Business Operations SOP

Vendor & Subscription Review SOP #

This SOP defines how PrecisionTech reviews, records, monitors, and controls business vendors, software subscriptions, licensing, renewals, service dependencies, tool ownership, security exposure, and operational risks.

Core Vendor Control Principle #

A vendor or subscription should not exist without a clear business purpose, owner, renewal awareness, access control, cost visibility, and risk review. Tools must support PrecisionTech’s operations, not create unmanaged complexity.

Vendor & Subscription Categories #

Vendor & Subscription Review Procedure #

1. Maintain the register: Record each active vendor, subscription, licence, platform, or service dependency in the approved vendor and subscription register.
2. Confirm business purpose: Verify why the vendor or subscription is used and which PrecisionTech service or internal function it supports.
3. Assign ownership: Each vendor or subscription must have an internal owner responsible for review, renewal tracking, access oversight, and issue escalation.
4. Review cost and billing: Confirm billing frequency, cost, payment method, renewal date, price changes, duplicate subscriptions, and unused licences.
5. Review access and security: Confirm administrator access, MFA, user access, password storage, offboarding control, and whether access is still appropriate.
6. Review service performance: Check uptime, support responsiveness, reliability, recurring issues, vendor communication, and whether the tool remains fit for purpose.
7. Review client impact: Identify whether the vendor supports client delivery, affects Business Care clients, stores client data, or creates service dependency risk.
8. Review data and privacy exposure: Check whether the vendor stores financial, client, system, identity, security, or sensitive business information.
9. Identify risks: Record risks relating to renewals, access control, cost increase, vendor lock-in, data exposure, backup gaps, poor support, or business continuity.
10. Create action items: Assign follow-up actions for renewals, cancellation, licence cleanup, access changes, cost review, security remediation, or vendor escalation.
11. Escalate critical concerns: Escalate any issue affecting client delivery, cybersecurity, financial data, business continuity, legal obligations, or owner-level decisions.
12. Document the review: Update the register, action item tracker, risk register, and internal business review record where applicable.

Recommended Review Rhythm #

• Monthly: Review upcoming renewals, new subscriptions, cancelled subscriptions, billing changes, licence usage, and urgent vendor issues.
• Quarterly: Review vendor performance, cost value, access control, MFA status, client data exposure, and operational dependency risks.
• Annually: Review all vendors and subscriptions for continued business fit, price value, duplication, security posture, contract terms, and strategic alignment.
• Event-Based: Review after vendor outages, data concerns, security incidents, pricing changes, tool replacements, client onboarding changes, or service model changes.

Vendor & Subscription Register Template #

Renewal Decision Guide #

• Renew when the tool is still used, cost is justified, access is controlled, and it supports current business operations.
• Downgrade when the tool is useful but the plan level, licence count, or feature set exceeds current needs.
• Replace when the tool is unreliable, insecure, too costly, duplicated, poorly supported, or no longer fit for purpose.
• Cancel when the tool is unused, duplicated, no longer required, or creates more risk than value.
• Escalate when the vendor affects client delivery, security, financial data, business continuity, or contractual obligations.

Related SOPs and Records #

• Business Operations Master SOP
• Internal Business Review SOP
• KPI & Metrics Tracking SOP
• Action Item & Follow-Up Management SOP
• Operational Risk Register SOP
• Client Health Review SOP
• Incident Response SOP
• Backup Verification SOP
• Business Continuity SOP
• Documentation Standards SOP

Escalation Triggers #

• Vendor outage affects client service or internal operations.
• Vendor stores client, financial, identity, or sensitive data and security concerns are identified.
• Admin access is not controlled or MFA is missing on critical platforms.
• Renewal is approaching and the owner has not approved continuation.
• Subscription cost increases materially or becomes commercially unsuitable.
• Critical licence, domain, hosting, email, backup, or security service may expire.
• Vendor support failure affects client delivery, continuity, or security response.
• Tool replacement, cancellation, or migration requires owner-level decision.

Completion Checklist #

• Vendor or subscription recorded
• Business purpose confirmed
• Internal owner assigned
• Admin access owner confirmed
• Cost and billing reviewed
• Renewal date checked
• Licence usage reviewed
• Access and MFA reviewed
• Data handled identified
• Client impact assessed
• Vendor performance reviewed
• Risk rating assigned or updated
• Action items created where required
• Escalation raised where required
• Register updated and archived

Document Control #

Owner: PrecisionTech

Applies To: Business Operations, Vendor Management, Subscription Management, Client Service, Bookkeeping, IT Support, Cybersecurity, Business Care Plans, Risk Management, Business Continuity

Review Frequency: Monthly for renewals and urgent issues; quarterly for access, cost, vendor performance, and risk; annually for full vendor review

Last Reviewed: [Insert Date]

Version: 1.0