What is vendor risk management from the AP seat?
Reference guide to vendor risk management finance, including vendor records, onboarding requirements, compliance checks, fraud controls, and payment readiness.
Vendor risk management from the finance seat is the disciplined assessment of which suppliers could hurt you financially or operationally - through fraud, payment errors, concentration, financial distress, or compliance failure - and applying proportionate controls. It overlaps with but differs from the IT/security vendor-risk program (which focuses on data access and cybersecurity): AP's lens is money movement, continuity of supply, and the integrity of payment instructions.
At a Glance
| Aspect | Short Answer | Why It Matters |
|---|---|---|
| Vendor risk management | Vendor risk management from the finance seat is the disciplined assessment of which suppliers could hurt you financially or operationally - through fraud, payment errors, concentration, financial distress, or compliance failure - and applying proportionate controls. | Keeps evidence clear and reduces control risk. |
| Risk check | Tier on a few signals: annual spend, business criticality (single-source? would a failure stop operations?), data access, and payment risk (international, frequent banking changes). | Keeps vendor records and payment decisions reliable. |
| Vendor concentration risk | It's over-dependence on a single vendor - if too much of your spend or a critical input runs through one supplier, their failure becomes your crisis. | Keeps vendor records and payment decisions reliable. |
| Vendor impact | Watch the operational tells you already see - slipping delivery, quality drops, sudden payment-term demands, requests for upfront deposits - and layer credit monitoring or news alerts on your critical suppliers. | Reduces payment errors, timing issues, and reconciliation cleanup. |
| A critical single-source vendor | Move fast: inventory open POs, deposits paid, and payments in flight (hold what you can); understand your position as a creditor and any setoff rights (amounts they owe you against amounts you owe them); preserve documentation; and activate your alternate-supply contingency. | Reduces payment errors, timing issues, and reconciliation cleanup. |
How do I risk-tier vendors and what extra diligence per tier?
Tier on a few signals: annual spend, business criticality (single-source? would a failure stop operations?), data access, and payment risk (international, frequent banking changes). High-tier vendors warrant deeper onboarding diligence, stronger verification, financial monitoring, and a continuity plan; low-tier vendors get the baseline. The point of tiering is to spend your scarce diligence where a failure actually hurts, not to do enhanced due diligence on the office coffee supplier.
What is vendor concentration risk and how do I measure it?
It's over-dependence on a single vendor - if too much of your spend or a critical input runs through one supplier, their failure becomes your crisis. Measure it as a vendor's share of total spend (and separately, of spend in a critical category); a single vendor commanding an outsized share, especially as a sole source, is the flag. The threshold is judgment, but anything dominating a critical category deserves a contingency.
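The tiering signals above and the spend-share measure of concentration can be worked as one small calculation. The following is an added example, not code from the page or from Stampli; the field names, point weights, spend cut-offs and the 25% / 60% share thresholds are assumptions chosen to illustrate the logic, and the vendor list is constructed sample data.

```python
# Added example (not the page's or Stampli's code): tier vendors on the signals
# the page names and measure concentration as share of spend.
# Field names, weights and thresholds are assumptions for illustration.
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    annual_spend: float           # currency units, trailing 12 months
    category: str                 # spend category, e.g. "components"
    single_source: bool = False   # no qualified alternate supplier
    operations_critical: bool = False  # would a failure stop operations?
    data_access: bool = False     # handles our data or is integrated into our systems
    international: bool = False   # cross-border payments
    banking_changes_12m: int = 0  # bank-detail changes in the last 12 months


def risk_tier(v, spend_high=250_000.0, spend_mid=50_000.0):
    """Return 'high', 'medium' or 'low' from spend, criticality, data access and payment risk.

    The point weights are an assumption; the signals are the ones the page lists.
    """
    score = 0
    if v.annual_spend >= spend_high:
        score += 2
    elif v.annual_spend >= spend_mid:
        score += 1
    if v.single_source or v.operations_critical:
        score += 2                     # a failure here stops operations
    if v.data_access:
        score += 1
    if v.international or v.banking_changes_12m >= 2:
        score += 1                     # payment-instruction risk
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def concentration(vendors):
    """Map vendor name -> (share of total spend, share of its category's spend)."""
    total = sum(v.annual_spend for v in vendors)
    by_category = {}
    for v in vendors:
        by_category[v.category] = by_category.get(v.category, 0.0) + v.annual_spend
    shares = {}
    for v in vendors:
        cat_total = by_category[v.category]
        shares[v.name] = (
            v.annual_spend / total if total else 0.0,
            v.annual_spend / cat_total if cat_total else 0.0,
        )
    return shares


def concentration_flags(vendors, total_threshold=0.25, category_threshold=0.60):
    """Names of vendors whose spend share (or sole-source category share) needs a contingency."""
    shares = concentration(vendors)
    flagged = []
    for v in vendors:
        total_share, cat_share = shares[v.name]
        if total_share >= total_threshold or (v.single_source and cat_share >= category_threshold):
            flagged.append(v.name)
    return flagged


# Constructed sample data (not real vendors).
SAMPLE_VENDORS = [
    Vendor("Acme Components", 400_000, "components", single_source=True, operations_critical=True),
    Vendor("Cloud Payroll Ltd", 120_000, "software", data_access=True, international=True),
    Vendor("Global Freight", 180_000, "logistics", international=True, banking_changes_12m=2),
    Vendor("Sparkle Cleaning", 30_000, "facilities"),
    Vendor("Office Coffee Co", 6_000, "facilities"),
]


def tier_report(vendors):
    """Vendor name -> tier, the first column of a one-page risk register."""
    return {v.name: risk_tier(v) for v in vendors}


if __name__ == "__main__":
    for name, tier in tier_report(SAMPLE_VENDORS).items():
        print(f"{name:20s} {tier}")
    print("concentration flags:", concentration_flags(SAMPLE_VENDORS))
```

On the sample data the sole-source components supplier lands in the high tier and is the only concentration flag (over half of total spend and all of its category), while the coffee supplier stays low-tier with no extra diligence, which is the outcome the tiering rule is meant to produce.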
How do I monitor vendors for financial distress?
Watch the operational tells you already see - slipping delivery, quality drops, sudden payment-term demands, requests for upfront deposits - and layer credit monitoring or news alerts on your critical suppliers. For a single-source vendor showing distress, line up an alternate before you need one; the early signals usually precede the bankruptcy filing by months.
A critical single-source vendor just filed for bankruptcy - immediate AP actions?
Move fast: inventory open POs, deposits paid, and payments in flight (hold what you can); understand your position as a creditor and any setoff rights (amounts they owe you against amounts you owe them); preserve documentation; and activate your alternate-supply contingency. Coordinate with legal - bankruptcy changes what you can and can't do with payments, and the automatic stay constrains your options.
What vendor risk checks belong at onboarding vs ongoing monitoring for a lean team?
At onboarding: identity/legitimacy verification, sanctions screening, banking verification, and tax documentation. Ongoing: re-screen sanctions periodically, monitor critical vendors for distress, re-verify on banking changes, and watch concentration. A lean team front-loads the cheap one-time checks and reserves continuous monitoring for the handful of vendors that could actually hurt them.
Should AP care about vendor cybersecurity risk?
Yes, at the seam where it becomes payment fraud: a vendor's breached email is *your* BEC problem the moment a fraudster emails you fake banking details from their compromised mailbox. AP doesn't run the security assessment, but it should treat vendor breach news as a payment-fraud trigger - re-verify before paying any vendor you know has been compromised.
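The onboarding checks, the ongoing re-verification on banking changes, and the breach-as-trigger rule in the two answers above amount to a payment-readiness gate. The following is an added example, not code from the page or from Stampli; the record fields, the 90-day sanctions re-screen window and the sample records are assumptions constructed for illustration.

```python
# Added example (not the page's or Stampli's code): a payment-readiness gate that
# returns the reasons a payment should be held. Fields and the re-screen window
# are assumptions; the records below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class VendorRecord:
    name: str
    identity_verified: bool                  # onboarding: legitimacy check done
    tax_docs_on_file: bool                   # onboarding: tax documentation received
    sanctions_screened_on: Optional[date]    # last sanctions screen
    bank_details_verified_on: Optional[date]  # last out-of-band bank verification
    bank_details_changed_on: Optional[date] = None  # last change to bank details
    breach_reported_on: Optional[date] = None      # when we learned the vendor was compromised


def payment_hold_reasons(rec, today, rescreen_days=90):
    """List why a payment to this vendor should be held; empty list means payable."""
    reasons = []
    if not rec.identity_verified:
        reasons.append("identity not verified")
    if not rec.tax_docs_on_file:
        reasons.append("tax documentation missing")
    if rec.sanctions_screened_on is None or (today - rec.sanctions_screened_on).days > rescreen_days:
        reasons.append("sanctions screening missing or stale")
    if rec.bank_details_verified_on is None:
        reasons.append("bank details never verified")
    elif rec.bank_details_changed_on and rec.bank_details_changed_on > rec.bank_details_verified_on:
        # Ongoing control: any change to payment instructions must be re-verified before paying.
        reasons.append("bank details changed after last verification")
    if rec.breach_reported_on and (
        rec.bank_details_verified_on is None or rec.bank_details_verified_on < rec.breach_reported_on
    ):
        # Breach news is a payment-fraud trigger: verification older than the breach does not count.
        reasons.append("vendor breach reported; re-verify payment details")
    return reasons


def payable(rec, today, rescreen_days=90):
    return not payment_hold_reasons(rec, today, rescreen_days)


# Constructed sample records (not real vendors).
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    VendorRecord("Clean Vendor Ltd", True, True, date(2024, 4, 15), date(2024, 1, 10)),
    VendorRecord("Changed Bank Co", True, True, date(2024, 5, 1), date(2024, 1, 10),
                 bank_details_changed_on=date(2024, 5, 20)),
    VendorRecord("Breached Supplier", True, True, date(2024, 5, 1), date(2024, 3, 1),
                 breach_reported_on=date(2024, 5, 25)),
    VendorRecord("Stale Screen Inc", True, False, date(2023, 12, 1), date(2024, 1, 10)),
]


def hold_report(records, today=TODAY):
    """Vendor name -> list of hold reasons, for an AP review queue."""
    return {r.name: payment_hold_reasons(r, today) for r in records}


if __name__ == "__main__":
    for name, reasons in hold_report(SAMPLE_RECORDS).items():
        print(f"{name:20s} {'PAYABLE' if not reasons else 'HOLD: ' + '; '.join(reasons)}")
```

The gate is deliberately ordered so that a bank-detail change or a breach report blocks payment even when every onboarding check passed; the re-verification itself (calling a known-good number, not the one in the change request) happens outside the code, and only its date is recorded.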
Vendor risk scoring tools and credit monitoring - when does a mid-market company need one?
Worth it when vendor count and criticality outgrow manual tracking, when contracts or customers require documented vendor risk programs, or when a few critical single-source relationships justify continuous credit monitoring. Below that, a simple risk register plus sanctions screening and banking verification covers most of the exposure at a fraction of the cost.
How do I build a simple vendor risk register without a GRC platform?
A spreadsheet or your vendor system's fields will do: list critical vendors, their tier, key risks (single-source, financial, data, compliance), the controls in place, and a review date. Keep it short and current rather than comprehensive and stale - a one-page register that's actually reviewed beats a GRC platform nobody opens.
Stampli perspective
Stampli surfaces the AP-side risk signals where they matter - payment-detail changes that no longer match a known vendor, missing or expired compliance documents that gate payability, and the full history of who changed what on a vendor record. Combined with vendor spend visibility, that gives finance the operational inputs to a risk view: which vendors carry the most spend, which have control gaps, and which payment changes warrant a closer look - without a separate GRC platform.