You vetted your critical suppliers carefully — once. Since then they have changed their subprocessors, their data locations, their security and sometimes their owners, and you have not looked again. In a cloud-first Caribbean, that gap is where operational risk now lives.

This series has worked through annual governance as a liability, the continuous operating model, the six blind spots, the audit it complements, and — last time — artificial intelligence, the fastest-moving of the six. We turn now to the domain where, in my experience, the most operational risk quietly accumulates: third parties. It deserves a close look for a simple reason. More of what your organisation does is now done by someone else than at any time in its history — and you re-examine those someones far less often than they change.

Your operations are now a supply chain

Start by seeing the modern organisation for what it has become: an assembly of vendors. Your email and documents live in someone else’s cloud. Your payments run through a processor. Your core systems are increasingly software you rent rather than own, hosted on infrastructure you will never see, supported by teams you will never meet. Functions that were once internal — payroll, IT, customer service, analytics — are now outsourced to specialists. This is efficient and, for most Caribbean organisations, unavoidable. But it carries a consequence governance has been slow to absorb: a large and growing share of your risk surface now sits outside your own walls, in organisations you do not control.

Why vendor risk is a drift problem

The trouble is that we govern vendors as though they were fixed, when they are anything but. The standard model is to perform careful due diligence at onboarding — references, security questionnaires, financial checks, contract negotiation — and then, having satisfied ourselves, to move on. That diligence is real work and it matters. But it captures the vendor as it was on a single day. The vendor does not stop there.

Due diligence is a photograph. Your vendors are films.

Five things that change between your reviews

Consider what can shift between the day you onboarded a critical supplier and today, entirely without your knowledge.

Their subprocessors. You vetted your vendor; you did not vet your vendor’s vendors. Yet the supplier you approved can engage new subprocessors at will — a new analytics provider, a new hosting partner, a new offshore support team — each of which may now touch your data, in places and under terms you never reviewed. Your due diligence stopped at the first link of a chain that keeps extending.

Where your data lives. The location of your data can move — to a new region, a new datacentre, a new jurisdiction — as a vendor optimises its own operations. For an organisation subject to Jamaica’s Data Protection Act 2020 or its regional equivalents, a quiet change in data residency is not a technicality; it can be a compliance breach you do not know you are committing.

Their security posture. Certifications lapse. Controls that were strong at onboarding decay, exactly as your own can. And vendors suffer breaches — increasingly, the breach that hurts you most is not yours but theirs. An annual glance cannot tell you whether your supplier’s defences are still what they were when you signed.

Their ownership and stability. Vendors are acquired, merge, pivot, or fall into financial difficulty. A change of ownership can change a supplier’s priorities, its security culture, even its willingness to honour your terms. A vendor in quiet financial distress is a continuity risk hiding in plain sight — until the service simply stops.

Your own dependence. Finally, the thing that changes most invisibly is you. Over time, organisations lean harder on their critical vendors than they ever intended, until a handful of suppliers underpin operations that cannot run without them. That is concentration risk — and most organisations discover its true extent only when one of those vendors fails.

Concentration, continuity, and the exit you never planned

These last two points deserve emphasis, because they are where third-party risk becomes a board-level resilience question rather than a procurement detail. Depending heavily on a few critical providers creates single points of failure, and the honest test of that dependence is blunt: if a critical vendor failed tomorrow — or had to be dropped for a breach or a price dispute — could you move? For most organisations the answer is that they have never built or tested an exit, which means the dependence is effectively unmanaged. Resilience is not only about your own systems; it is about whether you can survive the failure of the third parties your systems now rest on.

The contract in the drawer

It is worth adding that the protections most organisations rely on — audit rights, data-handling clauses, service-level commitments, breach-notification obligations, exit assistance — are only as good as the attention paid to them. A strong contract negotiated at onboarding and then filed away is not governance; it is a document. Audit rights you never exercise, service levels you never measure and subprocessor-disclosure clauses you never check protect you on paper and nowhere else.

What continuous vendor governance does

The remedy is not more onerous onboarding; it is a refresh cadence — turning vendor oversight from a one-time gate into a continuing relationship. In practice that means keeping a living inventory of critical vendors (which, again, most organisations cannot produce on demand); tiering them by criticality and risk so attention goes where it matters; periodically refreshing due diligence, subprocessor disclosures, certifications and data-location facts; tracking whether contract protections remain current and are actually being used; and maintaining a clear-eyed view of concentration and exit-readiness. None of this is exotic. It is simply the difference between vetting a vendor once and governing it continuously.

The Caribbean dimension

This matters with particular force in our region. Caribbean organisations are, by necessity, cloud-first: scale, cost and the global talent market push us toward overseas providers for the very systems we depend on most. That dependence is sensible, but it concentrates third-party and cross-border-data risk to a degree many boards have not fully reckoned with — even as regional regulators, and Jamaica’s Data Protection Act 2020 in particular, pay closer attention to where data goes and who handles it. For the Caribbean board, vendor governance is not a peripheral domain. It is close to the centre.

What good looks like

This is why third-party governance is one of the six domains Dawgen TRUST360™ monitors continuously, through a Vendor Governance Refresh that keeps the critical-vendor inventory, the risk ratings, the subprocessor and data-location picture, and the contract protections current — so that what changes at your vendors does not change your exposure without your knowledge.

A test you can apply this week

So here, once more, is a test you can apply this week. Ask your operations and procurement leaders for four things about your critical vendors as they stand today: a current list of who they are; a list of their subprocessors; a statement of where your data physically resides; and your exit plan for each. If those four answers arrive quickly and confidently, your vendor governance is mature. If they do not — and for most organisations at least one of them will not — you have found the part of your risk surface that is changing faster than you are watching it. Your vendors will keep moving. The only question is whether you are still watching.

About the author

Dr. Dawkins Brown is Executive Chairman and Founder of Dawgen Global, an independent, integrated multidisciplinary professional services firm operating across the Caribbean, and Founding Editor of Caribbean Boardroom Perspectives.

Continue the conversation: dawgen.global  ·  [email protected]

Next in the series — Article 7: “Cyber Oversight Is a Board Sport.”

About Dawgen Global

Dawgen Global is an independent, integrated multidisciplinary professional services firm headquartered at 47 Trinidad Terrace, New Kingston, Jamaica, serving more than 15 territories across the Caribbean. Founded and led by Dr. Dawkins Brown, Executive Chairman, the firm is independent and not affiliated with any international network. It delivers a full suite of professional services under one roof: audit and assurance; tax advisory; IT and digital transformation; risk management; cybersecurity; actuarial and insurance regulatory advisory; HR advisory; mergers and acquisitions; corporate recovery; business advisory and strategy; accounting BPO and virtual CFO services; and legal process outsourcing.

The proposition is simple: big-firm capability without the big-firm price. Dawgen Global’s integrated approach is built for the specific complexities and opportunities of the Caribbean market, helping organisations make sharper, better-informed decisions that drive measurable progress.

To explore a partnership, reach out:

by Dr Dawkins Brown

Dr. Dawkins Brown is the Executive Chairman of Dawgen Global, an integrated multidisciplinary professional services firm. Dr. Brown earned his Doctor of Philosophy (Ph.D.) in the field of Accounting, Finance and Management from Rushmore University. He has over twenty-three (23) years’ experience in the fields of audit, accounting, taxation, finance and management. Starting his public accounting career in the audit department of a “big four” firm (Ernst & Young), and gaining experience in local and international audits, Dr. Brown rose quickly through the senior ranks and held the position of Senior Consultant prior to establishing Dawgen.

Dawgen Global is an integrated multidisciplinary professional services firm in the Caribbean region. We are integrated as one regional firm and provide several professional services, including: audit, accounting, tax, IT, risk, HR, performance, M&A, corporate recovery and other advisory services.

© 2023 Copyright Dawgen Global. All rights reserved.