The financial industry has traditionally relied on an enormous supplier ecosystem to provide its services. In more recent years, however, the pace of technological change has given rise to an emerging threat that could impact the stability of the entire financial market in the blink of an eye.
Supply chain or third-party risk has been one of the top 10 risks for the last few years. However, given the increased dependency on a few critical players related to IT infrastructure, contagion and concentration risk is reaching a very critical level.
In the UK, the supervisory authorities are working closely with the industry to understand and identify key challenges that members are facing, considering cost, compliance, and operational implications. As a result of these consultations, it is expected that the FCA will publish in the second half of 2023 the potential measures to oversee and strengthen the resilience of the services provided by Critical Third-Party Suppliers (CTPs).
In the EU, the approach is similar. With the Digital Operational Resilience Act (DORA) now in force, financial institutions are required to strengthen their management of critical ICT third-party service provider risk to promote better digital resilience.
Managing concentration risk, especially related to critical suppliers, has become one of the headaches for Heads of Procurement / TPRM functions. In a market where the “power” has shifted to the supplier side, firms need to address this structural risk by adopting a dynamic and holistic approach.
Supplier risk is a critical component of overall business resilience and should not be considered as an isolated risk. Consequently, TPM risk indicators (including concentration) should be measured and monitored as part of the non-financial risk metrics and subsequently be aligned with the risk appetite statement.
How Do You Measure Concentration Risk?
There’s no silver bullet; however, there are common operational indicators that can be used to define the level of concentration in terms of suppliers & services, and the potential consequences for the firm. Each organisation should assess its own supplier ecosystem and determine:
- The vendor or supplier classification, considering the short or long-term view
- Operational dependencies on critical suppliers
- Risk exposure linked to Important business services
- Substitutability / Plan B / Second best
- Regulatory implications for the firm
How Do You Manage Concentration Risk?
Managing concentration risk will depend on the real-world situation for each organisation and the risk appetite/tolerance; however, there are some actions that Senior Management can implement to manage concentration risk better:
- Diversification in terms of companies and services (when possible)
- Perform enhanced Vendor due diligence: move away from the traditional procurement checklist. Understand your real risk exposure.
- Third-party Model: enhance your model and align it to the risk profile of your organisation.
- Build partnerships with suppliers and move away from purely transactional relationships. Critical suppliers should be trusted partners that assist in delivering your business strategy.
How TORI Can Help
At TORI Global we have developed a global Supplier Model & Third-Party Risk Management (TPRM) Framework that will allow your organisation not just to de-risk operations but also to increase operational efficiency and business resilience.
Our approach considers not only the regulatory requirements, but also best practice for managing your supply chain through the entire lifecycle from selection to delivery.
Advisory services: having the right operating model and practices to manage your supply chain is essential to reduce potential disruptions. TORI have extensive experience in:
- Supplier model & Third-Party Risk Management (TPRM) Health Checks
- Designing and implementing Target Operating Models: connecting Procurement with TPRM
- Benchmarking against regulatory requirements and industry best practice
Resource Augmentation: providing subject matter expertise that allows flexibility and scale without compromising quality is the approach we take to support managing your suppliers on these important tasks:
- Vendor Review: onsite / desktop
- Managed Service & Outsourcing
- Service Management & SLAs