The Five Vendor Risk Domains Every Library Should Evaluate
What to look for, what to demand, and what contract language should make you walk away.
- Evaluate every vendor across five domains: stability, contract/data terms, support, security, and equity impact.
- The time to negotiate is before you sign. After year two, switching costs make leaving nearly impossible.
- Watch for four predatory AI contract traps: training rights, unaccountable AI, no audit rights, and liability carve-outs.
- Always ask: "Whose services get cut to fund this decision?" If it's low-income branches, that's a mission failure.
Where this comes from: The evaluation framework below is adapted from vendor risk assessment surveys used in legal tech knowledge management. Those survey instruments were shared with me by practicing knowledge managers, then reworked for library technology contracts based on real consulting engagements, contract negotiations, and the patterns that actually show up in library vendor deals.
Want a quick score first? Run the Vendor Evaluation Wizard (5 minutes, 15 questions) and come back here to dig deeper into your results.
Understanding Vendor Risk
Vendor decisions shape your library's entire future. But vendor lock-in is real. After year two or three, switching costs become prohibitive. The time to negotiate (when you have leverage) is before you sign.
When you're evaluating a vendor, five critical areas can cause problems. These domains cover the full lifecycle of the vendor relationship, from deciding whether to talk to them through the day you need to extract your data because they failed you.
Domain 1: Vendor Stability
Will They Still Be There in Year 5?
The question: Is this vendor financially healthy enough to keep operating for the duration of your contract? Do they have the expertise to support what they're promising? Are they growing or dying in the market?
Vendor failures are deeply disruptive. If your ILS vendor goes out of business, you lose access to your entire catalog. You're forced into an emergency migration. Staff are stretched thin. Patrons lose access to their holds. Meanwhile, you're probably still contractually obligated to pay the dying vendor's final invoices.
What to evaluate:
- Company financial health: Company size, funding, growth trajectory. A vendor with 500+ employees and recent funding is less likely to disappear than a one-person operation. Ask: "How many libraries are you currently serving? What's your annual revenue?" A vendor refusing to answer is a red flag.
- Time in business: Newer vendors (under 3 years) are higher risk due to startup failure rates. Vendors losing market share to competitors are riskier than those with stable or growing presence.
- Team stability: Has leadership been consistent? Is there an active product development team, or just a support team keeping things limping along?
- References from similar libraries: Talk to libraries like yours. Listen for: "We had to migrate data in a rush when they got acquired" or "Support disappeared when the founder left."
Domain 2: Contract & Data Terms
Can You Actually Leave?
The question: What happens to your data if you need to exit? How much will it cost to switch vendors? Are you locked in by contract language that makes leaving prohibitively expensive?
Lock-in is how vendors extract value. If leaving costs $200K in migration expenses and six months of staff time, you won't leave even if the vendor is terrible. The time to negotiate exit terms is upfront, when you have leverage.
What to evaluate:
- Data export requirements: Demand specific language: "Vendor shall provide complete export of all Customer Data, in MARC format and vendor-proprietary format, within 30 days of written request, at no additional cost." Don't settle for vague timeframes and negotiated rates, because that's code for "we'll drag it out and charge you."
- Total cost of ownership: It's not just the license fee. Calculate: License + implementation + customization + training + migration costs + switching costs. A vendor might charge $80K/year but require $500K in implementation. Be realistic about internal staff time too.
- Price increase mechanisms: Cap annual price increases. Standard: "No more than 3% annually or CPI, whichever is lower." Don't accept "prices may increase in line with market conditions" (vendors will claim market conditions to justify anything).
- Auto-renewal traps: Watch for contracts that auto-renew unless you give written notice 90+ days before expiration. This kills negotiations. Better: demand 90-day outs from auto-renewal without penalty.
- Exit costs: What happens when you leave? Can you take your data for free or is there an exit fee? Push back: "Exit from this contract may occur with 90 days written notice, with no penalty fees beyond prorated expenses through notice date."
Domain 3: Support & Governance
Will They Actually Help When Things Break?
The question: When something goes wrong (and something will), does the vendor have an obligation to fix it? Or are they just collecting fees while you're stuck?
Most vendor relationships fail on support, not features. The feature set is usually fine. But when a critical system goes down during your busiest day and support doesn't respond for 48 hours, you learn what the vendor really thinks of your contract.
What to evaluate:
- Service Level Agreements (SLAs) with teeth: Demand specific commitments:
  - Critical issues (system down): 1-hour acknowledgment, 4-hour response
  - High severity (major functionality broken): 8-hour response
  - Medium: 24-hour response
  - Low: 5 business days
- Uptime guarantees: Demand 99.5% monthly uptime minimum. That's about 3.6 hours of allowed downtime per month. Include penalty credits: 1% credit for every 0.5% below the guarantee.
- Vendor staff continuity: Ask: "If my account manager leaves, how do you transition accounts?" You want account documentation kept in their system and a 30-day overlap with the new rep.
- Training and onboarding: Is initial training included or paid separately? Can your whole team get trained? Is documentation available in formats your team can actually use?
- Escalation procedures: If your main contact can't solve an issue, what happens? "If issue not resolved in 10 days, escalates to Product Manager; if not resolved in 20 days, escalates to VP of Customer Success; if not resolved in 30 days, customer may terminate contract."
Domain 4: Security & Compliance
Can Patrons Actually Trust You?
The question: What's the vendor doing with patron data? Who can access it? Can you verify they're protecting it? Are they using it to train AI systems without permission?
Patron data is sensitive. For some patrons (undocumented immigrants, domestic violence survivors, LGBTQ+ youth), this data could be dangerous if exposed. The biggest new risk is AI training. Vendors are now quietly adding language that lets them use your patron data to train AI systems: forever, for free, and for vendor profit.
What to evaluate:
- Data encryption and access controls: Demand encryption in transit (HTTPS) and at rest. Ask: "Who inside your company can access customer data, and what controls prevent unauthorized access?"
- Breach notification: "Vendor shall notify customer within 24 hours of discovering breach, provide details of scope and nature, and cooperate with any required notifications to patrons/regulators." Don't accept "notify in reasonable timeframe."
- Subpoena procedures: "Vendor shall not disclose patron data in response to subpoena without notice to customer. Vendor shall seek to limit disclosure scope." This protects vulnerable patrons.
- Third-party data sharing: Ask: "Do you share patron data with any third parties?" You want a strict list and approval rights.
- AI training restrictions: This is where vendors sneak in predatory language. Demand: "Vendor shall not use Customer Data, including usage patterns, search queries, patron activity logs, to train AI or machine learning models without Customer's prior written consent."
- Audit rights: You should be able to audit vendor compliance through: (a) annual security audit reports (SOC 2 Type II); (b) upon reasonable notice, physical or remote audit; (c) documented AI system testing reports; (d) written certification of compliance.
Domain 5: Equity & Long-Term Fit
Who Gets Left Out?
The question: When you implement this vendor, will service improve for everyone, or only for some people? Will it require cutting services to low-income areas to fund it? Does the system actually work for patrons with disabilities, non-English speakers, or vulnerable populations?
Equity isn't a bonus feature; it's a core mission issue. A vendor that's great for English-speaking patrons but inaccessible to blind patrons, or that works well in wealthy neighborhoods but forces you to cut hours in low-income areas, is embedding inequality into your service model.
What to evaluate:
- Accessibility compliance (WCAG 2.1 AA): The vendor should demonstrate: tested with screen readers (NVDA, JAWS), fonts adjustable to 48pt+, color contrast tested and adjustable, keyboard navigation for all features, video captioned, PDFs accessible. If the vendor says "we have an accessibility team" but can't show test results, you're not getting WCAG 2.1 AA compliance.
- Language support: What languages does the interface support? Is Spanish support built-in or machine-translated? Ask the vendor to describe their Spanish-language support in Spanish. If they can't, it's probably not native.
- Algorithmic bias and testing: If the system includes AI recommendations or search ranking: Has the vendor tested for algorithmic bias? Do results from marginalized communities get deprioritized? Who audits this: just the vendor, or external auditors too?
- Cost impact on service: Does implementing require cutting hours in low-income branches? Eliminating a service? If the cost savings come from cutting service to the patrons most dependent on the library, you haven't actually saved money. You've transferred that cost to the people least able to afford it.
- Pricing structure impact: How is the vendor pricing this? Per-library flat fee? Per-patron? Per-circulation? This matters for equity. Per-circulation pricing might force you to cut hours at branches serving people who need it most.
Red Flags That Should Stop You
Some contract issues are so predatory they're deal-breakers on their own. Push back hard or walk away:
The AI Training Trap
"Customer grants Vendor a worldwide, non-exclusive, royalty-free license to use, reproduce, and create derivative works from Customer Data for purposes of improving Vendor's services, including but not limited to machine learning and artificial intelligence development."
The vendor wants to use your patron data forever, for free, to train AI systems they'll sell to other customers. This is predatory. Demand instead:
"Vendor shall not use Customer Data, including usage patterns, search queries, patron activity logs, or any data generated by Customer's use of the Service, to train, develop, improve, or create machine learning models, artificial intelligence systems, or derivative products without Customer's prior written consent. Any such use requires a separate written agreement specifying scope, duration, compensation (if any), and audit rights."
The "AI Is Unaccountable" Trap
"Vendor provides AI-powered features on an 'as-is' basis. Vendor makes no warranties regarding accuracy, reliability, or performance of AI-generated content."
You're liable if the AI screws up. Demand instead:
"Vendor shall be liable for damages arising from AI features that: (a) produce outputs that violate applicable law, (b) fail to perform materially as documented, or (c) result from defects in Vendor's AI design, training, or implementation."
The "No Audit Rights" Trap
"Customer agrees not to reverse-engineer, decompile, or attempt to discover the underlying algorithms, models, or training data used in Vendor's AI features."
You can't audit whether the AI is biased or compliant with regulations. Demand instead:
"Customer has the right to: (a) receive annual reports on AI system performance, bias testing results, and training data sources; (b) request third-party audit reports (SOC 2, ISO 27001) that include AI systems; and (c) audit Vendor's compliance with this Agreement's AI provisions."
The "We're Not Liable" Trap
"Vendor's indemnification obligations under Section [X] do not apply to any claims arising from or related to use of AI-powered features."
If someone sues because of the vendor's AI, the vendor won't defend you. Demand instead:
"Vendor shall defend, indemnify, and hold harmless Customer from any claims, damages, or liabilities arising from: (a) AI outputs that infringe third-party intellectual property rights; (b) AI outputs that violate applicable privacy laws; (c) defects in Vendor's AI design or implementation; or (d) Vendor's failure to disclose known AI limitations."
Case Study: How Equity Impact Hides in Spreadsheets
A 15-branch public library system is evaluating a new discovery system. The vendor is $80K cheaper annually. On paper, this looks like a win. But the migration requires 3 months of heavy IT staff time. The budget office can't fund both the vendor fees and keep current staffing, so they decide: fund migration by cutting 2 FTE reference positions. Which branches get hit? The three serving the lowest-income neighborhoods: 80% non-English speakers, 45% household income under $35K, significant unhoused community.
The logic was: "These branches have the lowest circulation, so cutting there has the smallest percentage impact." But the real impact was on the populations most dependent on librarian help navigating systems, immigration processes, and language support. Reference desk hours dropped from 45 to 30 hours/week. This was supposed to be temporary. It's now year 3 and hours haven't been restored. Circulation at these branches actually dropped by 12%, because patrons shifted to under-staffed phone reference.
The lesson: When evaluating vendors, always ask: "Whose services are being cut to fund this decision?" If the answer is "branches in low-income neighborhoods," you haven't actually saved money. You've transferred cost to the people least able to bear it. That's a mission failure, regardless of vendor quality.
When to Call a Consultant
You can evaluate most vendors yourself. But there are moments when outside help is worth the investment:
- Get legal review for: Enterprise vendor contracts, any contract with AI training language, consortium negotiations, high-value contracts (if vendor cost exceeds $500K over contract term, legal review costs $2K-5K and often saves tens of thousands)
- Get equity impact assessment from: Someone with accessibility expertise if you serve blind/low-vision patrons, someone with experience in diverse communities, external equity auditor
- Get technical review for: Open-source implementations, complex integrations, security-critical systems
- Get negotiation support for: First time negotiating with enterprise vendors, consortium negotiations, any contract where you're facing power imbalance
The investment in consulting ($2K-10K) usually saves you hundreds of thousands in contract negotiations or prevents catastrophic implementation failures.
Next Steps
- Run the Vendor Evaluation Wizard to get a risk score for your current or prospective vendor.
- Use the Contract Audit Checklist to walk through your contract line by line.
- Read about AI contract clauses for a deeper dive on the AI-specific risks.
- Get consulting support if you need help reading a specific contract or preparing for vendor conversations.