Key Takeaways: Concentration Risk Management
- Concentration risk management requires a multi-dimensional view covering vendor, geographic, sector, technology platform, and revenue source dependencies simultaneously.
- The July 2024 CrowdStrike outage cost Fortune 500 companies $5.4 billion and demonstrated how a single vendor failure can cascade across entire industries within hours.
- Use the Herfindahl-Hirschman Index (HHI) as your primary quantitative tool to measure concentration levels across vendor spend, geographic exposure, and sector allocation.
- Regulatory pressure is accelerating: the EU Digital Operational Resilience Act (DORA) now mandates ICT concentration risk assessments, and Basel Committee guidance on third-party risk sets a global baseline.
- Set concentration risk KRIs with explicit red/amber/green thresholds tied to your risk appetite statement, and report them to the board quarterly alongside stress-test results.
- Build exit strategies and alternative-vendor playbooks before you need them; organizations that pre-plan vendor transitions recover 60% faster from concentration-triggered disruptions.
- Integrate concentration risk into your existing ERM framework using ISO 31000 risk treatment principles rather than treating it as a standalone compliance exercise.
When CrowdStrike pushed a faulty Falcon sensor update at 04:09 UTC on July 19, 2024, roughly 8.5 million Windows systems crashed simultaneously.
Delta Air Lines, with 60% of its mission-critical systems dependent on a single vendor, lost $380 million in revenue and incurred $170 million in additional expenses in the span of five days.
The total bill for Fortune 500 companies alone reached $5.4 billion, according to Parametrix estimates reported by Fortune. Only 10-20% of those losses were insured.
That single event is the clearest case study in modern concentration risk management failure. It exposed what risk practitioners have warned about for years: when organizations allow critical dependencies to cluster around a handful of vendors, geographies, or sectors, they create fragility that no amount of insurance can fully cover.
Concentration risk management is the disciplined process of identifying, measuring, monitoring, and mitigating these dangerous dependencies before they crystallize into loss events.
This guide provides a practitioner-level framework for managing concentration risk across its three primary dimensions: vendor, geographic, and sector concentration. You will find quantitative measurement tools like the Herfindahl-Hirschman Index (HHI), regulatory mapping from DORA to Basel Committee third-party risk principles, board-ready KRI frameworks, stress-testing methodologies, and real-world case studies.
Whether you are a CRO presenting to the board, an operational risk manager building a risk register, or a third-party risk analyst evaluating vendor portfolios, this article gives you the tools to act.
What Is Concentration Risk? Definitions and Dimensions
Concentration risk arises when an organization’s exposure to a single counterparty, geographic region, industry sector, or technology platform is large enough that its failure or disruption would materially impair the organization’s ability to meet its objectives.
The BIS Joint Forum Risk Concentrations Principles define it as “any single exposure or group of exposures with the potential to produce losses large enough to threaten a financial institution’s health or ability to maintain its core operations.” While that definition originates in banking, the principle applies to every sector.
Under ISO 31000:2018 risk management principles, concentration risk is the effect of uncertainty on objectives that arises specifically from insufficient diversification of risk sources.
The COSO ERM framework frames it as a portfolio-level risk that must be assessed in aggregate, not just at the individual risk level. Both frameworks emphasize that concentration risk management must be integrated into the broader enterprise risk management framework rather than siloed in procurement or IT.
| Dimension | Definition | Example |
|---|---|---|
| Vendor / Supplier | Over-reliance on a single or small number of vendors for critical goods, services, or technology | 60% of IT infrastructure on one cloud provider; single-source raw material supplier |
| Geographic | Critical operations, suppliers, or markets clustered in the same region, country, or jurisdiction | All manufacturing in one province; 70%+ of semiconductor supply from Taiwan |
| Sector / Industry | Revenue, investment, or counterparty exposure concentrated in a single industry vertical | Pension fund with 40% allocation to commercial real estate; bank loan book 65% in energy |
| Technology Platform | Dependency on a single operating system, database, or SaaS platform for mission-critical processes | CrowdStrike Falcon on all endpoints; single ERP for global operations |
| Revenue Source | Disproportionate share of revenue from a single client, product, or channel | One customer accounts for 35% of annual revenue; single product drives 70% of profit |
| Regulatory Jurisdiction | Operations governed primarily by one regulatory regime, creating cliff-edge risk from policy changes | All data processing in EU subject to GDPR; all banking licenses in one country |
Effective concentration risk management demands that you map all six dimensions simultaneously.
A vendor that also represents geographic and technology-platform concentration is a triple-counted dependency that warrants immediate attention. This multi-dimensional mapping is what distinguishes mature risk identification from check-the-box compliance.
The Financial Cost of Concentration Risk Failures
Figure 1: Major concentration risk events have cost organizations billions. The CrowdStrike outage (2024) and NotPetya cyberattack (2017) illustrate how vendor and technology concentration risk can cascade into systemic financial losses.
Why Concentration Risk Management Matters in 2025-2026
Three converging forces make concentration risk management more urgent today than at any point in the past decade. First, digital consolidation has dramatically increased vendor concentration in cloud services.
The vendor risk management market reached $13.47 billion in 2025 precisely because organizations recognize that financial institutions, healthcare providers, and government agencies now share the same handful of cloud providers. When many organizations rely on the same infrastructure, a single outage or cyber event can ripple across entire sectors.
Second, supply chain concentration remains exposed. A study of global value chains found that for 180 traded products, one country accounts for 70% or more of exports, creating potential supply bottlenecks.
The 2021 Suez Canal blockage demonstrated this with $9.6 billion in trade delayed daily. The BCI Supply Chain Resilience Report found almost 80% of organizations’ supply chains were disrupted in the past twelve months, with 68% expecting escalation in 2025.
Third, regulatory mandates are accelerating. The EU’s Digital Operational Resilience Act (DORA) became enforceable in January 2025, explicitly requiring financial institutions to assess and manage ICT concentration risk.
European Supervisory Authorities designated critical ICT third-party providers by July 2025. Meanwhile, the Basel Committee issued principles for third-party risk management in banking, establishing a global supervisory baseline.
In the US, the OCC’s Concentrations of Credit handbook and SEC 2026 examination priorities both flag concentration risk as a supervisory focus area.
Concentration Risk Exposure by Dimension
Figure 2: Vendor and supplier concentration remains the highest-priority dimension for practitioners in 2025, followed by geographic and sector concentration. Effective concentration risk management requires monitoring all dimensions simultaneously.
How to Measure Concentration Risk: The HHI and Beyond
You cannot manage concentration risk if you cannot measure it. The most widely used quantitative tool for concentration risk management is the Herfindahl-Hirschman Index (HHI), originally developed for antitrust analysis and now standard in credit risk and enterprise risk management.
The HHI is calculated by summing the squares of each entity’s proportional share in the portfolio. For vendor spend, you square each vendor’s percentage of total spend and add the results.
| HHI Score Range | Interpretation | Action Required |
|---|---|---|
| Below 1,000 | Low concentration. Well-diversified portfolio with no single entity dominating. | Monitor annually. No urgent action, but set thresholds to prevent drift. |
| 1,000 – 1,800 | Moderate concentration. One or two entities hold significant share. | Quarterly review. Develop contingency plans for top exposures. |
| 1,800 – 2,500 | High concentration. Portfolio dominated by a few entities. Amber on KRI dashboard. | Board escalation. Activate diversification strategies. Stress-test top-3 exposures. |
| Above 2,500 | Very high concentration. Near-monopoly dependency. Red on KRI dashboard. | Immediate board attention. Mandate exit planning. Restrict new commitments. |
Beyond the HHI, practitioners should deploy complementary metrics. The Concentration Ratio (CR-n) measures the combined share of the top n entities, such as the percentage of vendor spend held by the top 3 vendors.
The Single Name Exposure metric tracks maximum exposure to any single counterparty as a percentage of total portfolio or revenue. The Geographic Entropy Index uses Shannon entropy to quantify geographic diversification.
All of these feed into your KRI dashboard with red/amber/green thresholds tied directly to the organization’s risk appetite statement.
For practical implementation, build these calculations into your risk register template. Each concentration risk entry should document the dimension (vendor, geographic, sector), the current HHI score, the risk appetite threshold, the trend direction, and the assigned risk owner.
Monte Carlo simulation can then model the probability distribution of losses under various concentration scenarios, giving the board quantified tail-risk estimates rather than qualitative heatmap colors alone.
Vendor Concentration Risk Management: Identification and Mitigation
Vendor concentration risk is the most commonly encountered and most frequently underestimated form of concentration risk. The 2026 Black Kite Third-Party Breach Report found that for every single vendor breached, an average of 5.28 downstream companies were publicly compromised, the highest cascade ratio observed to date.
Third-party breaches doubled from 15% to 30% of all incidents between 2020 and 2025, and the average disclosure window worsened from 76 days to 117 days.
Effective vendor risk management for concentration risk requires a structured approach. Start with a complete inventory of all vendors, classifying each by criticality tier (critical, important, standard) based on the business impact analysis.
For each critical vendor, map: what percentage of total spend they represent, how many critical business processes depend on them, what geographic location(s) they operate from, whether they serve as a fourth-party to your other vendors, and what your contractual exit terms and transition timeline would be.
| Mitigation Strategy | Description | Priority |
|---|---|---|
| Multi-vendor sourcing | Maintain qualified alternatives for every critical vendor. Allocate a minimum percentage (e.g., 20%) of spend to secondary providers. | High – Immediate |
| Contractual protections | Include termination-for-convenience clauses, data portability rights, transition assistance obligations, and SLA breach remedies with financial teeth. | High – Immediate |
| Exit strategy playbooks | Document vendor-specific exit plans with step-by-step runbooks, tested at least annually. Include data migration, system cutover, and communication templates. | High – Within 90 days |
| Fourth-party mapping | Identify and monitor your critical vendors’ own key dependencies. A vendor’s single point of failure is your hidden concentration risk. | Medium – Within 6 months |
| Concentration limits | Set maximum vendor spend thresholds (e.g., no single vendor exceeds 25% of total IT spend) aligned with risk appetite. | High – Immediate |
| Continuous monitoring | Move from annual vendor assessments to continuous monitoring using vendor risk intelligence platforms and real-time KRIs. | Medium – Within 6 months |
Organizations that pre-plan vendor transitions recover significantly faster from concentration-triggered disruptions.
The vendor risk assessment process should evaluate not just the vendor’s current performance but its own concentration risk profile: is the vendor itself over-dependent on a single data center, geographic location, or cloud provider? Your vendor’s concentration risk is your fourth-party concentration risk.
Geographic Concentration Risk: Mapping and Managing Location Dependencies
Geographic concentration risk materializes when critical operations, suppliers, customers, or data centers cluster in the same region. The March 2021 Suez Canal blockage demonstrated this vividly: a single vessel grounding disrupted $9.6 billion in daily trade, affecting supply chains globally.
The semiconductor supply chain’s dependence on Taiwan and South Korea means that a geopolitical or natural disaster event in the region could halt production of everything from automobiles to medical devices.
To manage geographic concentration risk effectively, create a geographic dependency map that overlays your critical activities identified in the business continuity risk assessment with the physical locations of your operations, vendors, data centers, and key customers.
Calculate a geographic HHI by squaring each region’s share of your critical dependencies. If your top two regions account for more than 60% of critical dependencies, you have a geographic concentration risk that warrants board-level attention and active risk mitigation strategies.
Geographic concentration risk management intersects directly with business continuity planning. Your RTOs and RPOs must account for geographic correlation: if your primary and backup data centers are in the same earthquake zone or flood plain, your BCP risk assessment is incomplete.
Effective geographic diversification means ensuring backup capabilities are in a different risk zone, and that your vendor management KRIs include geographic dispersion metrics.
Concentration Risk Management Maturity Across Organizations
Figure 3: Most organizations remain at initial or developing maturity for concentration risk management capabilities, with stress testing and quantitative measurement (HHI/metrics) showing the largest gaps.
Sector Concentration Risk: Portfolio and Revenue Dependencies
Sector concentration risk arises when an organization’s revenue, investment portfolio, loan book, or counterparty exposure is disproportionately allocated to a single industry vertical.
Pension funds with over 40% allocation to commercial real estate, banks with loan books concentrated in energy lending, and insurance companies with sector-heavy investment portfolios all face this form of concentration risk.
The OCC Concentrations of Credit guidance specifically requires banks to have strategic plans addressing desired asset concentrations with commensurate risk limits.
For non-financial organizations, sector concentration risk often manifests as customer concentration. If a single client or industry segment represents more than 15-20% of revenue, that belongs on the risk register with an assigned risk owner.
The risk management lifecycle requires continuous reassessment as your client base and market conditions evolve. Sector concentration risk management integrates naturally with strategic planning: diversification into adjacent sectors is both a growth strategy and a risk mitigation strategy.
Measuring sector concentration follows the same HHI methodology. Calculate sector HHI for your revenue sources, your loan or investment portfolio, and your supplier base.
Compare these against industry benchmarks and your own risk appetite statement. The FCA examination manual on concentration risk provides regulatory benchmarks for financial institutions.
Concentration Risk KRIs: Building a Board-Ready Dashboard
A concentration risk management KRI framework translates raw dependency data into actionable signals for the board. Each KRI must define explicit green (within appetite), amber (approaching threshold), and red (breached) thresholds connected to the organization’s risk appetite.
The KRI development process should start with the organization’s top risks and work backward to leading indicators.
| KRI | Green | Amber | Red | Frequency |
|---|---|---|---|---|
| Vendor HHI (IT spend) | < 1,000 | 1,000 – 1,800 | > 1,800 | Monthly |
| Top-3 vendor spend % | < 40% | 40% – 60% | > 60% | Monthly |
| Geographic HHI (critical deps) | < 1,500 | 1,500 – 2,500 | > 2,500 | Quarterly |
| Single vendor revenue % | < 15% | 15% – 25% | > 25% | Monthly |
| Sector HHI (loan/portfolio) | < 1,200 | 1,200 – 2,000 | > 2,000 | Quarterly |
| Critical vendors without exit plan | 0 | 1-2 | 3+ | Quarterly |
| Fourth-party overlap count | < 3 | 3 – 5 | > 5 | Quarterly |
| Data center geographic diversity | 3+ zones | 2 zones | 1 zone | Quarterly |
Integrate these concentration risk KRIs into your existing risk metrics dashboard. The dashboard should show trend direction (improving, stable, deteriorating) for each KRI alongside the current RAG status.
Board reporting should include a one-page concentration risk summary highlighting any red or amber KRIs, root cause, mitigation action underway, and expected timeline for returning to green. This follows the “What, So What, Now What” decision framework that boards need to act on risk management reports.
Third-Party Breaches and Downstream Concentration Impact
Figure 4: Third-party breaches now account for 30% of all incidents (up from 8% in 2019), and each breach compromises an average of 5.28 downstream organizations. This cascade effect is the signature of vendor concentration risk.
Regulatory Landscape for Concentration Risk Management
The regulatory push on concentration risk management has intensified across jurisdictions. Understanding the landscape is essential for organizations operating across borders.
The following table maps the key regulatory instruments addressing concentration risk either directly or as part of broader operational resilience and cybersecurity risk management requirements, governed through a mature information security management system.
| Regulation / Guidance | Jurisdiction | Concentration Risk Requirements |
|---|---|---|
| DORA (EU 2022/2554) | EU | Mandates ICT concentration risk assessment. ESAs designate critical ICT third-party providers. Requires exit strategies and alternative arrangements. |
| Basel BCBS d577 | Global | Principles for third-party risk management in banking. Requires board oversight of material outsourcing and concentration monitoring. |
| OCC Bulletin 2006-46 + Comptroller’s Handbook | United States | Interagency guidance on CRE concentration risk. Requires strategic plans addressing desired concentrations, stress testing, and capital planning. |
| SEC 2026 Exam Priorities | United States | Flags concentration risk in broker-dealer operations. Focus on third-party vendor dependencies and operational resilience. |
| EBA CEBS GL 31 | EU | Guidelines on management of concentration risk under Pillar 2. Requires intra-risk and inter-risk concentration measurement. |
| MAS TRM Guidelines | Singapore | Technology risk management including cloud concentration. Requires assessment of single-provider dependencies. |
The common thread: regulators expect organizations to identify concentration risks, set limits, stress-test exposures, develop exit strategies, and report to the board.
Aligning with ISO 31000 risk treatment principles and these regulatory expectations builds a defensible compliance position while strengthening operational resilience. The NIST Cybersecurity Framework and NIST CSF 2.0 implementation guide provide additional structure for the technology-concentration dimension.
Stress Testing and Scenario Analysis for Concentration Risk
Stress testing bridges measurement and action in concentration risk management. The risk assessment process must include forward-looking scenarios testing what happens when concentrated exposures crystallize simultaneously. Static HHI scores tell you where concentration exists today; stress tests tell you what it could cost tomorrow.
Design concentration-specific stress scenarios across three categories. Idiosyncratic scenarios test the failure of a single critical vendor, supplier, or counterparty (e.g., “What if our primary cloud provider experiences a 72-hour global outage?”).
Systemic scenarios test sector-wide or region-wide shocks (e.g., “What if a major earthquake disrupts all suppliers in the Pacific Ring region?”). Reverse stress tests work backward from a defined loss level to determine which combination of concentration failures would produce that loss (e.g., “What concentration failures would reduce our revenue by 30% within 90 days?”).
For each scenario, quantify impact across financial (revenue loss, cost escalation, capital impairment), operational (service disruption duration, customer impact, regulatory breach), and reputational (media coverage, customer churn, credit rating action) dimensions.
Use Monte Carlo simulation to generate probability distributions when point estimates are insufficient. Present results to the board as scenario summaries that state the trigger event, modeled impact range (10th to 90th percentile), and recommended mitigating actions. This transforms concentration risk management from a reporting exercise into a strategic decision tool aligned with the risk management process flow.
Frequently Asked Questions About Concentration Risk Management
What is concentration risk management?
Concentration risk management is the systematic process of identifying, measuring, monitoring, and mitigating dependencies that are large enough to materially impair an organization’s operations if they fail.
It covers six primary dimensions: vendor/supplier, geographic, sector/industry, technology platform, revenue source, and regulatory jurisdiction. Under ISO 31000, concentration risk is the effect of uncertainty on objectives arising from insufficient diversification.
Effective concentration risk management integrates into the broader enterprise risk management framework rather than operating as a standalone compliance activity.
How do you calculate concentration risk using the HHI?
The Herfindahl-Hirschman Index (HHI) for concentration risk is calculated by squaring the proportional share of each entity in the portfolio and summing the results. For example, if three vendors hold 50%, 30%, and 20% of your total IT spend, the HHI is (50)² + (30)² + (20)² = 2,500 + 900 + 400 = 3,800, indicating very high concentration.
The U.S. Department of Justice considers scores above 2,500 as highly concentrated. Apply this methodology to geographic exposure, sector allocation, and revenue sources to build a comprehensive measurement framework.
What regulations require concentration risk management?
Multiple jurisdictions now mandate concentration risk management. The EU’s DORA (effective January 2025) explicitly requires ICT concentration risk assessment and designates critical third-party providers.
The Basel Committee’s BCBS d577 principles establish a global baseline for third-party risk in banking. The US OCC Concentrations of Credit handbook and SEC 2026 examination priorities address concentration risk in financial services.
The EBA’s CEBS GL 31 guidelines cover Pillar 2 concentration risk, and Singapore’s MAS TRM guidelines address technology concentration risk.
How does concentration risk management relate to business continuity?
Concentration risk management and business continuity are deeply interconnected. A concentrated dependency on a single vendor, geographic region, or technology platform means that a disruption to that single point will simultaneously affect multiple critical business processes.
The business impact analysis (BIA) should identify concentrated dependencies and feed them into concentration risk KRIs. Recovery strategies must account for concentration by ensuring backup capabilities are not in the same risk zone as primary operations. Organizations should stress-test their BCPs specifically for concentration-triggered scenarios.
What KRIs should I track for vendor concentration risk management?
Key risk indicators for vendor concentration risk management should include: vendor HHI score for IT and total spend (monthly), top-3 vendor spend percentage (monthly), number of critical vendors without tested exit plans (quarterly), fourth-party overlap count (quarterly), single-vendor revenue dependency percentage (monthly), and data center geographic diversity score (quarterly).
Each KRI must have explicit green, amber, and red thresholds tied to the organization’s risk appetite statement, with defined escalation procedures when thresholds are breached.
What is fourth-party concentration risk?
Fourth-party concentration risk occurs when your critical vendors themselves depend on the same sub-providers, creating hidden concentration that does not appear in your direct vendor analysis.
For example, if three of your critical SaaS vendors all host on the same cloud platform, a platform outage could simultaneously disable all three.
The CrowdStrike outage demonstrated this when organizations not directly using CrowdStrike were still affected because their vendors were. Effective concentration risk management requires mapping at least one tier of sub-provider dependencies for all critical vendors.
How often should concentration risk be reported to the board?
Concentration risk management should be reported to the board quarterly at minimum, with event-driven escalation when any KRI breaches its red threshold.
The quarterly report should include a one-page summary showing all KRIs with RAG status, trend direction, and any breaches since the last report.
Stress-test results should be presented semi-annually. Between board meetings, the risk committee should receive monthly dashboards with drill-down capability. Material changes in concentration exposure should trigger ad hoc reporting regardless of the regular cycle.
How can small organizations manage concentration risk with limited resources?
Small organizations can implement effective concentration risk management by focusing on the highest-impact dimensions first.
Start by listing your top 10 vendors by spend and calculating a simple HHI score. Identify any single vendor that accounts for more than 25% of total spend or supports more than 3 critical business processes.
For geographic risk, map where your top 5 vendors are headquartered and their data center locations. Set simple concentration limits and review quarterly. Even a spreadsheet-based concentration risk register with quarterly board reporting provides meaningful risk reduction.
Common Pitfalls in Concentration Risk Management
| Pitfall | Root Cause | Remedy |
|---|---|---|
| Measuring only vendor spend, ignoring criticality | Procurement-led assessments focus on financial exposure rather than operational dependency and business process impact. | Integrate BIA results with vendor data. Weight concentration by process criticality, not just spend. |
| Ignoring fourth-party dependencies | Vendor assessments stop at the direct provider without mapping sub-provider dependencies. | Require critical vendors to disclose material sub-providers. Include fourth-party overlap as a KRI. |
| Static annual assessments | Concentration risk is treated as a point-in-time compliance exercise rather than a dynamic, continuously monitored exposure. | Implement continuous monitoring with automated KRI feeds. Move to quarterly board reporting with monthly dashboards. |
| No exit strategy for critical vendors | Organizations assume vendor relationships are permanent and do not plan for transition scenarios. | Develop and annually test exit strategy playbooks for every critical vendor. |
| Geographic backup in the same risk zone | Primary and backup operations are in the same earthquake zone, flood plain, or political jurisdiction. | Map all backup capabilities to geographic risk zones. Ensure primary and secondary sites differ. |
| Siloed concentration risk management | Vendor risk, credit risk, and operational risk teams each assess concentration independently without a consolidated view. | Establish a cross-functional concentration risk working group under the CRO. Consolidate into a single dashboard. |
| Over-reliance on contractual protections | Assuming SLA penalties and liability caps will make the organization whole after a disruption. | CrowdStrike’s liability was capped at “fees paid.” Build operational resilience, not paper resilience. |
Looking Ahead: Concentration Risk Management Trends for 2025-2027
The next two years will see concentration risk management move from a niche practice to a board-level strategic priority across all sectors. DORA’s enforcement phase, beginning in earnest in 2026, will force European financial institutions and their global service providers to demonstrate robust ICT concentration risk assessment and management capabilities.
Organizations that have not built these capabilities face both regulatory enforcement and competitive disadvantage.
AI concentration risk is emerging as a new dimension. As organizations deploy large language models and AI-driven decision systems from a small number of providers, they are creating a new form of technology-platform concentration risk.
The NIST AI Risk Management Framework and EU AI Act both address dependencies on AI providers, and forward-looking organizations are including AI provider concentration in their risk registers now, before regulatory mandates require it.
Cloud concentration will intensify as a supervisory focus. The designation of critical ICT third-party providers under DORA is just the beginning. Expect supervisors in the US, UK, and Asia-Pacific to develop similar frameworks, creating a global regime for cloud concentration oversight.
Organizations should be building multi-cloud strategies and testing cloud-exit capabilities now. The risk management implementation roadmap for 2026-2027 should include cloud concentration stress testing as a standard exercise.
Finally, the integration of concentration risk management with enterprise risk management will deepen. The siloed approach where procurement manages vendor risk, treasury manages counterparty risk, and IT manages technology risk is giving way to an integrated concentration risk management function under the CRO.
Organizations that make this shift first will be best positioned to identify correlated concentrations and make risk-informed strategic decisions about diversification, M&A, and geographic expansion.
Need help building a concentration risk management framework for your organization? Our risk management consulting services include concentration risk assessment, KRI framework design, stress-testing program development, and board reporting templates. Contact us to schedule a consultation and take the first step toward measurable concentration risk reduction.
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.