Board Governance

Your Biggest Vendor Risk Is the One You Cannot Replace

A practical board-level article on concentration risk in technology and vendor relationships, why replaceability matters more than due diligence alone, and what community bank a...

Most boards ask whether a vendor passed due diligence.

Fewer ask a much uglier question: what happens when too much of the institution depends on the same provider, the same platform, or the same narrow slice of the market?

That is concentration risk. And in community banking, it tends to hide in plain sight.

It hides behind long contracts, familiar names, and the comfort that comes from using the same providers everyone else uses. It also hides behind a board assumption: if the vendor is reputable, the risk must be manageable.

That is not how this works.

A reputable vendor can still become a single point of operational pain. A well-run provider can still push a bad update. A widely used platform can still create industry-wide fragility. And a board can feel well covered on vendor oversight while still having no believable answer to a basic question:

What would we do if this provider stumbled in a way that affected customers, operations, or regulators by lunchtime?

That is the governance conversation I want more boards to have.

Vendor risk is not just about whether a company is safe

Most institutions are familiar with classic vendor management questions.

Is the provider financially sound? Did legal review the contract? Did information security complete due diligence? Are service levels defined? Is there audit coverage?

All necessary. None sufficient.

The harder board question is whether the institution has become too dependent on one provider, one category of provider, or one chain of interconnected providers to fail gracefully.

The OCC's third-party risk guidance is blunt on this point. Concentrations can arise when a bank relies on a single third party for multiple activities, especially when several of those activities are critical to operations. The FDIC's 2024 community bank guide makes the same issue practical: third-party relationships can expand capability, but they also reduce a bank's direct operational control.

That phrase matters.

Reduced direct control is manageable when dependency is understood, owned, and planned for.

It becomes dangerous when the board sees a vendor list while management is actually running a dependency stack.

Example one: CrowdStrike showed how one trusted provider can become everybody's problem

Microsoft said the faulty CrowdStrike update in July 2024 affected about 8.5 million Windows devices worldwide.

That number gets attention. The more important lesson is what it revealed.

This was not a story about an obscure vendor no one had heard of. It was a story about a highly trusted provider embedded in critical operating environments across industries. A routine update path became a widespread business interruption event because the concentration was not just vendor-level. It was ecosystem-level.

That is what boards should notice.

A provider can be strong. That does not change the fact that heavy concentration turns an ordinary failure mode into a shared crisis.

For a community bank or credit union, the local version of that question is simple:

If one widely used provider in your environment had a bad Tuesday, how many customer-facing or regulator-visible processes would feel it before the day ended?

If the answer is "more than we are comfortable admitting," that is a board issue.

Example two: Change Healthcare proved concentration risk is really continuity risk

The Change Healthcare cyberattack in 2024 is another useful board lesson, even outside banking.

UnitedHealth said the incident disrupted claims and payment flows across the health care system and that the company provided more than $6 billion in accelerated funding and interest-free loans to support affected providers.

Different industry. Same governance problem.

When one intermediary sits in the middle of critical financial and operational flows, disruption does not stay neatly contained inside the vendor. It radiates outward into cash flow, customer service, exception handling, executive communications, and reputation.

Boards should pay attention to that pattern because banking has its own versions of it.

Core processors. Digital banking platforms. Payment intermediaries. Fraud tools. Identity providers. Cloud dependencies sitting underneath multiple vendors at once.

By the time concentration risk shows up as a customer problem, it is already an executive and governance problem.

Example three: the market may be more concentrated than your board packet suggests

NCUA Chairman Todd Harper warned in 2024 that five core processing providers handle more than 90 percent of credit union system assets.

Read that again.

Five providers. More than 90 percent of assets.

That does not mean those providers are weak. It means concentration is structural.

The same dynamic shows up across financial services. Institutions can believe they have diversified vendor risk because they use multiple products, while in reality several critical services trace back to the same provider family, the same infrastructure pattern, or the same limited set of dominant firms.

That is why a vendor inventory is not enough.

Boards need a dependency map.

Not a 40-page appendix no one reads. A plain-English picture of which providers support critical customer services, which ones support multiple business functions, where subcontractors sit in the chain, and which failures would force management into immediate tradeoff decisions.

Because once concentration becomes material, the real issue is no longer vendor selection. It is institutional resilience.

What boards should ask before concentration becomes visible the hard way

This is where governance needs to move from annual review theater to operational clarity.

I would start with five questions.

1. Where do multiple critical services rely on the same provider?

Not just direct contracts. Shared infrastructure, embedded third parties, major subcontractors, and single sign-on or identity dependencies too.

If online banking, fraud controls, customer communications, and recovery workflows all bend around the same provider family, the board should know it.

2. What fails together?

This is the question a lot of reporting skips.

Boards get service-level summaries by function. What they need is a cross-functional impact view.

If this provider has an outage, what stops at once? Customer access. Wire processing. Treasury workflows. Call center operations. Vendor-to-vendor data feeds.

That answer is far more useful than a green dashboard.

3. Who owns the contingency play if a critical vendor stumbles?

Not vendor management in the abstract. One accountable executive.

Who decides when to trigger manual workarounds. Who owns customer communication. Who briefs the board. Who has authority to prioritize degraded operations if not everything can be restored at once.

If ownership becomes fuzzy under pressure, the institution does not have a contingency plan. It has a document.

4. How believable is the exit strategy?

Most contracts contain termination language. That is not the same as an exit plan.

Could the institution retrieve its data in a usable format? How long would a migration actually take? What customer disruption would be unavoidable? What internal skills would be missing on day one of separation? Which other vendors would have to move with it?

An exit strategy that works only in a procurement memo is not an exit strategy.

5. What does the board hear after approval?

Too many vendor conversations peak at contract signature.

Boards should expect periodic reporting on concentration exposure, incident trends, dependency changes, major subcontractor shifts, recovery test results, and whether any provider has quietly become more critical than originally approved.

Dependency grows in silence. Oversight should not.

This is not a call to avoid major providers

That would be unrealistic and, frankly, silly.

Community institutions do not get points for building everything themselves. Strong partners are part of the operating model. They should be.

The goal is not false independence. The goal is clear-eyed dependence.

A board does not need to panic because the market is concentrated. It does need to govern as if concentration changes the nature of operational risk.

That means asking better questions before the outage, before the cyber event, before the vendor failure, and before the exam team asks management to explain a contingency story that only half exists.

In practical terms, the board's job is to understand how much of the institution is riding on that vendor, what breaks if that concentration turns against you, and whether management can keep trust intact when the dependency stops being invisible.

That is the real assignment.

Discussion questions

1. Which provider in your institution would create the most operational confusion if it went down for 48 hours?

2. Does your board see vendor risk one contract at a time, or as a concentration map across critical services?

3. How much of your exit planning is operationally believable versus legally comforting?

Sources

  • FDIC, "Third-Party Risk Management: A Guide for Community Banks," May 2024
  • OCC, "Third-Party Relationships: Interagency Guidance on Risk Management," Bulletin 2023-17
  • OCC, "Supplemental Examination Procedures for Risk Management of Third-Party Relationships," discussion of concentration risk
  • Microsoft, "Helping our customers through the CrowdStrike outage," July 20, 2024
  • UnitedHealth Group, updates on the Change Healthcare cyberattack, March and April 2024
  • NCUA Chairman Todd M. Harper, remarks at Brookings on the agenda for credit union regulation, June 2024