What is concentration risk in technology?

According to the Financial Conduct Authority (FCA), the definition of concentration risk is “the risks arising from the strength or extent of a company’s relationships with, or direct exposure to, a single customer or group of connected customers.”

In plain English: it’s putting all your eggs in one basket.

Concentration risk and technology

A useful analogy for understanding this concept is an investment portfolio. One of the foundations of good investing is diversification. Investors divide their money among a range of assets, thus spreading the risk. If one investment falls in value, the portfolio suffers less than if they had put all their money into that investment.

Now replace the investor with an organization and the investments with vendors or suppliers of critical technology or services. Infrastructure providers, software companies, and cloud computing providers are all examples of these technologies and services.

Applied to technology, concentration risk is over-reliance on certain critical vendors or suppliers.

Why is this a problem?

Lack of diversification in critical vendors and/or suppliers leaves organizations vulnerable in several ways.

First, a vendor or supplier will at some point be confronted with a service disruption. This could be a security breach, supply chain shortfall, or some other form of disruption. This may result in the vendor or supplier not being able to provide its service or technology.

As a result, the organization that depends on that vendor or supplier for the provision of critical business functions also suffers. The consequences of this can be catastrophic, with potential lost revenue and reputational damage.

Second, concentration risk is not only a problem for individual organizations; the consequences can affect entire markets. Software is a good example. It is not uncommon for some companies to default to a single software vendor for a market sector.

Take Content Delivery Networks (CDN), for example. Cloudflare controls about 80% of the market. In June 2022, Cloudflare experienced an outage in 19 of its data centers, an incident that Downdetector (which ironically was also affected) said succinctly “turned off the internet”.

The outage affected websites such as Google, Amazon, Facebook, Reddit, Spotify, Twitter, YouTube and countless others.

Microsoft Windows maintains similar dominance in the operating system market. As a result, problems can be very serious. A well-known example of this was the 2017 “WannaCry” incident.

The ransomware attack affected more than 200,000 computers in 150 countries. This was done by exploiting a vulnerability in Microsoft Windows operating systems. The attack was able to spread quickly because so many organizations used the same vulnerable software.

Finally, your supply chain also suffers from concentration risk. You may think you have diversity in your supply chain because you have multiple companies to buy servers and hardware from.

But if all your suppliers in turn depend on one distributor or supplier, the risk is concentrated further down the chain.

Supply chain disruptions are not only possible, but likely. Analysis by the World Economic Forum found that only 12% of leading global companies were adequately protected against future supply chain disruptions, while 88% urgently needed additional measures to build resilience.

Global semiconductor shortage

A recent example of supply chain concentration risk that has caused massive disruption across multiple industries is the current global shortage of semiconductors.

The Taiwan Semiconductor Manufacturing Company (TSMC) produces about 90% of the most advanced chips in smartphones, high-end processors and cars. The company ran into a production shortfall during the Covid-19 pandemic and has built up a backlog ever since.

Analysis by Goldman Sachs revealed that about 169 industries were affected by the shortfall. These include computers, telecoms, home appliances, banking, healthcare, manufacturing, and even aerospace. The shortage has slowed production in all affected sectors.

This is a risk of concentration in the supply chain that is happening on a global scale. TSMC is currently building new factories in the US to meet demand, but this all takes time and the need for chips continues to grow.

Why is this happening?

We live in a globalized world, and within technology fewer and fewer organizations control larger parts of some markets. Take public cloud providers, for example: Amazon Web Services (AWS), Microsoft Azure and Google Cloud collectively dominate the market.

Concentration risk is magnified here because many large SaaS products are hosted through these third-party providers.

When organizations use a range of such software services, it can create the illusion of diversity in their supply chain. However, the reality is that if all software is hosted on the same platform, you are still vulnerable to concentration risk.

What is the solution?

The first step is understanding what you are exposed to and where your vulnerabilities lie.

It is not enough to check only your direct suppliers; your whole supply chain, including the companies that supply your suppliers, needs to be checked regularly.
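The check described above, looking past direct suppliers to the companies behind them, can be sketched as a dependency-graph analysis. This is an added example, not part of the original article: every supplier, platform and function name is hypothetical, and it assumes a business function survives as long as one alternative supplier's whole chain stays up.

```python
from collections import defaultdict

# Constructed sample data; every supplier, platform and function name is hypothetical.
# DEPENDS_ON maps a supplier to the suppliers it relies on in turn.
DEPENDS_ON = {
    "email-saas": ["cloud-a"],
    "chat-saas": ["cloud-a"],
    "payroll-saas": ["cloud-a"],
    "reseller-1": ["distributor-z"],
    "reseller-2": ["distributor-z"],
    "backup-saas-1": ["cloud-a"],
    "backup-saas-2": ["cloud-b"],
}
# FUNCTIONS maps a critical business function to its alternative direct suppliers.
FUNCTIONS = {
    "customer-comms": ["email-saas", "chat-saas"],
    "payroll": ["payroll-saas"],
    "hardware-supply": ["reseller-1", "reseller-2"],
    "backups": ["backup-saas-1", "backup-saas-2"],
}

def closure(supplier, depends_on):
    """Return the supplier plus everything it depends on, directly or transitively."""
    seen, stack = set(), [supplier]
    while stack:
        node = stack.pop()
        if node not in seen:  # the seen-set also keeps cyclic data from looping
            seen.add(node)
            stack.extend(depends_on.get(node, []))
    return seen

def single_points_of_failure(functions, depends_on):
    """Map each function to the parties whose outage removes every alternative."""
    result = {}
    for function, alternatives in functions.items():
        chains = [closure(s, depends_on) for s in alternatives]
        result[function] = set.intersection(*chains) if chains else set()
    return result

def blast_radius(functions, depends_on):
    """Invert the result: for each party, the functions lost if it goes down."""
    radius = defaultdict(set)
    for function, parties in single_points_of_failure(functions, depends_on).items():
        for party in parties:
            radius[party].add(function)
    return dict(radius)

if __name__ == "__main__":
    for party, lost in sorted(blast_radius(FUNCTIONS, DEPENDS_ON).items()):
        print(f"{party}: an outage stops {sorted(lost)}")
```

In the sample data, two communication tools and two hardware resellers look like diversity but each pair shares one upstream party, while the two backup services do not.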

The goal here is to lower your overall risk. Organizations must determine what is an acceptable risk for their business.

Risk assessment, practice and testing

Regular audits of your critical supply chain are one of the best ways to understand your risks. An audit usually includes risk assessment questionnaires to see how your suppliers operate.

The data you get from the audits will tell you where to focus your efforts. Your audit may reveal a vulnerability in one supplier, and by switching suppliers you can help minimize the risk.

However, there is only so much you can do to protect your business. You can address your individual business risk, but market-wide risks must be addressed by regulators.

Collaborate, not outsource

The reality is that most businesses will always depend to some degree on vendors and suppliers to remain competitive. However, it is no longer enough to outsource without being an active partner.

Ultimately, organizations need to work with their suppliers to ensure that both companies are resilient and able to succeed in a crisis.

James Watts is a general manager at Databarracks