Vendor Concentration Risk: The Supply Chain DD Nobody Does

We watched a $180M Series C implode in month four. Not because of product-market fit. Not because the team couldn’t execute. The company’s largest supplier – representing 63% of their cost of goods sold – got acquired by a competitor and immediately tripled pricing with 90 days’ notice.

The deal team had spent six weeks on customer concentration analysis. They built elaborate cohort models and NPS surveys. Meanwhile, the entire business model rested on a handshake agreement with a single contract manufacturer in Shenzhen. Nobody asked about supplier diversity until the term sheet was signed.

This happens more than you’d think.

The Blind Spot

Vendor concentration gets maybe two slides in the average operational DD deck. Usually buried after the exciting stuff about growth metrics and customer acquisition costs. We’ll see a bullet point: “Primary supplier: Acme Manufacturing (est. 40-50% of COGS).”

That “est.” should terrify you. It means nobody actually pulled the AP aging report and calculated the real number.

Here’s what we’ve learned after reviewing supply chains for over 200 portfolio companies: if management doesn’t track supplier concentration precisely, they probably don’t manage it either. And when pressed, that “40-50%” estimate usually lands north of 65%.

The vendors who matter most get the least scrutiny. Everyone obsesses over customer concentration because it’s in every investor’s checklist. But your largest customer can only stop paying you. Your largest vendor can stop delivering, raise prices 40%, or get acquired by someone who wants your portfolio company dead.

Why Traditional DD Misses This

Most operational due diligence follows the revenue backwards. Customer concentration, retention metrics, gross margin trends. That’s where the obvious risk lives, so that’s where teams spend time.

Procurement lives in a different org chart entirely. Often under operations or finance, sometimes reporting directly to the COO. It’s treated as a cost-management function, not a strategic risk lever.

We’ve seen pre-investment management presentations that include 30 slides on go-to-market strategy and exactly zero on supply chain resilience. The VP of Sales gets two hours with the deal team. The Head of Procurement gets a 20-minute phone call, if they’re lucky.

This creates asymmetric information risk. Management knows which vendors are irreplaceable. They know which relationships are held together by personal connections or technical lock-in. They know where the single points of failure are. They just don’t volunteer it unless you ask the right questions.

The Framework That Actually Works

We run vendor concentration analysis in three layers: financial exposure, operational criticality, and replacement feasibility. You need all three. Any one dimension alone will lie to you.

Financial exposure is the easy part. Pull the last 12 months of accounts payable data. Calculate each vendor’s share of total spend, share of COGS, and year-over-year growth rate.

The thresholds we use: any vendor above 25% of total spend gets flagged. Above 40% gets escalated. Above 60% means we’re repricing the deal or building vendor transition costs into the model.

But dollars alone don’t tell you enough. We’ve seen companies with a vendor representing only 15% of spend that was completely mission-critical. They supplied a patented component with an 18-month lead time and zero substitutes. Financial exposure looked fine. Operational reality was a knife edge.

Operational criticality requires mapping which vendors sit on the critical path to delivery. Not just who you spend money with – who can halt your entire operation if they disappear.

We ask management to list every vendor whose failure would stop shipments within 30 days. Then we compare that list to their top 20 suppliers by spend. The vendors that appear on both lists are your real risk.

For each critical vendor, we want three pieces of information: lead time to first delivery, minimum order quantities, and technical switching costs. If the answers are “12 weeks,” “500 units,” and “requires re-tooling our entire production line,” you have concentration risk regardless of what the P&L says.
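The first two layers reduce to a calculation over AP data. The following is an added example, not code from the original article: it computes each vendor's share of spend and COGS, applies the 25/40/60% thresholds, and marks vendors that sit on both the critical list and the top-20-by-spend list. The ledger layout, vendor names and function names are assumptions made for illustration, and the sample figures are constructed.

```python
from collections import defaultdict

# Page thresholds on share of total spend ("above" = strictly greater), highest first.
TIERS = [(0.60, "reprice"), (0.40, "escalate"), (0.25, "flag")]

# Constructed sample data (not from the article): (vendor, period, amount, is_cogs).
SAMPLE_LEDGER = [
    ("Vendor A", "prior", 300_000, True), ("Vendor A", "ttm", 450_000, True),
    ("Vendor B", "prior", 400_000, True), ("Vendor B", "ttm", 300_000, True),
    ("Vendor C", "prior", 150_000, True), ("Vendor C", "ttm", 150_000, True),
    ("Vendor D", "prior", 150_000, False), ("Vendor D", "ttm", 100_000, False),
]
# Management's list of vendors whose failure would stop shipments within 30 days.
SAMPLE_CRITICAL = {"Vendor A", "Vendor C"}

def tier(share):
    """Map a share of total spend to the escalation tier."""
    return next((name for floor, name in TIERS if share > floor), "ok")

def concentration_report(ledger, critical, top_n=20):
    """Per-vendor exposure for the trailing 12 months ('ttm') vs. the prior year."""
    spend = defaultdict(lambda: {"ttm": 0.0, "prior": 0.0})
    cogs = defaultdict(float)  # TTM spend booked to COGS
    for vendor, period, amount, is_cogs in ledger:
        spend[vendor][period] += amount
        if period == "ttm" and is_cogs:
            cogs[vendor] += amount
    total = {p: sum(v[p] for v in spend.values()) for p in ("ttm", "prior")}
    total_cogs = sum(cogs.values())
    ranked = sorted(spend, key=lambda v: spend[v]["ttm"], reverse=True)
    top = set(ranked[:top_n])
    rows = []
    for vendor in ranked:
        share = spend[vendor]["ttm"] / total["ttm"] if total["ttm"] else 0.0
        prior = spend[vendor]["prior"] / total["prior"] if total["prior"] else 0.0
        rows.append({
            "vendor": vendor,
            "spend_share": round(share, 3),
            "cogs_share": round(cogs[vendor] / total_cogs, 3) if total_cogs else 0.0,
            "share_change": round(share - prior, 3),  # rising share = growing dependency
            "tier": tier(share),
            # On both lists: critical path AND top-N by spend.
            "real_risk": vendor in critical and vendor in top,
        })
    return rows

if __name__ == "__main__":
    for row in concentration_report(SAMPLE_LEDGER, SAMPLE_CRITICAL):
        print(row)
```

In the sample, Vendor C stays under every spend threshold at 15% yet is still marked as real risk, which is the case where dollars alone mislead.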

Replacement feasibility is where most teams give up. It requires actual industry knowledge, not just spreadsheet analysis.

We maintain a database of supplier alternatives across the industries we invest in. When a portfolio company says their injection molding supplier is irreplaceable, we can pull up six qualified alternatives with comparable capacity. When they claim their AWS spend is locked in, we’ve done the migration math on egress costs and engineer time.

About 60% of claimed vendor lock-in is real. The other 40% is organizational inertia dressed up as technical necessity. You need domain expertise to tell the difference.

What the Numbers Should Tell You

We’ve built benchmarks from our portfolio data. These vary by industry, but the patterns hold.

For physical goods companies, anything above 35% supplier concentration in a single category is abnormal. Above 50% means you’re either in a constrained market (semiconductors, rare earth materials) or you’ve been lazy about diversification.

For software and services businesses, the calculus is different. Cloud infrastructure concentration is normal – most companies run 80%+ of workload on a single provider. That’s acceptable because migration paths exist, even if they’re expensive.

What’s not acceptable: relying on a single white-label provider for core product functionality. We passed on a Series B because 90% of the company’s AI features were API calls to a startup that had raised $8M and was burning $2M per quarter. Their vendor was less stable than they were.

Payment processor concentration is another area where teams get sloppy. We see startups processing 100% of volume through Stripe. That’s fine until you hit certain volume thresholds or industry categories where Stripe’s risk models get conservative. Then you’re scrambling to integrate a backup processor while your checkout conversion rate craters.

The pattern we watch for: vendor concentration that’s increasing year-over-year. If supplier number one represented 30% of spend two years ago and 45% today, someone made an active choice to increase dependency. We want to know why.

Sometimes it’s defensible. Volume discounts kicked in, or the vendor made infrastructure investments specific to your needs. More often it’s the path of least resistance. The existing vendor was easy, and nobody wanted to onboard alternatives.

Real Examples From The Trenches

Case one: Consumer electronics company with 71% of manufacturing through a single Chinese supplier. The relationship was 8 years old, pricing was excellent, quality was consistent. Management considered it a competitive advantage.

We dug into the contract terms. Net 60 payment terms, no exclusivity clause, and the supplier was also producing for two direct competitors. When we asked about backup manufacturers, the CEO said they’d evaluated options three years ago and nobody else could match the price.

Three years is a lifetime in contract manufacturing. We identified four qualified alternatives and ran RFPs. Two came back 8-12% more expensive. One came back 3% cheaper with better payment terms. The CEO was shocked.

The company had been paying relationship tax without knowing it. We diversified to two suppliers (60/40 split) and saved 4% on fully-loaded COGS. The original vendor dropped pricing another 6% within a month of splitting volume.

Case two: B2B SaaS company with a critical dependency on a single data provider. The data represented 70% of their product’s value proposition. Annual contract, auto-renewing, with a 90-day out clause on either side.

The data provider had been acquired 18 months earlier by a PE firm. We pulled their financials and saw they’d loaded up on debt. Their new owners were clearly squeezing for EBITDA.

We asked management what happened if the data provider doubled pricing. The answer: “We’d have to pass it through to customers or accept margin compression.” No plan B.

We found two alternative data sources. Neither was perfect, but together they covered 85% of use cases. We helped the company build a 6-month integration roadmap and negotiated a new 3-year deal with the incumbent that included pricing caps.

Six months after close, the data provider tried to increase pricing by 60%. We walked. The alternative providers were live within 90 days. Crisis averted.

The Questions That Surface Reality

Most vendor risk lives in the gaps between what management tracks and what actually matters. You surface it by asking questions that don’t have easy answers.

“How long would it take to replace your top three suppliers?” If the answer is vague or optimistic, they haven’t actually tested it.

“When did you last run a competitive RFP for your largest vendor relationships?” If it’s been more than 24 months, they’re flying blind on pricing.

“What happens if your primary supplier gets acquired by [specific competitor]?” Name an actual strategic buyer who would create conflict. Watch the body language.

“Show me the disaster recovery plan for supplier failures.” If they don’t have one, or it’s a dusty document from 2019, you’ve found a gap.

“Who owns vendor diversification at your company?” If the answer is “procurement” or “operations” without executive sponsorship, it’s not actually getting done.

The best operators have answers immediately. They’ve mapped dependencies, built relationships with alternative suppliers, and they track concentration metrics monthly. They treat supply chain risk like customer concentration – as an existential threat that needs active management.

The bad operators get defensive. They’ll explain why their situation is unique, why the usual rules don’t apply, why diversification would be too expensive or complicated. That’s when you know you’ve found real risk.

What To Do When You Find It

Finding vendor concentration isn’t a deal-killer. It’s a known risk that you can price and mitigate. But you need to be honest about the cost and timeline.

For concentration above 50% with no clear alternatives, we build 18-24 months of transition costs into the model. That includes duplicate tooling, qualification runs, inventory buffers, and project management overhead. It’s usually 2-4% of annual revenue for manufacturing companies, less for software.

For concentration of 30-50% where alternatives exist, we require a diversification roadmap in the first 100 days post-close. Not a strategy deck – an actual project plan with procurement targets, technical milestones, and executive owners.

For concentration below 30%, we set up monitoring. Quarterly reporting on top 10 vendor spend, annual RFPs for anything above 15% of category spend, and a standing policy that no new vendor can exceed 35% concentration without board approval.

The mistake we see teams make: trying to fix vendor concentration in the 60 days between signing and closing. You can’t. The timelines don’t work. Manufacturing qualifications take 3-6 months. Enterprise software migrations take 6-12 months. Regulatory-approved suppliers in pharma or med-tech can take 18+ months.

What you can do: negotiate contract protections into the existing vendor relationships. Pricing caps, extended termination notice periods, capacity guarantees, alternative sourcing rights. These are bridging tactics while you build real optionality.

The Uncomfortable Truth

Most vendor concentration risk is self-inflicted. It comes from organizations that optimize for short-term convenience over long-term resilience.

It’s easier to keep ordering from the same supplier than to qualify a new one. It’s cheaper to accept auto-renewal pricing than to run a competitive process. It’s faster to say yes to a vendor’s terms than to negotiate protection clauses.

These small decisions compound. Five years later, you have a business that can’t function without a handful of external parties who know exactly how dependent you are.

The fix isn’t complicated. It’s just work that doesn’t feel urgent until it’s too late.

We’ve never seen a portfolio company fail because they over-invested in supplier diversification. We’ve seen plenty stumble because they treated vendor relationships as an operational detail instead of a strategic risk.

When you’re writing the check, you get one chance to see the supply chain clearly. Management is motivated to be transparent, diligence budgets are allocated, and you have leverage to demand changes.

After the deal closes, vendor concentration becomes someone else’s problem to fix with your capital. Much better to find it early and price it right.
