Supply chain risk has been in mainstream risk management discourse for several years — accelerated by pandemic-related disruptions, high-profile ransomware attacks on critical suppliers, and the increasing legislative attention being paid to supply chain integrity in critical infrastructure and national security contexts. Despite this, most organisational risk frameworks still address supply chain risk in ways that miss the exposures that actually matter.
Why Standard Frameworks Miss Supply Chain Risk
The standard approach to supply chain risk in enterprise risk frameworks focuses on Tier 1 suppliers — the direct vendors and contractors with whom the organisation has a contractual relationship. This is a reasonable starting point. It is an inadequate endpoint. The supply chains that produce catastrophic disruption are frequently not in Tier 1. They are in Tier 2 and Tier 3 — the suppliers of your suppliers, the service providers your contractors depend on, the software components embedded in the systems your vendors use.
The 2020 SolarWinds supply chain compromise is the canonical example. The organisations affected were not attacked directly. They were attacked through a trusted software update from a Tier 1 vendor that had itself been compromised through its own supply chain. The organisations' vendor risk management programmes had assessed SolarWinds. None of them had assessed the attack surface of SolarWinds' own software development environment. That is a Tier 2 risk that produced Tier 1 consequences.
Extending supply chain risk assessment beyond Tier 1 is technically and practically challenging. Most organisations do not have visibility of their Tier 2 and Tier 3 supply chains. Contractual mechanisms to require supply chain transparency are not universally in place. The analytical burden of assessing a large multi-tier supply chain is significant. These are genuine constraints. They are not reasons to not address the risk. They are reasons to prioritise: to identify the supply chain dependencies that represent the highest exposure and focus assessment effort there first.
The Concentration Risk Problem
Supply chain risk frameworks that treat each supplier as an independent risk frequently miss the concentration risk that arises when multiple critical functions depend on a small number of shared infrastructure providers. Cloud service concentration — where a significant proportion of an organisation's critical systems run on a single hyperscaler platform — is one manifestation. Common software dependencies — where multiple critical systems rely on the same underlying libraries or components — is another.
Concentration risk is not visible in a supplier-by-supplier assessment. It requires a portfolio view — looking across the supply chain to identify where multiple critical dependencies converge on a single point of failure. This is an analytical exercise that requires understanding the architecture of the organisation's technology and service dependencies, not just the contractual relationships with individual vendors.
Geopolitical Dimensions of Supply Chain Risk
Supply chain risk frameworks that do not incorporate geopolitical analysis are increasingly inadequate. The risk that a supplier in a particular jurisdiction may be required to act in ways contrary to the interests of their customer — through legal compulsion, regulatory direction, or intelligence service engagement — is a material risk for organisations with supply chains that extend into certain jurisdictions. This risk is not hypothetical. Legislative frameworks in several countries create obligations on technology companies and telecommunications providers that have direct implications for data security and supply chain integrity.
Organisations operating critical infrastructure, handling sensitive personal data, or providing services to government clients need to address the geopolitical dimension of their supply chain risk explicitly. This does not necessarily require exit from affected supply chains — the commercial realities may make that impractical — but it does require that the risk be assessed and managed, not ignored because it is uncomfortable or complex.
What Better Supply Chain Risk Management Looks Like
Organisations that are managing supply chain risk effectively share several characteristics. They have mapped their critical supply chains beyond Tier 1, at least for the most sensitive and critical functions. They have assessed concentration risk across their supply chain portfolio. They have geopolitical analysis embedded in their supply chain risk assessment for relevant jurisdictions. They have contractual mechanisms that give them visibility into their suppliers' security posture and the right to audit. They have incident response plans that account for supplier failure or compromise as a primary scenario.
None of this is simple. Supply chain risk management at the level of sophistication that the current threat environment requires is a capability investment, not a checkbox exercise. But the gap between current practice and adequate practice is large enough, and the consequences of supply chain compromise serious enough, that it is one of the higher-priority risk management investments available to most organisations.
Tony Ridley provides supply chain risk advisory and critical infrastructure resilience consulting. Contact us to discuss your requirements.