[SUPPLY CHAIN / LOGISTICS NETWORK] - Collection Map

OSINT-035 Supply Chain & Logistics Risk Assessment - collection workspace. Central topic = the supply chain or logistics network under assessment (replace with client’s network descriptor, e.g. “CLIENT X - ASIA-PACIFIC INBOUND CHAIN”). Branches = data-point categories aligned to the seven risk domains scored in the deliverable. Drop each collected value as a child node; expand it with where it was found and what it links to. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-035.

00 · Collection Plan - PIRs & EEIs

The questions this collection must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §13 Consolidated Risk Register, §14 Overall Rating, §15 Key Findings, §20 Collection Gaps, §21 Assessment & Recommendations.

PIR-1 - Architecture & Critical Node Risk: Where are the single-points-of-failure, concentration risks, and critical dependencies?

  • EEI: map of all supply chain nodes (tier-1 and critical sub-tier), geographies, and corridors
  • EEI: single-source / single-site dependencies identified and quantified
  • EEI: hard-to-substitute inputs or components named and assessed
  • EEI: hub-and-spoke topology mapped; network complexity and opacity assessed
  • EEI: country risk baseline for each sourcing/transit jurisdiction (consume from OSINT-031)

PIR-2 - Supplier / Vendor / Tier-N Risk: Which suppliers pose unacceptable financial, operational, quality, or integrity risk?

  • EEI: financial health and bankruptcy risk for critical suppliers
  • EEI: sole- or limited-source supplier dependency flagged
  • EEI: geopolitical and integrity risk (sanctions, forced-labour, corruption, adverse ownership) for key suppliers
  • EEI: tier-N / sub-tier visibility assessed; hidden concentration identified
  • EEI: reputational or regulatory contagion pathways through the chain identified

PIR-3 - Logistics Corridors & Chokepoint Risk: Which corridors, routes, ports, or border crossings are most exposed?

  • EEI: chokepoints (maritime straits, canals, mountain passes, rail heads, bridges) transited by client goods
  • EEI: corridor security risk (piracy, theft, convoy attack, sabotage, civil unrest) rated per segment
  • EEI: corridor regulatory and political risk (border closures, transit bans, sanctions on carriers/routes)
  • EEI: infrastructure reliability and capacity constraints per corridor segment
  • EEI: multi-modal break-of-bulk and transshipment hub risks identified

PIR-4 - Ports, Borders & Customs Clearance Risk: What is the clearance reliability and hold-up risk at key entry/exit nodes?

  • EEI: congestion, capacity, and labour-disruption risk at key ports/crossings
  • EEI: customs clearance delay rates and documentary compliance risk assessed
  • EEI: tariff, quota, or trade-remedy actions affecting goods at key border nodes
  • EEI: biosecurity, health-measure, or border-security hold-up history
  • EEI: seizure, detention, or forfeiture risk at key nodes

PIR-5 - Inventory, Capacity & Continuity Risk: Is the current inventory buffer adequate to absorb plausible disruption?

  • EEI: inventory buffer levels for critical inputs and finished goods (days-of-cover)
  • EEI: long-lead / hard-to-substitute items and sea-vs-air freight substitution feasibility
  • EEI: production capacity concentration and redundancy across nodes
  • EEI: stock-out risk scenarios for critical inputs assessed
  • EEI: alternative sourcing / production locations identified and feasibility rated

PIR-6 - Technology, Data & Cyber Supply Chain Risk: What is the exposure to cyber attack, OT/IT disruption, or technology dependency?

  • EEI: OT/IT integration and vulnerability at critical supplier sites and logistics nodes
  • EEI: software / firmware / hardware supply chain integrity risk (counterfeit, tampered components)
  • EEI: data flows and data-protection compliance risk across the chain
  • EEI: supplier and logistics-provider cyber hygiene and breach history
  • EEI: IP theft, reverse-engineering, or technology-diversion risk at any node

PIR-7 - Regulatory & Trade Compliance Risk: What sanctions, tariff, export-control, or forced-labour developments affect the chain?

  • EEI: sanctions, embargoes, and export-control restrictions covering jurisdictions, counterparties, goods, or end-uses in the chain
  • EEI: tariff and trade-policy escalation risk (trade wars, retaliation, quota imposition) for key commodity/product flows
  • EEI: forced-labour, modern-slavery, conflict-minerals, and human-rights due diligence obligations mapped to sourcing nodes
  • EEI: customs valuation and classification risk identified
  • EEI: dual-use / strategic-goods / end-use risk assessed for any tech-adjacent inputs

PIR-8 - Trajectory & Inflection: Where is overall supply-chain risk heading, and what would mark a step-change?

  • EEI: structural and proximate drivers of upward/downward risk trajectory named
  • EEI: early-warning indicators and tripwires identified per domain
  • EEI: ACH hypotheses (risk holds / escalates / de-escalates) tested against diagnostic evidence
  • EEI: rating trajectory (Improving / Stable / Deteriorating / Volatile) assessed with likelihood and confidence stated separately
  • EEI: key assumptions checked and linchpin assumptions flagged

Collection gaps / RFIs (running)

  • [open item - e.g., tier-2 supplier visibility for [commodity]] → route to OSINT-010 Vendor Integrity Vetting
  • [open item - e.g., country risk baseline for [jurisdiction]] → route to OSINT-031 Country Risk Assessment
  • [open item - e.g., enhanced due diligence on [supplier]] → route to OSINT-014 EDD

01 · Entity Identity - Client & Supply Chain Descriptor

Who the client is and the precise scope of the supply chain under assessment. → feeds §2 Executive Summary & Scope, §5 Risk Framing, Appendix A.

Client identity

  • Client legal name:
  • Requesting contact / engagement ref:
  • Client industry / sector:
  • Client exposure profile (what is at risk):
  • Risk tolerance / appetite (recorded, not used to adjust scores):

Supply chain / network assessed

  • Network descriptor / label:
  • Geographic scope (origin → transit → destination):
  • Commodity / product line(s) in scope:
  • Tier depth assessed (tier-1 only / tier-2 / tier-N):
  • Nodes / corridors explicitly excluded from scope:
  • Risk horizon (6 / 12 / 24 months):
  • Engagement purpose (decision the rating informs):

Baseline / as-of date

  • As-of date:
  • Date of assessment:
  • Re-score cadence (if any):

02 · Corporate Structure - Supply Chain Network Map ★

Map of the supply chain’s nodes, flows, and tier structure - the node-and-flow diagram that underpins §6 Architecture risk scoring and Appendix B. Clone the block per node.

Supply chain node

→ feeds §6 Supply Chain Architecture & Critical Node Risk, Appendix B Node-and-Flow Map. Clone the block per node.

  • [node - e.g. Tier-1 Supplier: Acme Components Ltd, Shenzhen CN]
    • Node type: [Supplier / Manufacturer / Warehouse / Port / Logistics Hub / Transshipment / Distributor / other]
    • Tier level: [Tier-1 / Tier-2 / Tier-N / Logistics provider]
    • Geography / jurisdiction:
    • Commodity / product / service flowing through:
    • Single-source / sole-source status: [Yes / No / Partial]
    • Substitutability: [Easy / Hard / Irreplaceable]
    • Upstream feeds from:
    • Downstream feeds to:
    • Country risk rating for this jurisdiction (from OSINT-031):
    • Notes / tool output: ← OpenCorporates, national company registries, trade databases
  • [node 2]

Geographic concentration clusters

  • [region / country cluster]
    • Nodes concentrated here:
    • Country risk rating:
    • Concentration risk assessment:

03 · People - Key Contacts, Owners & Counterparty Officers ★

Directors, officers, UBOs, and key operational contacts at critical suppliers and logistics providers - feeds supplier integrity checks and any escalation to OSINT-010 / OSINT-014. Clone the block per person.

Key counterparty individual

→ feeds §7 Supplier / Vendor / Tier-N Risk; escalates to OSINT-010 or OSINT-014. Clone the block per individual.

  • [name - e.g. John Tan, CEO Acme Components Ltd]
    • Role / title:
    • Entity they represent:
    • Contact details (if available):
    • Adverse media / sanctions / PEP flags:
    • Beneficial ownership connection:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← OpenCorporates, Companies House, ICIJ Offshore Leaks, OFAC SDN, PEP databases
  • [person 2]

04 · Registrations & Filings - Supplier & Counterparty Corporate Data

Company registration data for critical suppliers and logistics providers - feeds financial health assessment in §7. Clone the block per entity.

Supplier / counterparty entity

→ feeds §7 Supplier / Vendor / Tier-N Risk, §13 Risk Register. Clone the block per entity.

  • [entity - e.g. Acme Components Ltd]
    • Jurisdiction of incorporation:
    • Registration / company number:
    • Registered address:
    • Incorporation date:
    • Status (active / dormant / dissolved):
    • Directors / officers (current):
    • UBO / beneficial owner(s):
    • Financial filings (most recent accounts, revenue, profit/loss):
    • Insolvency / administration / winding-up notices:
    • Sanctions designations (OFAC / EU / UK / UN): [Clear / Hit / Near-match]
    • Forced-labour / human-rights flags (UFLPA, UK MSA, EU CBAM):
    • Notes / tool output: ← OpenCorporates, Companies House, EDGAR, national registries; OFAC SDN; ICIJ
  • [entity 2]

05 · Digital & Infrastructure - Supplier Cyber & Digital Exposure ★

Digital footprint of critical suppliers and logistics providers - feeds §11 Technology, Data & Cyber Supply Chain Risk. Clone the block per entity.

Supplier / provider domain & digital footprint

→ feeds §11 Technology, Data & Cyber Supply Chain Risk. Clone the block per entity.

  • [entity / domain - e.g. acme-components.com]
    • Primary domain(s):
    • Hosting / ASN / IP block: ← whois, crt.sh, Shodan, Censys
    • Known breach / credential exposure: ← h8mail, HaveIBeenPwned, IntelX
    • OT/IT integration indicators (SCADA exposure, remote-access interfaces visible): ← Shodan, FOFA
    • Software / firmware supply chain flags (known CVEs in products used):
    • Data-sharing obligations / data-flow direction with client:
    • Cyber incident history (public):
    • Notes / tool output: ← whois, crt.sh, Shodan/Censys, IntelX, VirusTotal
  • [entity / domain 2]

06 · Financials - Supplier Financial Health & Country Economic Risk

Financial health indicators for critical suppliers and country-level economic risk inputs - feeds §7 Supplier Risk and §6 Architecture Risk scoring.

Supplier financial health

  • [entity]
    • Revenue (most recent):
    • Profit / EBITDA:
    • Debt / leverage indicators:
    • Credit rating (if available):
    • Insolvency / late-filing flags:
    • Customer / revenue concentration (client as % of revenues):
    • Confidence: [H/M/L]
    • Source grade (Admiralty A–F / 1–6):

Country economic risk indicators (per sourcing / transit jurisdiction)

  • [jurisdiction]
    • GDP growth / recession signal:
    • Currency stability / devaluation risk:
    • Inflation / input-cost pressure:
    • Labour market stability:
    • Country risk rating from OSINT-031:
    • Notes:

07 · Commercial Footprint - Logistics Corridors, Ports & Border Nodes ★

The operational geography of the supply chain - corridors, chokepoints, ports, and border crossings. Feeds §8 Logistics Corridors & Chokepoints and §9 Ports, Borders & Customs. Clone the block per corridor or node.

Logistics corridor / transit segment

→ feeds §8 Logistics Corridors, Chokepoints & Transit Risk. Clone the block per corridor.

  • [corridor - e.g. Red Sea / Suez Canal maritime leg, Shanghai → Rotterdam]
    • Mode (maritime / air / road / rail / pipeline / multi-modal):
    • Origin node:
    • Destination node:
    • Chokepoints transited:
    • Transit jurisdictions:
    • Approximate lead time (days):
    • Freight volume / value at risk:
    • Carrier / logistics provider:
    • Known security risk (piracy, theft, unrest, attack history):
    • Known regulatory / political risk (sanctions on route / carrier, transit bans):
    • Infrastructure reliability rating:
    • Alternative corridor feasibility:
    • Notes / tool output: ← IMO / MCA advisories, BIMCO, Lloyd’s List, Dryad Global, shipping analytics
  • [corridor 2]

Port / border crossing / customs node

→ feeds §9 Ports, Borders & Customs Clearance Risk. Clone the block per node.

  • [node - e.g. Port of Rotterdam, NL]
    • Node type: [Seaport / Airport / Road border crossing / Rail crossing / Inland clearance depot]
    • Country / jurisdiction:
    • Client’s volume / share of throughput through this node:
    • Congestion / capacity rating (current):
    • Labour disruption risk (strike history, union activity):
    • Customs clearance average dwell time:
    • Inspection rate for client’s commodity:
    • Tariff / quota / trade-remedy actions currently in force:
    • Biosecurity / health-measure hold-up history:
    • Seizure / detention / forfeiture incidents (recent):
    • Alternative node feasibility:
    • Notes / tool output: ← WCO, national customs authority data, Port Authority stats, Flexport/Freightos indices
  • [node 2]

Legal and regulatory exposures across the chain - feeds §12 Regulatory & Trade Compliance Risk and §13 Risk Register.

Sanctions screening - jurisdictions and counterparties

  • Jurisdictions in chain screened against current sanctions lists:
    • OFAC SDN / Consolidated: [Clear / Hit / Near-match]
    • EU Consolidated Sanctions:
    • UK HMT Sanctions:
    • UN Security Council:
    • Other (ITAR, EAR, BIS Entity List):
  • Carriers / logistics providers screened:
  • Flag states (maritime) screened:

Export controls / dual-use / strategic goods

  • [item / technology / good]
    • Commodity / ECCN / HS code:
    • Export control classification:
    • End-use / end-user risk:
    • Licence requirement:
    • Notes:

Forced-labour / human-rights / ESG obligations

  • [sourcing jurisdiction / supplier]
    • UFLPA / UK Modern Slavery Act exposure:
    • EU CSDD / Conflict-minerals (3TG) obligation:
    • Audit / certification status:
    • Known adverse indicators:

Tariff & trade-policy risk register

  • [trade flow / commodity]
    • Current tariff rate(s):
    • Pending trade-remedy or escalation risk:
    • Trade-war / retaliation exposure:
    • Notes:

09 · Reputation & Adverse Media

Adverse media, ESG, and integrity signals for critical suppliers and logistics providers - feeds §7 Supplier Risk and §13 Risk Register.

Adverse media - supplier / counterparty

→ feeds §7 Supplier / Vendor / Tier-N Risk. Clone the block per finding.

  • [entity / incident - e.g. Acme Components Ltd - forced-labour allegation, Reuters 2024-08]
    • Entity named:
    • Allegation / issue type: [Corruption / Sanctions evasion / Forced-labour / Financial fraud / Quality failure / Environmental / Other]
    • Publication / outlet:
    • Date:
    • Status (alleged / under investigation / adjudicated):
    • Reputational / regulatory contagion risk to client:
    • Reliability (A–F) / Credibility (1–6):
    • Notes:
  • [finding 2]

ESG / sustainability flags

  • [supplier or node]
    • Issue:
    • Source:
    • Regulatory obligation triggered:

Sub-tier (tier-2, tier-N) and related-entity mapping - feeds §6 Architecture Risk (complexity/opacity sub-risk) and §7 Supplier Risk (tier-N visibility). Clone the block per entity.

Tier-N / sub-tier supplier entity

→ feeds §6 Architecture & Critical Node Risk, §7 Supplier / Vendor / Tier-N Risk. Clone the block per entity.

  • [entity - e.g. Tier-2 raw-material processor: Shenzhen Metals Corp]
    • Tier level: [Tier-2 / Tier-3 / Tier-N]
    • Feeds to (tier-1 supplier):
    • Commodity / material supplied:
    • Geographic concentration with other sub-tiers:
    • Visibility (known to client / inferred / unknown): [Known / Inferred / Unknown]
    • Financial / integrity flags:
    • Country risk rating:
    • Notes / tool output: ← Panjiva/ImportYeti (trade data), OpenCorporates, country business registries
  • [entity 2]

Logistics provider / carrier network

  • [carrier / freight forwarder - e.g. Maersk / DHL / local haulier]
    • Service provided:
    • Jurisdictions operated in:
    • Sanctions screening status:
    • Financial health:
    • Concentration risk (% of client freight):
    • Notes:

11 · Inventory, Capacity & Continuity Data

Collection of inventory buffer, lead-time, and production-capacity data to underpin §10 Inventory, Capacity & Continuity Risk scoring.

Inventory buffer (client-provided or publicly observable)

  • Critical input / component:
    • Current days-of-cover:
    • Minimum viable buffer (days):
    • Replenishment lead time (days - sea / air):
    • Sea-to-air freight substitution feasible: [Yes / No / Partial]
    • Alternative supplier lead time if primary fails:
    • Confidence (data freshness / client-provided accuracy): [H/M/L]

Production capacity nodes

  • [production site / facility]
    • Location:
    • Capacity utilisation rate:
    • Redundant capacity at alternative site:
    • Single-shift / multi-shift dependency:
    • Seasonal or perishable dependency:
    • Notes:

Disruption scenario buffer adequacy

  • [scenario - e.g. Port X closure for 3 weeks]
    • Days of supply disruption modelled:
    • Buffer adequate for scenario: [Yes / No / Marginal]
    • Production impact (days):
    • Revenue at risk (estimate):

12 · Risk Register Inputs - Domain Scoring Workpad

Working scratchpad for scoring each domain sub-risk before populating §13 Consolidated Risk Register. One block per scored sub-risk.

Scored sub-risk entry

→ feeds §6–§12 domain tables and §13 Consolidated Risk Register. Clone per sub-risk row.

  • [sub-risk - e.g. Single-source dependency - Tier-1 Electronic Components - Shenzhen]
    • Domain (§): [§6 Architecture / §7 Supplier / §8 Corridors / §9 Ports-Borders / §10 Inventory / §11 Tech-Cyber / §12 Regulatory]
    • Driver / basis (evidence):
    • Likelihood score (1–5):
    • Impact score (1–5, client exposure basis):
    • Inherent score (L×I):
    • Existing mitigation(s) credited:
    • Residual score after mitigation:
    • Trend (↑ / → / ↓):
    • Analytic confidence (H/M/L):
    • Source grade (A–F / 1–6):
    • Notes / evidence extract:
  • [sub-risk 2]

13 · Early-Warning Indicators & Watch Triggers

Collection workpad for §16 Risk-Escalation & Early-Warning Indicators - specific, observable tripwires to populate the indicator register.

Early-warning indicator

→ feeds §16 Risk-Escalation & Early-Warning Indicators. Clone per indicator.

  • [indicator - e.g. Supplier bankruptcy filing / port labour strike notice / sanctions designation of corridor carrier]
    • Risk / domain (§) it bears on:
    • Score-change signalled (e.g., Supplier/Tier-N residual 12→16):
    • Severity (Critical / High / Medium / Low):
    • Current status (Not present / Emerging / Present):
    • Observable signal / data source to watch:
    • Disposition (Watch / Notify client / Re-score / Escalate to OSINT-031/OSINT-010/OSINT-014/OSINT-018/OSINT-036):
    • Notes / tool output: ← Reuters/Bloomberg alerts, Lloyd’s List, IMO, trade press, shipping AIS
  • [indicator 2]

14 · ACH & KAC Workpad

Evidence array for §18 Analysis of Competing Hypotheses (trajectory hypotheses) and §19 Key Assumptions Check.

ACH - competing hypotheses for rating trajectory

  • Central hypothesis question: [e.g., Will the overall supply-chain risk rating hold at current band / escalate / de-escalate over the horizon?]

H1 - Risk holds at current band

  • Evidence consistent (C) / inconsistent (I) / neutral (N) with H1:
    • [evidence item]:

H2 - Risk escalates a band

  • Evidence C/I/N with H2:
    • [evidence item]:

H3 - Risk de-escalates

  • Evidence C/I/N with H3:

    • [evidence item]:
  • Most consistent hypothesis:

  • Diagnostic evidence that would overturn it:

KAC - key assumptions

  • [assumption - e.g. Client-supplied supply-chain data are accurate and current]
    • Basis:
    • Confidence (H/M/L):
    • Impact on rating if wrong:
    • Linchpin assumption (Y/N):
  • [assumption 2]

99 · Collection Admin

Working register - not a deliverable section, but the audit trail behind it. → feeds §22 Annex A - Sources & Methodology and §23 Annex B, Appendix J - Full Source Register.

Source register

Every material datum traceable to a graded source. Admiralty two-axis grade: reliability A–F, credibility 1–6.

  • [S-1 - source, e.g. OpenCorporates - supplier registration data]
    • Type: [Primary / Secondary / Tertiary]
    • Domain (§) fed:
    • Reliability (A–F):
    • Credibility (1–6):
    • Date accessed:
    • Coverage / limitation note:
  • [S-2]

Evidence archive

  • [capture ref - e.g. SC-001 - screenshot OpenCorporates Acme Components Ltd - 2025-03-12]
    • URL:
    • SHA-256 hash:
    • Timestamp (UTC):
    • Relevance / domain:

Proprietary / licensed data sources used

  • [dataset - e.g. Panjiva trade data / Dun & Bradstreet / Lloyd’s List Intelligence]
    • Licence holder:
    • Access date:
    • Limitation / self-interest caveat:

Client-provided supply-chain data received

  • [data type - e.g. supplier list, tier-1 contracts, inventory levels, lead-time data]
    • Date provided:
    • Verified / unverified:
    • Completeness assessment:
    • Gaps noted:

Open gaps / verification pending

  • [item submitted, not yet returned - e.g. OSINT-031 Country Risk Assessment for [jurisdiction] not yet commissioned]
  • [item - e.g. tier-2 supplier list for [commodity] not provided by client]

RFI log

  • [RFI-1 - routed to OSINT-010 Vendor Integrity Vetting for [supplier]]
  • [RFI-2 - routed to OSINT-014 EDD for [supplier / person]]
  • [RFI-3 - routed to OSINT-031 Country Risk Assessment for [jurisdiction]]
  • [RFI-4 - routed to OSINT-036 Continuous Country Risk Monitoring for [jurisdiction]]