In some situations, it can be preferable to utilize a generalist who can complete many different tasks. For example, imagine that you need to replace your car’s battery, brake pads, and tires. It would be much more convenient to take your car to a single auto mechanic rather than taking it to multiple specialty shops that only perform one function.
Now, imagine a similar situation with an organization’s vendors. For an organization that has a large vendor inventory, it might seem appealing to consolidate its vendors for more efficient operations. However, relying too heavily on a single vendor to perform several, or all, critical and/or high-risk functions can expose an organization to vendor concentration risk.
Note: Vendor concentration risk can also refer to geographical concentration, in which a significant number of vendors are in the same area. This could lead to additional business continuity or disaster recovery risk if that area is affected by a significant event like a natural disaster. This blog will focus on concentration risk as it relates to the quantity of vendors.
The Pros and Cons of Vendor Concentration Risk
PRO: Concentrating or limiting the vendor pool might lead to volume pricing discounts resulting from bundled services. Rather than pay five separate vendors for different services, a single vendor may offer an attractive discount if you bundle everything together.
CON: Bundled pricing may seem appealing at first, but this is often revealed to be a pricing strategy that benefits the vendor. The main product could be a loss leader so the vendor will upcharge the additional products or services to make up the difference. A savvy vendor manager or executive will be able to identify this strategy and understand what the true market pricing is on each product or service.
Example: A potential new vendor offers a 10% discount when you bundle three products together, but you discover that two products are priced much higher than the standard market rate. The alternative would be to purchase those products from three separate vendors at a more affordable price.
PRO: Some vendors may have genuine talent in their specialized areas, which would be beneficial for your organization that needs to fill in certain knowledge gaps.
CON: Beware of vendors that are always claiming to be experts on the latest trends and technologies. There’s a risk that the vendor lacks the necessary experience and simply wants to portray themselves as a leader in their field. It’s easier to spot the amateurs if you understand the following:
- The specific purpose for each product or service
- Realistic and industry-standard performance metrics
- Real-life users of the product or service
Example: One of your vendors provides two specialized products for your organization, and they just announced a brand-new offering that uses a different technology. This vendor doesn’t have much experience with this technology, so it would be wise to consider seeking out a different vendor who is a leader in this field.
PRO: A concentrated vendor pool often means you can track performance more easily.
CON: Efficiency within your organization is important, but also consider the efficiency of your vendor if its capabilities are spread too thin. The turnaround time and quality of the product or service should be given considerable weight when selecting a vendor.
Example: Vendor A is $2 cheaper than Vendor B, but Vendor B has a faster delivery time. If you were only concerned with cost and easier performance tracking, you would be overlooking a vendor who can provide a more efficient service. The saying “time is money” might be cliché, but it’s a good rule to work with in most business operations.
Level of Oversight
PRO: Fewer vendors mean less oversight, which translates into savings for both time and costs. Bundling products and/or services with a single vendor would logically reduce your risk assessment and due diligence workload. You may even find cost savings in site visit and full-time employee (FTE) requirements.
CON: In the past, the OCC has cautioned that vendor consolidation may place an increased burden on the vendor to perform. They specifically highlight an increase in vendor operational risk, which continues to challenge organizations for the following reasons:
- Disruption from increasing cyber threats and potential exposure to natural disasters
- Reliance on concentrations in significant third-party vendors
- The need for sound governance over product service and delivery
- Inability to retain talent
- Failure to periodically test business continuity and disaster recovery plans
Example: Your organization is vetting a new vendor that would provide 70% of your critical services. The risk assessment and due diligence processes are easier to manage with this single vendor, as opposed to diversifying the services to multiple providers. Contracting with the single vendor may require less oversight, but a single cyberattack on this vendor may be catastrophic for your organization, as most of your critical services would be impacted.
Critical Vendors and Concentration Risk
If you bundle multiple products or services into a single vendor and fail to have a reliable backup vendor in place, you may have inadvertently elevated a high-risk vendor into the critical rating. Remember that critical and high risk do NOT mean the same thing. A critical vendor would cause significant business operation challenges in the event of an outage, so it’s especially important that you have an alternate vendor.
A sound vendor management strategy should be balanced and make good business sense for your organization’s needs. While there is focus on the increasing costs of vendor services, lower costs won’t drive value if the vendor fails in terms of quality and service. Communicate with the first line of business to better understand how third parties are used within your organization. This will offer more insight than simply looking to bundle and reduce your vendor inventory.
While your organization’s executive leadership or board of directors is rightly concerned with cost containment, few are willing to sacrifice excellent customer service. A short-sighted vendor management strategy, including vendor procurement, can make it more challenging to reach your overall goals. For this reason, it’s critical that the board and senior management clearly communicate business goals and objectives so you can approach your third-party risk management activities in a more unified way.