Risks that can arise when systems are constructed using COTS include:
1. Vendor risks: Failure of vendor to provide support when required Vendor goes out of business or drops product from its portfolio
2. Product risks: Incompatible event/data model with other systems Inadequate performance when integrated with other systems Product is undependable in intended operating environment
3. Process risk: Time required to understand how to integrate product is higher than expected.
The risks can be addressed by only dealing with vendors that use an escrow system so that source code is available if they go out of business, by extensive research and testing of product capabilities before use, discussion with other users etc. In general though, because COTS are provided by external vendors, risk reduction is difficult.