Metric Definition
Single-supplier dependency exposure
Track from
Vendor concentration risk
Vendor concentration risk is the exposure a business carries when too large a share of its spend, supply, or critical capability sits with a single vendor. It measures how much damage one supplier failing, raising prices, or walking away would do to operations. The higher the concentration, the more leverage that vendor holds and the harder the business is to keep running without them.
8 min read
What is vendor concentration risk?
Vendor concentration risk is the exposure a business carries when too large a share of its spend, supply, or critical capability sits with a single vendor. If one supplier handles 70 percent of your cloud hosting, manufactures your only component source, or processes most of your payments, that vendor effectively holds part of your business continuity in its hands. Concentration measures how much of your operation depends on a single point.
The simplest measure is spend share. If you spend 2 million pounds a year on logistics and 1.4 million of it goes to one carrier, that carrier represents 70 percent concentration in logistics. The same calculation applies to any category: software, raw materials, manufacturing, or professional services. The higher the share, the larger the gap a sudden loss of that vendor would leave.
Concentration is not automatically bad. A single, deeply integrated vendor can be cheaper, simpler to manage, and more reliable than juggling many. The risk is the lack of alternatives. When concentration is high and switching is slow or expensive, the vendor gains pricing power and the business loses resilience. Vendor concentration risk is the discipline of knowing exactly how exposed you are before a disruption forces you to find out.
Concentration risk is not only about spend. A vendor that takes a small share of your budget but supplies a component with no substitute can be a larger risk than a costly vendor that is easily replaced. Always weight concentration by how critical and how substitutable the vendor is, not by invoice size alone.
How to calculate vendor concentration risk
The headline number is the spend share of your largest vendor, but a useful assessment combines several inputs so that exposure reflects both size and fragility. Each input below sharpens the picture of how much one vendor failing would actually hurt.
- 1
Top vendor spend share
The annual spend with your single largest vendor divided by total spend in that category. This is the core concentration figure. A share above 30 percent in a critical category is usually worth a closer look.
- 2
Category criticality
How essential the category is to keeping the business running. Losing the vendor behind your core hosting stops everything, while losing the vendor behind office stationery stops nothing. Weight concentration by how much an outage would cost.
- 3
Substitutability
How quickly and cheaply you could move to an alternative. A vendor with three ready substitutes is a low risk even at high spend share. A vendor with no qualified alternative is a high risk even at modest share.
- 4
Switching time and cost
The lead time and one-off cost to migrate away. Long contractual lock-ins, bespoke integrations, and lengthy requalification all extend the window during which you are exposed if the vendor falters.
For a portfolio view, the same spend shares can be combined into a concentration index that sums the squared share of every vendor in a category. A category served by one vendor scores near the maximum, while a category split evenly across ten vendors scores low. The index turns a list of suppliers into a single comparable number, which is the basis of the related vendor diversification index.
Vendor concentration risk in a metric tree
A single concentration percentage tells you that you are exposed. It does not tell you where the exposure lives or who should act on it. A metric tree decomposes overall vendor concentration risk into the categories, vendors, and dependency factors that produce it, so the risk becomes a list of specific, ownable actions.
The first level splits the headline risk into spend concentration, supply criticality, and switching difficulty. Each branch decomposes further. Spend concentration breaks down by category and by individual vendor. Supply criticality breaks down by how essential each category is and whether a substitute exists. Switching difficulty breaks down into contract lock-in, integration depth, and requalification time. The tree shows that two vendors with the same spend share can carry very different real risk.
KPI Tree models this by attaching RACI ownership to every branch and pushing an alert to the accountable owner when a vendor crosses a concentration threshold. The category is Decision Intelligence, and the gap it closes is the one between a procurement dashboard showing concentration and a decision to qualify a second supplier before the first one becomes a problem. When the head of procurement can see which specific vendor in which category is the live risk, mitigation becomes a scheduled action rather than a scramble after an outage.
Metric tree insight
The most dangerous vendor is rarely the one with the biggest invoice. Decomposing concentration by criticality and substitutability often surfaces a low-spend vendor that supplies an irreplaceable input. The tree puts that hidden single point of failure in front of the owner who can fix it.
Vendor concentration risk benchmarks
There is no single correct concentration level, because the right number depends on how critical and how replaceable the category is. The benchmarks that travel are the spend-share thresholds procurement teams use as triggers for action and the share of critical categories that should always carry a qualified backup. The ranges below reflect what resilient procurement functions treat as comfortable, watchful, and dangerous.
| Signal | Comfortable | Watchful | Dangerous |
|---|---|---|---|
| Top vendor share of a critical category | Below 25 percent | 25 to 50 percent | Above 50 percent |
| Critical categories with a qualified backup | Above 90 percent | 60 to 90 percent | Below 60 percent |
| Single-source critical components | None | 1 to 3 | More than 3 |
| Switching lead time for the top vendor | Under 1 month | 1 to 3 months | Over 3 months |
A high share in a low-criticality, easily switched category is rarely worth acting on, so do not chase concentration figures uniformly. The categories that deserve scrutiny are the critical ones where switching is slow. A single vendor holding 60 percent of your office software is a minor concern. A single vendor holding 60 percent of a component with a three-month requalification window is the kind of exposure that justifies qualifying a second source before you need it.
How to improve vendor concentration risk
Reducing concentration risk is not about spreading spend thinly across many vendors, which adds cost and management overhead for little gain. It is about removing single points of failure in the categories that matter and keeping a credible escape route from the vendors you depend on most.
Qualify a second source early
For every critical category, keep at least one alternative vendor qualified and ready, even if it carries no current volume. A backup you can switch to in weeks turns a high concentration from a threat into a managed position.
Negotiate exit terms up front
Build reasonable termination rights, data portability, and transition support into contracts before signing. The time to secure an escape route is when the vendor wants your business, not when the relationship is already failing.
Map your single-source inputs
Identify every component, service, or capability with only one supplier and no ready substitute. These hidden single points of failure are where a concentration problem becomes an operational crisis, so surface and prioritise them.
Set concentration thresholds with alerts
Define the spend share at which a category needs a second source, then track it and alert the owner when a vendor crosses the line. A standing threshold turns concentration management into a routine rather than a reaction to a disruption.
Common mistakes when tracking vendor concentration risk
- 1
Measuring concentration by spend alone
Invoice size does not equal risk. A cheap vendor supplying an irreplaceable input is a larger exposure than a costly one with three substitutes. Weight by criticality and substitutability, not just spend.
- 2
Ignoring fourth-party dependencies
Two vendors can look independent yet rely on the same underlying provider. If both your suppliers run on the same single data centre, your real concentration is far higher than the vendor list suggests.
- 3
Treating a backup vendor as ready when it is untested
A named alternative that has never handled a live order is not a real escape route. A backup is only credible once it is qualified and has fulfilled a meaningful volume.
- 4
Reviewing concentration only at contract renewal
Concentration drifts as volumes shift between renewals. Checking it once a year leaves long windows where a category quietly tips into dangerous territory. Monitor it continuously with thresholds.
Related metrics
Inventory turnover
Stock efficiency
Operations Metrics
Metric Definition
Inventory Turnover = Cost of Goods Sold / Average Inventory
Inventory turnover measures how many times a business sells and replaces its inventory during a given period. It is a critical operations and finance metric that reveals how efficiently capital is being deployed in stock.
Free cash flow
FCF
Financial MetricsMetric Definition
FCF = Operating Cash Flow - Capital Expenditures
Free cash flow (FCF) measures the cash a business generates from operations after accounting for capital expenditures. It represents the actual cash available to pay dividends, repay debt, fund acquisitions, or invest in growth.
Gross profit margin
Revenue efficiency after direct costs
Financial Metrics
Metric Definition
Gross Profit Margin = ((Revenue - COGS) / Revenue) x 100
Gross profit margin measures the percentage of revenue that remains after deducting the direct costs of producing or delivering goods and services. It is the first and most important profitability layer in the income statement, revealing whether a business has sufficient pricing power and cost efficiency to fund operations, growth, and profit.
Average order value
Revenue per transaction
Operations MetricsMetric Definition
AOV = Total Revenue / Number of Orders
Average order value measures the mean amount spent each time a customer places an order. It is a core e-commerce and retail metric that directly influences revenue, profitability, and customer acquisition efficiency.
How to build a metric tree
Metric Definition
Build a metric tree to decompose vendor concentration risk into the suppliers and spend categories that drive single-supplier dependency, so you can act on the exposure rather than just monitor it.
Metric trees for finance teams
Metric Definition
Finance teams own supplier risk, so this guide shows how vendor concentration risk fits alongside the other financial metrics the team tracks and acts on.
Turn vendor concentration into a list of owned actions
Model vendor concentration risk as a metric tree in KPI Tree. Decompose exposure by category, criticality, and switching difficulty, assign RACI ownership to each branch, and alert the accountable owner the moment a vendor crosses a concentration threshold so you qualify a second source before it is too late.
