- Technology concentration is now a board-level resilience concern.
- Shared providers can create market-wide points of failure.
- Indirect dependencies are harder to see than direct suppliers.
- Traditional risk methods often miss systemic exposure.
- Boards need clearer ownership of critical dependencies.
- Scenario testing should include ecosystem-wide disruption.
Ahead of Next Gen OpRisk Europe, we spoke to Ricardo about why systemic technology concentration risk is becoming a defining resilience challenge for Boards and executive teams. In this conversation, he shares his perspective on hidden dependencies, market-wide vulnerabilities and the practical actions organisations should be taking now.

Technology concentration risk has become a Board-level concern. What has changed in recent years?
Over the last decade, technology has become deeply embedded in how organisations operate, serve customers and deliver critical services. What has changed is not simply the level of dependence on technology, but the degree of concentration behind that dependence.

Many organisations have independently made similar decisions in pursuit of efficiency, scalability and innovation. Individually, these decisions often make sense. Collectively, they can create a very different risk profile. What I have observed in practice is that this shift becomes visible at Board level not when a provider fails, but when an organisation realises that the same disruption could affect many of its peers simultaneously.

The issue is no longer whether an organisation understands its own technology dependencies. The challenge is understanding where those dependencies converge across an industry, a market or a critical infrastructure ecosystem.

This shift is also reflected in recent regulatory developments. Having led DORA implementation across two regulated entities under different supervisory regimes, one of the clearest changes I have observed is the increasing focus on ICT concentration risk as a resilience and governance concern, rather than purely a technology issue.

As a result, technology concentration has moved beyond being a procurement, outsourcing or technology risk topic. It has become a resilience and governance issue that increasingly requires Board attention. When large numbers of organisations depend on the same providers, platforms or infrastructures, the potential impact of disruption extends far beyond any individual firm.

The conversation is shifting from "Are we dependent?" to "How many others are dependent on the same thing, and what happens if that dependency is disrupted?"

The real risk is often not the dependency itself. It is the fact that many organisations have become dependent on the same thing.
Many organisations understand their direct technology providers, but far fewer understand their indirect dependencies. Why is this becoming such a challenge?
Most organisations have made significant progress in understanding their critical third parties. The challenge today is that risk does not stop at the contractual boundary.

A financial institution may know which cloud provider it uses, which software vendors support critical services, and which outsourcing partners deliver key capabilities. What is often less visible are the layers of dependency that sit behind them.

Many providers rely on other providers. Software platforms depend on cloud infrastructure. Critical services may share common data centres, telecommunications networks or specialist technology suppliers. Over time, organisations can become connected through complex chains of dependency that were never designed or managed as a single system.

The challenge is not a lack of information. It is the increasing complexity of the ecosystem itself.

Understanding direct relationships is relatively straightforward. Understanding how dependencies converge across multiple firms, providers and infrastructures is considerably more difficult. Yet this is often where concentration risk becomes visible.

For resilience leaders, the question is no longer simply "Who do we depend on?" It is increasingly "Who do our providers depend on, and where do those dependencies overlap with the rest of the market?"
The issue is often not that a provider fails, but that many organisations depend on the same provider. Why does technology concentration create a different type of risk?
Traditional third-party risk tends to focus on the impact of a disruption on a single organisation. Concentration risk introduces a different dimension: the possibility that the same event affects many organisations at the same time.

If multiple firms depend on the same technology provider, infrastructure platform or critical service, a disruption may no longer remain an isolated operational issue. It can quickly become a market-wide resilience challenge.

What makes concentration risk different is not necessarily the likelihood of failure. It is the scale and simultaneity of the consequences when failure occurs.

A single outage, cyber incident or operational disruption can affect organisations that may have no direct relationship with one another, yet share the same underlying dependency. In highly interconnected sectors such as financial services, those effects can extend beyond individual firms and influence customers, markets and critical services.

This is why technology concentration is increasingly being viewed through a systemic lens. The real question is not whether an organisation can recover from a disruption. It is whether large parts of an ecosystem have become dependent on the same point of failure.

Concentration risk emerges when many organisations become dependent on the same critical capability, often without fully understanding the collective consequences.
Are organisations and regulators paying enough attention to systemic technology concentration risk, or are important blind spots still being overlooked?
There has been significant progress in recent years. Regulators, Boards and executive teams are paying far more attention to operational resilience, critical dependencies and third-party risk than they did a decade ago.

That increased focus is important because it has helped organisations improve visibility over critical services, identify key providers and strengthen resilience capabilities. In many respects, the industry is far better prepared today than it was in the past.

However, systemic concentration risk remains a relatively new challenge. Traditional risk management approaches were largely designed to understand risks within an individual organisation. Technology concentration requires us to think beyond organisational boundaries and consider how decisions made independently by many firms can create shared vulnerabilities across an ecosystem.

This is where some important blind spots still exist. Organisations may have a good understanding of their own critical providers while having limited visibility of how those dependencies overlap with peers, market infrastructures or other critical sectors.

The industry has made considerable progress in managing individual dependencies. The next stage of maturity is understanding the systemic consequences that can emerge when many organisations depend on the same providers, technologies or infrastructures.

The challenge is becoming less about visibility within a firm and more about visibility across a system.
What practical actions should Boards and executive teams take today to better understand and manage systemic technology risk?
The first step is recognising that technology concentration is not solely a technology issue. It is a business resilience issue and, increasingly, a strategic governance issue.

Boards do not need to understand every technical detail of a cloud architecture or technology platform. What they do need to understand is where the organisation's most critical services depend on a small number of providers, infrastructures or shared capabilities.

In my experience, that consolidated understanding rarely exists in a single place. It is often fragmented across technology, operations, risk and procurement functions, each with partial visibility. One of the most important governance decisions an organisation can make is to establish clear executive accountability for bringing those perspectives together.

A useful starting point is to ask a direct question: What would happen if this dependency became unavailable, and how many others would be affected at the same time?

That conversation often leads organisations beyond traditional third-party risk management and towards a broader understanding of systemic exposure. It also tends to reveal accountability gaps: dependencies that everyone was aware of, but no one truly owned.

Having worked extensively with resilience and third-party governance frameworks, one of the most common observations is that organisations often have more information than they think. The challenge is not always visibility. It is converting fragmented information into clear ownership, informed decisions and effective action.

Executive teams should also challenge assumptions around resilience. In many cases, organisations focus heavily on the resilience of individual providers, while paying less attention to the concentration created by relying on the same providers as the rest of the market. Continuity arrangements that assume a provider remains available while competitors recover are often built on a premise that concentration risk makes increasingly unlikely.

Finally, resilience exercises and scenario testing should increasingly consider ecosystem-wide disruption, not just firm-specific events. The objective is not to eliminate concentration risk entirely. In many cases that is neither practical nor desirable. The objective is to understand where concentration matters most, make informed trade-offs and ensure the organisation can respond effectively when disruption occurs.

Resilience is not about avoiding every dependency. It is about understanding which dependencies matter, and making conscious decisions about them.