3.8. Management of concentration-related risks by individual financial institutions
While the toolkit notes the relevance of concentration, it does not propose a singular and prescriptive manner for individual financial institutions to assess concentration or concentrated- related risks. Additionally, the criticality of different critical services is not binary or equal (e.g. one critical service from one service provider may be significantly more material to one institution than three critical services at another institution).
Financial institutions may choose to increase their use of a given service provider for various reasons, including internal expertise or synergies in deployment of a particular business model or for risk management efficiencies and effectiveness. These attributes can strengthen financial institutions' resilience and improve the efficiency and flexibility of their operations.
At the same time, critical services (or in some cases, a combination of critical and non-critical services) provided from the same service provider may be subject to the same set of risks, and may increase the overall impact of a disruption to any institution, creating concentration and concentration-related risks for individual financial institutions, examined in Section 3.8 [It also considers certain forms of concentration and concentration-related risk for individual financial institutions that may not involve a specific service provider. For instance, a financial institution may be unduly reliant on a jurisdiction or region, such as an offshoring hub, for certain services, including critical services.], and systemic third-party dependencies and potential systemic risks (examined in Chapter 4) [See Financial Stability Institute (2022), Safeguarding operational resilience: the macroprudential perspective, August.].
Therefore, institutions may consider the overall concentration in services as a relevant factor in the risk management of critical services.