Explore how and why organizations should assess concentration risk in their third-party risk management programs.
Third-party concentration risks have typically been associated with a high volume of spend with one third party, or with using one third party for many services. Concentration risk may also arise when an organization relies too heavily on one supplier to perform several critical and/or high-risk activities for its operations, or when its suppliers are clustered in a single geographic location. More generally, concentration risk can be defined as the probability of loss arising from a lack of diversification.
If overlooked, serious concentration risk can result in unplanned service outages, disruption of service to customers, brand and reputational damage, reduced negotiating strength, poorly planned transitions to new service providers, and higher costs.
As third-party risk management (TPRM) functions have become more integrated with supply chain and enterprise-wide risk functions, there is an increasing focus on the interconnections across how critical services are delivered, the reliance on third parties (and their fourth parties) for these services, and the overall resilience impact. For example, a pharmaceutical company has a greater concentration risk in the supply chain if there is only one specialist third party that can supply a particular raw material for a leading drug.
Organizations are therefore building concentration risks into their TPRM programs and need to consider how to measure and report these risks, what risk appetites or tolerances they have and the governance procedures to satisfy senior management and regulators.
However, setting thresholds that are too rigid can stifle innovation, so organizations must make decisions on a case-by-case basis. To help mitigate risks and satisfy regulators, organizations should focus on scenario planning, contingency planning and ensuring the right controls and oversight are in place for any concentration risks that are accepted.
Types of concentration risks and industry ability to report
Generally speaking, EY sees six types of concentration risk that organizations focus on. The degree to which organizations can measure and report on these risk types varies widely, depending on the availability of the right data and the effort involved in collecting it.