[SUPPLY CHAIN / LOGISTICS NETWORK] - Collection Map
OSINT-035 Supply Chain & Logistics Risk Assessment - collection workspace. Central topic = the supply chain or logistics network under assessment (replace with client’s network descriptor, e.g. “CLIENT X - ASIA-PACIFIC INBOUND CHAIN”). Branches = data-point categories aligned to the seven risk domains scored in the deliverable. Drop each collected value as a child node; expand it with where it was found and what it links to. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-035.
00 · Collection Plan - PIRs & EEIs
The questions this collection must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §13 Consolidated Risk Register, §14 Overall Rating, §15 Key Findings, §20 Collection Gaps, §21 Assessment & Recommendations.
PIR-1 - Architecture & Critical Node Risk: Where are the single-points-of-failure, concentration risks, and critical dependencies?
- EEI: map of all supply chain nodes (tier-1 and critical sub-tier), geographies, and corridors
- EEI: single-source / single-site dependencies identified and quantified
- EEI: hard-to-substitute inputs or components named and assessed
- EEI: hub-and-spoke topology mapped; network complexity and opacity assessed
- EEI: country risk baseline for each sourcing/transit jurisdiction (consume from OSINT-031)
PIR-2 - Supplier / Vendor / Tier-N Risk: Which suppliers pose unacceptable financial, operational, quality, or integrity risk?
- EEI: financial health and bankruptcy risk for critical suppliers
- EEI: sole- or limited-source supplier dependency flagged
- EEI: geopolitical and integrity risk (sanctions, forced-labour, corruption, adverse ownership) for key suppliers
- EEI: tier-N / sub-tier visibility assessed; hidden concentration identified
- EEI: reputational or regulatory contagion pathways through the chain identified
PIR-3 - Logistics Corridors & Chokepoint Risk: Which corridors, routes, ports, or border crossings are most exposed?
- EEI: chokepoints (maritime straits, canals, mountain passes, rail heads, bridges) transited by client goods
- EEI: corridor security risk (piracy, theft, convoy attack, sabotage, civil unrest) rated per segment
- EEI: corridor regulatory and political risk (border closures, transit bans, sanctions on carriers/routes)
- EEI: infrastructure reliability and capacity constraints per corridor segment
- EEI: multi-modal break-of-bulk and transshipment hub risks identified
PIR-4 - Ports, Borders & Customs Clearance Risk: What is the clearance reliability and hold-up risk at key entry/exit nodes?
- EEI: congestion, capacity, and labour-disruption risk at key ports/crossings
- EEI: customs clearance delay rates and documentary compliance risk assessed
- EEI: tariff, quota, or trade-remedy actions affecting goods at key border nodes
- EEI: biosecurity, health-measure, or border-security hold-up history
- EEI: seizure, detention, or forfeiture risk at key nodes
PIR-5 - Inventory, Capacity & Continuity Risk: Is the current inventory buffer adequate to absorb plausible disruption?
- EEI: inventory buffer levels for critical inputs and finished goods (days-of-cover)
- EEI: long-lead / hard-to-substitute items and sea-vs-air freight substitution feasibility
- EEI: production capacity concentration and redundancy across nodes
- EEI: stock-out risk scenarios for critical inputs assessed
- EEI: alternative sourcing / production locations identified and feasibility rated
PIR-6 - Technology, Data & Cyber Supply Chain Risk: What is the exposure to cyber attack, OT/IT disruption, or technology dependency?
- EEI: OT/IT integration and vulnerability at critical supplier sites and logistics nodes
- EEI: software / firmware / hardware supply chain integrity risk (counterfeit, tampered components)
- EEI: data flows and data-protection compliance risk across the chain
- EEI: supplier and logistics-provider cyber hygiene and breach history
- EEI: IP theft, reverse-engineering, or technology-diversion risk at any node
PIR-7 - Regulatory & Trade Compliance Risk: What sanctions, tariff, export-control, or forced-labour developments affect the chain?
- EEI: sanctions, embargoes, and export-control restrictions covering jurisdictions, counterparties, goods, or end-uses in the chain
- EEI: tariff and trade-policy escalation risk (trade wars, retaliation, quota imposition) for key commodity/product flows
- EEI: forced-labour, modern-slavery, conflict-minerals, and human-rights due diligence obligations mapped to sourcing nodes
- EEI: customs valuation and classification risk identified
- EEI: dual-use / strategic-goods / end-use risk assessed for any tech-adjacent inputs
PIR-8 - Trajectory & Inflection: Where is overall supply-chain risk heading, and what would mark a step-change?
- EEI: structural and proximate drivers of upward/downward risk trajectory named
- EEI: early-warning indicators and tripwires identified per domain
- EEI: ACH hypotheses (risk holds / escalates / de-escalates) tested against diagnostic evidence
- EEI: rating trajectory (Improving / Stable / Deteriorating / Volatile) assessed with likelihood and confidence stated separately
- EEI: key assumptions checked and linchpin assumptions flagged
Collection gaps / RFIs (running)
- [open item - e.g., tier-2 supplier visibility for [commodity]] → route to OSINT-010 Vendor Integrity Vetting
- [open item - e.g., country risk baseline for [jurisdiction]] → route to OSINT-031 Country Risk Assessment
- [open item - e.g., enhanced due diligence on [supplier]] → route to OSINT-014 EDD
01 · Entity Identity - Client & Supply Chain Descriptor
Who the client is and the precise scope of the supply chain under assessment. → feeds §2 Executive Summary & Scope, §5 Risk Framing, Appendix A.
Client identity
- Client legal name:
- Requesting contact / engagement ref:
- Client industry / sector:
- Client exposure profile (what is at risk):
- Risk tolerance / appetite (recorded, not used to adjust scores):
Supply chain / network assessed
- Network descriptor / label:
- Geographic scope (origin → transit → destination):
- Commodity / product line(s) in scope:
- Tier depth assessed (tier-1 only / tier-2 / tier-N):
- Nodes / corridors explicitly excluded from scope:
- Risk horizon (6 / 12 / 24 months):
- Engagement purpose (decision the rating informs):
Baseline / as-of date
- As-of date:
- Date of assessment:
- Re-score cadence (if any):
02 · Corporate Structure - Supply Chain Network Map ★
Map of the supply chain’s nodes, flows, and tier structure - the node-and-flow diagram that underpins §6 Architecture risk scoring and Appendix B. Clone the block per node.
Supply chain node
→ feeds §6 Supply Chain Architecture & Critical Node Risk, Appendix B Node-and-Flow Map. Clone the block per node.
- [node - e.g. Tier-1 Supplier: Acme Components Ltd, Shenzhen CN]
- Node type: [Supplier / Manufacturer / Warehouse / Port / Logistics Hub / Transshipment / Distributor / other]
- Tier level: [Tier-1 / Tier-2 / Tier-N / Logistics provider]
- Geography / jurisdiction:
- Commodity / product / service flowing through:
- Single-source / sole-source status: [Yes / No / Partial]
- Substitutability: [Easy / Hard / Irreplaceable]
- Upstream feeds from:
- Downstream feeds to:
- Country risk rating for this jurisdiction (from OSINT-031):
- Notes / tool output: ← OpenCorporates, national company registries, trade databases
- [node 2]
Geographic concentration clusters
- [region / country cluster]
- Nodes concentrated here:
- Country risk rating:
- Concentration risk assessment:
03 · People - Key Contacts, Owners & Counterparty Officers ★
Directors, officers, UBOs, and key operational contacts at critical suppliers and logistics providers - feeds supplier integrity checks and any escalation to OSINT-010 / OSINT-014. Clone the block per person.
Key counterparty individual
→ feeds §7 Supplier / Vendor / Tier-N Risk; escalates to OSINT-010 or OSINT-014. Clone the block per individual.
- [name - e.g. John Tan, CEO Acme Components Ltd]
- Role / title:
- Entity they represent:
- Contact details (if available):
- Adverse media / sanctions / PEP flags:
- Beneficial ownership connection:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← OpenCorporates, Companies House, ICIJ Offshore Leaks, OFAC SDN, PEP databases
- [person 2]
04 · Registrations & Filings - Supplier & Counterparty Corporate Data
Company registration data for critical suppliers and logistics providers - feeds financial health assessment in §7. Clone the block per entity.
Supplier / counterparty entity
→ feeds §7 Supplier / Vendor / Tier-N Risk, §13 Risk Register. Clone the block per entity.
- [entity - e.g. Acme Components Ltd]
- Jurisdiction of incorporation:
- Registration / company number:
- Registered address:
- Incorporation date:
- Status (active / dormant / dissolved):
- Directors / officers (current):
- UBO / beneficial owner(s):
- Financial filings (most recent accounts, revenue, profit/loss):
- Insolvency / administration / winding-up notices:
- Sanctions designations (OFAC / EU / UK / UN): [Clear / Hit / Near-match]
- Forced-labour / human-rights flags (UFLPA, UK MSA, EU CBAM):
- Notes / tool output: ← OpenCorporates, Companies House, EDGAR, national registries; OFAC SDN; ICIJ
- [entity 2]
05 · Digital & Infrastructure - Supplier Cyber & Digital Exposure ★
Digital footprint of critical suppliers and logistics providers - feeds §11 Technology, Data & Cyber Supply Chain Risk. Clone the block per entity.
Supplier / provider domain & digital footprint
→ feeds §11 Technology, Data & Cyber Supply Chain Risk. Clone the block per entity.
- [entity / domain - e.g. acme-components.com]
- Primary domain(s):
- Hosting / ASN / IP block: ← whois, crt.sh, Shodan, Censys
- Known breach / credential exposure: ← h8mail, HaveIBeenPwned, IntelX
- OT/IT integration indicators (SCADA exposure, remote-access interfaces visible): ← Shodan, FOFA
- Software / firmware supply chain flags (known CVEs in products used):
- Data-sharing obligations / data-flow direction with client:
- Cyber incident history (public):
- Notes / tool output: ← whois, crt.sh, Shodan/Censys, IntelX, VirusTotal
- [entity / domain 2]
06 · Financials - Supplier Financial Health & Country Economic Risk
Financial health indicators for critical suppliers and country-level economic risk inputs - feeds §7 Supplier Risk and §6 Architecture Risk scoring.
Supplier financial health
- [entity]
- Revenue (most recent):
- Profit / EBITDA:
- Debt / leverage indicators:
- Credit rating (if available):
- Insolvency / late-filing flags:
- Customer / revenue concentration (client as % of revenues):
- Confidence: [H/M/L]
- Source grade (Admiralty A–F / 1–6):
Country economic risk indicators (per sourcing / transit jurisdiction)
- [jurisdiction]
- GDP growth / recession signal:
- Currency stability / devaluation risk:
- Inflation / input-cost pressure:
- Labour market stability:
- Country risk rating from OSINT-031:
- Notes:
07 · Commercial Footprint - Logistics Corridors, Ports & Border Nodes ★
The operational geography of the supply chain - corridors, chokepoints, ports, and border crossings. Feeds §8 Logistics Corridors & Chokepoints and §9 Ports, Borders & Customs. Clone the block per corridor or node.
Logistics corridor / transit segment
→ feeds §8 Logistics Corridors, Chokepoints & Transit Risk. Clone the block per corridor.
- [corridor - e.g. Red Sea / Suez Canal maritime leg, Shanghai → Rotterdam]
- Mode (maritime / air / road / rail / pipeline / multi-modal):
- Origin node:
- Destination node:
- Chokepoints transited:
- Transit jurisdictions:
- Approximate lead time (days):
- Freight volume / value at risk:
- Carrier / logistics provider:
- Known security risk (piracy, theft, unrest, attack history):
- Known regulatory / political risk (sanctions on route / carrier, transit bans):
- Infrastructure reliability rating:
- Alternative corridor feasibility:
- Notes / tool output: ← IMO / MCA advisories, BIMCO, Lloyd’s List, Dryad Global, shipping analytics
- [corridor 2]
Port / border crossing / customs node
→ feeds §9 Ports, Borders & Customs Clearance Risk. Clone the block per node.
- [node - e.g. Port of Rotterdam, NL]
- Node type: [Seaport / Airport / Road border crossing / Rail crossing / Inland clearance depot]
- Country / jurisdiction:
- Client’s volume / share of throughput through this node:
- Congestion / capacity rating (current):
- Labour disruption risk (strike history, union activity):
- Customs clearance average dwell time:
- Inspection rate for client’s commodity:
- Tariff / quota / trade-remedy actions currently in force:
- Biosecurity / health-measure hold-up history:
- Seizure / detention / forfeiture incidents (recent):
- Alternative node feasibility:
- Notes / tool output: ← WCO, national customs authority data, Port Authority stats, Flexport/Freightos indices
- [node 2]
08 · Legal, Regulatory & Sanctions
Legal and regulatory exposures across the chain - feeds §12 Regulatory & Trade Compliance Risk and §13 Risk Register.
Sanctions screening - jurisdictions and counterparties
- Jurisdictions in chain screened against current sanctions lists:
- OFAC SDN / Consolidated: [Clear / Hit / Near-match]
- EU Consolidated Sanctions:
- UK HMT Sanctions:
- UN Security Council:
- Other (ITAR, EAR, BIS Entity List):
- Carriers / logistics providers screened:
- Flag states (maritime) screened:
Export controls / dual-use / strategic goods
- [item / technology / good]
- Commodity / ECCN / HS code:
- Export control classification:
- End-use / end-user risk:
- Licence requirement:
- Notes:
Forced-labour / human-rights / ESG obligations
- [sourcing jurisdiction / supplier]
- UFLPA / UK Modern Slavery Act exposure:
- EU CSDD / Conflict-minerals (3TG) obligation:
- Audit / certification status:
- Known adverse indicators:
Tariff & trade-policy risk register
- [trade flow / commodity]
- Current tariff rate(s):
- Pending trade-remedy or escalation risk:
- Trade-war / retaliation exposure:
- Notes:
09 · Reputation & Adverse Media
Adverse media, ESG, and integrity signals for critical suppliers and logistics providers - feeds §7 Supplier Risk and §13 Risk Register.
Adverse media - supplier / counterparty
→ feeds §7 Supplier / Vendor / Tier-N Risk. Clone the block per finding.
- [entity / incident - e.g. Acme Components Ltd - forced-labour allegation, Reuters 2024-08]
- Entity named:
- Allegation / issue type: [Corruption / Sanctions evasion / Forced-labour / Financial fraud / Quality failure / Environmental / Other]
- Publication / outlet:
- Date:
- Status (alleged / under investigation / adjudicated):
- Reputational / regulatory contagion risk to client:
- Reliability (A–F) / Credibility (1–6):
- Notes:
- [finding 2]
ESG / sustainability flags
- [supplier or node]
- Issue:
- Source:
- Regulatory obligation triggered:
10 · Network & Affiliations - Tier-N Visibility & Related Entities ★
Sub-tier (tier-2, tier-N) and related-entity mapping - feeds §6 Architecture Risk (complexity/opacity sub-risk) and §7 Supplier Risk (tier-N visibility). Clone the block per entity.
Tier-N / sub-tier supplier entity
→ feeds §6 Architecture & Critical Node Risk, §7 Supplier / Vendor / Tier-N Risk. Clone the block per entity.
- [entity - e.g. Tier-2 raw-material processor: Shenzhen Metals Corp]
- Tier level: [Tier-2 / Tier-3 / Tier-N]
- Feeds to (tier-1 supplier):
- Commodity / material supplied:
- Geographic concentration with other sub-tiers:
- Visibility (known to client / inferred / unknown): [Known / Inferred / Unknown]
- Financial / integrity flags:
- Country risk rating:
- Notes / tool output: ← Panjiva/ImportYeti (trade data), OpenCorporates, country business registries
- [entity 2]
Logistics provider / carrier network
- [carrier / freight forwarder - e.g. Maersk / DHL / local haulier]
- Service provided:
- Jurisdictions operated in:
- Sanctions screening status:
- Financial health:
- Concentration risk (% of client freight):
- Notes:
11 · Inventory, Capacity & Continuity Data
Collection of inventory buffer, lead-time, and production-capacity data to underpin §10 Inventory, Capacity & Continuity Risk scoring.
Inventory buffer (client-provided or publicly observable)
- Critical input / component:
- Current days-of-cover:
- Minimum viable buffer (days):
- Replenishment lead time (days - sea / air):
- Sea-to-air freight substitution feasible: [Yes / No / Partial]
- Alternative supplier lead time if primary fails:
- Confidence (data freshness / client-provided accuracy): [H/M/L]
Production capacity nodes
- [production site / facility]
- Location:
- Capacity utilisation rate:
- Redundant capacity at alternative site:
- Single-shift / multi-shift dependency:
- Seasonal or perishable dependency:
- Notes:
Disruption scenario buffer adequacy
- [scenario - e.g. Port X closure for 3 weeks]
- Days of supply disruption modelled:
- Buffer adequate for scenario: [Yes / No / Marginal]
- Production impact (days):
- Revenue at risk (estimate):
12 · Risk Register Inputs - Domain Scoring Workpad
Working scratchpad for scoring each domain sub-risk before populating §13 Consolidated Risk Register. One block per scored sub-risk.
Scored sub-risk entry
→ feeds §6–§12 domain tables and §13 Consolidated Risk Register. Clone per sub-risk row.
- [sub-risk - e.g. Single-source dependency - Tier-1 Electronic Components - Shenzhen]
- Domain (§): [§6 Architecture / §7 Supplier / §8 Corridors / §9 Ports-Borders / §10 Inventory / §11 Tech-Cyber / §12 Regulatory]
- Driver / basis (evidence):
- Likelihood score (1–5):
- Impact score (1–5, client exposure basis):
- Inherent score (L×I):
- Existing mitigation(s) credited:
- Residual score after mitigation:
- Trend (↑ / → / ↓):
- Analytic confidence (H/M/L):
- Source grade (A–F / 1–6):
- Notes / evidence extract:
- [sub-risk 2]
13 · Early-Warning Indicators & Watch Triggers
Collection workpad for §16 Risk-Escalation & Early-Warning Indicators - specific, observable tripwires to populate the indicator register.
Early-warning indicator
→ feeds §16 Risk-Escalation & Early-Warning Indicators. Clone per indicator.
- [indicator - e.g. Supplier bankruptcy filing / port labour strike notice / sanctions designation of corridor carrier]
- Risk / domain (§) it bears on:
- Score-change signalled (e.g., Supplier/Tier-N residual 12→16):
- Severity (Critical / High / Medium / Low):
- Current status (Not present / Emerging / Present):
- Observable signal / data source to watch:
- Disposition (Watch / Notify client / Re-score / Escalate to OSINT-031/OSINT-010/OSINT-014/OSINT-018/OSINT-036):
- Notes / tool output: ← Reuters/Bloomberg alerts, Lloyd’s List, IMO, trade press, shipping AIS
- [indicator 2]
14 · ACH & KAC Workpad
Evidence array for §18 Analysis of Competing Hypotheses (trajectory hypotheses) and §19 Key Assumptions Check.
ACH - competing hypotheses for rating trajectory
- Central hypothesis question: [e.g., Will the overall supply-chain risk rating hold at current band / escalate / de-escalate over the horizon?]
H1 - Risk holds at current band
- Evidence consistent (C) / inconsistent (I) / neutral (N) with H1:
- [evidence item]:
H2 - Risk escalates a band
- Evidence C/I/N with H2:
- [evidence item]:
H3 - Risk de-escalates
-
Evidence C/I/N with H3:
- [evidence item]:
-
Most consistent hypothesis:
-
Diagnostic evidence that would overturn it:
KAC - key assumptions
- [assumption - e.g. Client-supplied supply-chain data are accurate and current]
- Basis:
- Confidence (H/M/L):
- Impact on rating if wrong:
- Linchpin assumption (Y/N):
- [assumption 2]
99 · Collection Admin
Working register - not a deliverable section, but the audit trail behind it. → feeds §22 Annex A - Sources & Methodology and §23 Annex B, Appendix J - Full Source Register.
Source register
Every material datum traceable to a graded source. Admiralty two-axis grade: reliability A–F, credibility 1–6.
- [S-1 - source, e.g. OpenCorporates - supplier registration data]
- Type: [Primary / Secondary / Tertiary]
- Domain (§) fed:
- Reliability (A–F):
- Credibility (1–6):
- Date accessed:
- Coverage / limitation note:
- [S-2]
Evidence archive
- [capture ref - e.g. SC-001 - screenshot OpenCorporates Acme Components Ltd - 2025-03-12]
- URL:
- SHA-256 hash:
- Timestamp (UTC):
- Relevance / domain:
Proprietary / licensed data sources used
- [dataset - e.g. Panjiva trade data / Dun & Bradstreet / Lloyd’s List Intelligence]
- Licence holder:
- Access date:
- Limitation / self-interest caveat:
Client-provided supply-chain data received
- [data type - e.g. supplier list, tier-1 contracts, inventory levels, lead-time data]
- Date provided:
- Verified / unverified:
- Completeness assessment:
- Gaps noted:
Open gaps / verification pending
- [item submitted, not yet returned - e.g. OSINT-031 Country Risk Assessment for [jurisdiction] not yet commissioned]
- [item - e.g. tier-2 supplier list for [commodity] not provided by client]