Your Approach to Supplier Risk is Broken

You know your suppliers pretty well, right? You vet them at onboarding and review them periodically — at least every contract renewal, and maybe even quarterly. You look at their financials, security and compliance posture, and other basic factors to make sure you don’t miss anything that puts your company at risk. To the best of your ability, you work to keep your company safe from supply chain disruptions, quality control incidents, compliance violations, and security incidents. 

And yet these incidents keep happening to organizations just like yours, which vet their suppliers every bit as carefully as you do. 

Supply chain attacks

Supply chain attacks like the SolarWinds attack are almost daily news. The trusted company provided its Orion network management system to over thirty thousand public and private organizations. But when SolarWinds accidentally delivered an Orion update compromised by malware, hackers gained access to thousands of networks, and from there, to many of their customers and partners, costing the average victim 11% of annual revenue. 

Quality control issues

As damaging as supply chain attacks are, serious quality control issues can be even worse, literally taking decades to remedy and permanently damaging your reputation. One of the most infamous is the Takata airbag recall. The company controlled 20% of the airbag market globally, and was trusted by the major auto manufacturers. However, they used a cheap chemical propellant that could degrade over time, causing airbags to fail to deploy or violently explode, resulting in serious injury or death, a fact which they covered up. When the company’s misconduct was finally uncovered in the mid-2010s, it resulted in massive recalls that are still going on today. More than 100 million recalls were issued globally — 67 million in the US alone. Honda was hit particularly hard, recalling almost 13 million vehicles in the US alone and replacing 21 million airbags.

Supply chain delays

Supply chain delays continue to stack up as global crises multiply. In 2025, Ford, Stellantis (owner of a large portfolio of auto manufacturers, including Chrysler, Dodge, and Jeep), and other major brands were forced to temporarily curtail or suspend production because of bottlenecks in aluminum, rare-earth minerals, and electronic components. 

Better risk management is possible

Some crises are unavoidable, because risk itself is unavoidable. But supply chain professionals can do a much better job understanding, predicting, and mitigating supplier risk. 

The fundamental problem is how companies treat vendor risk. Risk is addressed as a threshold: you check to make sure it doesn’t rise to unacceptable levels for the supplier’s role, and once you’ve done that, you don’t need to worry about it until the next review. It’s an outdated, superficial approach that lets unacceptable risks accumulate, and fails to account for the economic consequences of risk. And sooner or later it will bite your company too. Here’s how to fix it.

Three Problems With Supplier Risk Qualification

Treating supplier risk as a simple qualification threshold rests on three false premises: 

  • Risks are ongoing
  • Risks progress slowly enough to wait for the next review
  • Risks are separate from other concerns like cost and performance

Risks are Ongoing

The risk signals SCM professionals use tend to focus on the company’s steady state performance. They look for things like strong financials, compliance records, and security scores that show a company is generally doing well and mitigating risks. 

But there are transitory risk signals that companies can’t track with this approach. Geopolitical conflicts, PR crises, and security incidents can cause serious risks without showing up in your metrics. Even worrying patterns that could indicate a leadership crisis, such as major lawsuits or public scandals, won’t show up in your metrics, except insofar as they affect financials or result in compliance actions.

Risks Progress Slowly Enough to Wait for the Next Review

Periodic risk reviews only work when risks build slowly, but that really only characterizes a fraction of risk. A point-in-time financial review can spot a downturn in revenue or market share, but it won’t prepare you for a merger or acquisition, or even supplier bankruptcy in some cases. Security reviews can show the likelihood that a vendor suffers an attack, but they won’t tell you whether a stakeholder has ties with a hostile foreign nation that might compromise security, or whether the vendor has suffered a security incident that didn’t trigger a breach notification. 

Many SCM professionals try to fill in the gaps between reviews with Google alerts or other notifications, but notifications can miss other issues like labor disputes affecting tier-2+ suppliers, and regional conflicts where the vendor’s name won’t generally be mentioned in reporting. And because they target keywords, they’re low fidelity. They bring in a lot of irrelevant notifications, and can leave out important ones if you don’t have the right words flagged. Either you end up wasting a lot of time sorting through false positives, or you target your keywords more narrowly and risk missing important news. They’re better than nothing, but not good enough.

Risks are separate from concerns like cost and performance

It seems intuitive that risk, cost, and performance should be handled in different ways. After all, cost and performance are everyday, quantifiable concerns. Risks, on the other hand, are rare events you’re trying to minimize and (hopefully) eliminate altogether. 

But you can never eliminate risk, and your strategy needs to reflect that. Every risk, from a late delivery to a major supply chain disruption, has a certain probability of occurring, and if it occurs it will impose a quantifiable cost. That’s a concrete economic outcome you can calculate, just like any other expense. Just multiply the probability by the cost, and you have a monetary value for the risk that supplier poses, which you can add to the supplier’s cost. 

The Consequences: Poor Performance, Higher Cost, & Unpredictability

It costs money to mitigate risk. All else being equal, the less a supplier does to mitigate risk, the lower the base cost it can offer. By treating risk as a pass/fail check, you’ll tend to select for riskier suppliers that squeak by the threshold. 

In the long term, across your whole vendor portfolio, this will degrade performance and lead to higher cost and greater unpredictability. 

Suppliers fail at times of peak demand

Even with reliable suppliers, peak season is a challenge. A survey of supply chain leaders found that “58% struggled with delivery timing and order accuracy” during the peak season, and 47% failed to handle volume spikes. Staff shortages, inaccurate demand forecasting, and other breakdowns are costly enough under good conditions. A supplier with insufficient controls beneath the surface can make them much worse. That means your suppliers are likely to fail at precisely the time that can harm your company most.

Emergency Orders and Supply Chain Delays

Emergency orders can spike supply costs by anywhere from 20% to 250%, quickly wiping out the marginal gains of optimizing purely for supplier cost. But the real costs come from the disruption. Supply chain delays cost SMBs up to 15% of revenue, and a catastrophic delay from a critical supplier failure could easily cost much more. 

Opportunity Costs

The opportunity costs of not understanding supplier risk are harder to quantify, but they can be every bit as damaging. Mitigating supplier performance issues and other problems puts you in a reactive mode. You’re unable to dedicate as much time to optimizing your vendor mix or developing your suppliers, which in turn makes you more vulnerable to future disruptions. Rather than fine-tuning your supply chain, you end up spending all your time putting out fires.

Reputational Damage

Think about the last time a company really let you down as a consumer. Maybe they sold you a defective product or sent you the wrong item, or took way too long to deliver it. Did you stop to wonder whether it was their screw-up, or one of their vendors’? Probably not, and your customers won’t either. Every vendor mistake that impacts what you get out the door also harms your reputation and future sales. 69% of consumers are less likely or much less likely to shop with a company again if their product is delayed by just two days.

Incomplete Data

One of the biggest challenges in vendor management is getting a full picture of how vendor performance affects your company. While you can track vendor costs and performance, you won’t see the chaos caused by late orders, the way it delays production, or the work done on the ground to move resources around to compensate. And if a vendor screw-up leads to increased churn or damages business relationships, you probably won’t have that data either.

Trust But Verify: Staying on Top of Supplier Risk

Your suppliers are running businesses too. Even if you know and trust your vendor contacts, you can’t guarantee you always get the most accurate information. The goal of monitoring isn’t to replace your old vendor management strategy, but to supplement it. 

That means you can continue to rely on your vendors to keep you in the loop, while you take in other signals to make sure you aren’t missing anything. Then, when you come across a worrying signal your vendor didn’t inform you of, you can check in with them to learn more. Over time, your vendors will learn to be more proactive with sharing information, and you’ll learn strategies to manage particular vendors to get the information you need. Here are some other strategies to fully address supplier risk.

Treat sourcing decisions as multi-point

On a basic level, you need to broaden your lens beyond costs and SLAs. Sourcing decisions need to quantitatively weigh risk factors including reputation, previous service failures, possible signs of future catastrophic failure like negative economic signals, warning signs like poor cybersecurity posture, and geopolitical factors. But to do that, you’re going to need to do some modelling.

Model risk economically 

Instead of treating risk as pass/fail, calculate it as a contributing factor in your pricing. You can do this for supply chain failures by adding two major factors:

  • Failure cost: This is the total cost of routine failures, which is calculated by multiplying failure rate by cost per failure. 
  • Risk premium: How much a supply disruption or other major setback will cost you. 

For example, let’s say you’re sourcing fasteners from a vendor called Fasten Furious Inc. To keep the math simple, we’ll say each fastener costs $1 for its base purchase price.

Now we add the failure cost. Let’s say 1% of their fasteners fail prematurely while your product is under warranty, and every failed fastener costs you $100 to replace the product. You simply multiply 1% by $100, giving you a failure cost of $1 per fastener. 

Now, let’s look at the risk premium. Fasten Furious is late often enough that they require you to place an emergency order 2% of the time. Emergency orders raise the price by 50% for that particular shipment. So you multiply 50% by 2% by the base cost: 0.5 x 0.02 x $1 = $0.01 risk premium per fastener.

Now we just add base cost, failure cost, and risk premium to get the adjusted price: $1 + $1 + $0.01 = $2.01

Improving economic modelling with loss exceedance curves

Loss Exceedance Curves (LECs) are a tool CISOs frequently use to justify cyber investment, but they can be just as useful in supply chain and procurement (SCP) decisions. An SCP-LEC shows the probability that annual losses from supplier disruptions will exceed a specific dollar amount. By plotting loss against probability, you can anchor strategic decisions in empirical data. 

An LEC will show you the worst case scenario for any vendor, and let you drill down to answer more specific questions like, “How likely is a loss of $100,000 or more?” This supports simple strategies that can quickly improve your sourcing. For example, you can read the loss at the 50% exceedance probability for two vendors, add it to each vendor’s base cost, and compare them directly. 

It also enables more complex, strategic planning. For example, because loss exceedance changes with order quantity (since a problem with a bigger order will cause a bigger loss) you can tailor your vendor strategy to your risk appetite, balancing orders among vendors to minimize “worst case” risks, while also controlling cost by using riskier vendors in limited applications.
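As an added example (not code from the original article), the Python below puts both the adjusted-price model above and a loss exceedance curve into working code: it reproduces the Fasten Furious arithmetic, then builds the exact annual-loss distribution from a small set of disruption scenarios, assumed independent, so you can read off the probability of exceeding any threshold or the loss at a chosen exceedance probability (such as the 50% point used for vendor comparison). The vendor figures are the article’s; the scenario probabilities and losses are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass
class Vendor:
    name: str
    base_cost: float         # base purchase price per unit
    failure_rate: float      # fraction of units that fail under warranty
    cost_per_failure: float  # what each failed unit costs you (e.g. a replacement)
    emergency_rate: float    # fraction of orders that force an emergency reorder
    emergency_markup: float  # price increase on an emergency shipment (0.5 = +50%)

def adjusted_price(v: Vendor) -> float:
    """Per-unit price = base cost + failure cost + risk premium (the article's model)."""
    failure_cost = v.failure_rate * v.cost_per_failure
    risk_premium = v.emergency_rate * v.emergency_markup * v.base_cost
    return round(v.base_cost + failure_cost + risk_premium, 4)

def annual_loss_distribution(scenarios: list[tuple[str, float, float]]) -> dict[float, float]:
    """Exact distribution {annual loss: probability}, treating scenarios as independent."""
    dist: dict[float, float] = {}
    for outcome in product((False, True), repeat=len(scenarios)):
        prob, loss = 1.0, 0.0
        for happened, (_, p, amount) in zip(outcome, scenarios):
            prob *= p if happened else 1.0 - p
            loss += amount if happened else 0.0
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist

def exceedance_probability(dist: dict[float, float], threshold: float) -> float:
    """One point on the LEC: P(annual loss >= threshold)."""
    return sum(p for loss, p in dist.items() if loss >= threshold)

def loss_at_exceedance(dist: dict[float, float], prob: float) -> float:
    """Read the curve the other way: the largest loss still exceeded with probability >= prob."""
    return max(loss for loss in dist if exceedance_probability(dist, loss) >= prob)

# Constructed sample data: the article's Fasten Furious figures ($1 base, 1% failures at $100, 2% emergencies at +50%).
FASTEN_FURIOUS = Vendor("Fasten Furious Inc.", 1.00, 0.01, 100.0, 0.02, 0.50)
# Constructed disruption scenarios: (label, annual probability, loss in dollars if it happens).
FF_SCENARIOS = [
    ("late shipment forcing an emergency order", 0.50, 20_000.0),
    ("quality issue triggering a product recall", 0.10, 100_000.0),
    ("factory shutdown halting supply", 0.05, 400_000.0),
]

if __name__ == "__main__":
    dist = annual_loss_distribution(FF_SCENARIOS)
    print(adjusted_price(FASTEN_FURIOUS), exceedance_probability(dist, 100_000), loss_at_exceedance(dist, 0.5))
```

With three scenarios the enumeration is exact and instant; for dozens of scenarios you would swap the enumeration for Monte Carlo sampling, keeping the same two read-out functions.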

Use negative signals to trigger mitigation

More often than not, risk signals precede actual incidents. Investigate the risk as soon as you see warning signs, so that you can act before a crisis hits.

Sometimes the best course is to contact the vendor directly. For example, if a vendor is laying off a significant part of its workforce, or going through a change in leadership, contact them to make sure they’re on sure footing, and find out how the change could impact their ability to satisfy their SLAs. 

In other circumstances, it’s best to work internally across departments to prevent duplication of work. Negative security signals are best handled this way. If a supplier has a cybersecurity incident, work with your cybersecurity team to identify its potential implications for your supply chain. 

Once you understand the risk, you have three options: continue monitoring, adjust your sourcing strategy, or work with the vendor to mitigate the issue. 

Continue Monitoring 

If a risk doesn’t require immediate mitigation, the best course may be to adopt a “wait and see” approach. Put together a case file and keep a close eye on the vendor for the next several months, compiling any further signals that may warrant escalation. 

Adjust your sourcing strategy

For severe risks, you may have to cut a vendor out entirely. In other cases, you can mitigate a risk by switching a vendor to a less critical role, or by diversifying your portfolio while you work to mitigate the risk. 

Work with the vendor

If you’re old school and pride yourself on your relationships with vendors, this is where you can really put your skills to work. Identify your concerns and put together a clear, measurable plan to address them. This could include a site visit, third-party audit, or a corrective action plan to mitigate service issues.

Use positive signals to boost relationships and sourcing

Good monitoring doesn’t just surface negative signals. You’ll also see growth, new rounds of funding, and reliable vendors moving into new segments. Keep track of positive internal signals as well. If a vendor shows exceptional performance by consistently exceeding SLAs, or by coming through for you in an emergency, it’s a sign you can trust them.

Use your vendor’s accomplishments to reinforce and improve your relationship. Congratulate them, and investigate ways to enhance your collaboration, such as by increasing their share in your vendor mix.

Know Your Suppliers Like Never Before

Legacy approaches to vendor risk are like crossing your fingers and hoping for the best. Craft empowers you to turn vendor risk mitigation into a science, with quicker, more complete vendor qualification, supplemented with rigorous, continuous risk monitoring, so you can truly optimize your vendor strategy. Contact us for a demo, to experience what cutting edge supplier intelligence can do for your company.