Supplier risk assessment: How risk scoring helps leaders visualize risk

by Ulf Venne

In a recent KPMG survey, more than three out of four respondents said supplier risk assessment and management is a strategic priority for their business, and six out of 10 said their organization’s most severe reputational risks come from third parties’ failure to deliver.

Your suppliers are the key to your success, but how do you make sure they are the best suppliers you could be partnering with? What kind of risk do they bring to the relationship? Is that risk manageable or could it prevent you from meeting your business commitments? Is your supply chain resilient enough to withstand major or even minor risks? How are you performing as a supplier?

What is a supplier risk assessment?

A supplier risk assessment is a routine practice companies conduct to better understand their suppliers, the risks they may pose, and how the suppliers address those risks. There is no such thing as no risk when it comes to suppliers. Every company has its vulnerabilities, both internal and external, and not everything is predictable. We learned that the hard way with COVID-19.

The point of supplier risk assessments is not to weed out suppliers that pose any risk; it is to compare suppliers’ risks with your company’s risk appetite to determine whether the suppliers are meeting expectations within an acceptable level of risk.

PWC says of supplier risk assessment and management, “It’s not about playing defense – it’s also about playing offense – finding competitive advantage by shaping supply chain resilience strategy focused on disruption avoidance.” Developing this kind of supply chain resilience is a continual endeavor, requiring constant monitoring, communication, and analysis.

In the supplier lifecycle, risk management starts at ground zero: when a company searches for a new supplier by evaluating and rating its production location for potential risks. When deciding on a supplier relationship and initiating a contract, researching historic events gives more detailed clarity on supplier performance and can serve as an additional negotiation point in contract discussions.

infographic showing 5 stages of supplier risk assessment

Figure 1: To embed risk-conscious decisions into your supplier lifecycle, a high degree of automation, integration with, and communication with the core business must be achieved.

Evaluating supplier risk during the selection process

There are dozens of risks in the supply chain and any one of them can spell disaster for your suppliers and your company. Today’s supply networks are tightly interconnected, and unless a supplier has the systems and processes in place to mitigate risks before they cause disruption, you will be feeling the consequences at some point. In the early selection process – without even involving the prospective supplier – you can already understand some risk exposure in various categories, including:

  • Natural disaster and climate (earthquake, flooding, hurricanes, tropical cyclones, water risk)
  • Socio-political/geo-strategic (war, civil unrest, terrorism, law enforcement, strike)
  • Sustainability (child labor, worker rights, corruption)
  • Logistics (customs, marine, surface, aviation)

These risk scores are derived by analyzing the specific geo-location or region of the supplier, so it is important to know the production location a supplier wants to provide parts from. This should be a required field when submitting an initial offer or requesting detailed supplier information.

Leveraging these scores, companies can identify potential pitfalls early and determine no-go thresholds. This also makes the bidding process less frustrating for evaluation teams, as they face a smaller risk of choosing the wrong supplier when they look at actionable data from the beginning.

Diving deep before signing the contract

Once a company is down to the last two suppliers in a selection process, it is time to apply additional resources to understanding supplier-specific risk exposure. Now the focus shifts to financial risk, cyber risk, and diversity from a sustainability perspective. A best practice we see is to also look back at previous years to understand whether the supplier faced any critical issues. This additional due diligence builds further confidence that one, or even both, of the suppliers would be a good choice.

At this point, companies with a mature supply chain risk management program also investigate the sub-tiers to understand looming risks upstream. Gaining this type of visibility requires a quick turnaround time to identify sub-tier suppliers, which is only achievable by leveraging expert-validated AI automation. With more and more regulations like UFLPA or the upcoming EU supply chain law putting responsibility on companies for their sub-tier supplier operations, we expect this practice to find wider adoption quickly.

Monitoring supplier risk after onboarding

With the supplier network mapped, it’s time to determine your own internal risk KPIs around each supplier. This process traditionally relies on manually identifying and logging risks into computer spreadsheets. Today, it more often utilizes risk-management software and artificial intelligence to gather data and integrate it into existing supply chain management platforms.

Enriching the supplier scorecard

Catching disruption early saves organizations valuable time, money, and competitive advantage. Here are some sample risk score categories that can arise from internal data or supplier surveys:

  1. On-time delivery performance
  2. Quality performance
  3. Business volume
  4. Business frequency
  5. Supplier relationship (assessment by supplier manager)
  6. Supplier relationship length
  7. Buying power
  8. Critical commodity risk
  9. Business continuity management strength
  10. Sustainability governance maturity
  11. Single source vs. dual source vs. multi source
  12. Material criticality

Note that we don’t list spending here. Ranking suppliers by spend is a common practice, where the more a company spends with a supplier, the more strategic it rates that supplier. But this isn’t always an effective strategy. One example is an automotive company that one year faced numerous public transportation strikes. In response, the company organized taxis for its employees to get to work. Its spending with the local taxi company was so massive that the taxi company became a most strategic supplier that year. This added unnecessary complexity, as the taxi company now had to be managed as a strategic supplier.

Instead, it makes more sense to focus on material criticality, based on the materials that suppliers provide. This focuses the risk review on the item instead of the supplier. Assessing material criticality leads us to four important factors to review from a risk perspective. A part is more critical in production depending on:

  1. How substitutable the part is
  2. How long replacement times for the tools are
  3. How many alternate suppliers for the part are available
  4. How complex the entire supply chain is for the part

By evaluating external risks from the beginning of the supplier journey and enhancing the supplier scorecard with additional internal risks, we paint a wider picture of strategic risk exposure and each supplier’s impact.

Figure 2: The risk matrix matures with supplier development. External risks are first available through automation; then expansion into an internal risk assessment provides a holistic picture.

Monitoring and initiating response

Now it’s time to tailor your organization’s risk appetite for each KPI, setting the thresholds for risk scores. After applying this model to all suppliers, risk management software can score them and send alerts anytime a risk score approaches that threshold. A real-time dashboard can offer stakeholders an instant snapshot of all the risks and scores, creating a big-picture view of the probability and impact of all risks across the supplier network.
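The scoring model sketched across this article (location-derived external categories from the selection stage, internal scorecard KPIs, the four material criticality factors, and per-KPI risk appetite thresholds that trigger alerts) can be made concrete in a few dozen lines. The example below is added here as an illustration and is not Everstream's code or methodology; the category weights, the 0-100 scales, the factor mappings for material criticality, the two sample suppliers and the risk appetite thresholds are all constructed assumptions.

```python
"""Weighted supplier risk index with risk-appetite thresholds.

Illustrative example only (not Everstream's model). Every score runs from
0 (no risk) to 100 (severe risk); weights and thresholds are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# External categories come from the supplier's production location (selection stage).
EXTERNAL_WEIGHTS: Dict[str, float] = {
    "natural_disaster": 0.30,
    "socio_political": 0.30,
    "sustainability": 0.20,
    "logistics": 0.20,
}
# Internal KPIs come from the enriched scorecard (internal data and supplier surveys).
INTERNAL_WEIGHTS: Dict[str, float] = {
    "on_time_delivery": 0.25,          # missed-delivery rate, higher = worse
    "quality": 0.25,                   # defect rate, higher = worse
    "bcm_weakness": 0.20,              # inverse of business continuity strength
    "sustainability_governance_gap": 0.15,
    "sourcing_concentration": 0.15,    # 100 = single source, lower for dual/multi
}


def weighted_index(scores: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted average of category scores. A category with no data is treated
    as unknown and scored 50, so missing survey answers never hide risk."""
    total = sum(weights.values())
    return round(sum(w * scores.get(k, 50.0) for k, w in weights.items()) / total, 1)


def material_criticality(substitutability: str, tool_replacement_weeks: int,
                         alternate_suppliers: int, chain_complexity: str) -> float:
    """Average of the four material criticality factors (constructed mappings)."""
    substitution = {"easy": 10, "moderate": 50, "hard": 90}[substitutability]
    tooling = min(tool_replacement_weeks, 52) / 52 * 100     # a year or more = 100
    alternates = {0: 100, 1: 70, 2: 40}.get(alternate_suppliers, 10)
    chain = {"low": 20, "medium": 50, "high": 85}[chain_complexity]
    return round((substitution + tooling + alternates + chain) / 4, 1)


@dataclass
class Supplier:
    name: str
    external: Dict[str, float]   # location-derived category scores
    internal: Dict[str, float]   # scorecard KPIs
    criticality: float           # material criticality, 0-100


@dataclass
class Alert:
    supplier: str
    kpi: str
    score: float
    threshold: float
    level: str                   # "warning" = approaching, "breach" = over appetite


def evaluate(supplier: Supplier, appetite: Dict[str, float], warn_margin: float = 0.9) -> dict:
    """Score one supplier and raise alerts for every KPI that nears or exceeds
    the risk appetite threshold. Exposure combines the probability-style risk
    index with material criticality as the impact axis (the Figure 2 matrix)."""
    ext = weighted_index(supplier.external, EXTERNAL_WEIGHTS)
    inte = weighted_index(supplier.internal, INTERNAL_WEIGHTS)
    exposure = round((ext + inte) / 2 * supplier.criticality / 100, 1)
    scores = {**supplier.external, **supplier.internal,
              "external_index": ext, "internal_index": inte, "exposure": exposure}
    alerts: List[Alert] = []
    for kpi, threshold in appetite.items():
        score = scores.get(kpi)
        if score is None:
            continue                       # appetite set for a KPI this supplier lacks
        if score >= threshold:
            alerts.append(Alert(supplier.name, kpi, score, threshold, "breach"))
        elif score >= threshold * warn_margin:
            alerts.append(Alert(supplier.name, kpi, score, threshold, "warning"))
    return {"external_index": ext, "internal_index": inte, "exposure": exposure, "alerts": alerts}


def rank_suppliers(suppliers: List[Supplier], appetite: Dict[str, float]) -> List[Tuple[Supplier, dict]]:
    """Dashboard order: highest impact-weighted exposure first."""
    results = [(s, evaluate(s, appetite)) for s in suppliers]
    return sorted(results, key=lambda pair: pair[1]["exposure"], reverse=True)


# Constructed sample data: one single-sourced supplier in a flood-prone region,
# one easily substitutable supplier with slipping delivery performance.
SUPPLIERS = [
    Supplier("Supplier A",
             {"natural_disaster": 80, "socio_political": 40, "sustainability": 30, "logistics": 50},
             {"on_time_delivery": 20, "quality": 10, "bcm_weakness": 60,
              "sustainability_governance_gap": 40, "sourcing_concentration": 100},
             material_criticality("hard", 13, 1, "high")),
    Supplier("Supplier B",
             {"natural_disaster": 30, "socio_political": 60, "sustainability": 55, "logistics": 40},
             {"on_time_delivery": 28, "quality": 20, "bcm_weakness": 30,
              "sustainability_governance_gap": 30, "sourcing_concentration": 40},
             material_criticality("easy", 4, 3, "low")),
]
# Constructed risk appetite: per-KPI ceilings the organization is willing to accept.
RISK_APPETITE = {"natural_disaster": 75, "sustainability": 70, "on_time_delivery": 30,
                 "sourcing_concentration": 80, "external_index": 60, "exposure": 40}

if __name__ == "__main__":
    for supplier, result in rank_suppliers(SUPPLIERS, RISK_APPETITE):
        print(supplier.name, result["external_index"], result["internal_index"], result["exposure"])
        for alert in result["alerts"]:
            print(f"  {alert.level:8} {alert.kpi}: {alert.score} (appetite {alert.threshold})")
```

Treating a missing category as 50 rather than 0 is a deliberate choice: an unanswered survey question should nudge the index up for review, not quietly improve the score. The warning band (90% of the threshold by default) is what lets the alert fire while a score is still approaching the appetite line rather than after it has crossed.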

When a supplier steps out of compliance with a company’s risk appetite due to increased risk, supplier managers have several immediate options. Here are some examples sorted by effort level:

1) Request more information: A deep survey asking about supplier actions taken to cope with the increased risk can reveal more details. For example, an increased sustainability risk for a region can be acceptable if the sustainability governance for the supplier is strong.

2) Audit the supplier: In some cases, the survey will not be enough. An onsite audit either executed by the company or a third party can help managers understand the situation in depth.

3) Activate detailed real-time monitoring: High-risk suppliers will need more attention than others, but even small signals can help managers get ahead of any upcoming disruption. Digital risk monitoring can zoom in on risk details, using automation to cover more suppliers at lower effort. Depending on material criticality, crisis-management capability, and type of risk, this monitoring alone may be sufficient.

4) Recommend preventive measures: Leading companies can support their suppliers in improving resilience. This is often a great help, especially for smaller suppliers. Support can range from suggesting a risk and sustainability framework to providing the right contacts to build flood protection. Recommendations can solve issues without being too invasive to the ongoing delivery.

5) Stock up on inventory: Taking on buffer stock to bridge potential outages is a classic way to manage risk. While effective, this strategy is costly, especially while inflation is high. Where possible, companies require suppliers to hold more inventory in a warehouse away from the original storage location, as a compromise that lets the supplier keep current business volumes.

6) Build up additional sources: If stocking up inventory is not enough, the next step is to build up another supplier. This takes time and money, and will limit buying power with the existing supplier or suppliers. For mid-term risks including military conflicts, this solution should always be accompanied by other strategies, as onboarding new suppliers can take from six months up to several years, depending on the industry.

7) Offboarding: Of course, some assessments result in a company having to let a supplier go because it poses too great a risk that cannot be lowered to a manageable level. More companies are discovering that a diverse supply chain allows for greater adaptability should they decide to sever a supplier relationship. Nobody wants to be forced to stay with a supplier that poses severe risk to the business.

Shifting from reactive to proactive with supplier risk assessment

Proactive supplier risk assessment complements reactive risk management. Risk assessment is proactive, conducted before a risk materializes. Not all risks can or even should be avoided, so reactive risk management is still needed.

Is it worth investing in strategic risk management? Some risks can be accepted; others are unacceptable as they endanger the entire company on a foundational level. The balance of supply chain risk management is a cost consideration. Is it worth developing a costly second source, or can we react quickly and decisively if something happens? The interplay between external and internal risk factors helps paint this picture and define the strategy.

As a best practice, Chief Procurement Officers ask their teams to review suppliers and their strategic risks monthly to balance time invested versus outcome. A lean central expert team can make recommendations to help drive best-practice adoption and inform decision-making. Mature supply chain risk management programs develop a supply chain Center of Excellence to provide timely information through digital solutions.

The next step is scenario planning, which hinges on similar concepts and similar data points. However, in scenario planning it is far more complex to find a good balance among proactive risk measures, reactive risk measures, and cost. A mature supplier-risk assessment throughout each supplier’s life cycle reduces complexity for scenario planning, putting the focus on inbound lanes, own plants, and outbound logistics.

Using a scoring model in supplier risk assessment brings clarity and speed to decisions. With time being a top priority, the faster an operation can identify and analyze risks, the faster it can make decisions on how to protect the supply chain by choosing suppliers that take risks as seriously as you do.

Explore your supplier network

screenshot of Everstream’s supplier risk assessment software platform that rates supplier risk

Figure 3: Everstream Explore shares supplier risk ratings and scorecards using a weighted risk index for locations, companies, and materials.

Everstream Explore provides a holistic scorecard methodology, with a weighted external risk index and internal risks for any location, company, or material. Our 30+ automated categories include natural disasters, operational risk, political violence, socio-political and regulatory impact, sustainability, individual safety, and more.

With our survey portal solution, supply chain managers can explore internal risks including business continuity readiness or sustainability maturity. Everstream’s proprietary methodology makes it easy to include your internal data and convert it into actionable risk KPIs.
