Is your supply chain risk blind—or risk resilient?

Operational risk to supply chains has been growing over the last several years—compounded by the ongoing impact from COVID-19. Organizations need a new approach to manage risk and build resiliency.

For more than a generation, organizations have relied on global, interconnected supply chains to improve margins. Since 2000, the value of intermediate goods traded globally has tripled to more than $10 trillion. During the same period, indicators of supply-chain efficiency—such as inventory levels, on-time-in-full deliveries, and lead times—have improved for those businesses that succeeded in creating lean, global networks.

However, these efficiencies have not come for free. An ever-expanding set of global challenges has increased the surface area and magnitude of supply-chain risks, from climate change and the rise of a multipolar economic system to increased mobility and digitization. These global disruptions have meant that in every year over the past several years, at least one company in twenty has suffered a supply-chain disruption costing at least $100 million.

Fast forward to the coronavirus crisis, whose humanitarian and human-livelihood costs are still rising, even as it also reveals supply-chain vulnerabilities that many companies didn’t realize they had. As a result, building flexibility and resilience in operations has gone from one priority among many to business-critical. In this context, organizations need a new approach to manage supply-chain risk and build resiliency.

In the short term, companies are concerned about the shortages of critical goods. In the long term, as businesses and governments emerge from the current crisis, we anticipate a renewed focus on better quantifying risks, with a mindset similar to buying insurance—by using probabilistic approaches, such as discrete-event simulation, and by redesigning business cases to include potential losses from a lack of resiliency measures. These responses represent a shift in business strategy, with companies showing more willingness to weigh the benefits of investments to navigate future risks against the potential fallout from failing to do so.

Companies will need a much deeper view of their supply-chain vulnerability and exposure to create effective mitigation and business-continuity plans.

Find your vulnerabilities and exposures

Operations risk-management practices that view risk as arising mainly from discrete sources of shock or specific elements of supply-chain design, such as geographic footprint, are too narrow to be sufficient in today’s environment. The most advanced businesses will model the size and impact of various shock scenarios to determine the actions they should take to rebuild their supply chains and mitigate future risks. A comprehensive understanding of supply-chain risk considers two distinct elements: first, the underlying vulnerabilities in the supply chain that make it fragile, and second, the level of exposure or susceptibility to unforeseen events (or shocks) that exploit these vulnerabilities.

Supply-chain vulnerabilities manifest in five main areas: planning and supplier networks, transportation and logistics systems, financial resiliency, product complexity, and organizational maturity. These vulnerabilities include realities inherent to an industry, such as high levels of cyclicality or long lead times, as well as active decisions, such as the level of inventory to maintain, or the approach to product development. Designs relying on single-source components are an obvious chokepoint—but as manufacturers have learned to their peril, even components with seemingly ample supplier ecosystems may be concentrated in a single region, or may themselves depend on commodities that are highly concentrated.

Exhibit 1 illustrates how these vulnerabilities manifest for an illustrative company. While for most dimensions, the company shows lower or industry-average vulnerability—in part because of unusually high financial resilience—its planning capabilities and supplier network are significantly more vulnerable than the industry benchmark. These factors could become more important should financial resilience erode, as would be typical as a crisis wears on.

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

Exposure refers to unforeseen events that exploit a vulnerability and disrupt a supply chain. There are four main sources of exposure: force-majeure shocks (natural disasters), macropolitical (economic shocks), malicious actors (cyberattacks); and counterparties (fragile suppliers). As shown in the current COVID-19 crisis, these shocks can affect supply and demand in varying and even contradictory ways, with demand in freefall for many classes of goods, even as suppliers strain to deliver medical products and similar necessities.

Understand your supply chain’s structure

Now is the time for business leaders to know their supply-chain structure and understand its vulnerabilities and exposure—and that of their suppliers, and of their suppliers’ suppliers. Many organizations can only speak in general terms beyond the Tier 1 level, even though this is often where the most critical suppliers sit within a network. Creating a comprehensive view of the supply chain through detailed subtier mapping is a critical step to identifying hidden relationships and nodes of interconnectivity that invite vulnerability.

Build transparency through analytics

In many industries, gaining transparency from an outside-in approach is difficult. However, combining the mosaic of publicly available data and networkanalytics algorithms can illuminate the probable supply chain for many companies.

Once visible, network analytics can be used to quantitatively diagnose the relative fragility of the supply chain, and draw meaningful comparisons with peers and industry benchmarks. Supply chains that have higher concentration, interconnectivity, depth (in terms of subtier layers), and codependence—or that show low substitutability and transparency—are the most vulnerable (Exhibit 2). Large organizations often have several different archetypes of supply-chain networks within their overall system, each implying a different degree of resiliency.

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

Collaboration to build transparency

Companies can work more closely with their Tier 1 suppliers to build more transparency—especially given that Tier 1 suppliers are likely to have similar concerns as their customers about supply issues in the lower tiers. However, collaboration is often viewed as a fraught territory, with supplier networks viewed as proprietary, and to create a more cooperative working environment can involve a deep change of mind-set.

A few guidelines to build transparency across the supplier network can help ease concern. Companies do not need to disclose every detail to their suppliers, but to effectively perform network planning, transparency of inventory levels, capacity, and flexibility can give a lens into potential bottleneck issues. We suggest organizations begin to tackle issues in a structured way, cataloging and addressing known risks while improving the organization’s resilience for the inevitable unknown risks that can become a problem in the future.

Tailoring the organization to maintain transparency over time

More advanced companies have permanent supply-chain risk-management teams and processes in place. The leading automotive OEMs, chemicals, and electronics companies with very complex global supply chains generally belong to this group. The information cascade between the supply-chain risk-management team and other functions, such as marketing, IT, and legal is well-established, with clearly defined interfaces. They work to increase transparency throughout multitier supply chains, with leaders in supply-chain risk management setting up databases of suppliers across tiers that includes each supplier’s location, performance, and audit results.

Challenge established investment and design decisions

Supply-chain risk ultimately lies at the cross-section of vulnerability and exposure. A robust mitigation framework considers these factors and prioritize risk across three dimensions to ensure effective mitigation and continuity planning: the likelihood of the risk manifesting, the financial impact, and the organization’s ability to mitigate.

Typically, companies struggle to quantify risks, and fall back on methodologies that generate a discrete point estimate versus a range of outcomes. This approach often results in systematic over-optimism that minimizes the expected value of catastrophic risks because of a perceived low probability. Given risk management is inherently a probabilistic field, companies need to get comfortable with uncertainty in forecasts and continue to take an insurance-like mindset centered on buying down risk, especially for large risks with lower probability.

For example, in our research, a typical pharmaceutical company could lose up to 25 percent of its earnings before interest, taxes, depreciation, and amortization from a supply shock that disrupts operations for one month (Exhibit 3). Building a series of scenarios and assessing the relative probability of each is critical for bounding the uncertainty to estimate the range of potential costs from unmitigated risks. Companies can undertake supply-chain designs and investment decisions with the costs of these risks factored into the business case.

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com

Robust mitigation and business-continuity plans, naming individual project owners with concrete timelines and milestones, can be built around the highest priority risks. These plans, as well as the risks that were not prioritized, require increased scrutiny at regular intervals as part of a comprehensive risk-management system.

Risk resilience needs a risk culture

Supply-chain resilience requires a risk-aware culture to help an organization establish and maintain strong defensive layers against unknown risks, as well as respond more quickly in the event of a severe crisis or operational threat. As COVID19 brought to light vulnerabilities in companies supply chains, building resiliency is not only a matter of awareness, but of setting an intent across the organization, clearly communicating to the entire workforce, and taking tangible action to address the immediate and long-term risks.

An essential task is for leaders to clearly define and communicate an organization’s risk tolerance. Risk mitigation often has an associated incremental cost, and so it is important to align on which risks need to be mitigated and which can be borne by the organization. The ideal organizational culture also allows warning signs of both internal and external risks to be openly shared. Management and employees need to feel empowered to pass on bad news and lessons on how they course corrected.

This openness fosters an environment where people understand that they can voice issues and deal with them. Culturally, this can be enabled by creating an ownership environment, where members feel responsible for the outcomes of actions and decisions when a risk event occurs, and work harmoniously towards a rapid resolution.


As the world continues to grapple with the challenges caused by COVID-19, we could start to see discontinuous shifts and a “next normal” beyond the recovery for supply chains. Rather than wait, organizations can begin building resiliency into their supply chains now. Vulnerability will continue to exist within interconnected systems, and global shocks will continue to be unpredictable and increasingly impactful. Efficiency alone cannot cope with this reality. Investing in resiliency and continuity today will pay off as the next crisis inevitably emerges.

Related Articles