Single Source Supplier Dependencies: The Continuity Risk Hiding in Your Spend

Some vendors have no alternatives in the market or in the company's current supply base. The dependency is structural, the continuity risk is real, and most companies have more of these than they realize.

Single source dependencies are the most acute form of vendor concentration. A single source vendor is one for whom the buyer has no qualified alternative supplier and no immediately available substitute capability internally. If the single source vendor fails, the function they provide stops until an alternative is identified, qualified, and operationalized.

Some single source dependencies are inevitable. Specialized capabilities, proprietary technologies, regulatory requirements, or simply market concentration may mean that only one viable supplier exists for a specific need. Other single source dependencies are accidental: they emerged because procurement consolidated to a preferred vendor and never qualified alternates, because acquisitions inherited single source positions, or because nobody ever asked the question.

Identifying single source dependencies and deciding what to do about each one is one of the most important risk management exercises a procurement function can do. The exercise itself is straightforward; the discipline to do it consistently is rare.

How Single Source Positions Develop

Four patterns drive vendors into single source positions, sometimes intentionally and sometimes not.

Deliberate consolidation

Procurement deliberately consolidates spend with preferred suppliers to capture better pricing, simplify the supplier base, and build deeper relationships. The consolidation is rational on its merits. The side effect is that alternate suppliers, previously qualified, fall out of qualification through disuse.

Technical lock-in

The supplier's capability becomes embedded in the buyer's operations through custom integrations, proprietary protocols, specialized training of the buyer's staff, or data formats that only the supplier can read. Even when alternates exist in the market, switching becomes expensive enough that the buyer effectively has no alternative.

Acquisition inheritance

An acquired company brought single source positions that the buyer inherited. The acquired company's procurement decisions become the buyer's exposures. Often these are not surfaced during diligence because they look like normal supplier relationships.

Market structure

Some categories have inherently concentrated markets. Only a few suppliers exist with the required capability. The buyer's single source position reflects the market itself, not a choice the buyer made. This is common in highly specialized or regulated categories.

Identifying Single Source Dependencies

Identification is the prerequisite for any further action. Three approaches surface single source positions reliably.

Category by category review

Work through major spend categories systematically. For each category, ask: how many qualified suppliers do we have? How many are currently active? If the primary failed tomorrow, which qualified alternate would step in? Categories where the answer is unclear or where there is no qualified alternate are single source positions.

Critical capability review

Some single source positions sit outside major spend categories: a specialized testing service, a niche software tool, a regulatory consultant. Walking through critical operational capabilities and identifying the supplier for each surfaces these.

Business continuity planning input

If the business has a business continuity planning function, its work typically identifies critical vendors. Cross-referencing the BCP critical vendor list against procurement's view often reveals single source positions that procurement did not explicitly recognize.

The Decision Framework

Not every single source dependency needs to be eliminated. The right response depends on the specific circumstances. Four responses cover the typical cases.

Accept and document

For dependencies where alternatives genuinely do not exist or where the cost of qualifying alternatives exceeds the risk reduction, accept the dependency and document the acceptance. The documentation includes the rationale, the contingency plan, and the authority level approving the acceptance.

Qualify alternate suppliers

Identify potential alternate suppliers and complete the qualification process even without immediately shifting volume to them. The qualified alternate provides optionality if the primary fails. This may involve initial volume to maintain the qualification, or the alternate may sit as a documented qualification without active spend.

Restructure the relationship

Modify the relationship structure to reduce dependency risk without changing suppliers. Strengthen contractual protections including business continuity obligations and escrow arrangements. Negotiate transition support obligations that activate in failure scenarios. Build internal capability to operate the function during transitions.

Replace the supplier

Make the strategic decision to replace the single source vendor with an alternative. This may involve technical migration costs, organizational change, and time to complete. It is appropriate when the dependency carries unacceptable risk and other mitigations are insufficient.

Cost vs Risk in the Mitigation Decision

Single source dependency mitigation has real costs. Qualifying alternate suppliers requires investment. Maintaining qualified alternates requires ongoing volume. Restructuring relationships involves negotiation and possibly less favorable commercial terms.

The cost analysis needs to include both the direct mitigation costs and the foregone benefits of consolidated single sourcing. The risk analysis needs to include both the probability of failure and the impact if failure occurs. The decision is a judgment about whether the mitigation cost is justified by the risk reduction.

For low-impact single source positions, acceptance is often the right answer. For high-impact positions, even substantial mitigation cost is usually justified because the failure scenario is severe enough that any reasonable probability of occurrence makes the expected cost meaningful.

Contractual Protections for Single Source Relationships

Where the dependency is being accepted or where mitigation is partial, contractual protections become particularly important.

  • Business continuity obligations: the supplier commits to specific resilience standards (geographic redundancy, business continuity plans, regular testing)
  • Notification requirements: the supplier commits to notify the buyer of significant changes (ownership, financial distress, major operational changes) within defined timeframes
  • Source code or IP escrow: for software and technology relationships, escrow arrangements that provide buyer access in failure scenarios
  • Transition support: in termination or failure scenarios, the supplier commits to specific transition support to a successor
  • Step-in rights: in specific failure scenarios, the buyer has rights to step into supplier operations or assume control of key functions
  • Audit rights: the buyer has rights to audit the supplier's operations, capabilities, and continuity readiness

These provisions do not eliminate the dependency, but they meaningfully reduce the residual risk and provide a clearer path forward if issues materialize.

Ongoing Monitoring of Single Source Suppliers

Single source suppliers warrant more intensive ongoing monitoring than the broader supplier portfolio. The monitoring focuses on early warning signals.

Financial health indicators

These include credit ratings if applicable, payment patterns to their own suppliers, public financial disclosures, and market intelligence on the supplier's commercial health. Material changes should trigger reassessment.

Operational performance signals

These include performance trends, capability investment patterns, key personnel changes, and customer references, including current customers willing to discuss the relationship.

Market and competitive position

These include market share trends, competitive positioning, technology investment, and response to market changes. A supplier losing competitive position may be early in a decline that could affect their service to existing customers.

External signals

These include news coverage, regulatory actions, litigation, and social media patterns. External signals often precede internal indicators of problems.

Start Here

Build the inventory of single source dependencies first. The exercise itself is uncomfortable because it forces explicit acknowledgment of dependencies that may have been assumed away. The honest inventory is the starting point.

From the inventory, prioritize by impact. The single source positions with the highest operational impact get attention first. The decision framework (accept, qualify alternate, restructure, replace) gets applied to each one with appropriate documentation.

Krishna Srikanthan
Head of Growth
