At 04:09 UTC on July 19, 2024, CrowdStrike pushed a defective Falcon sensor update that crashed 8.5 million Windows devices in 78 minutes. Concentration risk in third-party relationships stopped being an abstract exam finding that morning: insurance modeler Parametrix put direct Fortune 500 losses at $5.4 billion.

The failure propagated because one security vendor protected 298 of the Fortune 500, nearly 60% of the list. Delta Air Lines alone canceled roughly 7,000 flights over five days, and cyber insurance covered just 10% to 20% of the total loss by Parametrix’s estimate.

Concentration Risk in Third-Party Relationships: Key Takeaways
Concentration risk in third-party relationships is the exposure created when one vendor, region, or shared subcontractor supports so much of the business that its failure becomes yours; the July 2024 CrowdStrike outage turned it into $5.4 billion of Fortune 500 losses in one morning.
US regulators already test it: the June 2023 Interagency Guidance from the OCC, Federal Reserve, and FDIC directs banks to weigh concentration across the vendor lifecycle, and the EU’s DORA makes pre-contract concentration assessment mandatory for EU-facing firms.
The assessment runs in six steps: inventory every third party, map dependencies and fourth parties, score categories with HHI, test scores against board-approved appetite, prove the exit plans, and monitor with quarterly KRIs.
HHI makes concentration comparable: square each vendor’s share of a service category and sum the results; above 2,500 is highly concentrated, and a 90/10 two-vendor split scores 8,200.
Fourth-party mapping is the weak link: only 10% of organizations assess fourth parties directly, while each third party hides roughly 14 indirect parties, the layer where CrowdStrike-style failures propagate.
Elimination is the wrong target. Aim for deliberate concentration: exposures the board has seen, priced against risk appetite, and backed by a contractually enabled, tested exit.

An assessment discipline exists for exactly this exposure, and US bank examiners now test it under the June 2023 Interagency Guidance. The method below runs six steps: inventory, dependency mapping, HHI scoring, appetite testing, exit planning, and KRI monitoring, each with an output an examiner can inspect.

What Concentration Risk in Third-Party Relationships Means

Concentration risk in third-party relationships is the exposure created when one vendor, one region, or one shared subcontractor supports so much of your operation that its failure becomes your failure. The OCC, Federal Reserve, and FDIC treat it as a core assessment factor, not an afterthought.

It hides because every contract looks sensible on its own. Procurement consolidates spend to win discounts, engineering standardizes on one cloud platform, and each choice stays locally rational until a structured risk assessment adds the dependencies up into a single number.

Change Healthcare made the mechanism concrete in February 2024. The UnitedHealth unit switched 15 billion transactions a year, touching roughly one-third of US patient records, so a single ransomware attack froze claims nationwide and cost UnitedHealth $2.87 billion, per its SEC filings.

The American Hospital Association reported that 94% of hospitals took a financial hit from that one vendor outage. No hospital chose the exposure directly; it arrived through an industry-wide dependency nobody had scored. That is the defining feature of concentration risk: it accumulates through other people’s procurement decisions.

The Five Forms of Third-Party Concentration Risk

Assessment starts by naming what can actually concentrate, because a raw vendor count reveals none of it. Five distinct forms appear across vendor portfolios, and each one demands a different mapping question. The table pairs every form with a live example a US risk team would recognize.

Form What concentrates Recognizable example
Single-vendor One provider runs a critical service for you CrowdStrike endpoints on 298 of the Fortune 500
Geographic Vendors or their sites cluster in one region Advanced semiconductor fabrication in Taiwan
Fourth-party Many of your vendors share one subcontractor Six SaaS tools all hosted in one cloud region
Sector-wide A whole industry clears through one utility Change Healthcare switching a third of US claims
Capability In-house skills to replace the vendor are gone Outsourced mainframe with no internal team left

Most portfolios carry at least three forms at once. A bank can hold what looks like a diversified vendor list and still find that eleven critical vendors run on one cloud region, which is fourth-party concentration hiding underneath apparent diversification.

Why Regulators Now Examine Concentration Risk in Third-Party Relationships

Examiners moved before most risk teams did. The OCC, Federal Reserve, and FDIC issued their Interagency Guidance on Third-Party Relationships on June 6, 2023, and it directs banking organizations to weigh concentration whenever a single vendor supports multiple critical activities.

Europe went further and made the test enforceable. DORA, applicable since January 17, 2025, requires financial entities to assess ICT concentration risk before signing critical contracts, and its reach extends to US providers and to any American firm serving EU financial clients.

Survey data explains the urgency. In Gartner’s quarterly emerging-risk survey, more than half of 294 senior executives ranked cloud concentration among their top five emerging risks, two quarters running. FINRA’s 2025 oversight report presses broker-dealers on the same third-party dependency questions.

Concentration Risk in Numbers: The 2024 Loss Record

Concentration Risk in Third-Party Relationships: Assessment Guide

Figure 1. Two single-vendor failures in 2024 put hard numbers on concentration risk in third-party relationships, and insurance absorbed only a fraction.

Regulatory requirements differ in wording but converge on substance: know where dependencies stack, put the number in front of the board, and prove the exit is executable. The table maps the expectations a US program has to satisfy, and the FDIC’s financial institution letter carries the identical text for state nonmember banks.

Framework Effective Concentration expectation Who it reaches
Interagency Guidance (OCC, Fed, FDIC) June 2023 Weigh concentration across the vendor lifecycle; board-level reporting on critical dependencies All US banking organizations
DORA (EU Regulation 2022/2554) January 2025 Pre-contract ICT concentration assessment; oversight of critical ICT providers EU financial entities and their US providers
FINRA 2025 Oversight Report January 2025 Vendor dependency and outage-recovery questions in exams US broker-dealers
NIST SP 800-161r1 2022, upd. 2024 Supply chain dependency analysis, including single sources Federal agencies and their contractors
ISO 22301 2019 Continuity strategies for prioritized activities and their suppliers Any certified organization

How to Assess Concentration Risk in Third-Party Relationships Step by Step

A workable concentration risk assessment runs in six steps, and the first two consume most of the effort. You cannot score dependencies you have not mapped, and most organizations discover their vendor inventory is scattered across contracts, AP spend files, and unlogged SaaS subscriptions.

Step What you do Output that proves it
1 Inventory every third party: merge the contract register, AP spend, SSO logs, and expense data into one list A single vendor master with a named owner per record
2 Map each vendor to the business services it supports, then trace subcontractors behind critical services A dependency map tied to BIA criticality ratings
3 Score concentration: compute vendor share and HHI for every service category A scored register with an HHI per category
4 Test scores against board-approved concentration limits from the risk appetite statement An exceptions list with named owners and deadlines
5 Document substitution paths for critical dependencies and exercise the highest-risk exits A tested exit or workaround per critical vendor
6 Monitor concentration KRIs quarterly and rescore at every new critical contract A standing board report with trend lines

Treat the six steps as a loop inside your third-party risk management framework rather than a standalone project. The output lands in the vendor register, feeds the enterprise risk management framework, and comes back for rescoring at every new contract.

Step two is where the business impact analysis earns its keep. Tie every vendor to the business services it supports, using the service catalog your BIA already built, so concentration scores inherit criticality instead of treating all spend as equally important.

Anchor the method in existing standards so the output survives both internal audit and an examiner. ISO 31000 supplies the process spine, NIST SP 800-161 covers cyber supply chain specifics, and ISO 22301 sets the continuity bar an exit plan has to clear.

Scoring Third-Party Concentration Risk with an HHI Model

Borrow the Herfindahl-Hirschman Index from antitrust economics for the scoring step. Square each vendor’s percentage share of a service category, sum the squares, and read the result on a 0 to 10,000 scale where anything above 2,500 counts as highly concentrated.

A worked example makes the mechanics concrete. If two vendors split your claims processing 90/10, the category scores 8,100 plus 100 for an HHI of 8,200, while five logistics carriers at 30/25/20/15/10 score a comfortable 2,250. The gap between those numbers is your assessment priority list.

Concentration Risk in Third-Party Relationships: Assessment Guide

Figure 2. HHI scoring for an illustrative insurer: claims processing at 8,200 dwarfs the 2,500 threshold and marks the first exit plan to test.

Blend the index with judgment rather than treating it as the whole answer. Pairing qualitative and quantitative risk assessment catches what the math misses, because a low-HHI category can still contain one irreplaceable vendor whose exit would take eighteen months to execute.

Mapping Fourth-Party Concentration Risk

The subcontractor layer is where most assessments quietly stop, and the numbers show it. Industry TPRM surveys find 59% of organizations handle fourth parties only by reviewing how vendors manage third-party risk themselves, 27% never assess fourth parties, and just 10% run direct assessments.

Concentration Risk in Third-Party Relationships: Assessment Guide

Figure 3. Fourth-party concentration risk assessment in practice: nine in ten organizations never look directly at the layer where failures propagate.

Scale explains the neglect. Each third party carries roughly 14 indirect fourth and fifth parties behind it, so exhaustive mapping is impossible and triage is the strategy. Trace subcontractors only for vendors behind critical services, the same triage that governs risk assessment in supply chain work, then ask which names repeat.

Repeat names are the finding. When the same cloud region, payments switch, or managed service provider appears behind six different vendors, your diversification is cosmetic, and the shared node belongs on the risk register as a single named exposure with its own owner.

Concentration Risk KRIs for the Third-Party Portfolio

Concentration moves, and a scoring exercise that runs once is only a photograph of it. Key risk indicators keep the picture live between annual reviews, and the most useful ones are ratios a procurement analyst can pull from the vendor master in a single afternoon.

Concentration KRI How to compute it Amber threshold
Single-provider critical services Critical services with no viable second source / total critical services Above 20%
Top-5 vendor spend share Spend with the five largest vendors / total third-party spend Above 40%
Category HHI Sum of squared vendor shares within each service category Above 2,500
Untested exit plans Critical vendors without a tested exit or workaround / total critical vendors Above 10%
Fourth-party overlap Maximum number of critical vendors sharing one subcontractor 4 or more
Geographic clustering Critical vendors dependent on one region or data-center corridor / total Above 30%

Wire the thresholds to your appetite statement, not to industry folklore. A board that has approved risk appetite statements with explicit concentration limits can treat a breached KRI as a decision trigger instead of another chart in a quarterly deck. The guidance on developing key risk indicators and the supply chain KRI set cover the calibration mechanics.

Mitigating Concentration Risk Once the Assessment Is Done

Findings only matter if they change contracts and architecture. Four mitigation moves cover the bulk of concentration risk findings, and each carries a real cost the business case has to state honestly, because building a resilient supply chain is never free.

Mitigation Where it fits What it costs
Dual-sourcing or multi-vendor Critical services with viable competitors Duplicate integration and contract overhead
Exit and substitution plans Vendors with no realistic second source Testing time; a retainer for the fallback
Contract hardening Every critical vendor at signing or renewal Termination assistance, data portability, and subcontractor-notice clauses
Resilience testing The highest-HHI service categories Annual scenario exercises with the vendor in the room

Exit planning deserves the most scrutiny because it is the control examiners actually test. A credible plan names the substitute, states the RPO and RTO the fallback can hold, and gets exercised alongside the business continuity plan risk assessment, which is where a scenario-based risk assessment does the proving.

Contract clauses are the cheapest mitigation and the most neglected. Termination assistance, data portability in an open format, and advance notice of subcontractor changes cost almost nothing at signing, and they convert an eighteen-month panic exit into an orderly transition your enterprise supplier risk management program can execute.

Pair every exit plan with a supply chain incident response playbook so the first hours of a vendor outage follow a script rather than a scramble. Firms that had rehearsed recovered within hours on the CrowdStrike morning; firms that improvised took weeks to clear the backlog.

Frequently Asked Questions About Concentration Risk in Third-Party Relationships

What is concentration risk in third-party relationships?

It is the exposure that builds when one vendor, region, or shared subcontractor supports enough of your operation that a single failure disrupts multiple critical services at once. The 2023 Interagency Guidance treats it as a factor banks must weigh across the entire vendor lifecycle.

How do you measure concentration risk in a third-party portfolio?

Compute each vendor’s share of a service category, square the shares, and sum them into an HHI, flagging categories above 2,500. Pair the index with qualitative tests for substitutability, since a low score can still hide one irreplaceable vendor with no realistic exit.

What is fourth-party concentration risk?

It is concentration that accumulates one layer down, where many of your vendors depend on the same subcontractor, cloud region, or data provider. Surveys show only 10% of organizations assess fourth parties directly, which leaves the layer where CrowdStrike-style failures propagate largely unexamined.

What do US regulators expect from a concentration risk assessment?

The OCC, Federal Reserve, and FDIC expect banks to identify concentration across the vendor lifecycle, escalate it to the board, and hold executable exit strategies for critical dependencies. FINRA presses broker-dealers on the same points, and DORA adds explicit pre-contract concentration tests for EU-facing firms.

How often should a third-party concentration risk assessment run?

Rescore at every new critical contract and refresh the full portfolio at least annually, with quarterly KRI reporting in between. Concentration drifts continuously as procurement consolidates spend, so a fixed annual cycle by itself misses the accumulation that happens between reviews.

Can concentration risk in third-party relationships be eliminated?

No, and elimination is the wrong target because consolidation buys real pricing, integration, and oversight benefits. The goal is deliberate concentration: exposures the board has seen, priced against appetite, and backed by a tested exit, rather than exposures that accumulated by accident.

Where Concentration Risk Assessments Go Wrong

Concentration risk assessments tend to fail in predictable ways, and none of the failure modes are especially subtle. Each row below pairs a pitfall with its root cause and with the remedy that the 2024 loss record, from CrowdStrike to Change Healthcare, keeps validating.

Pitfall Root cause Remedy
Counting vendors instead of dependencies Inventory built from AP spend alone Map vendors to business services through the BIA
Stopping at third parties Fourth-party tracing feels unbounded Trace subcontractors for critical services only
Scores without limits No board-approved concentration appetite Set category HHI and spend-share thresholds
Paper exit plans Exit strategies written but never exercised Test the top exits annually, like a DR drill
One-time project Assessment run for an exam, then shelved Quarterly KRIs; rescore at every new contract
Ignoring capability loss Outsourcing strips the skills needed to switch Retain in-house knowledge for critical functions

Concentration Risk in Third-Party Relationships: The 2026-2027 Outlook

AI dependency is the next concentration story. Enterprises are wiring products to a handful of foundation-model and GPU providers, recreating the CrowdStrike pattern one architectural layer up, and examiners have started asking where model dependencies sit in vendor inventories and risk registers.

Cloud oversight is formalizing on both sides of the Atlantic. DORA’s designation of critical ICT providers puts hyperscalers under direct EU supervision, and US agencies keep signaling in the same direction, so cloud concentration numbers that lived in internal decks are becoming regulator-visible facts.

Tooling is catching up as well. Vendor risk platforms increasingly map fourth-party overlap from external telemetry rather than annual questionnaires, a shift EY’s global third-party risk survey tracks, turning the hardest assessment step into a live feed that supports cybersecurity risk management and continuity planning alike.

The durable lesson costs nothing to adopt. Treat concentration risk in third-party relationships as a scored, board-visible exposure with tested and rehearsed exits, and the next industry-wide vendor failure becomes an operational bad week instead of another $5.4 billion balance-sheet surprise.

Infographic: Assessing Concentration Risk in Third-Party Relationships

Process infographic on concentration risk in third-party relationships showing six assessment steps from vendor inventory through HHI scoring to tested exits and KRI monitoring

Figure 4. Concentration risk in third-party relationships as a six-step assessment loop, from a single vendor inventory to quarterly KRI monitoring.

Assess Your Third-Party Concentration Risk with Risk Publishing

Risk Publishing helps US risk and procurement teams turn a scattered vendor list into a defensible concentration risk assessment, from the dependency map to the operational risk controls behind it. Review our services, then contact us when your vendor portfolio needs an HHI score and a tested exit plan.

Index