Cyber: accountants can mitigate supply chain concentration risk

Author: ICAEW Insights

Published: 10 Oct 2024

Cyber Security Awareness Month: does your business risk relying too heavily on a few key suppliers? Diversifying and strengthening your supply chain could be essential for long-term resilience.

Concentration risk in supply chains, often overlooked, can have catastrophic consequences if not properly managed. As businesses become increasingly dependent on key suppliers, incidents such as the CrowdStrike breach have exposed vulnerabilities, prompting many companies to reevaluate their supplier strategies.

“The principle of concentration risk is really about dependency on one or two key suppliers,” says Asam Malik, Partner, Technology and Digital Consulting at Forvis Mazars. Historically, businesses have viewed reliance on a small number of large vendors as beneficial: it reduces complexity by minimising supplier handovers, and large providers like Amazon or Microsoft are assumed to be inherently resilient. However, the reality is starkly different; even industry giants can have vulnerabilities that disrupt entire supply chains.

Malik emphasises the critical role accountants play in this process. “Accountants need to bring that risk lens to the third-party supplier ecosystem,” he asserts. With their expertise in risk assessment and financial analysis, accountants can help a business navigate the complexities of supplier relationships and mitigate concentration risks effectively.

Begin with a full IT assessment

To effectively manage these risks, Malik stresses that a business must conduct a comprehensive assessment of third-party suppliers across its IT portfolio. It’s no longer enough to simply check a supplier’s security credentials or policies. 

Due diligence must also encompass the interdependence of suppliers: “Most organisations didn’t know CrowdStrike was dependent on another supplier. This [the breach] brought that to light,” Malik says. The effects of concentration risk are far-reaching, he emphasises: “If that concentration crystallises, you’re an organisation with no IT systems at very short notice.” 

In today’s digital world, few organisations can function without their IT systems and the cost of business interruption, even for a short period, can be devastating both financially and reputationally. “Gone are the days where there were manual workarounds. That’s just not an option any more,” Malik warns.

A multi-vendor approach, while more complex and potentially costly, is now viewed as a vital strategy for building resilience: “No matter how big that single vendor is, you cannot take that concentration risk.” Although this may increase short-term costs, the long-term benefits far outweigh the potential disruptions. Malik advises organisations to calculate the cost of not being able to operate for a day or two and use that figure to justify investing in a diversified supply chain.

The need for proactive risk management

Malik emphasises that businesses must move from a reactive to a proactive approach to concentration risk. “Assume it’s going to happen,” he advises, “and don’t be caught out by it.” This involves thorough due diligence on suppliers and developing robust business continuity plans: “Many organisations haven’t got a plan, and even fewer have tested it.” Testing these plans can significantly reduce exposure to risk.

Artificial intelligence (AI), while a useful tool, is not a panacea for concentration risk. “AI can certainly help make things more efficient, but it won’t give you that holistic view,” Malik explains. He cautions that AI systems, especially those trained on historical procurement decisions, may perpetuate the same oversights unless additional data is incorporated into their models.

Regulations such as the Digital Operational Resilience Act (DORA) in the financial sector emphasise the importance of supply chain resilience. Malik believes that broader compliance frameworks, such as those addressing data privacy and AI governance, will increasingly focus on concentration risk as businesses become more digitalised.

Ultimately, he concludes that accountants are uniquely positioned to lead the way in addressing concentration risks. Their ability to assess risks holistically makes them invaluable in building resilient and secure supply chains for the future.
