From supply chains to software: Why you could be unknowingly putting all your eggs in one basket

According to the Financial Conduct Authority (FCA), the definition of concentration risk is “the risks arising from the strength or extent of a firm’s relationships with, or direct exposure to, a single client or group of connected clients.”

In plain English – it’s putting all your eggs in one basket.

Concentration risk and technology

A useful analogy for understanding this concept is an investment portfolio. One of the fundamentals of good investing is diversification. The investor distributes their funds across a range of assets, spreading their risk. If one investment decreases in value, the portfolio suffers less than if they had put all their funds into a single investment.

Now replace the investor with an organisation and the investments with vendors or suppliers of critical technology or services. Infrastructure providers, software companies and cloud-computing providers are all examples of these technologies and services.

Concentration risk when applied to technology then, is an over-reliance on certain critical vendors or suppliers.

Why is this a problem?

Lack of diversification in critical vendors and/or suppliers leaves organisations vulnerable in several ways.

First, a supplier or vendor will, at some point, suffer a disruption to its service. This could be a security breach, supply chain shortage, or another form of disruption. This can lead to the supplier or vendor being unable to deliver their service or technology.

As a result, the organisation that relies on that supplier or vendor for delivering critical business functions also suffers. The consequences of this can be catastrophic, with potential lost revenue and damage to reputation.

Second, concentration risk isn’t just an issue for individual organisations, its consequences can affect entire markets. Software is a good example. It’s not uncommon for some businesses to use a single software provider as standard across a market sector.

Take Content Delivery Networks (CDN) for example. Cloudflare controls around 80% of the market. In June 2022 Cloudflare experienced an outage in 19 of its data centres, an incident that Downdetector (which ironically, was also affected), said briefly “took out the internet”.

The outage affected websites including Google, Amazon, Facebook, Reddit, Spotify, Twitter, YouTube and countless others. 

Microsoft Windows maintains a similar dominance in the operating system market. As a result, problems can be incredibly far-reaching. A well-known example of this was the “WannaCry” incident of 2017.

The ransomware attack affected more than 200,000 computers in 150 countries. This was done by exploiting a vulnerability in Microsoft Windows operating systems. The attack was able to spread quickly because so many organisations were using the same vulnerable software.

Finally, your supply chain also suffers from concentration risk. You may think you have diversity in your supply chain because you have multiple companies to buy servers and hardware from.

But, if all your suppliers are in turn dependent on a single distributor or vendor, risk is concentrated further up the chain. 

Disruptions within the supply chain are also not just possible, but likely. Analysis from the World Economic Forum found only 12% of leading global companies were sufficiently protected against future disruptions in supply chains. While 88% urgently required additional measures to build resilience.

Global semiconductor shortage

A recent example of concentration risk in the supply chain that has caused mass disruption across multiple industries is the current global shortage in semiconductors.

The Taiwan Semiconductor Manufacturing Company (TSMC), produces around 90% of the most advanced chips found in smartphones, high-end processors and cars. The company began suffering a shortage in production during the Covid-19 pandemic and has created a backlog ever since.

Analysis by Goldman Sachs revealed around 169 industries were affected by the shortage. These include computing, telecoms, household appliances, banking, healthcare, manufacturing and even aerospace. The shortage has slowed production in all impacted industries.

This is a supply chain concentration risk acted out on a global scale. TSMC is currently building new factories in the US to keep up with demand, but this all takes time and the need for chips continues to increase.

Why is this happening?

We live in a globalised world, and within technology, increasingly fewer organisations control larger sections of some markets. Take public cloud providers for example; Amazon Web Services (AWS), Microsoft Azure and Google Cloud collectively, dominate the market.

Concentration risk is exacerbated here because many major SaaS products are hosted through these third-party providers.

When organisations use a range of software services like this it can give the illusion of diversity in their supply chain. The reality is, however, that if all software is hosted through the same platform, it still leaves you vulnerable to concentration risk.

What’s the solution?

The first step is understanding what you’re exposed to and where your vulnerabilities lie.

It’s not enough just to audit your direct suppliers, your entire supply chain needs auditing regularly. That means the companies that supply your suppliers.

The goal here is to lower your overall risk. Organisations need to determine what is an acceptable amount of risk to their business.

Risk assessment, exercising and testing

Regular audits of your critical supply chain are one of the best ways you can understand your risk. An audit will usually contain risk assessment questionnaires to see how your suppliers operate.

The data you extract from the audits will tell you what and where you should focus your efforts. Your audit might reveal a vulnerability with one supplier and by changing suppliers you could help minimise the risk.

However, there’s only so much you can do to protect your business. You can address your individual business risk, but market-wide risk must be addressed by regulators.

Collaborate, don’t outsource

The reality is, most businesses will always be reliant on vendors and suppliers to a certain extent, to remain competitive. However, it’s no longer enough to outsource without being an active partner.

Ultimately, organisations need to work in partnership with their suppliers to ensure both businesses are resilient and can succeed in a crisis.

James Watts is managing director at Databarracks