What is Concentration Risk – And What Does My Regulator Have to Say About It?

Vendor risk management is an ongoing process, one that begins with due diligence before a contract is signed and continues with monitoring throughout the length of the relationship. This blog series on the Top 10 risks will help you more effectively address third-party vendor risk throughout every department in your financial institution.

#4 Concentration Risk

When most bankers and credit union executives think of concentration risk, they think of lending—but concentration risk has a different meaning when talking about third-party vendor management.

Regulators are looking at two main concerns:

  • Over-reliance on a single vendor. This is a classic case of putting all your eggs in one basket. If an institution relies heavily on a single provider for many products and services—especially critical ones—that institution might be unable to conduct business if something catastrophic happens to that vendor.
  • Geographic concentration. If both an institution and its third-party vendors and subcontractors are in the same region, it’s possible the same event could impact everyone’s operations since they all rely on the same power and telecommunications infrastructure.

Chances are you’re looking at this list and thinking you’ve already covered this territory with operational, credit and transaction risk—and you’d be right. In fact, the OCC includes concentrations under operational risk.

But the Federal Reserve takes a different position, expecting banks to specifically consider concentration risk when considering new vendors and managing existing ones. The good news for banks regulated by the Federal Reserve is that this shouldn’t require too much extra effort as long as risk management is working cohesively and information is shared freely. The bad news is it’s still some extra work.

So how do institutions manage concentration risk? There are two choices:

  • Diversify vendors; or
  • Have a solid backup plan in place.

That decision should be based on a bank’s strategic goals and risk tolerance. But no matter the choice, make sure you can demonstrate thorough due diligence and documentation.