Risk Assessments

  • 1.  Concentration Risk

    This message was posted by a user wishing to remain anonymous
    Posted 08-18-2022 07:02 PM

    How are you quantifying concentration risk? I know CR has many facets but we're focusing now on CR within our company -- multiple services from a single vendor. In such a situation, how are you categorizing whether a vendor represents a low, moderate or high concentration risk?



  • 2.  RE: Concentration Risk

    Posted 08-23-2022 11:53 AM

    Measuring concentration risk can get complex. But there are ways to keep it fairly simple. Here are some practical ways to identify concentration risk:

    1. Any vendor providing more than one critical product or service
    2. Any vendor providing two or more high-risk products or services
    3. Any critical or high-risk vendor providing multiple products or services that is a single point of failure (no redundancy or ability to replace in a reasonable amount of time should the vendor fail)

    Any of these situations should represent a high concentration risk.

    I hope that is helpful, but I would love to hear other members' thoughts.




  • 3.  RE: Concentration Risk

    Posted 08-23-2022 07:12 PM
    Concentration risk... If you're at a Bank, you're likely not able to effectively manage or mitigate Concentration Risk within... 
    That is, most of us use a third party for Core (Fiserv, FIS, Finastra, Jack Henry, etc.) 
    And your Core provider is likely where All your greatest Concentration Risk resides. 
    I don't think we can ignore it. But that's why we have elevated due diligence and tighter contract requirements with respect to operational and strategically critical systems. It's not like you have another Core provider on "ready standby," as a conversion of Core takes many, many months (sometimes years to convert). 

    However, there are some benefits that come with Concentration of Products and Services with a single provider. You may have financial benefits with an economy of scale. Data Management becomes easier (somewhat) as you're living in the "same" system (sometimes). And if you're with a Large Core provider, there's parity of service with your competitors. 

    I'd spend time and effort understanding what it would take to Exit a relationship. And as part of describing the Concentration Risk, describe the level of effort to move the services to a new provider or a set of multiple providers. Then... What is the likelihood of a very bad day event impacting All the services the vendor provides? If you aren't using a vendor that meets your due diligence measures, then you need to start working a plan to diversify. I think it's more important to have an Exit Strategy defined first. Then, as part of the On-Going monitoring of the risk and due diligence, if there become concerns with the vendor's "condition," you can start to execute the Exit Strategy. 

    Your Risk assessment and Due Diligence processes should include an Exit Strategy... that timeline should also be used to trigger Contract Assessments. That is, if the Exit Strategy has a timeline of 9 months... then you should be looking at the contract and determining if you're going to renew, renegotiate or terminate. And you need to start that review with enough time to Exit. (If you can't walk away, you can't negotiate.) 

    I hope that helps. 


    ------------------------------
    Bradley Martin
    ------------------------------



  • 4.  RE: Concentration Risk

    Posted 09-08-2022 09:25 AM
    I would additionally look at concentration risk in terms of relationships between vendors. Who are your vendors' vendors (downstream, third party, nth party...)? AWS is the prime example: likely one of your direct vendors, but also a vendor to most of your vendor panel. An issue at AWS will therefore have cascading impact to your organization.

    The other place to look at concentration risk is geographically. Where are your vendors located? If there was a power outage, for example in Texas, which of your critical vendors might be impacted? As part of this risk analysis I also track physical server locations, primary and back-up.

    Shelly

    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------
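
As an added illustration (not code from any poster in this thread, nor from any vendor-management product), the Python script below applies the three criteria from reply 2 and the nth-party and geographic views from reply 4 to a constructed vendor panel. Vendor names, services, tiers, regions and sub-vendor links are made up; the "moderate" and "low" fallback ratings are an assumption, since reply 2 only defines what counts as "high".

```python
"""Concentration-risk triage for a vendor panel (constructed example).

Implements: (1) the three 'high concentration risk' criteria from reply 2,
(2) the nth-party cascading-impact view from reply 4 as a reverse
dependency walk, and (3) the geographic view from reply 4 as a grouping
of high/critical services by region. All data below is made up.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    tier: str                # "critical", "high", "moderate" or "low"
    redundant: bool = True   # False = no fallback / cannot be replaced quickly


@dataclass
class Vendor:
    name: str
    services: list[Service] = field(default_factory=list)
    depends_on: list[str] = field(default_factory=list)  # the vendor's own vendors
    locations: list[str] = field(default_factory=list)   # regions hosting primary/backup


def concentration_rating(v: Vendor) -> str:
    """Rate one vendor using the three criteria from reply 2.

    'high-risk' is read here as tier in {critical, high} (an assumption).
    The moderate/low fallbacks are also assumptions; the post only defines 'high'.
    """
    criticals = [s for s in v.services if s.tier == "critical"]
    high_risk = [s for s in v.services if s.tier in ("critical", "high")]
    multi = len(v.services) > 1
    # Criterion 1: more than one critical product or service.
    if len(criticals) > 1:
        return "high"
    # Criterion 2: two or more high-risk products or services.
    if len(high_risk) >= 2:
        return "high"
    # Criterion 3: critical/high-risk vendor, multiple services, single point of failure.
    if high_risk and multi and any(not s.redundant for s in v.services):
        return "high"
    if high_risk and multi:
        return "moderate"
    return "low"


def blast_radius(panel: dict[str, Vendor], failed: str) -> dict[str, list[str]]:
    """Direct vendors (those delivering services to us) whose supply chain reaches
    `failed`, found by walking the reverse dependency graph breadth-first."""
    dependents: dict[str, set[str]] = defaultdict(set)
    for v in panel.values():
        for upstream in v.depends_on:
            dependents[upstream].add(v.name)
    seen, queue = {failed}, deque([failed])
    while queue:
        current = queue.popleft()
        for downstream in dependents[current]:
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    # Report only vendors that actually provide us a service (not pure nth parties).
    return {n: [s.name for s in panel[n].services]
            for n in sorted(seen) if n != failed and panel[n].services}


def regional_exposure(panel: dict[str, Vendor]) -> dict[str, list[str]]:
    """High/critical services per region: what a regional outage would touch."""
    exposure: dict[str, set[str]] = defaultdict(set)
    for v in panel.values():
        for region in v.locations:
            for s in v.services:
                if s.tier in ("critical", "high"):
                    exposure[region].add(f"{v.name}:{s.name}")
    return {region: sorted(items) for region, items in exposure.items()}


# Constructed panel: CloudCo and PrintNet are nth parties (no direct services).
PANEL: dict[str, Vendor] = {v.name: v for v in [
    Vendor("CoreCo", [Service("core_banking", "critical", redundant=False),
                      Service("online_banking", "critical"),
                      Service("card_processing", "high")],
           depends_on=["CloudCo"], locations=["TX", "GA"]),
    Vendor("PayCo", [Service("wire_transfer", "high"), Service("ach", "high")],
           depends_on=["CloudCo"], locations=["TX"]),
    Vendor("HRCo", [Service("payroll", "high"), Service("benefits_portal", "moderate")],
           locations=["NC"]),
    Vendor("StatementCo", [Service("statement_printing", "moderate")],
           depends_on=["PrintNet"], locations=["OH"]),
    Vendor("PrintNet", depends_on=["CloudCo"]),
    Vendor("CloudCo"),
]}


def report(panel: dict[str, Vendor], failed_nth_party: str) -> dict:
    """Assemble the three views into one dictionary for review."""
    return {
        "ratings": {n: concentration_rating(v) for n, v in panel.items() if v.services},
        "blast_radius": blast_radius(panel, failed_nth_party),
        "regions": regional_exposure(panel),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(PANEL, "CloudCo"), indent=2))
```

Running the script lists CoreCo and PayCo as high (criteria 1 and 2 respectively), shows that a CloudCo failure reaches StatementCo through PrintNet even though StatementCo never names CloudCo directly, and shows Texas hosting five high or critical services across two vendors.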