliance, delivery punctuality, and use of sustainable materials should be incorporated. Tracking these KPIs helps in monitoring supplier performance. Vendor management solutions can streamline and accelerate this process, allowing for consistent monitoring and real-time adjustments to the supply chain to prevent potential risks.

‍

5. Watch out for fourth-party risks

In some cases, even without formal agreements with your suppliers, vendors can pose risks. To counter this, implement stringent vendor risk management standards for your suppliers to manage their vendors effectively. Suppliers adhering to these standards are preferable, reducing overall risk and streamlining your supplier assessment and onboarding processes.

‍

6. Include risk management in business continuity planning

Supplier-related risks, from data security breaches to unethical behaviors, can also threaten your business. Vendor risk management is closely tied to disaster response and recovery. 

Make sure your vendor risk management program has strategies in place for quickly substituting any supplier that doesn't comply with your criteria and presents intolerable risks.

‍

Take control of your vendor risk management with Spendflo

Ignoring vendor risks leaves your business exposed to compliance penalties, security breaches, and unnecessary costs. That’s why leading finance and procurement teams turn to Spendflo. One SaaS company saved $500K in the first year by consolidating vendor oversight, cutting wasted SaaS spend, and reducing compliance gaps with Spendflo’s AI-powered platform.

‍

Without automation, your teams will stay buried in spreadsheets, renewal surprises, and manual audits. With Spendflo, vendor risk management becomes seamless: assessments are automated, compliance is tracked in real time, and risks surface in one intuitive dashboard. The result? Up to 30% savings on SaaS spend and 3x ROI in year one.

‍

Ready to protect your business and free your team from manual vendor management? Book a free demo today.

‍

Frequently Asked Questions

How often should vendor assessments be conducted?

Vendor risk assessment The vendor risk assessment must be done at least once a year. Nevertheless, in the case of high-risk vendors, i.e. those operating with confidential financial or customer data, quarterly or bi-annual reviews are advised. Frequent evaluations allow us to detect the risks at the early stages, keep contractual obligations, and make sure that the vendors are performing as expected.

‍

What are the costs of poor vendor risk management?

Vendor risk may result in loss of money, compliance fines, reputation, and loss of business. As an example, a third-party vendor can compromise security exposing sensitive information leading to millions of fines and trust loss.Effective risk management saves costs and safeguards your brand.

‍

How to handle vendor risk assessment failures?

In case a vendor does not pass an assessment, begin with a remediation plan. Map out the problems, establish deadlines in case of corrective measures, and control the situation. In case the vendor fails to fulfill needs, change suppliers or restrict their access to the vital systems. Compliance requires documentation at each point.

‍

Best practices for vendor contract risk clauses

In writing vendor contracts, provide:

‍

• Data security: Adherence to such regulations as GDPR/CCPA.
• Audit rights: Reviewing of vendor practices.
• Termination rights: Exit rights, in case of failure by vendors to deliver.‍
• Business continuity: Disaster recovery and backup requirements.