Concentration risk in supply chains, often overlooked, can have catastrophic consequences if not properly managed. As businesses become increasingly dependent on key suppliers, incidents such as the CrowdStrike breach have exposed vulnerabilities, prompting many companies to reevaluate their supplier strategies.
“The principle of concentration risk is really about dependency on one or two key suppliers,” says Asam Malik, Partner, Technology and Digital Consulting at Forvis Mazars. Historically, a business has viewed reliance on a small number of large vendors as beneficial, reducing complexity by minimising supplier handovers and assuming that large providers like Amazon or Microsoft inherently possess resilience. However, the reality is starkly different; even industry giants can have vulnerabilities that disrupt entire supply chains.
Malik emphasises the critical role accountants play in this process. “Accountants need to bring that risk lens to the third-party supplier ecosystem,” he asserts. With their expertise in risk assessment and financial analysis, accountants can help a business navigate the complexities of supplier relationships and mitigate concentration risks effectively.
Begin with a full IT assessment
To effectively manage these risks, Malik stresses that a business must conduct a comprehensive assessment of third-party suppliers across its IT portfolio. It’s no longer enough to simply check a supplier’s security credentials or policies.
Due diligence must also encompass the interdependence of suppliers: “Most organisations didn’t know CrowdStrike was dependent on another supplier. This [the breach] brought that to light,” Malik says. The effects of concentration risk are far-reaching, he emphasises: “If that concentration crystallises, you’re an organisation with no IT systems at very short notice.”
In today’s digital world, few organisations can function without their IT systems, and the cost of business interruption, even for a short period, can be devastating both financially and reputationally. “Gone are the days where there were manual workarounds. That’s just not an option any more,” Malik warns.
A multi-vendor approach, while more complex and potentially costly, is now viewed as a vital strategy for building resilience: “No matter how big that single vendor is, you cannot take that concentration risk.” Although this may increase short-term costs, the long-term benefits far outweigh the potential disruptions. Malik advises organisations to calculate the cost of not being able to operate for a day or two and use that figure to justify investing in a diversified supply chain.
The need for proactive risk management
Malik emphasises that a business must transition from a reactive to a proactive approach to concentration risk. “Assume it’s going to happen,” he advises, “and don’t be caught out by it.” This involves thorough due diligence on suppliers and developing robust business continuity plans: “Many organisations haven’t got a plan, and even fewer have tested it.” Testing these plans can significantly reduce exposure to risk.
Artificial intelligence (AI), while a useful tool, is not a panacea for concentration risk. “AI can certainly help make things more efficient, but it won’t give you that holistic view,” Malik explains. He cautions that AI systems, especially those trained on historical procurement decisions, may perpetuate the same oversights unless additional data is incorporated into their models.
Regulations such as the Digital Operational Resilience Act (DORA) in the financial sector emphasise the importance of supply chain resilience. Malik believes that broader compliance frameworks, such as those addressing data privacy and AI governance, will increasingly focus on concentration risk as a business becomes more digitalised.
Ultimately, he concludes that accountants are uniquely positioned to lead the way in addressing concentration risks. Their ability to assess risks holistically makes them invaluable in building resilient and secure supply chains for the future.