A critical vendor does not need to fail to damage the institution. It only needs to become difficult to replace. Concentration creates leverage over price, timing, access, evidence and strategic choice. The institution may technically own its data while lacking a practical way to export it. It may have termination rights while no internal person can operate the replacement. It may use several vendors that all depend on the same cloud, identity provider, model or subcontractor. The dependency is therefore larger than the contract list suggests.
Count functions, not suppliers
A vendor register organised by legal entity can conceal common points of failure. Map the functions that must continue and the upstream services on which each depends. Look for concentration across:
- Cloud regions and hosting platforms.
- Identity, domain, certificate and communications providers.
- Managed service and security administrators.
- Payment, custody, market-data and reporting infrastructure.
- AI models, data processors and integration platforms.
- Specialist individuals whose knowledge is not replicated inside either party.
Three separately contracted applications may all stop when one identity tenant fails. Ten advisers may all rely on one data room. Apparent diversification can be architectural concentration.
Leverage appears in five forms
- Economic leverage: renewal price, minimum spend, professional-services dependence and switching cost.
- Operational leverage: the vendor controls access, support priority, recovery or critical configuration.
- Informational leverage: records, logs, metadata or working knowledge cannot be extracted in usable form.
- Contractual leverage: termination, audit, incident and assistance rights are narrow or expensive.
- Temporal leverage: changing provider takes longer than the institution’s tolerance for disruption.
The last form is frequently ignored. An exit that takes eighteen months is not an effective response to a problem that must be solved next week.
Diligence the exit while the relationship is healthy
Ask for more than a clause. Test the mechanics.
- Can the institution export authoritative data, configuration, identities, logs and audit history?
- Are the formats documented and usable without the vendor’s proprietary tooling?
- Which credentials, domains, certificates and encryption keys remain under institutional control?
- What assistance is contractually required, at what price and for how long?
- Which subcontractors or fourth parties must cooperate?
- Can the service run safely during a dispute, insolvency or transition?
- What evidence proves deletion after exit?
If these answers are unknown, the vendor holds an option over the institution’s future behaviour.
Model substitution time
Traditional concentration metrics often use spend. Spend can be small while substitution time is enormous. Estimate the shortest credible path to replace or isolate the vendor under adverse conditions. Include data extraction, procurement, legal work, implementation, validation, training, parallel run and counterparty recognition. Identify the people whose availability controls the timeline. Then compare substitution time with the institution’s maximum tolerable disruption and the likely notice period before service degradation. The gap is the real concentration exposure.
Use architectural and contractual controls together
Contracts can require notice, audit evidence, incident cooperation, portability and transition assistance. Architecture can keep identity, keys, logs, backups and authoritative records outside the vendor’s exclusive control. Neither is sufficient alone. A perfect exit clause cannot reconstruct undocumented configuration. A portable architecture cannot compel a distressed provider to supply evidence or preserve service. DORA’s approach to ICT third-party risk is relevant beyond regulated financial firms because it treats contractual arrangements, concentration, monitoring and exit as part of operational resilience rather than procurement housekeeping.
Build an exit-ready operating posture
- Maintain a named owner for every critical dependency.
- Keep current architecture, data-flow and administrator records.
- Exercise exports and restoration outside the vendor’s primary environment.
- Track fourth-party concentration where several vendors share the same dependency.
- Pre-approve containment options for a vendor incident.
- Refresh substitution-time estimates after material product, contract or staffing changes.
- Escalate concentration that collides with the institution’s strategic plan or regulatory obligations.
The negotiation question
Before the next renewal, ask: if this provider changed price, terms, ownership or service quality tomorrow, what could we credibly do without asking its permission? The difference between the answer and the institution’s stated freedom is the vendor’s hidden leverage.
