Hello. This category/domain is especially prevalent in Financial Industry regulation. With respect to your Third Party vendors, the start of visibility to Concentration would be via Inherent Risk Assessment. I've seen organizations successfully assess this via dedicated categories and questions for concentration, as well as concentration themes embedded within the Business Continuity / Availability segment. It is important to ensure understanding of disruption impact, recovery time objectives and whether there is an alternate vendor in place.
Beyond inherent risk assessment, Due Diligence-validated controls that reduce inherent risk would be both the vendor's BC Plan and your own (the customer's) Disruption and/or Exit Strategy.
With respect to monitoring and reporting, I would suggest evidence that the vendor's BC Program is reviewed. As with all monitoring and re-assessment, the cadence will vary with Risk Levels. Finally, your annual reports may also show evidence that critical and high-risk vendors with a Concentration risk have tested disruption and exit strategies. I would be interested to hear what others are doing to monitor concentration risk.
Original Message:
Sent: 09-02-2022 02:34 PM
From: Anonymous Member
Subject: Vendor Concentration Risk
This message was posted by a user wishing to remain anonymous
Good afternoon,
Does anyone have mature vendor Concentration Risk procedures and reports they can share?
Thank you!