In 2021, a single supplier shutdown in Taiwan disrupted global semiconductor production for 18 months, affecting industries from automotive to consumer electronics. In 2024, geopolitical tensions in the Red Sea forced shipping reroutes that added 10-14 days to delivery times. These are not rare events — they are the new normal.
Supplier risk has shifted from a periodic compliance exercise to a continuous strategic concern. Yet most procurement teams still rely on informal judgment — or worse, no formal risk assessment at all. A structured risk assessment framework turns chaos into a prioritized action plan.
The 5 risk categories every team should assess
Risk assessment starts with defining what you are measuring. We recommend five categories that cover the full spectrum of supplier risk:
1. Financial risk
Can your supplier stay in business? Assess credit ratings, debt levels, revenue trends, and dependency on a single customer. A supplier with 40% of revenue from one client is one lost contract away from collapse. Score drivers: bankruptcy probability, cost volatility, currency exposure.
2. Operational risk
Can your supplier deliver consistently? Evaluate quality systems, production capacity, equipment age, and delivery track record. A supplier running at 95% capacity has no room for demand spikes or machine downtime. Score drivers: quality failure rate, delivery disruption potential, capacity constraints.
3. Geopolitical risk
Is your supplier located in a stable region? Consider trade restrictions, tariffs, political stability, and natural disaster exposure. A supplier in a flood-prone region with a single production site carries fundamentally different risk than a multi-site supplier in a stable jurisdiction.
4. Compliance risk
Does your supplier meet regulatory requirements? Check certifications (ISO, industry-specific), environmental compliance, labor practices, and data protection. A lapsed certification can halt production overnight and expose your company to liability.
5. Cyber risk
Can your supplier protect your data and their own systems? Assess cybersecurity posture, breach history, data handling practices, and intellectual property protections. A breach at a Tier-2 supplier leaked designs for a major automotive OEM in 2023.
The P×I methodology
Once you have identified the categories, the P×I (Probability × Impact) method provides a clear, objective scoring system:
Step 1 — Score Probability (1–4): What is the likelihood of this risk materializing in the next 12 months? 1 = Remote, 2 = Unlikely, 3 = Likely, 4 = Almost Certain.
Step 2 — Score Impact (1–4): If this risk occurs, how severe are the consequences? 1 = Negligible, 2 = Moderate, 3 = Major, 4 = Critical (could halt operations).
Step 3 — Multiply: P × I = Risk Score (1–16). Plot each category on a 5×5 heat map to visualize which suppliers need immediate attention.
A supplier scoring 12+ in any category should have active mitigation plans. A supplier with total score above 30 across all categories should trigger a formal risk review.
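To make Steps 1 to 3 and the two thresholds concrete, the following Python scorer is an added illustration, not code from the original article; the category keys, the threshold constants, the supplier name and the rating values are assumptions constructed for the example.

```python
from dataclasses import dataclass

# The five categories from the article, keyed for machine use (assumed names)
CATEGORIES = ("financial", "operational", "geopolitical", "compliance", "cyber")
PROBABILITY = {1: "Remote", 2: "Unlikely", 3: "Likely", 4: "Almost Certain"}
IMPACT = {1: "Negligible", 2: "Moderate", 3: "Major", 4: "Critical"}
MITIGATION_THRESHOLD = 12  # per category: 12+ needs an active mitigation plan
REVIEW_THRESHOLD = 30      # total across categories: above 30 triggers formal review


def risk_score(probability: int, impact: int) -> int:
    """Step 3: P x I on the 1-4 scales. Rejects values outside the scales."""
    if probability not in PROBABILITY or impact not in IMPACT:
        raise ValueError("probability and impact must each be an integer 1-4")
    return probability * impact


def assess_supplier(name: str, ratings: dict[str, tuple[int, int]]) -> dict:
    """ratings maps every category to (probability, impact); a missing category
    is an error rather than silently scored as zero."""
    missing = set(CATEGORIES) - ratings.keys()
    if missing:
        raise ValueError(f"{name}: unscored categories {sorted(missing)}")
    scores = {c: risk_score(*ratings[c]) for c in CATEGORIES}
    total = sum(scores.values())
    return {
        "supplier": name,
        "scores": scores,
        "total": total,
        "needs_mitigation": sorted(c for c, s in scores.items() if s >= MITIGATION_THRESHOLD),
        "formal_review": total > REVIEW_THRESHOLD,
    }


# Constructed sample ratings for a hypothetical single-site Tier-2 supplier
SAMPLE_RATINGS = {
    "financial": (3, 4),     # likely cash squeeze, critical impact  -> 12
    "operational": (2, 3),   # unlikely, major                       -> 6
    "geopolitical": (3, 3),  # likely, major (flood-prone region)    -> 9
    "compliance": (1, 2),    # remote, moderate                      -> 2
    "cyber": (2, 4),         # unlikely, critical (design data)      -> 8
}

if __name__ == "__main__":
    result = assess_supplier("Example Supplier (constructed)", SAMPLE_RATINGS)
    for cat, score in result["scores"].items():
        p, i = SAMPLE_RATINGS[cat]
        print(f"{cat:13} P={p} ({PROBABILITY[p]}) x I={i} ({IMPACT[i]}) = {score}")
    print("total:", result["total"], "| mitigate:", result["needs_mitigation"],
          "| formal review:", result["formal_review"])
```

With these sample ratings only the financial category crosses 12, but the total of 37 still exceeds 30, so the supplier is flagged for a formal review even though four of five categories look individually acceptable.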
When to reassess
Leading organizations reassess critical suppliers quarterly, high-risk suppliers every 6 months, and standard suppliers annually. Companies that reassess quarterly catch risks 3× more often than those with annual cycles.