There are many risks you need to be aware of in order to effectively manage your third parties. These include financial, operational and reputational risks just to name a few (read this blog to learn more about the key third-party risks you should be managing). One risk in particular that is often overlooked is called Third-Party Concentration Risk. Let’s take a look at why you might want to consider spending more time properly identifying, and managing, concentration risk with your vendors.
Third-Party concentration risk can mean a few different things, so let’s start by walking through how to spot it. There are three primary types of concentration risk:
#1: Over-reliance on one vendor for critical services
Finding a vendor that you can trust is great. It’s even better when that vendor has the resources and expertise to provide more than just one service to your organization. But be careful… relying too much on one vendor for all, or most, of your critical functions presents risk. Here are two scenarios to think about:
What happens if your organization uses a vendor for three critical services, and a data breach occurs that is tied to only one of those services? Do you continue using that vendor for the other two services?
What happens if the vendor that provides multiple critical services to your organization goes out of business? How severe will the impact be to your organization?
#2: Fourth-party concentration
Knowing your own third parties can sometimes be a challenging task on its own. But do you know your vendor’s vendors (i.e. your fourth parties)? Let’s say you’ve done a great job ensuring that you have a diverse group of vendors who provide services to your organization (concentration risk #1 from above has been significantly limited). On the surface you would have no idea that a potential concentration risk exists. However, after digging a little deeper you may find out that many of your critical vendors use the same vendor for their critical functions. An impact to the operations of one of your fourth parties could affect many of your third parties!
In general, it’s a smart idea to understand who your fourth parties are. Do you know if your vendors are passing your confidential or sensitive information on to other vendors? Do you know if your vendor is truly providing the services you are paying for, or if they are outsourcing much of the work to other vendors? Add fourth-party concentration risk to the mix, and now you may want to think more seriously about identifying who your fourth parties are.
#3: Being in the same geographic location as your vendors
This type of concentration risk of course depends on your industry and the type of work you do, but in general you don’t want all of your vendors to be located in the same geography as your organization. What happens if a severe weather event has a detrimental impact on your geography? Not only are your organization’s operational functions impacted, but the functions that you may have outsourced to vendors in the same geography are impacted as well.
The key to identifying any type of concentration risk (whether it is specific to services being provided, fourth parties or geography) is documentation! You need to be able to easily identify who your vendors are, where they are located, what products/services they provide and whether they utilize any subcontractors/fourth parties. Implementing a vendor management system makes this a breeze, and it’s something we recommend not only as a best practice to our clients, but also as a core component of a successful Vendor Management Program.
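To show what that documentation buys you, here is an added example (not part of the original post, and not any vendor management product’s code) that runs the three concentration checks described above over a small vendor inventory; the vendor names, regions, services and subcontractors are constructed, and the thresholds are assumptions you would tune to your own risk appetite.

```python
from collections import defaultdict

# Constructed sample inventory (not real organizations). Each record holds the
# vendor, its region, its own subcontractors (your fourth parties), and the
# services it provides to you, flagged True when the service is critical.
INVENTORY = [
    {"vendor": "Vendor A", "region": "us-east", "fourth_parties": ["CloudHost X"],
     "services": {"payroll": True, "payments": True, "hr-portal": True}},
    {"vendor": "Vendor B", "region": "us-east", "fourth_parties": ["CloudHost X"],
     "services": {"backups": True}},
    {"vendor": "Vendor C", "region": "eu-west", "fourth_parties": ["CloudHost X", "Mailer Y"],
     "services": {"email": True, "newsletter": False}},
    {"vendor": "Vendor D", "region": "us-east", "fourth_parties": [],
     "services": {"office-supplies": False}},
]
HOME_REGION = "us-east"  # assumed: the region your own operations run in

def critical_vendors(inventory):
    """Vendors that provide at least one critical service."""
    return [v for v in inventory if any(v["services"].values())]

def single_vendor_overreliance(inventory, threshold=2):
    """Type #1: vendors delivering >= threshold critical services (assumed threshold)."""
    out = {}
    for v in inventory:
        n = sum(1 for crit in v["services"].values() if crit)
        if n >= threshold:
            out[v["vendor"]] = n
    return out

def fourth_party_concentration(inventory, threshold=2):
    """Type #2: fourth parties shared by >= threshold of your critical vendors."""
    shared = defaultdict(set)
    for v in critical_vendors(inventory):
        for fp in v["fourth_parties"]:
            shared[fp].add(v["vendor"])
    return {fp: sorted(vs) for fp, vs in shared.items() if len(vs) >= threshold}

def geographic_concentration(inventory, home_region):
    """Type #3: which critical vendors sit in your own region, and what share that is."""
    crit = critical_vendors(inventory)
    same = [v["vendor"] for v in crit if v["region"] == home_region]
    return {"same_region": same, "ratio": len(same) / len(crit) if crit else 0.0}

def concentration_report(inventory, home_region):
    """All three checks in one structure, ready to store beside the vendor records."""
    return {"over_reliance": single_vendor_overreliance(inventory),
            "fourth_party": fourth_party_concentration(inventory),
            "geographic": geographic_concentration(inventory, home_region)}
```

On the constructed inventory the report flags Vendor A (three critical services), CloudHost X (shared by all three critical vendors even though the third parties themselves look diverse), and two of the three critical vendors sitting in the home region.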
Once concentration risks have been identified, the primary way to manage concentration risk is to have contingency plans and business continuity plans in place for your critical vendors that present concentration risk, and to use a vendor management system to store and assess these plans.