Adding a new ITAD vendor without a formal RFP is not a shortcut. It’s an unreviewed liability entering your chain of custody.

Fewer than 25% of enterprise organizations run what qualifies as a structured IT asset retirement program. The casual vendor add — a warm introduction, a reference call, a contract that materializes from a template — is the same informality that keeps ITAD under-resourced and under-governed. It hands a new vendor scope and access before you’ve defined what you actually need from them, which tier of relationship this is, or what governance applies if something goes wrong.

The stakes are concrete. GDPR Article 83 sets the exposure ceiling at 4% of global annual turnover for disposal failures. SEC whistleblower channels are available to any employee with knowledge of inadequate sanitization controls. A significant gap exists between vendors who hand you a certificate of destruction and vendors who can demonstrate sanitization occurred — and the only reliable place to close that gap is before the first device ships.

A well-constructed RFP forces the work that protects the program: R2v3 certification verification; downstream vendor chain review; site audit requirements; SLA definitions with teeth; and data portability provisions if the relationship ends. It also levels the field — the strongest vendors for a specific scope are often specialized, not the largest names, and a structured evaluation finds them.

Multi-vendor strategies reduce concentration risk. That’s the right direction. But every vendor in the mix should have entered through a process that documented your due diligence — not a handshake that looked fine at the time.

The RFP is how a vendor earns a place in your program. What does your current onboarding process actually require of them?
