That risk is heightened by the tendency of some business execs to buy software and services directly, without going through central channels -- the rise of so-called 'shadow IT'.
But facing up to the challenge of managing an array of suppliers is necessary, as businesses will increasingly require help from a broad spectrum of emerging vendors if they want to stay competitive in the fast-moving digital space, says Joanne Spencer, research director with Gartner.
"The emerging vendors are an interesting grouping. Primarily because they're the ones that are bringing a lot of innovation to the organization," she says.
"Those vendor relationships really need to ensure proper engagement that goes beyond that operational contractual element. So we're starting to look at things like culture alignment, trust, communication and collaboration."
But how can this pool of emerging vendors be successfully managed, and how do they fit alongside the many legacy vendors that every large business relies upon?
Types of vendors and how to handle them
Broadly, there are four types of vendor, according to Gartner's Spencer.
Tactical vendors that provide ongoing support or services, from whom businesses primarily want a reliable continuity of service.
Legacy vendors that organizations have relied upon for a long time but that firms are looking to transition away from in the near future.
Strategic vendors that are working closely with an organization on broader projects to realize key business goals.
Emerging vendors, of the type typified by these smaller cloud-based firms, who over time will likely become either strategic or tactical vendors.
Managing each of these vendors requires a different approach, although there are broad strategies that firms can use.
Gartner's Spencer highlights three typical approaches to vendor management.
The first is centralized, where everything -- including contract, performance, financial, risk and relationship management -- is handled centrally by vendor management and procurement professionals. This offers control and consistency, but can be inflexible and slow to react.
Another common approach is decentralized, where vendor management is generally handled by individual business and IT departments, which has the benefit of being more responsive to issues as they arise but can have laxer and less consistent controls.
The third, more recent approach, is hybrid, where vendor management functions are spread across the organization, according to where they fit best. In this scenario certain functions, such as contract management, could be handled centrally, while others, such as performance management, are carried out by individual departments or IT groups.
Fuelled by the need for a style of vendor management suited to handling a fast-changing ecosystem of cloud vendors, Gartner's Spencer says more firms are moving to this hybrid model.
"A lot of that is sourcing and vendor management leaders responding to those organizational shifts," she says.
"We're starting to contract in different ways where we're looking at cloud services, we're looking at digital business. We're starting to look at different ways that the products and services are brought in. The techniques are adapting as the organization changes."
There is a difficult balance to be struck when managing emerging vendors says Gartner, which recommends a "light-touch approach" that allows for oversight without imposing "formal vendor management structures".
"Unleash the creativity and innovation from niche and digital business vendors by supporting the business with tools, processes and supportive vendor governance mechanisms," the report Six Key Steps to Developing Effective Vendor Management Governance recommends.
Getting the best from strategic vendors
Alongside emerging vendors, strategic vendors have a crucial role to play in realizing business goals and need to be treated accordingly, says Duncan Jones, principal analyst with Forrester.
Jones gives the example of a strategic vendor who has been employed to design and build some customer-facing piece of technology, such as a website or an app.
Here the prescriptive approach taken to managing operational vendors, where the approach taken is spelled out to the letter, can be a poor fit, he said.
"Traditional outsourcing is buying a painter, what organizations need to do is buy interior designers," said Jones.
He recommends that firms commission vendors who have performed well at similar tasks in the past, and then give those vendors freedom to decide how to achieve high-level goals -- increasing customer engagement or completed sales, for example.
"There are instances where the firm tells the outsourcer exactly what they want to do, and the outsourcer does exactly what they've been told to do, and the customer says: 'That's not very good, that's not what I wanted'," he said.
For instance, in the case of mobile banking apps, "what you're after is somebody who will be able to understand mobile design, who can say 'That's not how you build a mobile app these days'", Jones said.
"They have expertise and skills, and you have expertise and skills, and you have to put these together to develop the result."
Controlling costs is the table stakes for vendor management, says Jones, adding that 'next-generation' approaches to managing strategic vendors put a greater emphasis on realizing broader business goals, such as improving that firm's customer service.
In general, a myopic focus on service-level agreements (SLAs) can hide undesirable outcomes, he warns.
"If you only measure the hard service levels that are in a contract you're not necessarily going to pick up on the softer things about the customer experience," he says.
He gives the example of a firm where "the vendor was meeting their targets for service levels for helpdesk tickets because nobody bothered creating helpdesk tickets, because the service was so lousy it wasn't worth the effort."
Also, firms shouldn't get too hung up on vendor deals that push all of the risk and costs onto the supplier, says Jones, pointing out that saving a few million dollars can pale into insignificance compared to cost to a company's reputation if a customer-facing service goes down.
"It requires an acceptance that the supplier is going to make a profit out of working with you," says Jones.
"A lot of the wrong type of vendor management is squeezing the suppliers, you get them to pick up all the risk, you charge penalties. They're making less and less money, which means they will cut more and more corners to try and make it profitable and it spirals downwards into a mess."
"The best relationships understand that vendors do need to make a margin, then they're able to go the extra mile when you need them to."
The first step is to know yourself
But perhaps the biggest lesson in vendor management is that many businesses need to get their own house in order first.
Ovum chief analyst Spencer Izard says the first step before a business chooses a vendor or decides on a management plan is understanding how their business operates and its goals.
Firms need a handle on "how do they need to deliver services, business support and technology services", he said.
"Once they can understand that step, and that it's a heck of a lot of work, once they can understand and unpick that, it positions them to understand how they need to consume IT services from external parties, and what their licensing agreements need to be."
Too tightly prescribing technologies can be a mistake, said Izard, who feels that rigid contracts with service providers can tie a firm to outdated or undesirable tech.
"Let me give you an example. Obviously database technology changes regularly: Microsoft, Oracle, everybody else releases new products on a yearly basis," he said.
"Often, you'll probably find if you buy a software license for three-year period, you'll probably find say that Microsoft will cover you for being able to install the next version of its database software SQL Server."
"Your services contract, however, has historically been quite tightly defined, to not be evergreen, to say 'We will support the technology as it was handed to us on the day the contract was signed'."
Primarily, it's important to try to manage vendors in a way that gives them latitude to change the services they provide as the needs of the business shift, whether that be due to new goals, changing customer demand or new technologies, said Izard.
"There's a level of alignment between businesses and IT that needs to occur," he added.
"If those business functions have to change how they operate because their industry is under threat or there is a new area they need to expand into, the IT services need to be sensitive enough to deliver to that new cadence."
Ideally, as well as not being too detailed and prescriptive, where possible, service provider contracts should have regular opportunities to be refreshed, he says. Izard recommends "a yearly review cycle that looks at" whether "the business's strategy and operating requirements are changing" and how those changes might require tweaks to the contract.
As the number of software- and infrastructure-as-a-service offerings continue to grow, and as customer-facing apps and services need to be built ever more rapidly, firms will need to be more flexible in how they manage these partner organizations said Forrester's Jones.
"I do see a lot of clients where their traditional procurement/vendor management is a big obstacle.
"They're still trying to do things in the old way. They're still trying to do fixed-bid contracts for work that can't be done that way. Or they're trying to control costs in work where agility and outcomes are more important than costs.
"Forrester talks about moving from perfect to fast. That means getting a minimum value product out fast, getting customer reaction to it, iterating quickly to improve it and address issues. You just can't do that via the traditional fixed bid model.
"If other companies are moving faster, and if you're not getting faster, you get left behind."
Gartner has a set of general tips for managing vendors, with recommendations including:
Create a central governance council, made up of executives with authority to sign contracts with vendors, and who can establish management policies and processes, as well a criteria for adding and removing vendors.
Identify the goals for vendor management, the activities that will realize those goals and who should be involved in overseeing them. Alongside, firms should establish policies that lay out the rules that will guide how these activities will be conducted, setting out the approach to areas such as risk and performance management.
Establish processes relating to areas such as vendor risk assessment, evaluation, onboarding, risk monitoring, issue and escalation management, contract and performance management.
Choose whether the vendor management will be handled using a centralized, decentralized or hybrid approach.
Areas that need defining include business and technology requirements, who has authority to direct vendors work and which vendors will do which work. Firms should also put in a place a charge-back process that allocates cost to business units consuming each service and a monitoring, analysis and forecasting platform that scrutinizes vendor-delivered services.
Common risks to successful vendor management stem from ill-defined governance roles and policies and a lack of support from senior management. Better senior support can be achieved by more closely aligning the goals of vendor management program with the business' mission statement, while governance should be brought in line with the broader corporate approach. Meanwhile representatives from each support area -- HR, legal, finance, risk, security -- should be given an input into vendor management policies.