Ask most executives how they manage supply chain risk, and they will point you towards a register, a heat map, or a piece of software that flashes amber when something goes wrong. These tools have their place, but they are not where risk management begins. Risk management begins in the mind. It starts with thinking, and more specifically, with thinking differently about what a supply chain actually is and what it is for.

For too long, we have treated the supply chain as a machine to be optimised. Squeeze out cost, strip out inventory, consolidate suppliers, chase the lowest landed price, and the machine runs leaner every quarter. The trouble is that a lean machine and a resilient one are rarely the same thing. Every buffer you remove in the name of efficiency is a shock absorber you have quietly thrown away. When the disruption comes, and it always comes, the leanest networks are the ones that snap first. So the first act of thinking is to recognise the trade-off honestly rather than pretend it does not exist.

The second act of thinking is to understand your network as it really is, not as the org chart says it should be. Most firms know their tier one suppliers intimately and almost nothing about tier two, three or beyond. Yet the failure that takes you down is far more likely to hide in those deeper tiers, in the single small factory that turns out to supply half the industry with one obscure component. Mapping is unglamorous work. It takes time, it costs money, and it produces no immediate return. But you cannot manage a risk you cannot see, and you cannot see what you have never bothered to look for. Visibility is not a dashboard. It is a discipline.

From visibility comes the harder question of where your real vulnerabilities lie. Not every risk deserves equal attention, and treating them all the same is simply another way of treating none of them seriously. The thinking organisation asks where it would hurt most, how quickly it would hurt, and how long the pain would last. It distinguishes between the high-probability nuisance and the low-probability catastrophe, and it accepts that the catastrophe, precisely because it is rare, is the one nobody has planned for. Black swans look obvious in hindsight. The job of strategy is to make a little room for them in foresight.

This is where planning and strategy must come together rather than sit in separate departments speaking different languages. Strategy determines how much risk the business is willing to take on and what it is prepared to pay to reduce it. Planning turns that appetite into concrete choices about inventory, capacity, sourcing geography and supplier relationships. Dual sourcing, regionalisation, strategic stock, flexible contracts and nearshoring are not abstractions. They are the levers through which a strategic intent about risk becomes an operational reality. Pull them without a strategy, and you simply add cost. Pull them with one, and you buy resilience that pays for itself the day everything else goes wrong.

The relationship with suppliers deserves a particular mention, because resilience is rarely something you achieve alone. A supplier squeezed to the bone on price has neither the margin nor the goodwill to help you when you need it most. Partnership, information sharing and a genuine interest in the health of those you depend upon are not soft sentiment. They are hard risk mitigation. The firms that came through recent disruptions best were frequently those their suppliers chose to protect first. This is why I love the work that Kate Vitasek is doing at the University of Tennessee on Vesting.

None of this is a one off project with a tidy end date. The world keeps moving, suppliers change hands, geopolitics shifts, climate intervenes, and yesterday's robust network quietly becomes today's fragile one. Managing risk is therefore a habit of mind rather than a deliverable, a continuous loop of looking, learning and adjusting. The organisations that do it well have made thinking about risk part of how they think about everything else.

So the message is simple, even if the work is not. Before you buy the software, redraw the map, or rewrite the contract, stop and think. Think about what could go wrong, where it would hurt, and what you are genuinely willing to do about it. Tools execute decisions. They do not make them. The management of supply chain risk has always started, and will always start, with thinking.

By David Food

Keywords: Business Strategy, Leadership, Supply Chain

Follow Us On