Risk Is Relational
Risk is relative to the decision-maker. The same condition that is a hazard to one party is irrelevant — or even beneficial — to another. Lithium from a Chinese supplier is irrelevant to a program buying office furniture and a critical strategic dependency to a program developing battery-powered autonomous systems. Same material. Different risk.
This means the “risk categories” we default to — FOCI, financial, cybersecurity, operational — don’t describe risk. They describe data domains: where evidence lives. They can also represent the state of a company — its objective financial health or cyber posture. A data domain or company state is not risk. You find risk when reading evidence across multiple domains against a specific causal mechanism.
Here’s the same supplier assessed through two lenses:
- Program A: off-the-shelf commercial CAD licenses for unclassified use. The supplier is replaceable. A 15% foreign state-linked investor barely registers. The pathway to Program A’s valued objects — financial stewardship, administrative efficiency — is weak and easily severed by switching suppliers. Risk: notable/immaterial.
- Program B: sole-source contract for custom design tooling supporting a sensitive fabrication program. The same 15% investor creates a material capital dependency finding. Capital dependency can shape research direction, hiring, and IP control. The valued objects — technology protection, fabrication advantage, deliverable integrity — sit directly along that pathway. Risk: notable/material — mitigation required.
Same supplier. Same investor. Same equity percentage. Radically different risk because the context has changed.
The Trap of Compression
Faced with this complexity, the analyst reaches for a score. The intent is good — risk is hard to prioritize without one. But scores destroy the causal structure that makes analysis actionable.
Consider: a FOCI-weighted matrix scores Supplier A at 20/100 — moderate exposure from one 1% Chinese equity owner. Supplier B scores 70/100 — heavier FOCI exposure across multiple indicators. What the score produces is “lots of China” versus “a little China.”
Supplier A is being considered for a sole-source contract to develop critical, government-funded technology. Supplier B is being considered for an unclassified administrative tool with no IP exposure.
The analyst investigates. Supplier A’s 1% Chinese investment carries a golden share — a strategic equity stake conferring veto rights, board seats, and outsized governance control. That sole-source critical technology is effectively already under adversarial influence and potentially control. Supplier B’s FOCI indicators, examined in context, are entirely benign: commodity graphene supply from China (70%+ of global production), a passive individual investor with no governance rights, and decade-old co-authorships with no recurring pattern across 300+ publications.
If you scored Supplier A at 20/100, you must explain to a decision board why you’re recommending rejection of a 20 while accepting a 70. You could adjust the methodology — but the need to keep adjusting is not a calibration problem. It is the model telling you the underlying approach is wrong. No weighting scheme substitutes for reading the golden share clause.
The Right Unit: Pathways and Findings
A risk pathway is the causal mechanism through which a hazard reaches a valued object and causes harm. A risk finding is a specific claim, supported by interpreted evidence, that a named pathway is instantiated in this company’s actual structure.
The distinction matters because a data point only becomes evidence when it is interpreted against a specific pathway in a specific context. “The company has a Chinese investor” is a state. It becomes evidence when read against a capital dependency pathway in a program with sensitive IP exposure — and irrelevant when read against the same pathway in a program buying commodity hardware.
A properly formed finding names four things: (1) what is threatened — the specific program, capability, or eligibility at risk; (2) the pathway — the causal mechanism; (3) the evidence — facts tagged as supporting, mitigating, or absent; and (4) the analysis — how the evidence confirms or refutes the finding in this specific case.
Absent evidence matters as much as what was found. A control that should exist but cannot be confirmed is analytically significant. Most risk reports never track it.
Example finding: The government customer’s control over mission-relevant autonomy software could be compromised through a joint development agreement with a Chinese university spinout, which creates a contractual channel for sensitive technical knowledge to move outside the customer’s oversight. Pathway: contractual IP transfer.
The Decision Space
Every risk assessment terminates in one of three decisions: accept, accept with mitigations, or reject. Hold is a decision too — one that always resolves into the other three. Holding in perpetuity is implicit acceptance.
Findings enter the decision space at four levels:
- Cleared: Doesn’t enter the decision space. The analyst accepts the risk on behalf of the program. An active judgment, not a default.
- Notable: Enters the decision space. The decision-maker should know before deciding.
  - Immaterial: Unlikely to change the decision posture. Important for awareness.
  - Material: Likely changes the decision posture. Mitigation or rejection probable.
- Prohibitive: Removes the decision. Driven by law, policy, or organizational threshold.
Put plainly: Cleared findings involve analyst-level judgment. Notable findings are about transparency. Material findings are about consequence. Prohibitive findings are about compliance.
The analyst’s job is to give the decision-maker what they need to make a reasonable and defensible decision — not a score, but a specific claim about what is threatened, how, and what the evidence says. Both the recommendation and any divergent decision should be documented. Program defensibility depends on an auditable record that the risk was seen, weighed, and consciously accepted.
What Needs to Change
The goal is not omniscience — waiting for a perfectly clear picture is itself a decision. The aim is to understand risk well enough to make a defensible choice. That requires three structural changes:
- Replace scores with criteria. Eliminate low-high scoring. Replace it with hard, objective, knowable thresholds for prohibition and required mitigation. Where criteria are waivable, define explicitly who holds the authority to grant waivers and under what conditions.
- Require pathway-based findings. Risk reports should contain pathway-anchored findings — harm, mechanism, evidence, analysis — not matrix outputs. A finding that names what is threatened, how it is threatened, and what evidence supports that claim is auditable, defensible, and actionable. A score is none of those things.
- Acknowledge context. There is no universal risk standard. What is immaterial to one program may be prohibitive to another. Categorical exclusion of all adversarial-country supply chain exposure creates massive opportunity cost without proportionate security benefit — graphene from China is not the same risk as a Chinese investor with board control. Context-specific, evidence-based judgment is both more accurate and more defensible than blanket categorical rules.
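The four-part finding, the absent-evidence tag and the four decision levels above can be written down as a small record-and-criteria model. The following is an added illustration, not code from the article; the program names, valued objects, and the prohibited-pathway threshold are constructed assumptions standing in for an organization’s own policy.

```python
from dataclasses import dataclass
from enum import Enum

class Level(Enum):
    CLEARED = "cleared"                      # analyst accepts on the program's behalf
    NOTABLE_IMMATERIAL = "notable/immaterial"
    NOTABLE_MATERIAL = "notable/material"    # mitigation or rejection probable
    PROHIBITIVE = "prohibitive"              # law/policy/threshold removes the decision

@dataclass(frozen=True)
class Evidence:
    fact: str
    tag: str  # "supporting", "mitigating", or "absent" (control that should exist, unconfirmed)

@dataclass(frozen=True)
class Finding:
    threatened: str   # (1) what is threatened: a valued object
    pathway: str      # (2) the causal mechanism
    evidence: tuple   # (3) facts tagged supporting / mitigating / absent
    analysis: str     # (4) how the evidence bears on this specific case

@dataclass(frozen=True)
class Program:
    name: str
    valued_objects: frozenset       # what this program is trying to protect
    prohibited_pathways: frozenset  # hard thresholds (assumed policy); waivers not modelled

def classify(finding: Finding, program: Program) -> Level:
    tags = {e.tag for e in finding.evidence}
    if "supporting" not in tags:
        return Level.CLEARED            # nothing instantiates the pathway in this company
    if finding.pathway in program.prohibited_pathways:
        return Level.PROHIBITIVE        # compliance question, not a judgment call
    if finding.threatened not in program.valued_objects:
        return Level.CLEARED            # pathway reaches nothing this program values
    if "absent" in tags or "mitigating" not in tags:
        return Level.NOTABLE_MATERIAL   # an unconfirmed control counts against, not as unknown
    return Level.NOTABLE_IMMATERIAL     # pathway present, but confirmed controls sever it

# Constructed example: one supplier, one capital-dependency finding, two programs.
CAPITAL_DEPENDENCY = Finding(
    threatened="technology protection", pathway="capital dependency",
    evidence=(Evidence("15% foreign state-linked investor", "supporting"),
              Evidence("investor governance rights (board seat, veto) not confirmed", "absent")),
    analysis="Investor can shape research direction and IP control unless governance limits are shown.")
PROGRAM_A = Program("A: commercial CAD licences", frozenset({"financial stewardship", "administrative efficiency"}), frozenset())
PROGRAM_B = Program("B: sole-source design tooling",
                    frozenset({"technology protection", "fabrication advantage", "deliverable integrity"}),
                    frozenset({"adversarial governance control"}))
```

Running the same finding through both programs yields cleared for Program A and notable/material for Program B; confirming the governance limits (a mitigating fact replacing the absent one) drops B to notable/immaterial, while a golden-share finding on B's prohibited pathway is prohibitive regardless of equity percentage.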
The same framework that exposes what could go wrong also reveals what could go right. Opportunity is the inverse of risk — the potential for a catalyst to advance something valued rather than harm it. Every supplier decision involves both sides of that ledger. The goal is to give decision-makers the full picture, not a number that flattens it.
Risk has causal anatomy. Scores don’t — and that gap is where analysis fails.