Vendor Risk Management in India: A Guide

Here's a scenario that plays out more often than it should: your procurement team signs up a new vendor, invoices start flowing, payments go out on schedule, and six months later, the GST team discovers the vendor's registration was cancelled weeks after onboarding. The ITC you've been claiming? Gone. Plus 18% interest.

A single non-compliant supplier can trigger cascading problems: denied ITC claims, Section 43B(h) disallowances, TDS defaults, and GST audit scrutiny. Yet most Indian businesses still treat vendor risk as an afterthought. This guide lays out a practical framework for vendor risk management tailored to Indian regulations: due diligence, ongoing monitoring, and mitigation strategies your finance team can run without a dedicated risk department.

Understanding Vendor Risk in the Indian Context

Vendor risk in India is shaped by a combination of regulatory, financial, and operational factors you won't find in quite the same form anywhere else.

Regulatory Risk

India's vendor-related compliance landscape includes:

GST compliance risk: If your vendor doesn't file their GSTR-1, your purchase won't appear in your GSTR-2B auto-populated return. Under Section 16(2)(c) of the CGST Act, you can claim ITC only if the supplier has actually deposited the tax with the government. Non-compliant vendors directly threaten your ITC position.
TDS risk: Incorrect PAN details, failure to identify the correct TDS section, or non-deduction exposes your company to disallowance under Section 40(a)(ia) of the Income Tax Act, plus interest and penalties.
MSME payment risk: Section 43B(h), effective from FY 2024-25, disallows deductions for payments to micro and small enterprises not made within the prescribed time limit: 15 days without a written agreement, or up to 45 days with one. If you don't know which vendors are MSME-registered, you can't manage this risk.
E-invoicing risk: Vendors with turnover above Rs 5 crore must generate e-invoices via the IRP. If they don't, those invoices are technically invalid, and your ITC claim is at risk.

Financial Risk

Vendor financial instability can wreck your supply chain without warning. In India, where a huge portion of suppliers are SMEs and MSMEs, financial fragility is common. Watch for the red flags: delayed deliveries, quality deterioration, frequent changes in bank details, or sudden requests for advance payments when terms were previously on credit.

Operational Risk

This covers concentration risk (too much dependence on one vendor), quality risk, delivery risk, and data security risk: especially for IT and BPO vendors handling sensitive data. In India's diverse geography, logistical risks for vendors operating across multiple states add yet another layer.

Why Most Companies Get Caught Off Guard

Industry surveys consistently show that the majority of Indian companies have experienced at least one significant vendor-related disruption in a given year. The root causes split roughly between compliance failures (GST, TDS, or regulatory defaults) and financial instability of the vendor. The striking part? Only a fraction of companies have a formal vendor risk assessment framework in place. Most are reacting to fires, not preventing them.

Building a Vendor Due Diligence Framework

Vendor due diligence is the systematic evaluation of a vendor before and during the business relationship. For Indian businesses, this means going well beyond financial checks to include regulatory compliance verification.

Pre-Onboarding Due Diligence

Before adding a vendor to your approved list, conduct the following checks:

PAN and identity verification: Validate PAN against the Income Tax Department database. For companies, verify CIN on the MCA21 portal. Check for any disqualified directors linked to the entity.
GSTIN validation and filing history: Verify GSTIN status (active, suspended, cancelled) and review the vendor's GST filing compliance over the past 6-12 months. A vendor with multiple months of unfiled returns is a compliance liability.
MSME/Udyam classification: Query the Udyam Registration portal to confirm whether the vendor is a micro (investment up to Rs 1 crore, turnover up to Rs 5 crore), small (up to Rs 10 crore / Rs 50 crore), or medium (up to Rs 50 crore / Rs 250 crore) enterprise. Document this: it directly affects your payment obligation timelines under Section 43B(h).
Financial health indicators: For high-value vendors, review publicly available financials on the MCA portal (balance sheet and P&L for companies). Check for any winding-up petitions or NCLT proceedings on the NCLT website.
Litigation and blacklisting check: Search the vendor's name on GST portal notices, SEBI debarment lists, and relevant industry blacklists. The Government e-Marketplace (GeM) debarment list is also a useful reference for vendors in the government supply chain.

Ongoing Monitoring

Due diligence isn't a one-and-done activity. You need continuous or periodic monitoring:

Monthly (GSTIN status check and GST filing compliance review for all active vendors
Quarterly) Review of payment terms compliance, especially for MSME vendors; TDS reconciliation against vendor ledger
Annually: Full re-verification including PAN, GSTIN, bank details, Udyam status, and financial health review for strategic vendors
Event-triggered: Re-assess when a vendor changes bank details, ownership, or legal structure; when invoice patterns change significantly; or when industry-specific regulatory changes occur

"The biggest mistake companies make is treating vendor due diligence as a procurement checkbox. In India, where regulations change frequently and enforcement is tightening across GST, TDS, and MSME payments, vendor risk is a living thing. You need continuous monitoring, not annual reviews.": Risk Advisory Partner

Creating a Vendor Risk Scoring Model

A scoring model turns qualitative risk factors into numbers your team can act on consistently. Here's a practical model designed for Indian businesses.

Risk Dimensions and Weightage

Assign weights based on what matters most to your business:

Compliance risk (30%): GST filing regularity, TDS compliance history, e-invoicing compliance, regulatory notices or defaults
Financial risk (25%): Revenue stability, payment history with your company, credit rating (if available), publicly available financial indicators
Operational risk (20%): Delivery performance, quality metrics, SLA adherence, business continuity capabilities
Concentration risk (15%): What percentage of your spend or supply for a category depends on this vendor? What percentage of the vendor's revenue comes from your company?
Strategic risk (10%): Alignment with your company's long-term plans, innovation capability, geographic reach

Scoring Scale

Use a 1-5 scale for each dimension:

5: Excellent. No concerns, strong track record.
4: Good. Minor issues, manageable and documented.
3: Average. Some concerns that need monitoring.
2: Below average. Active issues requiring remediation plan.
1: Poor. Significant risk, consider replacement.

The weighted total gives you a vendor risk score between 1.0 and 5.0. Define thresholds: vendors scoring below 2.5 require immediate action plans, those between 2.5 and 3.5 need enhanced monitoring, and those above 3.5 follow standard review cycles.

Automating the Score

For compliance and financial risk, much of the data can be pulled automatically: GSTIN status from the GST portal (services.gst.gov.in), filing compliance from GSTR-2B data, MSME status from Udyam, and company financials from MCA. Operational risk scores typically come from your own ERP data (delivery records, quality inspection reports). The key is feeding all of this into one scoring dashboard instead of maintaining separate spreadsheets that nobody trusts.

Vendor Compliance Check: A Practical Approach

Vendor compliance checks in India span multiple regulatory domains. Here's how to handle each one.

GST Compliance Verification

This is the most frequent and impactful check. Verify:

GSTIN status is "Active" (not suspended, cancelled, or surrendered)
The legal name and trade name match your records
The vendor's place of business matches the address on invoices (important for determining supply type: intra-state vs. inter-state)
GSTR-1 and GSTR-3B filing is regular (check via the GST portal's "Search Taxpayer" feature)
Invoices from this vendor appear in your GSTR-2B (monthly reconciliation)

TDS Compliance Verification

PAN is valid and belongs to the correct entity
The correct TDS section is applied based on the nature of payment (Section 194C for contracts, 194J for professional services, 194I for rent, etc.)
Check for Section 197 certificates (lower/nil deduction): these are valid for a specific financial year and must be renewed
Verify Form 26AS/AIS alignment: the vendor should be able to see TDS credited in their Form 26AS matching your deductions

MSME Compliance Verification

Confirm Udyam Registration Number and classification (micro, small, medium)
Document agreed payment terms in writing (this is crucial for Section 43B(h)
Track payment ageing for MSME vendors separately) if no written agreement exists, the statutory limit is 15 days from acceptance or deemed acceptance; if an agreement exists, the limit can't exceed 45 days
Generate MSME payment compliance reports for tax filing preparation

Third-Party Risk Mitigation Strategies

Identifying and scoring risks is step one. The real work is taking concrete actions to reduce your exposure.

Diversification

For critical supply categories, maintain at least two qualified vendors. One vendor handling more than 40% of a category's spend? That's concentration risk, and it's one of the most common and most dangerous vendor risks out there. Develop alternatives proactively, not after a disruption has already hit.

Contractual Protections

Your vendor agreements should include:

Compliance warranty clauses: the vendor warrants that they will maintain active GST registration, file returns regularly, and comply with all applicable tax laws
Right-to-audit clauses (you can verify the vendor's compliance records upon reasonable notice
Indemnity clauses) the vendor indemnifies you for losses arising from their non-compliance (e.g., ITC denial due to their GST non-filing)
Termination triggers: clear grounds for termination if compliance standards are not met after a cure period

Payment Controls

Link payment releases to compliance verification. Block processing for vendors whose GSTIN status has flipped to inactive. Flag payments to MSME vendors approaching the 15-day or 45-day limit. This turns your accounts payable process from a payment factory into an active risk management tool.

Periodic Review Cadence

Establish a quarterly vendor risk review meeting involving procurement, finance, and compliance stakeholders. Review the vendor scorecard, discuss flagged vendors, approve remediation plans, and update risk scores based on the latest data. Document decisions and actions: this creates an audit trail that demonstrates governance.

Where OneFinOps Comes In

OneFinOps provides a vendor management platform that makes vendor risk management practical to execute, not just a framework in a PDF. The platform brings together the data, automation, and workflows you actually need.

Automated compliance verification: Real-time PAN, GSTIN, and Udyam checks against government databases, with status change alerts.
Vendor risk scoring: Configurable risk scoring model that pulls compliance, financial, and operational data into a unified vendor scorecard.
GSTR-2B reconciliation: Automatic matching of vendor invoices against your GSTR-2B data to identify ITC-at-risk invoices from non-compliant vendors.
MSME payment tracking: Dedicated tracking for MSME vendor payments with proactive alerts before Section 43B(h) deadlines.
Vendor audit trail (Complete history of verification results, risk score changes, compliance flags, and actions taken) ready for auditor review.
Bulk re-verification: Re-verify your entire vendor base in a single operation, rather than checking vendors one by one.

The Bottom Line

Vendor risk management in India isn't a theoretical exercise: it has direct, measurable consequences on your tax position, cash flow, and regulatory standing. Enforcement is tightening across GST (auto-populated returns, ITC matching), TDS (penalties for non-deduction under Section 201(1)), and MSME payments (Section 43B(h) disallowances). Your vendor's non-compliance becomes your non-compliance.

The framework here (structured due diligence, risk scoring, continuous monitoring, and active mitigation) is something any finance team can implement. Start with your top 50 vendors by spend. Build the verification and scoring model. Expand from there.

The cost of a vendor risk programme is always lower than the cost of the problems it prevents. Always. Get started with OneFinOps.