Concentration risk... If you're at a Bank. You're likely not able to effectively manage or mitigate Concentration Risk within...
That is, most of us use a third party for Core (Fiserv, FIS, Finastra, Jack Henry, etc.)
And your Core provider is likely were All your greatest Concentration Risk resides.
I don't think we can ignore it. But that's why we have elevated due diligence and tighter contract requirements with respect operational and strategically critical systems. It's not like you have have another Core provider on "ready standby" as a conversion of Core takes many many months (sometimes years to convert).
However, there are some benefits that come with Concentration of Products and Services with a single provider. You may have financial benefits with an economy of scale. Data Management becomes easier (some what) as you're living in the "same" system (sometimes). And if you're with a Large Core provider, there's parity of service with your competitors.
I'd spend time and effort understanding what it would take to Exit a relationship. And as part of describing the Concentration Risk; describe the level of effort to move the services to a new provider or a set of multiple providers. Then... What is the likelihood of a very bad day event impacting All the services the vendor provides. If you aren't using a vendor that meets your due diligence measures, then you need to start working a plan to diversify. I think it's more important to have an Exit Strategy defined first. Then, as part of the On-Going monitoring of the risk and due diligence, if there become concerns with the vendors "condition" you can start to execute the Exit Strategy.
Your Risk assessment and Due Diligence processes should include an Exit Strategy... that timeline should also be used to trigger Contract Assessments. That is, if the Exit Strategy has a timeline of 9 months... The you should be looking at the contract and determining if you're going to renew, renegotiate or terminate. And you need to start that review with enough time to Exit. (if you can't walk away, you can't negotiate)
I hope that helps.
------------------------------
Bradley Martin
------------------------------
Original Message:
Sent: 08-18-2022 04:36 PM
From: Anonymous Member
Subject: Concentration Risk
This message was posted by a user wishing to remain anonymous
How are you quantifying concentration risk? I know CR has many facets but we're focusing now on CR within our company -- multiple services from a single vendor. In such a situation, how are you categorizing whether a vendor represents a low, moderate or high concentration risk?