Thinking About the Things We Don't Think About

In performing Vendor Risk Assessments on SaaS providers for SMB clients this week, it dawned on me how we don't often give much thought to the small things that can sway a decision.

Take the location of a vendor's headquarters, for instance. Why should such a detail that seemingly has no impact on a software product's capabilities, features and fit to our business, be a big deal given our globalized, digitalized economy?

Even for small businesses that don't aspire to global domination of their market, vendor locations represent potential complications in business relationships. That applies to vendors in different states, as well as foreign countries.

The legal, cybersecurity and cultural ramifications can present obstacles that many small businesses can't or don't want to contend with. 

I conducted a vendor risk assessment on potential practice management SaaS vendors for a lawyer recently. His selection eventually came down to one criteria, given that ratings and reviews, pricing, and features aligned closely between the three SaaS vendor finalists.

Location proved to be the deciding factor, as he eliminated two of the finalists -- one in Canada and the other in Australia, even though a colleague gave a favorable recommendation of the Australian vendor.

I, myself, in performing VRAs on SaaS vendors for EDM Info Pro, found what I believed to be the perfect software for my research and information business last year. It handled everything from soup to nuts for what I wanted to do, and met my budget.

As I continued with the assessments, however, I discovered that while it showed Norfolk, Va., for its headquarters, a search of the owners' Twitter accounts revealed that they spent a good deal of their time in their native Serbia rather than the U.S. I also had to translate most of their Twitter posts from Serbian.

This didn't necessarily disqualify that company, in my mind. I liked the software enough to continue pursuing the cybersecurity implications of deploying it for my business and my clients.

What I found didn't engender confidence, as it became clear that the company utilized programmers and data storage in Serbia.

Plus, I found no comfort that Russian influence over Serbia -- and by extension Serbia's businesses -- wouldn't become a security threat at some point. As Russian allies for two centuries, Serbia's recent attempts to improve relations with Western nations created an uneasy balancing act that I didn't feel comfortable with.

Further, the U.S. government's International Trade Administration stated about Serbia, "Despite significant progress in economic and administrative reforms, serious problems remain. These challenges include weak rule of law; political interference in the economy; a slow-moving judicial system subject to political pressure; legislative and regulatory unpredictability; both real and perceived issues of corruption; an overly complex and sometimes non-transparent bureaucracy; an opaque tendering process, and difficulties in collecting payments from both public and private entities."

Even though I didn't intend to conduct business IN Serbia, I thought that didn't bode well for cybersecurity of the data I collected for my clients. I eventually chose another provider in the U.S.

Only in performing such due diligence can you discover the seemingly small things that make a big difference in final decisions between prospective vendors that have little separation between them on the major criteria.

You can also request an online meeting.