If you’re concentrating third parties, are you accumulating risk?

Authors
Tynan Beresford-Wylie

Senior Manager, Consulting, Ernst & Young LLP

Passionate about exploring new ideas and encouraging creativity to help others achieve their goals. British expat living in New York and a keen sports fan.

Shriparna Ghosh

Senior Manager, Consulting

Highly experienced Cyber professional. Passionate about building a better working world for everyone around her. Travel enthusiast.

4 minute read 26 Oct 2020
Related topics Consulting Risk Cybersecurity

Explore how and why organizations should assess concentration risk in their third-party risk management programs.

Third-party concentration risks have typically been associated with a high volume of spend with one third party, or using one for many services. Concentration risks may occur when an organization relies too heavily on one supplier to perform several, critical and/or high-risk activities for their operations, or if suppliers are concentrated in geographic locations. Concentration risk can also be defined as the probability of loss arising from a lack of diversification.

If overlooked, serious concentration risk can result in unplanned service outages, disruption of service to customers, brand and reputational damage, reduced negotiating strength and poorly planned transitions to new service providers, and higher costs.

As third-party risk management (TPRM) functions have become more integrated with supply chain and enterprise-wide risk functions, there is an increasing focus on the interconnections across how critical services are delivered, the reliance on third parties (and their fourth parties) for these services, and the overall resilience impact. For example, a pharmaceutical company has a greater concentration risk in the supply chain if there is only one specialist third party that can supply a particular raw material for a leading drug.

Organizations are therefore building concentration risks into their TPRM programs and need to consider how to measure and report these risks, what risk appetites or tolerances they have and the governance procedures to satisfy senior management and regulators.

However, setting thresholds that are too rigid can stifle innovation, so organizations must make decisions on a case-by-case basis. To help mitigate risks and satisfy regulators, organizations should focus on scenario planning, contingency planning and ensuring the right controls and oversight are in place for any concentration risks that are accepted.

Types of concentration risks and industry ability to report

Generally speaking, EY typically sees six types of concentration risks that organizations focus on. The degree to which organizations can measure and report on these risk types widely varies due to the availability and effort involved in collecting the right data.

*Data from the EY TPRM Survey

Thresholds and decision-making process

When considering concentration risk thresholds, they should be fully aligned to the risk appetite of the organization. They should also factor in the ever-evolving landscape of service offerings provided by third parties; being too restrictive or setting fixed limits can prevent organizations from taking advantage of innovations in the marketplace. TPRM programs need to build triggers into the process to generate the right reports. These can then be used to better inform service owners of any over-reliance on a third party and in turn allow any appropriate exceptions to be made.

Concentration risk and resiliency

As a result of COVID-19, operational resilience teams are now focusing on scenario planning and testing, and the resulting concentration risks will play a key part. Difficulties arise due to the sheer number of scenarios based on plausibility, and the extent to which these can be sufficiently tested. It is key to review the alignment between existing resiliency requirements and procedures supporting critical service providers to understand whether they can meet or exceed the organization’s existing resiliency and disaster recovery requirements. To instill confidence, the focus should be on developing contingency or exit plans for third parties that include accurate transition timelines and the effort involved in enacting them.

Effective control to mitigate concentration risk

Ultimately, increased concertation risks, beyond set thresholds, may be a necessary price of doing business and keeping up with market innovations. Organizations will therefore need to factor in the additional costs of being resilient and will need to demonstrate to enterprise risk functions and regulators that these risks are controlled and overseen appropriately.

Leading practice includes creating playbooks on what is required for each type of concentration risk, including:

  • The types of assurance(s)
  • Assessing the benefit, cost and risk implications of implementing multiyear outsourcing strategies (e.g., cloud strategies)
  • Risk management and/or monitoring activities

Concentration risk and TPRM programs

TPRM leaders will need to build an effective process to identify, report and mitigate concentration risks that is fully integrated into the inherent and residual risk processes, the wider supply chain and resilience programs.

Organizations should now have concentration risk identification, management and reporting processes that are appropriate for the character, size and complexity of their business. This will enable business units and procurement teams to make the right strategic decisions that balance innovation, resilience and risk when using third parties.

To learn more about our EY TPRM Survey.

Summary

Over-reliance or high spend on a small number of suppliers and supplier locations can be a threat to resiliency, continuity and reputation. Organizations now need to factor concentration risk into their third-party risk management programs.

About this article

Authors
Tynan Beresford-Wylie

Senior Manager, Consulting, Ernst & Young LLP

Passionate about exploring new ideas and encouraging creativity to help others achieve their goals. British expat living in New York and a keen sports fan.

Shriparna Ghosh

Senior Manager, Consulting

Highly experienced Cyber professional. Passionate about building a better working world for everyone around her. Travel enthusiast.

Related topics Consulting Risk Cybersecurity