Question: Are systemic or concentration risks (e.g., over-reliance on one supplier or region) assessed and mitigated?
Why This Matters
Over-dependence on a single supplier, region, or cloud provider creates a single point of failure: one outage, sanction, export restriction, or price change can take out a critical service with no fallback. Diversifying suppliers and regions improves resilience and negotiating power.
Maturity
- Level 0: No visibility into supplier dependence.
- Level 1: Concentration risks noted only after an issue occurs.
- Level 2: Dependency metrics (e.g., spend, region) tracked in the vendor register.
- Level 3: Alternative suppliers identified for critical services.
- Level 4: Concentration data linked to risk and BCP programs.
- Level 5: Predictive analytics for geopolitical and market risks.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | List all critical suppliers with country and spend. |
| 1 → 2 | Track dependency metrics in the vendor register. |
| 2 → 3 | Identify back-ups for single-source suppliers. |
| 3 → 4 | Integrate concentration data with risk and continuity plans. |
| 4 → 5 | Model geopolitical and market scenarios. |
Enablers
- People: Procurement Lead, Risk Manager, Finance
- Process: Identify → Measure → Diversify → Review
- Technology: Vendor register, risk analytics
Evidence
- Dependency report by vendor/region
- Alternate supplier list
- Review meeting minutes
KPIs
- Number of single-source vendors
- Spend percentage by top 5 suppliers
- Regional concentration index (e.g., sum of squared spend shares by region)
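The three KPIs above can be computed directly from the vendor register. The following is an added example, not code from the original page or from any tool it names; the register rows are constructed sample data, and the choice of the Herfindahl-Hirschman Index (HHI, the sum of squared spend shares) as the regional concentration index, along with the 0.5 region-share and 0.25 HHI thresholds, are assumptions for illustration.

```python
"""Concentration KPIs over a supplier register (added example, not from the page).

Assumptions: the register is a list of rows with vendor, service, region,
annual spend and a list of qualified alternate suppliers. The regional
concentration index is the Herfindahl-Hirschman Index (HHI) on a 0-1 scale;
the 0.25 HHI threshold is borrowed from the antitrust convention (2500 on the
0-10000 scale) and the 0.5 single-region share limit is an arbitrary policy
value. Both are assumptions, not figures from the page.
"""
from collections import defaultdict

# Constructed sample register: one row per supplier/service.
# "alternates" holds qualified back-up suppliers; an empty list means single-source.
REGISTER = [
    {"vendor": "CloudCo",  "service": "IaaS",         "region": "US-East", "spend": 420_000, "alternates": []},
    {"vendor": "MailSaaS", "service": "Email",        "region": "US-East", "spend": 60_000,  "alternates": ["AltMail"]},
    {"vendor": "PayGate",  "service": "Payments",     "region": "EU-West", "spend": 150_000, "alternates": []},
    {"vendor": "DevShop",  "service": "Contract dev", "region": "APAC",    "spend": 200_000, "alternates": ["DevShop2", "CodeHouse"]},
    {"vendor": "CDNet",    "service": "CDN",          "region": "US-East", "spend": 90_000,  "alternates": ["EdgeCDN"]},
    {"vendor": "BackupIO", "service": "Backups",      "region": "EU-West", "spend": 40_000,  "alternates": []},
    {"vendor": "HRSuite",  "service": "HR/Payroll",   "region": "APAC",    "spend": 30_000,  "alternates": []},
]


def total_spend(rows):
    return sum(r["spend"] for r in rows)


def top_n_spend_share(rows, n=5):
    """Share of total spend held by the n largest suppliers (KPI: top-5 spend %)."""
    spends = sorted((r["spend"] for r in rows), reverse=True)
    return sum(spends[:n]) / total_spend(rows)


def spend_by(rows, key):
    """Aggregate spend by an arbitrary register field (e.g. region, vendor)."""
    totals = defaultdict(int)
    for r in rows:
        totals[r[key]] += r["spend"]
    return dict(totals)


def hhi(totals):
    """Herfindahl-Hirschman Index on a 0-1 scale: sum of squared shares.

    1.0 means everything sits with one party; 1/k means k equal parties.
    """
    grand = sum(totals.values())
    return sum((v / grand) ** 2 for v in totals.values())


def single_source(rows):
    """Suppliers with no qualified alternate recorded (KPI: single-source count)."""
    return [r["vendor"] for r in rows if not r["alternates"]]


def concentration_report(rows, region_share_limit=0.5, hhi_limit=0.25):
    """Compute the page's three KPIs plus the breaches a risk review would flag."""
    grand = total_spend(rows)
    by_region = spend_by(rows, "region")
    region_hhi = hhi(by_region)
    flagged_regions = sorted(reg for reg, v in by_region.items() if v / grand > region_share_limit)
    ss_vendors = single_source(rows)
    ss_spend = sum(r["spend"] for r in rows if not r["alternates"])
    return {
        "total_spend": grand,
        "top5_share": top_n_spend_share(rows, 5),
        "region_hhi": region_hhi,
        "region_hhi_high": region_hhi > hhi_limit,
        "regions_over_limit": flagged_regions,
        "single_source_vendors": ss_vendors,
        "single_source_spend_share": ss_spend / grand,
    }


if __name__ == "__main__":
    report = concentration_report(REGISTER)
    for k, v in report.items():
        print(f"{k}: {v}")
```

In the constructed data the top five suppliers hold about 93% of spend, US-East carries roughly 58% of spend (over the 0.5 limit), the regional HHI is about 0.42 (above the 0.25 "highly concentrated" threshold), and four suppliers, including the IaaS provider, have no recorded alternate. Those are exactly the rows a review meeting should be discussing, and the single-source list is the input to the "identify back-ups" step.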
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Analytics | Metabase | Supplier concentration chart |
| Register | Airtable | Add region and spend fields |
| Tracking | Google Sheets | Pivot summaries |
Common Pitfalls
- Ignoring geographic and cloud provider concentration
- Alternatives listed but never tested (no trial switch-over or failover exercise)
- Data not shared with business continuity team
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | A.5.19 (Information security in supplier relationships), A.5.30 (ICT readiness for business continuity) |
| NIST CSF 2.0 | GV.SC-07 (supplier risks understood, recorded, prioritized, assessed, responded to and monitored); CSF 2.0 moved the supply-chain subcategories from ID.SC into the Govern function (GV.SC) |
| NIRMATA Mapping | SC-Q11 reduces single-point supply-chain risk. |