Supply Chain Risk: From Heatmaps to Decisions

A pragmatic guide to supply chain risk assessment and management

26 February 2026


Supply chain risk is escalating

Risk is not a new concept. Many organisations and teams already manage risk every day, navigating challenges like price volatility, delivery delays, quality issues, and employee retention. Yet significant risks can be harder to see. These issues – like child labor, water scarcity, and deforestation – are often buried deep within supply chains, but can still carry substantial operational, regulatory, and reputational implications.

For example:

These aren’t hypothetical risks; they’re headlines. Nine in ten supply chain leaders faced disruptions in 2024, and despite this, only 30% of board members have a deep understanding of supply chain issues. Fewer than 10% of companies assess human rights risks in their supply chain.

Across Europe, laws like the Corporate Sustainability Due Diligence Directive (CSDDD) and the German Supply Chain Act (LkSG) now require companies to look beyond Tier 1 suppliers and evaluate impacts across their entire value chain.

In the US, the regulatory landscape remains fragmented and uncertain: federal ESG rules have been stalled (e.g., S. 985, S. 3987), and several state attorneys general have urged companies in formal letters not to comply with the CSDDD, adding to the uncertainty around cross-border due diligence expectations. Yet uncertainty should not be a reason for inaction. For example, the Uyghur Forced Labor Prevention Act (UFLPA) is currently being used to detain shipments linked to Xinjiang.

Companies that begin building robust risk assessment frameworks now will be better positioned to adapt, comply, and lead as regulations evolve and investors, consumers, and corporate stakeholders’ concerns increase. The old reactive, audit-heavy approaches are giving way to ongoing, data-driven due diligence. Procurement, compliance, and sustainability teams are under pressure to respond to more data requests, often with fragmented systems and limited visibility.

A well-designed risk assessment changes that. It helps turn messy, incomplete inputs into clear priorities, helping map blind spots and direct focus to the suppliers and issues that matter most, while skipping the costly ad-hoc audits.

A practical guide to supply chain risk assessment

A robust risk assessment follows a clear sequence:

  • Scoping: Define the assessment scope – identify which ESG risks matter most, and which parts of the value chain and business units are in scope.
  • Data Collection: Gather the right information – both internal and external risk data, and information on existing risk mitigation strategies.
  • Scoring & Weighting: Turn data into a complete risk picture by applying a consistent scale, weighting issues by relevance, and defining a robust calculation model.
  • Segmentation & Prioritisation: Focus where it counts – segment suppliers by risk and business criticality, and determine who to engage first.
  • Acting & Monitoring: Move from insight to action – select the right engagement approach, track progress, and refresh assessment regularly.

Steps to supply chain risk assessment

Each of these steps plays a critical role in turning fragmented information into actionable insights. Not every company needs a state-of-the-art system from day one; many begin with a minimum viable framework that fits current capacity and then scale up as capabilities mature.

Our supply chain risk assessment guide breaks down each step of the risk assessment process into practical prompts and considerations, enabling teams to build – or strengthen – a framework that delivers meaningful, decision-ready outcomes.

From assessment to action

Completing a risk assessment is only the beginning. The real value lies in how companies act on the insights an assessment generates.

A practical risk management approach translates risk scores into tailored supplier engagement strategies, ranging from desktop reviews and supplier self-assessments, to audits, corrective action plans, and capacity-building initiatives.

Not every supplier needs the same treatment: for example, direct material suppliers may require deeper engagement than service providers. While companies often default to mandating audits, this can be costly and ineffective without first enabling or incentivising suppliers. A balanced approach combines commercial levers, collaboration, and support mechanisms to drive meaningful improvements while strengthening supplier relationships.

Finally, it is essential that systems and processes talk to one another. Risk management is not just about ticking compliance boxes; it’s about making reputable, data-driven decisions that make supply chains stronger and more responsible.

Avoiding common pitfalls

Even well-intentioned supply chain risk assessments can miss the mark.

Common issues and challenges include:

  • Reliance on country-level data without incorporating industry and supplier-specific signals, leading to misclassification and wasted effort.
  • Use of static heatmaps that aren’t updated regularly, despite the rapid pace at which risk landscapes can evolve.
  • Fragmented systems with multiple disconnected platforms and spreadsheets, which increase the likelihood of errors and complicate audit processes.
  • Misinterpretation of regulatory requirements, and focusing solely on risk likelihood without adequate consideration of impact severity.

Risk vs. Impact

Risk refers to potential harm to a business or organisation – such as disruptions, financial losses, or legal exposure – while impact refers to the harm a business may cause to people, communities, or ecosystems.

Both dimensions matter, but for distinct reasons:

  • Managing risks protects organisational operations and reputation.
  • Managing impacts fulfills the responsibility to avoid harm, an expectation increasingly reinforced by regulators, investors, and customers.
  • Managing impacts also supports risk management, creating a positive feedback loop between the two.

Quantitative risk assessments using inherent country- or industry-level risk data are best used to evaluate risks to the business. By contrast, assessing impacts requires qualitative assessment, including external stakeholder consultation, to understand scope (the number of people or ecosystems affected), scale (the severity of the harm), and irremediability (the extent to which the harm can be remedied).

Increasingly, due diligence regulations adopt the language of impact assessments, although this should be differentiated from on-the-ground human rights impact assessments (HRIAs).

How Anthesis can help

Anthesis brings deep expertise across human rights, responsible sourcing, and end-to-end supply chain sustainability to help organisations build resilient, future-ready risk assessment frameworks. Our integrated services strengthen due diligence capabilities, enhance visibility across value chains, and transform environmental and social risks into strategic opportunities. Through tailored frameworks, risk scans, and sustainability governance support, Anthesis enables organisations to embed responsible practices, strengthen supplier engagement, and build supply chains that are transparent, compliant, and prepared for the future.

Our Supply Chain Risk Assessment Guide provides a detailed walkthrough of each step of the risk assessment process and highlights practical ways to avoid the most common pitfalls.

We are the world’s leading purpose-driven, digitally enabled, science-based activator, and we always welcome inquiries and partnerships to drive positive change together.