Vendor Concentration Risk: What CFOs Should Track and Report

Concentration risk is a CFO and audit committee level concern. The numbers exist in finance systems already; the analysis and reporting rarely happen.

Vendor concentration risk is the exposure that comes from having significant spend with a small number of suppliers. When concentration is high, the company is more vulnerable to disruption: a failure, financial distress, or policy change at one of the concentrated vendors can have outsized operational impact.

Concentration emerges naturally as relationships consolidate and as preferred vendors take on more scope. Some concentration is efficient: dealing with fewer vendors reduces administrative cost, supports better commercial terms, and allows deeper strategic relationships. Concentration becomes a risk when it crosses thresholds where alternative sourcing becomes difficult and dependency becomes structural.

Most companies do not actively measure vendor concentration. The spend data exists, the analysis is straightforward, but the discipline of regular concentration reporting at a level that informs CFO and board level decisions is not common in environments.

What Concentration Risk Actually Looks Like

Concentration risk has several dimensions, and each one matters differently to different stakeholders.

Spend concentration

The percentage of total addressable spend with the top suppliers. The top vendor as a percentage of total spend. The top 5, top 10, top 20 as cumulative percentages. These numbers indicate how reliant the company is on its largest supplier relationships.

Category concentration

Within specific categories, the concentration may be much higher than the overall portfolio. A single supplier may represent 80% or more of spend in a specific category even if they are only 5% of total company spend. Category concentration matters because the category is where the operational dependency lives.

Geographic concentration

Spend concentrated in specific regions. Manufacturing concentrated in one country. Services concentrated in one outsourcing hub. Geographic concentration creates exposure to regional events: political changes, natural disasters, infrastructure failures, regulatory shifts.

Capability concentration

Concentration in critical capabilities, separate from spend. A small vendor that provides a critical specialized service may be a concentration risk even though the spend is modest. The risk is the capability, not the dollar amount.

Calculating Concentration Metrics

Several standard metrics quantify concentration. Each tells a slightly different story.

Top N percentage

What percentage of total spend goes to the top 1, 5, 10, or 20 vendors? Simple to calculate and easy to communicate. A top 10 representing 50% or more of spend signals meaningful concentration.

Herfindahl-Hirschman Index

A more sophisticated measure that calculates the sum of squared market shares. Higher numbers indicate more concentration. The index responds to both the count of vendors and the distribution of spend across them. Used in antitrust analysis and adapted for vendor portfolio analysis.

Single point of failure analysis

For each significant vendor, what would the operational impact be if the vendor failed? This is less a metric than a structured assessment, but it produces a list of vendors where the impact is material and the dependency is high.

Category by category concentration

The same metrics applied to each major spend category individually. Category concentration is often higher than overall concentration and is where the operational dependency tends to live.

Where Thresholds Should Sit

There are no universal thresholds for vendor concentration. Different industries, different business models, and different risk tolerances produce different appropriate levels. That said, several rule-of-thumb thresholds can inform an initial assessment.

  • Any single vendor exceeding 10% of total spend warrants explicit review and a documented mitigation plan
  • Top 10 vendors exceeding 60% of total spend indicates substantial concentration that warrants attention
  • Any vendor in a single source position for a critical category warrants explicit risk acceptance or alternate qualification
  • Any geographic region exceeding 40% of supply for a category warrants explicit diversification consideration
  • Any vendor where the buyer's spend represents more than 20% of the supplier's revenue likely creates a dependency on the buyer as well; the supplier may not have the resilience to handle disruption

These thresholds are starting points for analysis, not bright lines. The right thresholds depend on the specific business context, the criticality of the category, and the available alternatives.
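The metrics from "Calculating Concentration Metrics" and the first two rule-of-thumb thresholds above, worked through on a small ledger. This is an added example, not code from the original article: the ledger is constructed sample data, the function names are hypothetical, and HHI is computed with shares in percent (the 0 to 10,000 scale used in antitrust analysis). The single-source check flags every one-vendor category; whether the category is critical remains a judgment for the reviewer.

```python
from collections import defaultdict

# Constructed sample ledger (vendor, category, spend in thousands); not real data.
SPEND = [
    ("Acme Cloud", "Cloud hosting", 300), ("Borealis Hosting", "Cloud hosting", 50),
    ("Cobalt Logistics", "Freight", 200), ("Delta Freight", "Freight", 200),
    ("Ember Payroll", "Payroll", 50),
    ("Acme Cloud", "Software licences", 100), ("Fjord Software", "Software licences", 100),
]
SINGLE_VENDOR_LIMIT = 0.10  # page's rule of thumb: one vendor above 10% of total spend
TOP10_LIMIT = 0.60          # page's rule of thumb: top 10 above 60% of total spend

def totals_by(rows, key):
    """Sum spend per vendor (key=0) or per category (key=1)."""
    out = defaultdict(float)
    for row in rows:
        out[row[key]] += row[2]
    return dict(out)

def top_n_share(rows, n):
    """Cumulative share of total spend held by the n largest vendors."""
    spend = sorted(totals_by(rows, 0).values(), reverse=True)
    return sum(spend[:n]) / sum(spend)

def hhi(rows):
    """Sum of squared vendor shares, shares in percent (scale 0 to 10,000)."""
    spend = totals_by(rows, 0)
    total = sum(spend.values())
    return sum((100 * v / total) ** 2 for v in spend.values())

def category_leaders(rows):
    """Per category: (top vendor, its share of category spend, vendor count)."""
    result = {}
    for cat in totals_by(rows, 1):
        spend = totals_by([r for r in rows if r[1] == cat], 0)
        leader = max(spend, key=spend.get)
        result[cat] = (leader, spend[leader] / sum(spend.values()), len(spend))
    return result

def findings(rows):
    """Apply the page's starting-point thresholds and list what needs review."""
    spend = totals_by(rows, 0)
    total = sum(spend.values())
    out = [f"vendor>10%: {v}" for v, s in spend.items() if s / total > SINGLE_VENDOR_LIMIT]
    if top_n_share(rows, 10) > TOP10_LIMIT:
        out.append("top10>60%")
    out += [f"single-source: {c}" for c, (_, _, n) in category_leaders(rows).items() if n == 1]
    return out

if __name__ == "__main__":
    print(top_n_share(SPEND, 1), top_n_share(SPEND, 5), hhi(SPEND))
    print(findings(SPEND))
```

In this ledger Acme Cloud is 40% of total spend but about 86% of cloud hosting spend, which is the category effect the article describes; Fjord Software sits at exactly 10% and is not flagged because the threshold is "exceeding".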

What Audit Committees and Boards Want to See

Vendor concentration increasingly appears on audit committee agendas as part of broader risk oversight. The following kinds of reporting land well at this level.

Portfolio level summary

One slide summarizing concentration metrics: top vendor as percentage of spend, top 10 as percentage, year over year trend. Audit committee members want the headline number quickly.

Critical vendor inventory

List of vendors above defined materiality thresholds with brief context: relationship status, alternatives if any, contingency plan. Allows audit committee to understand specific exposures, not just aggregate numbers.

Recent changes

Vendors that have moved into or out of the critical inventory during the period. New concentrations emerging or successful diversification efforts.

Mitigation status

For identified high concentration risks, the status of mitigation activities. Alternate vendor qualification in progress. Contractual protections strengthened. Insurance arranged. Operational redundancy built.

The reporting should be informative without being alarmist. The objective is to give the audit committee visibility into where dependencies sit and what is being done about them, not to suggest that every concentration is a problem requiring action.

Mitigation Approaches

Once concentration risks are identified, several mitigation paths are available depending on the specific situation.

  • Diversification through alternate vendor qualification. Find and qualify a second supplier in the category, even if they receive minimal volume initially. The qualification itself is the value; volume can shift quickly if the primary fails.
  • Contractual protection. Strengthen contract terms with concentrated vendors: business continuity obligations, audit rights, escrow arrangements for critical IP, notification requirements for ownership changes or financial distress signals.
  • Strategic supply arrangements. For mission-critical relationships, consider deeper structural arrangements: supplier financial monitoring, integrated planning, strategic equity relationships, or co-investments that align interests.
  • Operational redundancy. Build internal capability to step into the vendor's function in extreme scenarios. May be appropriate for very critical functions even when full vendor replacement is impractical.
  • Accept and document. Some concentrations are not practical to mitigate further. The appropriate response is documented acceptance: the concentration is recognized, the contingency plan is articulated, and the residual risk is accepted at the appropriate authority level.

The Reporting Cadence

Concentration reporting should appear at defined cadences that allow decisions to be made.

Quarterly to procurement and finance leadership

Detailed quarterly review of concentration metrics, including category level concentration and any changes during the quarter. Drives operational decisions on sourcing strategy.

Semi-annually to executive leadership

Higher level view of concentration risks across the portfolio. Focus on material exposures, mitigation status, and any emerging concerns. Drives strategic decisions on supplier strategy.

Annually to audit committee and board

Annual review of vendor concentration as part of broader enterprise risk management reporting. Combined with concentration analysis on the revenue side (customer concentration) to show the full picture of company concentration exposures.

Start Here

Run the concentration analysis on your current spend data. Top vendor as percentage of spend. Top 5 and top 10 cumulative percentages. Category by category top vendor percentages. The numbers usually take an afternoon to produce and tell a clearer story than most people expect.

From the numbers, identify the three to five concentration points that warrant attention. These become the starting point for mitigation work and the foundation for ongoing concentration reporting to leadership.

Krishna Srikanthan
Head of Growth
