
What Working in Australian Banking Taught Me About Vendor Risk — and What Tanzania Can Borrow

Practical lessons from APRA-regulated banking environments on managing third-party risk — scaled to the reality of Tanzanian SMEs.

I want to be direct about what this post is and is not.

It is not “I spent 20 years in banking and here is my wisdom.” I have not. I spent time working in cybersecurity GRC roles at APRA-regulated financial institutions in Australia — environments where third-party risk management is a regulatory requirement with real consequences for getting it wrong. What I observed there, and what I practised, gave me a structured way of thinking about vendor risk that I had not found elsewhere.

This post shares the parts of that framework that are genuinely applicable to Tanzanian SMEs — stripped of the enterprise overhead that makes it inaccessible at smaller scale.


Why Vendor Risk Is Not a Large-Organisation Problem

In Australian banking, vendor risk management is mandated by APRA CPS 234 (Information Security) and CPS 230 (Operational Risk). If you have a material vendor — one whose failure could affect your ability to operate or whose breach could expose your customer data — APRA expects you to assess them, manage the relationship, and have contingency plans.

The regulation exists because a bank’s security is not just about its own systems. A major payment processor, a cloud provider, a core banking software vendor — if they are breached or fail, the bank’s customers suffer. The bank is accountable.

This dynamic is identical for Tanzanian SMEs. The scale differs. The regulatory mandate differs. But the underlying reality — that your suppliers can expose your customers, your data, and your operations to risk you did not create — is the same.

Most Tanzanian SMEs have never formally assessed a supplier. They have made decisions based on price, relationships, and reputation — which are all reasonable inputs — but without asking the security questions that determine whether the relationship introduces material risk.


The Single Most Useful Concept: Criticality Tiering

In enterprise vendor risk management, not every supplier is assessed with the same level of scrutiny. A stationery supplier and a cloud CRM platform are both vendors — but they represent very different levels of risk.

Criticality tiering divides vendors into categories based on the risk they represent:

Critical — vendors whose failure or breach would materially impact your operations or expose significant customer data. Your cloud infrastructure provider, your payroll system, your payment processor.

High — vendors with access to some business data or systems, whose failure would be disruptive but manageable. Your IT support provider, your accounting software.

Medium — vendors who handle limited data or provide non-critical services. A marketing agency with access to your email list.

Low — vendors with no access to systems or sensitive data. Physical suppliers, utilities, standard professional services.

Critical and high vendors get full assessments. Medium vendors get a shorter questionnaire. Low vendors get a terms-of-business check and nothing more.

This is the concept that makes vendor risk management scalable for SMEs. You do not need to deeply assess every supplier. You need to know which ones matter — and focus your limited time and attention there.


What a Right-Sized Assessment Looks Like

In Australian banking, vendor questionnaires can run to 200+ controls. This is appropriate for a bank assessing a cloud provider that holds sensitive customer data for millions of customers. It is completely inappropriate for a Dar es Salaam retail chain assessing its point-of-sale software vendor.

A right-sized assessment for a critical vendor in an SME context covers:

  • Data handling: What data do they hold on your behalf? How is it protected? Where is it stored?
  • Access controls: Who within the vendor organisation has access to your data or systems? How is that access managed and reviewed?
  • Incident notification: If they experience a breach or significant incident, how quickly will they notify you? Can they evidence a process?
  • Business continuity: What happens to your data and service if they cease operations?
  • Certifications: Do they hold any relevant certifications (ISO 27001, SOC 2)? What is the scope?

Fifteen well-chosen questions, answered honestly, tell you most of what you need to know about whether a vendor is operating with basic security hygiene or not.


The One Contract Clause That Makes the Biggest Difference

Of all the contract provisions that vendor risk professionals in regulated environments focus on, one stands out for its practical value at SME scale:

Incident notification.

A standard clause requiring your vendor to notify you within 72 hours (or less) of discovering a security incident that may affect your data or your service. Not when they have investigated and understood it fully — when they become aware of it.

Without this clause, a vendor has no contractual obligation to tell you when something has gone wrong. You may find out weeks later — after the breach has been publicly disclosed, after customer data has been circulated, after you have missed your own regulatory notification window.

With this clause, you have information early enough to respond — to notify your own customers, engage your incident response plan, and limit the damage.

This clause is free to include in a contract. Many vendors will accept it without negotiation because it reflects what a well-run organisation should be doing anyway. Vendors who push back hard on a basic incident notification requirement are providing you with useful information about how they operate.


Three Things Tanzanian SMEs Can Do This Month

You do not need an enterprise vendor risk programme. You need a start.

1. Write down your vendors. Every cloud tool, every outsourced service, every IT provider. Put them in a spreadsheet. Include what data they hold and what systems they access. This is your vendor inventory, and the fact that you now have one puts you ahead of most SMEs.

2. Tier them. For each vendor, answer: if they were breached tomorrow, what would be affected? High impact = critical or high tier. Low impact = medium or low. The critical and high vendors get your attention first.

3. Ask your top three vendors one question. Email them: “Can you share your most recent security certification or a summary of your information security practices?” The response — or absence of one — tells you something. A vendor who readily shares a SOC 2 report or ISO 27001 certificate is managing security actively. A vendor who cannot answer the question may not be.
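As an added example (not code from this post or its author), here are steps 1 and 2, plus the incident notification clause check from the section above, as a small Python script run over a constructed vendor inventory. The vendor names, CSV columns and the four impact categories are assumptions chosen to illustrate the tiering rule, not anything from the post.

```python
# Added example, not from the original post: the step-1 inventory as a CSV
# and the criticality-tiering rule from the post, applied to constructed data.
import csv
import io

# Constructed sample inventory. impact_if_breached answers step 2 ("if they
# were breached tomorrow, what would be affected?"): major, disruptive,
# limited or none. notify_hours is the contract's incident-notification
# window (blank = no clause); evidence is any certification shared.
INVENTORY_CSV = """name,service,data_held,impact_if_breached,notify_hours,evidence
CloudHost,cloud infrastructure,all customer and business data,major,72,SOC 2
PayCo,payment processing,card and customer data,major,,
FixIT,outsourced IT support,admin access to laptops,disruptive,,
Books,accounting SaaS,financial records,disruptive,72,
AdAgency,marketing,customer email list,limited,,
StationeryCo,office supplies,none,none,,
"""

TIER_BY_IMPACT = {"major": "critical", "disruptive": "high", "limited": "medium", "none": "low"}
ASSESSMENT_BY_TIER = {"critical": "full assessment", "high": "full assessment",
                      "medium": "short questionnaire", "low": "terms-of-business check"}
MAX_NOTIFY_HOURS = 72  # the clause the post recommends: 72 hours or less

def tier_vendor(row):
    """Map the breach-impact answer to a tier and that tier's assessment depth."""
    tier = TIER_BY_IMPACT[row["impact_if_breached"].strip().lower()]
    return tier, ASSESSMENT_BY_TIER[tier]

def contract_gaps(row, tier):
    """Follow-ups for critical/high vendors only: weak or missing notification clause, no evidence."""
    gaps = []
    if tier not in ("critical", "high"):
        return gaps
    hours = row["notify_hours"].strip()
    if not hours:
        gaps.append("no incident notification clause")
    elif int(hours) > MAX_NOTIFY_HOURS:
        gaps.append(f"notification window {hours}h exceeds {MAX_NOTIFY_HOURS}h")
    if not row["evidence"].strip():
        gaps.append("no certification or security summary on file")
    return gaps

def prioritise(inventory_csv=INVENTORY_CSV):
    """Tier every vendor and return them most critical first, with their gaps."""
    result = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        tier, assessment = tier_vendor(row)
        result.append({"name": row["name"], "tier": tier, "assessment": assessment,
                       "gaps": contract_gaps(row, tier)})
    return sorted(result, key=lambda r: ["critical", "high", "medium", "low"].index(r["tier"]))
```

Calling prioritise() returns the inventory sorted critical-first, with the contractual gaps to chase for each critical or high vendor; medium and low vendors get only their assessment depth, as the tiering section describes.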


The Bigger Picture

Vendor risk is not a compliance checkbox. It is a genuine business risk that grows as you rely on more cloud services, more outsourced functions, and more connected partners.

The Australian banking environment is not a perfect model for a Tanzanian SME. The regulatory context is different, the resources are different, and the threat landscape has local characteristics. But the underlying discipline — knowing who your vendors are, understanding the risk they represent, and having basic contractual protections in place — translates directly.

You do not need to build a 200-vendor enterprise programme. You need to know your five most critical suppliers, have assessed them at a level proportionate to the risk, and have incident notification clauses in your contracts.

That is a realistic starting point. And a starting point is what matters.

If you would like to discuss building a right-sized vendor risk programme for your business, book a free discovery call.