A few weeks ago, a faulty update to the content delivery network (CDN) of edge cloud platform provider Fastly brought down the websites of some of the world’s most recognizable brands.
Amazon, Spotify and Reddit – as well as a host of news outlets including the BBC and the New York Times – all experienced increased error reports, while some became inaccessible altogether.
The team at Fastly worked quickly to identify and resolve the issue. But for Amazon, that one hour lost waiting for the fix represents, based on 2019 revenue, losses of US$26 million.
The Fastly incident was a real-life example of what analysts refer to as “concentration risk”, which is when an organization is overly reliant on a single service provider for a vital service. There are a multitude of possible concentration risks, but as organisations across the globe dive head first into the digital sphere, and as technologies keep evolving and work from home continues, concentration risks are growing.
“Concentration risk is on the lips of every senior executive and board member right now,” Linda Tuck Chapman, CEO of Third Party Risk Institute, and president of ONTALA Performance Solutions, told Nearshore Americas recently. “The speed of technological change is phenomenal. With questions around work from home, whether to onshore or offshore, as well as many other important questions, businesses are recognising that the way they are structured today makes them vulnerable to multiple risk events.”
Types of Concentration Risk
“Concentration risks can come in a variety of forms,” explained Kimberley Allan, Chief Marketing Officer at Aravo Solutions, a global third-party risk automator. “Regulators in the financial services industry are concerned about concentration risk in the form of overreliance on critical technology providers. But concentration risk can exist when any type of company is overly reliant on a particular service or product provider that they depend on for their business. If that provider cannot deliver, it in turn impacts the company’s ability to provide its product or service. These risks are exacerbated if a company doesn’t have an alternate provider that it can rely on.”
The BPO world suffered from a major geographic concentration risk during the pandemic. During the chaotic move to work from home in the Philippines, worsened by a hesitant government approach and subpar communications infrastructure, BPOs still fell victim to operational loss even though they were spread throughout the country. The Philippines’ “meltdown” is one reason that Nearshore is back in vogue.
Aside from the pandemic, geopolitical and weather-related risks are other geographic risk types that must be examined by companies when considering their concentration risk, said Allan.
Concentration Risk in the Cloud
The Fastly outage was not the only major event in tech that produced wide-ranging problems for companies in disparate networks. In December last year, hackers infiltrated the software system of US IT resources company SolarWinds. The hack was initially undetected, with US government agencies – the Pentagon, the Department of Homeland Security, Department of the Treasury and the National Telecommunications and Information Administration – as well as other major IT names including Microsoft, Cisco and Palo Alto Networks, all infiltrated. Hackers were able to access the systems of companies far down the supply chain that were not themselves connected to SolarWinds. The malware the hackers installed across systems could take “years” to remove, former White House advisor Tom Bossert said recently.
Concerns around other risk events, hacks or not, are very real, and cloud services are one major source of concern. The world’s major cloud service providers are few, and their clients many. According to tech research firm Canalys, Amazon Web Services (AWS), Microsoft Azure and Google Cloud were the recipients of 58% of global cloud spend in Q1 2021. Worldwide end-user spending on public cloud will increase by 18% between 2020 and 2021, a Gartner report predicted in November, with Gartner research VP Sid Nag stating that: “The pandemic validated the cloud’s value proposition.”
But Tuck Chapman believes that concentration risk ramps up when so few companies are responsible for the resources of so many critical suppliers to other businesses. Though companies down the supply chain may not directly contract a cloud provider, their services too are disrupted should the first domino fall.
“What happens if AWS or Azure has a bona fide risk event? What will happen? That’s a concentration risk that no one has a clue what to do with. Everybody is using them, but no one can see under the trunk,” she said.
Turnover Puts Knowledge in Jeopardy
When it comes to third-party concentration risk, the tech world’s talent shortage and the general speeding up of cross-industry workforce turnover are also having a negative impact, Tuck Chapman points out.
“The entire workforce is turning over faster and faster, and the gap between perceived capability and actual capability that companies require is getting wider as a consequence,” she said. “On one side there is the exponentially more complex environment that companies are working within, and on the other is this high turnover which leaves few people with the ability and experience to understand what’s actually happening.”
Statistics bear this out. According to the US Bureau of Labor Statistics (BLS), employee turnover – called ‘separations’ by the BLS – has increased almost monthly across industries for the last 10 years. Of all industries, tech has the highest turnover, according to a 2018 LinkedIn study.
To make matters worse, the Society for Human Resource Management suggests that a “turnover tsunami” is expected in the US once the pandemic finally comes to an end. This may well be repeated in other geographies that possess communication infrastructure sufficient to support greater-than-before levels of remote working.
This situation will lead to a cycle that escalates companies’ reliance upon technology and makes the need for deep understanding and experience from human staff even more apparent.
“In the long-run, we’re going to have to use more technology. It’ll be technology managing technology in a way we have not conceived of yet,” said Tuck Chapman.
Concentration Risk Management
The complexity of extended enterprises and companies that make use of Nearshore services demands that concentration risk be constantly considered and reviewed, the specialists say. The work from home environment, which according to KuppingerCole has resulted in a 54% increase in phishing campaigns, is one reason for ongoing monitoring. Companies are starting to act on the situation, said Allan.
“A trend I’m seeing is the requirement to better understand risks deeper into the supply chain – to expose things like concentration risk, but also because there’s a growing mandate for companies to apply more governance to their value chain – be it for cyber-supply chain risk management, or in response to more stringent ESG regulations,” she said. “As a consequence, companies will need to better map and manage their fourth, fifth and Nth parties. This is not always easy, but some things that companies may want to start considering is contract language that requires third parties to state what sub-contractors and/or third parties they’re using for the client’s engagement, and ensure they’re mapped, assessed and monitored.”
A recent EY study reported that 57% of companies are “facing increasing risk compliance” as a result of the pandemic. Expenditure will likely jump as companies search for a resolution to their exposure, which grows in step with their increased use of third-party technologies.
But Tuck Chapman warns that there is no silver bullet to concentration risk, especially not in the world companies will enter at the other end of the digital transformation.
“It really isn’t about resolving the problem, but understanding each unique situation to a level of certainty where the company can determine whether they’re OK with the risk or not, and if they aren’t, then the actions they can take to improve it,” she said.