
Vendor lock-in in regulated industries: how to evaluate exit cost before signing

The procurement gap

Enterprise procurement in regulated industries is good at scoring vendors on what they cost to buy. It is much weaker at scoring what they cost to leave.

That gap is where lock-in lives. The vendor's incentive is to make the exit expensive without making the entrance suspicious. Done well, the lock-in is invisible at signing and only becomes visible in year three, when the renewal lands on a procurement manager who inherited the contract.

The fix is not anti-vendor. SaaS works fine for many use cases, and a deep partnership with a single vendor can be the right call. The fix is to price exit before you commit, so the procurement decision reflects both sides of the bargain.

This post lays out the four-part exit-cost stack we walk clients through before they sign anything material. Each part has a defensible way to estimate it, and together they produce a number you can compare against year-one TCO and three-year TCO. The gap between those three numbers is usually the most revealing single signal in a procurement file.

The four-part exit-cost stack

1. Data extraction cost

How do you get your data out, in what format, and how complete is it?

Read the contract for:

  • The export format. "CSV export available" is not the same as "schema-preserving JSON export including foreign-key relationships and historical state changes." Generic CSV usually drops half the model.
  • Historical depth. Some vendors retain only the last 12-24 months of operational data in the active store; older records sit in archive and require a separate request to extract. The archive might or might not be in the export.
  • Audit-trail granularity in the export. This is the most commonly cut item. The live system shows every transition; the export shows the final state of each record. If your regulator wants the transition log, you may not get it on export at all.

Estimate: budget the engineering time required to write transforms from the vendor's export format into whatever shape your replacement system needs. For a non-trivial system with five years of operational history, this is rarely less than 6-12 weeks of senior-engineering time. Sometimes much more.

2. Integration rewrite cost

For every integration you built into the vendor's APIs, you rebuild against the replacement's APIs. Count them honestly. The list usually includes more than the obvious ones.

A rough breakdown of where the rebuild work hides:

  • Inbound integrations (your other systems calling the vendor)
  • Outbound integrations (the vendor pushing to your other systems)
  • Webhook consumers (you listening for vendor events)
  • Scheduled ETL pipelines (you pulling vendor data into your warehouse)
  • Single sign-on and identity provisioning (often the most painful)
  • Custom reports built against the vendor's data model

Each of these is its own small project. They do not move in parallel cleanly, because they share dependencies on the replacement system's stability. Quote each at the cost a senior engineer with no context would charge, then add 30 percent for the discovery phase that no team budgets for.

3. Compliance re-filing cost

This one is specific to regulated industries and is the most commonly forgotten line item.

If your regulator certified the system you are leaving, you may need to recertify the replacement before you can fully cut over. Common patterns:

  • Financial services. A core-banking-adjacent system change usually triggers a security review, sometimes a regulator notification, occasionally a penetration test report. The clock from "decision to switch" to "regulator approval" can be 6-18 months depending on jurisdiction.
  • Public sector. Replacement systems often need to clear the same procurement process the original system did, which can require an open tender. The tender process itself can be 6-12 months before delivery starts.
  • Energy and utilities. Operational technology systems frequently need a safety re-review before being trusted with production data. This is rarely fast.

Estimate: ask your compliance team to look up the actual re-certification timeline for your specific regulator, and price it as the cost of running both systems in parallel for that period (often double monthly fees) plus the compliance-team effort to manage the filing.

4. Re-training and operational disruption

The smallest line item, but the most consistently overlooked.

When you swap systems, every operator who learned the old one has to learn the new one. For a 200-person operational team, that's 200 hours of training that comes out of productive capacity, plus the productivity dip during the learning curve (typically 4-8 weeks at reduced throughput).

Most enterprise teams budget the training delivery (a few days of trainer time) and miss the productivity dip entirely. The dip is usually larger than the trainer cost by an order of magnitude.

How to use this in a procurement meeting

Build a single spreadsheet column called "Total cost across three years, including exit scenario". Each candidate vendor gets a row. Fill in:

  • Year-one cost (license, implementation, integration build).
  • Year-two cost (license, support, any in-flight customization).
  • Year-three cost (license, support, plus the exit-cost stack above if you exit at end of year three).

A common pattern: the vendor that looked 60 percent cheaper at year-one TCO is 20-30 percent more expensive at three-year-with-exit TCO. That ranking flip is the single most useful output of the exercise.

It is also worth asking each vendor, directly, two questions during diligence:

  1. What is the canonical export format, and can you give us a sample export of a comparable customer's data structure? A vendor confident in their export will produce a sanitised sample. A vendor whose export is weak will explain why this is not a standard request.
  2. In the last 24 months, how many customers have migrated off your platform, and what did that look like? Vendors with confident migration paths can answer this. Vendors who lock customers in often cannot.

The answers to those two questions tell you more about real lock-in risk than the contract clauses do.

A short diagnostic

If your shortlist has more than one vendor scoring within 15 percent on year-one TCO, the exit-cost stack is almost certainly what should decide the call. Build it for both candidates before the procurement committee meeting. If the analysis tips the decision, that is the analysis paying for itself.

If you'd like a worked exit-cost model for a specific procurement decision you are facing, book a 30-minute call.
