Technology Portfolio Management (TPM) Best Practices - Manage technology vendor concentration risk
Overview
Vendor concentration risk is the risk created by organizational dependence on a small number of technology vendors for a disproportionate share of critical capabilities. It is a portfolio-level risk that is invisible without the aggregate analysis that the Technologies Inventory family and its vendor connections enable. Individual technology assessments evaluate the health of each specific technology’s vendor. Portfolio-level vendor concentration analysis evaluates the aggregate organizational exposure to each vendor across all the technologies the vendor provides, revealing the portfolio-wide impact that a single vendor failure, acquisition, or adverse commercial decision could create.
Best Practice
Conduct vendor concentration analysis as a standard component of the annual technology portfolio review, aggregating the Technologies Inventory adoption data by vendor to produce a portfolio-level view of vendor concentration. The concentration analysis should identify: the vendors on whom the organization has the highest aggregate financial dependency, measured by total spend across all technologies from each vendor; the vendors on whom the organization has the highest operational dependency, measured by the business criticality and adoption concentration of the applications depending on each vendor’s technologies; and the vendors on whom the organization has the highest strategic dependency, measured by the Move-To Strategic Dispositions assigned to the technologies each vendor provides. Report vendor concentration as a portfolio-level risk metric with defined concentration thresholds above which the concentration is considered governance-significant, and develop mitigation strategies for any vendor whose concentration exceeds the threshold.
Benefit(s)
Portfolio-level vendor concentration analysis gives the organization visibility into systemic dependency risks that individual technology assessments cannot surface. A vendor that provides multiple technologies across several taxonomy categories, each individually assessed as well-governed, may collectively represent a concentration risk that warrants portfolio-level mitigation. When vendor concentration is identified and governed, the organization has time to develop and execute mitigation strategies — diversifying to alternative vendors, maintaining portability capability, negotiating stronger exit provisions — before concentration risk becomes a crisis.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present