SUPPLY CHAIN & LOGISTICS RISK ASSESSMENT

[SUPPLY CHAIN / LOGISTICS NETWORK - RISK ASSESSMENT TITLE - ENGAGEMENT REF]

The Supply Chain & Logistics Risk Assessment is the flow-and-node analysis of the client’s supply network - it identifies, maps, and scores risk to the client’s supply chain from disruption, dependency, concentration, chokepoints, regulatory exposure, and logistics failure across the end-to-end chain. Where the Country Risk Assessment provides the holistic country-level risk rating for a jurisdiction, this product takes that country-level rating as input and assesses how it specifically affects the client’s supply nodes and corridors transiting that country. Where the Country-Entry Risk Assessment scopes risk to a specific deployment or footprint, this product assesses risk to the supply and logistics network - the flow of goods, services, and materials - which may span multiple jurisdictions. Where the Market-Entry Risk Assessment assesses capital- and commercial-decision risk, this product assesses the operational viability and resilience of existing or planned supply chains. Where the Kidnap & Ransom (K&R) Risk Assessment focuses on threat-actor-specific kidnap, ransom, and extortion risk, this product may flag those threats as they affect supply-chain personnel and logistics operations but does not perform the dedicated threat-actor analysis. The Continuous Country Risk Monitoring (retained service) provides ongoing re-scoring of country-level risk which feeds the supply-chain rating; this product is a point-in-time assessment and should be refreshed accordingly. This is a risk assessment; it is not legal, trade-compliance, insurance, or logistics-operations advice, and it is not a guarantee of supply continuity or a substitute for the client’s supply chain risk management (SCRM) framework.


Document Control

FieldValue
Report Reference[REF-YYYY-###]
Date of Report[YYYY-MM-DD]
Baseline / As-Of Date[YYYY-MM-DD - the date through which the supply chain configuration and risk environment are assessed]
Classification / Handling[CONFIDENTIAL - CLIENT EYES ONLY / TLP:AMBER]
Client[CLIENT NAME]
Requesting Party[CONTACT - ENGAGEMENT REF]
Supply Chain / Network Assessed[Description of the supply chain(s) or logistics network under assessment - e.g., global inbound / regional outbound / specific commodity or product line / defined geography]
Client Exposure Profile[What the client has at risk - e.g., continuity of production / single-sourced components / just-in-time inventory / critical logistics corridors / supplier concentration / reputational or regulatory exposure via the chain]
Engagement Purpose[Decision the rating informs - e.g., resilience planning, supplier diversification, insurance, board risk register, M&A integration, continuous-monitoring baseline]
Risk Horizon[The forward window the rating covers - e.g., 6 / 12 / 24 months]
Scope / Depth[End-to-end / tier-N / node-specific / corridor-specific multi-domain risk rating - see §2 scope]
Prepared By[ANALYST NAME / ID]
Reviewed By[REVIEWER NAME / ID]
Approving Officer[APPROVER NAME / ID]
Version[1.0]
Distribution[NAMED RECIPIENTS]

Handling: [Classification/TLP]. Disseminate only to the named authorized recipients. Reproduction or onward sharing prohibited without originator approval. Where the assessment names individuals (supply-chain counterparties, logistics operators, officials, private persons), it may contain personal data - store and transmit per the client data-processing agreement and applicable data-protection frameworks (GDPR, CCPA, and local equivalents).

Nature of this product (READ FIRST): This is a strategic, open-source-based analytic assessment of risk to the client’s supply chain and logistics network, prepared to inform the client’s supply-chain risk management and resilience decisions. It is not legal advice, trade-compliance advice, insurance advice, logistics-operations advice, a credit or vendor-rating-agency product, or a guarantee of supply continuity. The risk scores are the firm’s structured analytic judgments, calibrated to the stated scales - they are an aid to reasoning and prioritisation, not precise measurements, actuarial probabilities, or statements of certainty. The rating is one input; the client’s legal, trade-compliance, supply-chain, procurement, insurance, and in-country advisers should be relied on for operational and transactional determinations.

Analytic independence & policy neutrality (ICD 203): Scores and judgments are the firm’s independent analytic assessment, reached on the evidence and free of policy advocacy, a client-preferred answer, or any government’s, supplier’s, or competitor’s line. Reporting is distinguished from analyst judgment throughout; uncertainty drivers and change indicators are stated explicitly; alternative explanations are tested, not suppressed. Where the client’s commercial or operational preference points one way, the assessment is not adjusted to suit it.

Sourcing & legality: Findings derive from open, licensed, and lawfully accessed sources - public record, official trade and customs data, reputable media, industry and shipping analytics, academic and institutional reporting, recognised supply-chain risk datasets used within licence, and (where commissioned) discreet in-country human sourcing - current as of the baseline date and graded (Annex A). No classified, proprietary-without-licence, or unlawfully obtained material is used; copyright and database-licence terms are respected. Official trade statistics, customs filings, and state-controlled media are treated as potentially self-interested or subject to reporting lags and are corroborated against independent sources.

Limitation - client supply-chain data: Where this assessment incorporates client-provided supply-chain data (supplier lists, volumes, lead times, inventory data, contracts), those data are taken in good faith as accurate and current; the firm does not independently audit or verify the client’s internal supply-chain data. Reliance on this assessment is contingent on the completeness and accuracy of the client’s supplied data.

Scope of risk-treatment content: Mitigation and risk-reduction options in §17 are advisory and analytic - they indicate the direction and category of measures that would lower residual risk. They are not a supply-chain transformation plan, a logistics relocation plan, a stockpiling or inventory strategy, a procurement or contracting strategy, a trade-compliance program, or a business-continuity plan, and they should not be implemented without a separately scoped, separately governed product and qualified in-country and legal advice.

Perishability: This is a point-in-time rating against a stated horizon. Supply chains reconfigure; suppliers fail; geopolitical conditions shift; corridors close. Scores are time-sensitive - re-verify against current reporting before any consequential or time-critical decision, and commission Continuous Country Risk Monitoring and/or Continuous Counterparty Monitoring for standing currency.

Reliance: Reliance is limited to the named client for the stated purpose; no third-party reliance without originator consent.

Risk Snapshot

FieldValue
Supply Chain / Network Assessed[Description of the chain(s) under assessment - geography, tier-depth, commodity/product scope]
Risk Horizon[6 / 12 / 24 months]
Overall Supply Chain Risk Rating[LOW (1–5) / MODERATE (6–10) / ELEVATED (11–15) / HIGH (16–20) / CRITICAL (21–25)] - [aggregate score]
Rating Trajectory[Improving / Stable / Deteriorating / Volatile - see §14]
Highest-Risk Domain(s)[The 1–2 domains driving the rating - see §13]
Top Residual Risks[The 2–3 ranked residual risks the client most needs to act on - see §13]
Principal Risk Drivers[The structural/proximate forces pushing risk up - see §14]
Highest-Priority Watch Indicators[The 1–3 indicators whose movement would most change the rating - see §16]
Coverage Confidence[HIGH / MODERATE / LOW - access, source diversity, currency, client-data completeness - see §22]
Overall Assessment Confidence[HIGH / MODERATE / LOW - see §22]

Table of Contents

  1. BLUF
  2. Executive Summary & Scope
  3. Key Judgments
  4. Priority Intelligence Requirements (PIRs)
  5. Risk Framing, Taxonomy & Methodology
  6. Supply Chain Architecture & Critical Node Risk
  7. Supplier / Vendor / Tier-N Risk
  8. Logistics Corridors, Chokepoints & Transit Risk
  9. Ports, Borders & Customs Clearance Risk
  10. Inventory, Capacity & Continuity Risk
  11. Technology, Data & Cyber Supply Chain Risk
  12. Regulatory & Trade Compliance Risk
  13. Consolidated Risk Register & Heat Map
  14. Overall Supply Chain Risk Rating & Trajectory
  15. Key Findings Summary
  16. Risk-Escalation & Early-Warning Indicators
  17. Risk Treatment & Mitigation Options (Advisory)
  18. Analysis of Competing Hypotheses (ACH)
  19. Key Assumptions Check (KAC)
  20. Collection Gaps & RFIs
  21. Assessment & Recommendations
  22. Annex A - Sources & Methodology
  23. Annex B - Appendices

(Page numbers populate on export to Word/PDF.)


1. BLUF

2–3 sentences. Lead with the overall supply-chain risk rating and trajectory, the domain(s) and node(s) or corridor(s) driving it, and the single most decision-relevant implication for the client’s stated exposure and purpose - with the recommended posture or next step. Written so the decision-maker can act on this line alone.

[BLUF]

2. Executive Summary & Scope

Triggering requirement and engagement purpose; the client’s supply-chain exposure profile and the decision the rating informs. Scope in/out stated explicitly - the supply chain(s) assessed (geography, tier-depth, commodity/product scope, nodes/corridors included), the risk horizon, the risk domains scored, the client-exposure lens applied, and what is deferred to sibling/downstream products (holistic country risk → Country Risk Assessment; operation-scoped risk → Operational Risk Assessment; investment/market-entry risk → Market-Entry Risk Assessment; K&R-specific risk → K&R Risk Assessment; ongoing country monitoring → Continuous Country Risk Monitoring; the vendor/counterparty integrity screen → Vendor & Third-Party Integrity Vetting; enhanced due diligence on specific suppliers → Enhanced Due Diligence; continuous counterparty monitoring → Continuous Counterparty Monitoring). Narrative synthesis of the rating and the principal residual risks across the domains below, to the ICD 203 floor - reporting separated from analytic judgment, uncertainty drivers named, alternatives acknowledged. State the headline rating, its trajectory, and the top residual risks here.

[EXECUTIVE SUMMARY & SCOPE]

3. Key Judgments

The analytic bottom line on supply-chain risk - the overall rating and its direction, the domains and nodes/corridors that most determine it, and the most consequential residual risks to the client. Each judgment carries likelihood and analytic confidence as separate columns (never combined - ICD 203) and a change-indicator stating what would shift it. Order by decision-relevance. Note: the ICD 203 likelihood term here describes the analytic judgment; the 1–5 likelihood in the risk register (§6–§12) is the scoring input - keep the two distinct and consistent (see §5 for the mapping).

#Key JudgmentLikelihoodAnalytic ConfidenceChange Indicator (what would shift it)
KJ-1[e.g., Overall supply-chain risk is assessed [BAND] over the [horizon], driven primarily by [domain/node/corridor]][ICD 203 term][HIGH/MOD/LOW][ ]
KJ-2[e.g., The highest residual risk to the client’s supply continuity is [risk], scored [residual L×I]][ ][ ][ ]
KJ-3[e.g., The dominant disruption pathway is [pathway], turning on [pivotal event/indicator]][ ][ ][ ]
KJ-4[e.g., Risk in [domain] is [stable/rising/falling] because [driver]][ ][ ][ ]
KJ-5[e.g., The rating trajectory is [improving/stable/deteriorating/volatile], pending [pivotal event/indicator]][ ][ ][ ]

4. Priority Intelligence Requirements (PIRs)

Collection-management spine for a supply-chain risk product: PIR → risk-domain → indicator → source. State each PIR, the answer, key evidence, and analytic confidence. Each PIR maps to one or more risk domains. Summarize in the matrix.

  • PIR-1 - Architecture & critical node risk: Where are the single-points-of-failure, concentration risks, and critical dependencies in the client’s supply chain, and what is their vulnerability over the horizon? [Answer / evidence / confidence]
  • PIR-2 - Supplier / vendor / tier-N risk: Which suppliers, vendors, or sub-tier sources pose unacceptable financial, operational, quality, or integrity risk, and what is their resilience to disruption? [ ]
  • PIR-3 - Logistics corridor & chokepoint risk: Which corridors, transit routes, ports, border crossings, or inland logistics nodes are most exposed to disruption, and what is the likely impact? [ ]
  • PIR-4 - Ports, borders & customs clearance risk: What is the risk of customs delays, border closures, inspection hold-ups, or regulatory non-compliance at the key entry/exit nodes, and what is the clearance reliability? [ ]
  • PIR-5 - Inventory & continuity risk: Is the current inventory buffer, stock level, and production lead-time adequate to absorb the plausible disruption scenarios, and where are the critical shortages? [ ]
  • PIR-6 - Technology, data & cyber supply chain risk: What is the exposure to cyber attack, OT/IT disruption, data breach, IP theft, or technology dependency within the chain, and what is the supplier cyber hygiene posture? [ ]
  • PIR-7 - Regulatory & trade compliance risk: What sanctions, tariff, export-control, embargo, forced-labour, or trade-policy developments affect the chain, and what is the compliance risk to the client? [ ]
  • PIR-8 - Trajectory & inflection: Where is overall supply-chain risk heading over the horizon, and what events/indicators would mark a step-change in the rating? [ ]
PIRRisk Domain(s)Answer (summary)ConfidenceKey Gap
PIR-1Architecture[ ][H/M/L][ ]
PIR-2Supplier/Tier-N[ ][H/M/L][ ]
PIR-3Logistics Corridors[ ][H/M/L][ ]
PIR-4Ports/Borders/Customs[ ][H/M/L][ ]
PIR-5Inventory/Continuity[ ][H/M/L][ ]
PIR-6Tech/Cyber[ ][H/M/L][ ]
PIR-7Regulatory/Trade[ ][H/M/L][ ]
PIR-8Trajectory[ ][H/M/L][ ]

5. Risk Framing, Taxonomy & Methodology

The load-bearing methodology section for a scored product - state the rules before any score appears so the rating is transparent and reproducible. Define, in order:

  • Client exposure & risk lens. What the client has at risk (continuity of supply / production / revenue / reputation / compliance) and therefore the lens through which impact is scored. Risk is scored as risk TO THIS CLIENT’s supply chain, not as generic supply-chain risk in the abstract - state this explicitly.
  • Supply chain scope. The chains, nodes, corridors, tiers, and geographies assessed; any excluded segments and why.
  • Risk taxonomy. The risk domains used (this template uses seven - §6–§12 - which map to standard Supply Chain Risk Management (SCRM) categories: Architecture & Critical Nodes; Supplier / Tier-N; Logistics Corridors & Chokepoints; Ports, Borders & Customs; Inventory & Continuity; Technology & Cyber; Regulatory & Trade Compliance. Note any domain de-emphasised or added for this engagement and why.
  • Scoring scales. Likelihood (1–5) and Impact (1–5) → inherent score (1–25); the band key; and the inherent → mitigation → residual logic. Impact is scored against the client’s exposure (e.g., production days lost, revenue at risk, reputational damage, regulatory penalty), not against abstract notions of disruption. State how the 1–5 likelihood relates to the ICD 203 estimative bands used in the Key Judgments (the mapping table below).
  • Inherent vs. residual risk. Inherent = before client/existing mitigations (e.g., dual sourcing, safety stock, contracts with force majeure clauses); residual = after accounting for mitigations in place. Where the client has not yet implemented a stated mitigation, do not credit it.
  • Risk tolerance frame. The rating is objective (the firm’s assessment of risk level); the client’s risk appetite/tolerance is recorded as context for interpreting it, not used to adjust the scores.
  • Relationship to other products. This consumes country-level risk from the Country Risk Assessment for each jurisdiction in the chain; draws on supplier integrity data from Vendor & Third-Party Integrity Vetting and Enhanced Due Diligence where available; and feeds Country-Entry Risk, Market-Entry Risk, and Continuous Country Risk Monitoring.
  • Principal coverage constraints. Access, client-data completeness, supplier transparency, proprietary restrictions on trade/shipping data.
Framing ElementContent
Client exposure & risk lens[Continuity of supply / production / revenue / reputation / compliance - and the dominant exposure]
Supply chain(s) / network assessed[Geographic, tier, commodity/product scope]
Risk horizon[6 / 12 / 24 months]
Risk domains scored (taxonomy)[Seven default domains; note additions/de-emphasis and why]
Inherent vs. residual basis[Existing mitigations credited / not yet implemented - rules for crediting]
Client risk tolerance (context only)[e.g., Low / Moderate / High appetite - recorded, not used to adjust scores]
Relationship to other products[Consumes Country Risk / Vendor Integrity Vetting / Enhanced Due Diligence / feeds Operational Risk / Market-Entry Risk / Continuous Country Risk Monitoring / standalone]
Principal coverage constraints[Access, client-data completeness, supplier transparency, proprietary data limits]

Likelihood (1–5) ↔ ICD 203 mapping (apply consistently):

ScoreLikelihood (1–5)Approx. ICD 203 band
1Remotealmost no chance / very unlikely (01–20%)
2Unlikelyunlikely (20–45%)
3Possibleroughly even chance (45–55%)
4Likelylikely (55–80%)
5Almost certainvery likely / almost certain (80–99%)

Impact (1–5), scored against client exposure: 1 Negligible · 2 Minor · 3 Moderate · 4 Major · 5 Severe/Catastrophic. Define each band concretely for this client in the source annex (e.g., what a “Major” continuity vs. financial vs. reputational impact means for this supply chain).

6. Supply Chain Architecture & Critical Node Risk

Risk to the client from the architecture of the supply chain itself: single-points-of-failure (single source, single site, single corridor, single port); concentration risk (geographic, supplier, logistics provider); dependency on hard-to-substitute inputs, components, or services; hub-and-spoke network vulnerability; and the effect of network complexity, fragmentation, or opacity on risk visibility. This section maps the chain - the analyst should include a conceptual node-and-flow diagram or table in the report. Country-level risk from the Country Risk Assessment for each jurisdiction is consumed here; this section scores how that country risk materialises for the client’s specific supply nodes.

Sub-RiskDriver / BasisLikelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Single-source / single-site dependency[ ][1–5][1–5][ ][ ][ ][↑/→/↓][H/M/L][A–F/1–6]
Geographic / supplier concentration[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Hard-to-substitute input dependency[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Hub-and-spoke / network node vulnerability[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Complexity / opacity risk[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Architecture risk assessment: [Synthesis - the net architectural risk picture, the dominant single-point-of-failure, and the concentration that most drives the rating.]

7. Supplier / Vendor / Tier-N Risk

Risk arising from the client’s supplier base (direct, tier-1, and critical sub-tier/tier-N): supplier financial health and bankruptcy risk; operational and quality dependence; sole- or limited-source dependency; geopolitical and integrity risk of specific suppliers (sanctions, forced-labour, corruption exposure, adverse ownership); supplier concentration across a single geography or market; and risk of reputational or regulatory contagion through the chain. Where deeper supplier due diligence is available via Vendor & Third-Party Integrity Vetting or Enhanced Due Diligence, consumes those findings by reference; this section scores the aggregated supplier-layer risk to the chain, not a de novo integrity screen of each supplier.

Sub-RiskDriver / BasisLikelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Supplier financial / bankruptcy risk[ ][1–5][1–5][ ][ ][ ][↑/→/↓][H/M/L][A–F/1–6]
Operational / quality dependency[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Geopolitical / integrity risk (specific suppliers)[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Tier-N / sub-tier visibility & risk[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Reputational / regulatory contagion risk[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Supplier risk assessment: [Synthesis - net supplier-layer risk, the highest-concern supplier(s) or concentration, and the financial/operational vulnerability that most drives the rating.]

8. Logistics Corridors, Chokepoints & Transit Risk

Risk to the client from the logistics corridors and transit routes through which goods move: chokepoint exposure (maritime straits, canals, mountain passes, bridges, tunnels, rail heads); corridor security risk (piracy, theft, convoy attack, sabotage, civil unrest); corridor regulatory and political risk (border closures, transit-bans, sanctions on carriers or routes); corridor infrastructure reliability (road/rail/pipeline condition, capacity constraints, seasonal disruption); and multi-modal transfer risk (break-of-bulk points, transshipment hubs). Consumes country-level security and infrastructure risk from the Country Risk Assessment for each transit jurisdiction; scores it specifically against this client’s logistics flow.

Sub-RiskDriver / BasisLikelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Chokepoint exposure (maritime / land / air)[ ][1–5][1–5][ ][ ][ ][↑/→/↓][H/M/L][A–F/1–6]
Corridor security risk (theft / piracy / attack / unrest)[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Corridor regulatory / political risk[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Infrastructure reliability / capacity constraints[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Multi-modal / transshipment transfer risk[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Logistics corridor risk assessment: [Synthesis - net corridor/chokepoint risk profile, the most exposed transit segment, and the chokepoint or disruption pathway that most drives the rating.]

9. Ports, Borders & Customs Clearance Risk

Risk to the client at the entry/exit nodes: port and border-crossing congestion, capacity, and labour-disruption risk; customs clearance delays, inspection rates, and documentary compliance risk; tariff, quota, or trade-remedy actions affecting goods at the border; border-security or health/biosecurity measures causing hold-ups; sanctions or embargo screening at the border; and the risk of seizure, detention, or forfeiture. Consumes the ports, borders, and customs infrastructure baseline from the Country Risk Assessment for each relevant jurisdiction; scores it against this client’s specific port/border dependency and clearance profile.

Sub-RiskDriver / BasisLikelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Congestion / capacity / labour disruption[ ][1–5][1–5][ ][ ][ ][↑/→/↓][H/M/L][A–F/1–6]
Customs clearance delay / documentary non-compliance[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Tariff / quota / trade-remedy action[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Border-security / biosecurity / health-measure hold-up[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Seizure / detention / forfeiture risk[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Ports, borders & customs risk assessment: [Synthesis - net border/clearance risk profile, the most exposed entry node, and the regulatory or congestion factor most driving the rating.]

10. Inventory, Capacity & Continuity Risk

Risk to the client from inventory and production-capacity exposure: inventory buffer adequacy against plausible disruption scenarios; lead-time dependency (single-source long-lead items, sea vs. air freight substitution feasibility); production capacity concentration and redundancy; stock-out risk for critical inputs, maintenance items, or finished goods; dependency on seasonal, perishable, or hard-to-store commodities; and the feasibility and cost of alternative sourcing or production. Assess the current buffer and capacity posture against the disruption scenarios identified in §6–§9.

Sub-RiskDriver / BasisLikelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Inventory buffer adequacy vs. disruption scenarios[ ][1–5][1–5][ ][ ][ ][↑/→/↓][H/M/L][A–F/1–6]
Long-lead / hard-to-substitute dependency[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Production capacity concentration / redundancy[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Stock-out risk for critical inputs[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Alternative sourcing / production feasibility[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Inventory & continuity risk assessment: [Synthesis - net buffer and capacity risk, the most critical shortfall scenario, and the substitution or stock-out factor most driving the rating.]

11. Technology, Data & Cyber Supply Chain Risk

Risk to the client from technology, data, and cyber dependencies within the supply chain: OT/IT integration and vulnerability at supplier sites and logistics nodes; software, firmware, or hardware supply chain integrity (counterfeit, tampered, or compromised components); data flows, data-sharing, and data-protection compliance across the chain; supplier and logistics-provider cyber hygiene and breach history; IP theft, reverse-engineering, or technology-diversion risk at any node; and dependency on proprietary or single-source technology inputs. This section flags risk for further investigation; it is not a cyber-security assessment of the client’s systems or a penetration test.

Sub-RiskDriver / BasisLikelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
OT/IT integration & supplier-system vulnerability[ ][1–5][1–5][ ][ ][ ][↑/→/↓][H/M/L][A–F/1–6]
Software / hardware supply chain integrity[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Data flow / data-protection compliance risk[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Supplier / logistics-provider cyber hygiene[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
IP theft / technology-diversion risk[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Technology & cyber supply chain risk assessment: [Synthesis - net cyber/technology exposure, the highest-impact vulnerability, and the data or integrity factor most driving the rating.]

12. Regulatory & Trade Compliance Risk

Risk to the client from regulatory and trade compliance exposure in the supply chain: sanctions, embargoes, and export-control restrictions affecting the chain (jurisdictions, counterparties, goods, end-uses); tariff and trade-policy risk (escalation, retaliation, quota imposition, trade-war disruption); forced-labour, modern-slavery, conflict-minerals, and human-rights due diligence obligations; customs valuation and classification risk; foreign-concentration and dual-use risks; and the compliance burden and penalty exposure from failure at any node. This is risk identification, not legal or trade-compliance advice - flag exposures for the client’s counsel and compliance officers.

Sub-RiskDriver / BasisLikelihood (1–5)Impact (1–5)Inherent (L×I)Existing MitigationResidualTrendConfidenceSource Grade
Sanctions / embargoes / export controls[ ][1–5][1–5][ ][ ][ ][↑/→/↓][H/M/L][A–F/1–6]
Tariff / trade-policy / trade-war risk[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Forced-labour / human-rights / ESG due diligence[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Customs valuation / classification risk[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]
Dual-use / strategic-goods / end-use risk[ ][ ][ ][ ][ ][ ][ ][H/M/L][ ]

Regulatory & trade compliance risk assessment: [Synthesis - net compliance exposure, the jurisdiction/commodity under the most regulatory pressure, and the item most requiring counsel determination.]

13. Consolidated Risk Register & Heat Map

Aggregate every scored sub-risk from §6–§12 into one ranked register, ordered by residual score, so the client sees the whole supply-chain risk picture and the priorities in one place. The heat map plots the distribution across the 5×5 grid. This is the analytic spine of the product - the domain sections build the scores; this section ranks and visualises them.

RankRiskDomain (§)Inherent (L×I)Existing MitigationResidual (L×I)BandTrendConfidence
1[ ][§][ ][ ][ ][Low/Mod/Elev/High/Crit][↑/→/↓][H/M/L]
2[ ][§][ ][ ][ ][ ][ ][H/M/L]
3[ ][§][ ][ ][ ][ ][ ][H/M/L]
[ ][§][ ][ ][ ][ ][ ][H/M/L]

Residual-risk heat map (plot each risk’s residual L×I; cell = count or risk IDs):

Impact ↓ / Likelihood →1 Remote2 Unlikely3 Possible4 Likely5 Almost certain
5 Severe[ ][ ][ ][ ][ ]
4 Major[ ][ ][ ][ ][ ]
3 Moderate[ ][ ][ ][ ][ ]
2 Minor[ ][ ][ ][ ][ ]
1 Negligible[ ][ ][ ][ ][ ]

Register note: [The concentration in the register/heat map - where the residual risk clusters, the count above the client’s tolerance line, and the single risk most driving the rating.]

14. Overall Supply Chain Risk Rating & Trajectory

The headline rating and where it is heading. Derive the overall rating from the domain scores (state the aggregation logic - e.g., weighted by the client’s supply-chain exposure, not a naive average; the highest-impact residual risks dominate). Give the per-domain summary scores, the aggregate rating and band, and the rating trajectory with likelihood and confidence stated separately. Identify the structural and proximate drivers pushing the rating up or down and the pivotal indicators/events that would mark a step-change.

Domain (§)Domain Risk SummaryPeak Residual Sub-RiskDomain BandTrend
Architecture / Critical Nodes (§6)[ ][ ][Low/Mod/Elev/High/Crit][↑/→/↓]
Supplier / Tier-N (§7)[ ][ ][ ][ ]
Logistics Corridors (§8)[ ][ ][ ][ ]
Ports / Borders / Customs (§9)[ ][ ][ ][ ]
Inventory / Continuity (§10)[ ][ ][ ][ ]
Technology / Cyber (§11)[ ][ ][ ][ ]
Regulatory / Trade (§12)[ ][ ][ ][ ]
Trajectory PathDescriptionLikelihoodAnalytic ConfidenceKey Watch Indicators
Most likely[ ][ICD 203 term][HIGH/MOD/LOW][ ]
Most dangerous (rating step-up)[ ][ICD 203 term][HIGH/MOD/LOW][ ]
Improving / de-escalation[ ][ICD 203 term][HIGH/MOD/LOW][ ]

Overall rating judgment: [The aggregate rating, its band, the aggregation logic, the principal drivers, and the trajectory - the figures used in the BLUF and Snapshot. Cross-reference the pivotal indicators to §16.]

15. Key Findings Summary

Consolidated register of the load-bearing findings behind the scores, each graded by evidentiary status and confidence so the reader can see what is established vs. assessed vs. contested. Materiality flags the findings that most drive the rating.

#FindingStatusConfidenceMateriality
1[ ][Established / Assessed / Contested][H/M/L][ ]

16. Risk-Escalation & Early-Warning Indicators

The supply-chain risk analog of a red-flag register: specific, observable indicators whose movement would signal a residual-risk score rising (or a new risk emerging) - the tripwires the client’s supply-chain risk management team should monitor. Each indicator is tied to the risk/domain it bears on, the score-change it would signal, a severity, and a disposition (watch / notify client / re-score / route to a deeper product or sibling). These feed Continuous Country Risk Monitoring and any I&W program.

#Indicator (observable)Risk / Domain (§)Score-Change SignalledSeverityCurrent StatusDisposition
1[ ][ ][e.g., Supplier/Tier-N residual 12→16][Crit/High/Med/Low][Not present / Emerging / Present][Watch / Notify client / Re-score / Route to Vendor Integrity Vetting / Enhanced Due Diligence / Continuous Counterparty Monitoring / Country Risk / Operational Risk / Continuous Country Risk Monitoring]

Severity definitions: Critical - would push the overall rating into a higher band and warrants immediate client notification (e.g., supplier bankruptcy filing, border closure, sanctions designation of a key node, outbreak of conflict in a sourcing region). High - would materially raise a domain score and warrants prompt notification. Medium - significant development requiring a re-score. Low - note and monitor.

17. Risk Treatment & Mitigation Options (Advisory)

Advisory, analytic options that would reduce residual risk - mapped to the ranked risks in §13, by the standard treatment categories (avoid / reduce / transfer / accept). This is direction and category only, not an operational supply-chain plan: it states what kind of measure would lower a given residual score and roughly how much, and routes implementation to the appropriate separately scoped product (supply-chain transformation, procurement strategy, logistics relocation, inventory strategy, trade-compliance program, insurance/risk transfer). Do not write operational procurement, inventory, or logistics TTPs here.

Ranked Risk (§13)Treatment CategoryAdvisory Option (direction only)Expected Residual EffectImplementation Route (separate product)
[ ][Avoid / Reduce / Transfer / Accept][ ][e.g., residual 16→10 if adopted][Supply-chain transformation / Procurement strategy / Logistics relocation / Inventory strategy / Trade-compliance program / Insurance / Operational Risk Assessment / Enhanced Due Diligence / Continuous Monitoring]

Treatment note: [The highest-leverage risk reductions available, what residual risk remains after plausible mitigation (the irreducible floor), and the items that must go to qualified legal, trade-compliance, procurement, logistics, and insurance advisers. Reiterate that this is advisory, not an operational supply-chain plan.]

18. Analysis of Competing Hypotheses (ACH)

Apply to the central supply-chain risk judgment - typically the trajectory of the overall rating (e.g., risk holds at the current band vs. escalates a band vs. de-escalates over the horizon), or the single most consequential and contested sub-risk (e.g., whether a dominant supplier is financially viable, whether a corridor is sustainable). State the competing hypotheses, array the diagnostic evidence for/against each, and identify the most consistent explanation and what evidence would overturn it. Use ACH to discipline the rating against confirmation bias and against the client’s operational preference; do not pad the apparatus where the evidence is one-sided - say so and close.

Evidence / IndicatorH1: [Risk holds at current band]H2: [Risk escalates a band]H3: [Risk de-escalates]
[ ][C/I/N][C/I/N][C/I/N]

(C = consistent · I = inconsistent · N = neutral.) Most consistent hypothesis: [ ] - [rationale + the diagnostic evidence that would overturn it].

19. Key Assumptions Check (KAC)

The assumptions underpinning the scores and the rating - about data reliability, the durability of current supply-chain configurations, the credit given to existing mitigations, the client’s supply-chain data completeness, the absence of exogenous shock, and the stability of the regulatory environment - each with its basis, confidence, and the impact on the rating if it proves wrong. Linchpin assumptions (those that, if wrong, move the rating a band) are flagged.

#AssumptionBasisConfidenceImpact if WrongLinchpin?
1[e.g., Client-supplied supply-chain data (supplier lists, volumes, lead times) are accurate and current][ ][H/M/L][ ][Y/N]
2[e.g., Existing mitigations credited in the residual scores are in place and effective][ ][ ][ ][ ]
3[e.g., Current supplier relationships and logistics contracts remain in force without major renegotiation][ ][ ][ ][ ]
4[e.g., No major exogenous shock (conflict, pandemic, natural disaster, sanctions escalation, trade-war escalation) intervenes][ ][ ][ ][ ]

20. Collection Gaps & RFIs

Where coverage is thin or contested, the impact on the scores/rating, the collection that would close the gap, and where to escalate. Supply-chain risk product gaps are typically client-data completeness, supplier transparency, tier-N visibility, proprietary trade/shipping data access, contested information in sourcing jurisdictions, or a domain needing a deeper or sibling product.

GapDomain (§)Impact on RatingRecommended CollectionEscalation TargetPriority
[ ][ ][ ][ ][Country Risk Assessment / Vendor Integrity Vetting / Enhanced Due Diligence / Continuous Counterparty Monitoring / Operational Risk / In-country HUMINT / Monitoring][H/M/L]

21. Assessment & Recommendations

21.1 Supply Chain Risk Assessment

Overall assessment of supply-chain risk to the client - the headline rating and band, the trajectory, the domains, nodes, and corridors that most drive it, the most consequential uncertainties, and the implications for the client’s stated exposure and purpose. State the figures used in the BLUF and Snapshot, and the coverage/confidence caveats that bound them. Be explicit about the irreducible residual risk that remains even after plausible mitigation.

[ASSESSMENT]

21.2 Recommendations

  • For decision-makers / principals: [What the rating means for the client’s stated purpose (supply-chain resilience posture, diversification decisions, investment in buffer or alternative sourcing, insurance, board risk register); the planning assumption the assessment supports; the conditions under which it should be revisited.]
  • For supply-chain / procurement / logistics operators: [The priority residual risks to treat, the highest-leverage mitigations (by category, per §17), and the indicators to put under watch.]
  • For analysts (next intelligence steps): [Which domains or sub-risks warrant a deeper or sibling product, which suppliers/corridors/nodes warrant deeper due diligence (Vendor Integrity Vetting, Enhanced Due Diligence, Continuous Counterparty Monitoring), which watch indicators to track, and the recommended re-score cadence.]
  • Escalations / downstream products: [Items routed to the Country Risk Assessment for deeper country-level baseline, Country-Entry Risk, Market-Entry Risk, K&R Risk for specific corridor/personnel threat, Continuous Country Risk Monitoring, or specific due diligence on a supplier/counterparty (Vendor Integrity Vetting, Enhanced Due Diligence, Continuous Counterparty Monitoring).]
  • Conditions for reliance / refresh: [The perishability window and the indicators/events (per §16) that should trigger a re-score before reliance on this rating.]

22. Annex A - Sources & Methodology

Collection methods and scope; the source register graded with the Admiralty two-axis code; the reference scales (below); statement of the likelihood-vs-confidence separation and the 1–5 ↔ ICD 203 mapping; the risk taxonomy and scoring methodology (inherent → mitigation → residual; impact scored against client supply-chain exposure; aggregation logic for the overall rating); the frameworks applied (SCRM taxonomy mapping to PMESII-PT for each jurisdiction; node-and-flow analysis structure); coverage and currency limitations (access, client-data completeness, supplier transparency, proprietary trade/shipping data limits, contested information environment in sourcing jurisdictions); and the treatment of official trade statistics, customs data, and state-controlled media as potentially self-interested or subject to reporting lags and corroborated against independent sources.

Source reliability (Admiralty, A–F): A Completely reliable · B Usually reliable · C Fairly reliable · D Not usually reliable · E Unreliable · F Reliability cannot be judged.

Information credibility (Admiralty, 1–6): 1 Confirmed by other sources · 2 Probably true · 3 Possibly true · 4 Doubtful · 5 Improbable · 6 Truth cannot be judged. (Each sourced datum carries a two-character grade, e.g., B2.)

Estimative probability / likelihood (ICD 203): almost no chance / remote (01–05%) · very unlikely (05–20%) · unlikely (20–45%) · roughly even chance (45–55%) · likely (55–80%) · very likely (80–95%) · almost certain (95–99%).

Analytic confidence (evidence base - kept separate from likelihood): HIGH (multiple independent reliable sources, primary documentation, no significant contradiction) · MODERATE (some corroboration, gaps, minor unresolved inconsistency) · LOW (single/uncorroborated source, significant gaps, plausible alternatives open). Never combine a likelihood term and a confidence level in the same sentence.

Risk scoring (the load-bearing scale of this product): Likelihood (1–5) × Impact (1–5) = 1–25; band key: 1–5 Low · 6–10 Moderate · 11–15 Elevated · 16–20 High · 21–25 Critical. Likelihood is scored 1 Remote / 2 Unlikely / 3 Possible / 4 Likely / 5 Almost certain (mapped to ICD 203 bands in §5). Impact is scored 1 Negligible / 2 Minor / 3 Moderate / 4 Major / 5 Severe, against the client’s defined supply-chain exposure (define each band concretely for this client below). Inherent score is before existing mitigations; residual score credits mitigations assessed to be in place and effective. The overall supply-chain risk rating is derived from the domain residual scores weighted by the client’s exposure (state the weighting), not a naive average.

Coverage confidence (product-level): HIGH (strong access, diverse independent sources across all domains, current client data, low contested-information distortion) · MODERATE (adequate coverage with gaps in some domains, partial access, some reliance on client-provided data without independent verification, some contested-sourcing jurisdictions) · LOW (significant access/language barriers, thin or heavily contested sourcing, major gaps in client data, material domains under-covered, currency degraded).

Impact-band definitions (client-specific - complete for this engagement): [Define what Negligible/Minor/Moderate/Major/Severe mean concretely for each exposure type the client holds - e.g., days of production lost, revenue at risk, reputational damage, regulatory penalty, safety of supply-chain personnel.]

Analytic-framework note: The assessment scores risk to the client’s defined supply-chain exposure across a seven-domain taxonomy (Architecture & Critical Nodes / Supplier & Tier-N / Logistics Corridors & Chokepoints / Ports, Borders & Customs / Inventory & Continuity / Technology & Cyber / Regulatory & Trade Compliance) mapped to standard SCRM categories. The collection logic is PIR → risk-domain → indicator → source. Scores are structured analytic judgments calibrated to the stated scales, not measurements; the rating is independent and policy-neutral per ICD 203 and is not adjusted to suit a client-preferred answer.

Searched sources (record source type, provider/title, as-of date, coverage scope, limitations, and any self-interest/reliability caveat): [TABLE]

23. Annex B - Appendices

  • Appendix A - Client Supply-Chain Exposure Profile: the nodes, corridors, suppliers, tiers, commodities, and geographies at risk, as the basis for impact scoring.
  • Appendix B - Supply Chain Node-and-Flow Map: conceptual diagram or table of the assessed chain with critical nodes identified.
  • Appendix C - Full Scored Risk Register: the complete §6–§13 register with inherent score, mitigation, residual score, trend, confidence, and source grade for every sub-risk.
  • Appendix D - Risk Heat Maps: inherent and residual 5×5 distributions, and per-domain heat maps.
  • Appendix E - Risk-Escalation & Early-Warning Matrix: the §16 indicators with current status, score-change signalled, and monitoring notes.
  • Appendix F - Treatment & Mitigation Register: the §17 advisory options with treatment category, expected residual effect, and implementation route.
  • Appendix G - Scoring Methodology & Scale Definitions: the likelihood/impact scales, client-specific impact-band definitions, inherent/residual logic, and the overall-rating aggregation/weighting rule.
  • Appendix H - Country Risk Baseline Reference: pointer to the Country Risk Assessment for each jurisdiction, and any compressed country-risk picture used as input where the parent product was not commissioned.
  • Appendix I - Supplier Integrity Screen Reference: pointer to Vendor & Third-Party Integrity Vetting and Enhanced Due Diligence findings consumed by reference, where available.
  • Appendix J - Full Source Register: every source, Admiralty grade, access date, reference, and any coverage/limitation note.
  • Appendix K - Glossary & Abbreviations.
  • Appendix L - Revision History.

END OF REPORT.

Verification disclaimer: This supply chain & logistics risk assessment is a point-in-time, purpose-scored analytic rating based on open, licensed, and lawfully accessed sources current as of the baseline date, supplemented by client-provided supply-chain data taken in good faith; it is not legal, trade-compliance, insurance, procurement, or logistics-operations advice, a vendor or credit rating, or a guarantee of supply continuity. The risk scores are the firm’s independent, policy-neutral structured analytic judgments calibrated to the stated scales - an aid to prioritisation, not precise measurements or actuarial probabilities. Risk-treatment content is advisory and is not a supply-chain transformation plan, procurement strategy, logistics relocation plan, inventory strategy, trade-compliance program, or business-continuity plan. Supply-chain conditions are perishable - scores are time-sensitive and should be re-verified against current reporting before any consequential or time-critical decision. Official trade statistics, customs data, and state-controlled sources were treated as potentially self-interested or subject to reporting lags and were corroborated where possible. No classified, unlawfully obtained, or out-of-licence material was used in the production of this report.

Document control footer: [REF-YYYY-### · Version · Classification/TLP · Prepared/Reviewed/Approved · Distribution].

Model wiring

Generated from cell frontmatter at publish time.