
What Is Supplier Risk? A Practical Guide for Procurement Teams

By Alexander Jaiyesimi MSc MCIPS, Founder, SupplierSense

Published: SupplierSense Knowledge Centre · Read time: 12 minutes · Last Updated: June 2026

Introduction

For most of the past twenty years, supplier risk sat within the procurement function as a defensive discipline, a checklist exercise tied to onboarding, refreshed annually, and largely invisible to the rest of the business. That has changed. Supplier risk is now a board-level concern, and the procurement function is increasingly expected to provide the evidence explaining why.

The reason is straightforward. The past decade has given procurement leaders an uncomfortable run of case studies. Carillion entered compulsory liquidation on 15 January 2018, six months after the first of three profit warnings. Greensill Capital collapsed in March 2021. Wilko entered administration in August 2023. ISG, the UK construction group, filed for administration in September 2024, exposing live public-sector projects.

What links these cases is not that the warning signs were invisible. It is that they were visible but dispersed. They were spread across Companies House filings, regulatory disclosures, news reports, credit data, and director changes, which few procurement teams had the time, tools, or mandate to monitor systematically.

This article is a practical guide for procurement teams who want to take supplier risk seriously without drowning in spreadsheets. It explains what supplier risk means, why it has become a board-level priority, the five categories every procurement function should monitor, the warning signs that matter most, and a framework you can apply this quarter.

It is written from the perspective of fourteen years in enterprise procurement, building supplier governance programmes, conducting due diligence on complex supplier portfolios, and observing what works and what doesn't.

Key takeaway

Supplier failures rarely occur without warning. The challenge for procurement teams is identifying and acting on the right signals early enough.

What Is Supplier Risk?

At its simplest, supplier risk is the probability that a supplier will fail to perform as expected, and the impact that such a failure would have on your organisation. That definition sounds obvious. The harder part is making it operational.

In practice, three terms are used interchangeably, but they describe different things.

Supplier risk refers to the exposure posed by an individual supplier: its financial health, operational reliability, regulatory standing, ESG conduct and ownership structure. It is the unit of analysis closest to the procurement function.

Third-party risk is broader. It includes suppliers and extends to vendors, contractors, agents, distributors, joint-venture partners and any external party your organisation depends on. Most third-party risk frameworks originated outside procurement, particularly in financial services, and tend to place greater emphasis on regulatory and operational categories.

Supply chain risk is even broader. It captures supplier and third-party risk, as well as the upstream tiers (your suppliers' suppliers) and the dependencies, chokepoints and geographic concentrations embedded in the broader network.

Procurement teams typically own the supplier risk lens directly, contribute to the third-party risk lens, and influence the supply chain risk lens through category and sourcing strategies.

For the rest of this article, we focus on supplier risk, the direct exposure arising from the suppliers your organisation contracts with, because that is where procurement teams have the most direct levers, the most data, and the most accountability.

Why Supplier Risk Matters More Than Ever

Four forces have moved supplier risk up the board agenda over the past five years.

Regulation has expanded. In the UK, the Modern Slavery Act 2015 introduced a transparency-in-supply-chains obligation under section 54, which applies to commercial organisations with an annual turnover of £36m or more. The Procurement Act 2023 came into force on 24 February 2025 and introduced expanded grounds for exclusion and debarment for public-sector suppliers. The EU's Corporate Sustainability Due Diligence Directive (CSDDD), adopted in 2024, will require many large companies to identify, prevent, and account for human rights and environmental impacts across their value chains, with phased application starting in 2027.

ESG expectations have hardened. Investors, regulators and customers increasingly expect evidence, not assertions, that suppliers meet the standards a buying organisation claims to uphold. Scope 3 emissions reporting has forced procurement to engage with supplier sustainability at a level of granularity that did not previously exist.

Global supply chains are exposed. Geopolitical fragmentation, sanctions, conflict, climate disruption and pandemic aftershocks have made geographic concentration a board-level question. Many procurement teams have discovered, often the hard way, that they could not quickly answer questions about their exposure to a particular jurisdiction or supplier.

Reputational exposure has increased. A modern slavery allegation, a sanctions breach, a tribunal judgment or an environmental prosecution against a key supplier is no longer a procurement matter. It is now a brand issue, a regulatory issue and increasingly a customer-retention issue.

The net effect is that the supplier risk function is being asked to do more with the same resources, in a regulatory environment that no longer tolerates the answer "we sent them a questionnaire".

The Five Types of Supplier Risk Every Procurement Team Should Monitor

Most procurement teams already know they should monitor supplier risk. The harder question is which risks to monitor. Useful frameworks distinguish at least five categories.

Financial Risk

This is the category that procurement leaders most often underestimate, because by the time financial distress becomes publicly visible, it is often late in the cycle. Key indicators include:

• Late filing of statutory accounts at Companies House

• Profit warnings or revised guidance

• Material changes in credit ratings or credit insurer cover

• Deterioration in working capital, cash flow or debt covenants

• County Court Judgments or winding-up petitions

• Changes in the auditor, particularly mid-cycle

Carillion's pre-liquidation period offers a textbook example. The company issued three profit warnings between July 2017 and January 2018, before entering compulsory liquidation on 15 January 2018. The July 2017 warning disclosed an £845m provision against contracts, a signal large enough to warrant immediate action by buying organisations on the supplier side.

Operational Risk

Operational risk captures the supplier's ability to deliver reliably at the expected quality and under expected conditions. Indicators include:

• Capacity constraints or workforce reductions

• Geographic disruption (conflict, natural disaster, infrastructure failure)

• Cyber incidents or data breaches

• Loss of key certifications such as ISO 9001, ISO 27001 or sector-specific licences

• Significant senior leadership turnover

• Business continuity test failures

Cyber risk, in particular, has become the most visible sub-category of operational risk. A ransomware incident at a Tier 1 supplier can halt downstream delivery within days.

ESG and Sustainability Risk

ESG risk has become harder to delegate. It covers:

• Modern slavery exposure in the supplier's own operations or upstream tiers

• Carbon reporting accuracy and Scope 3 contribution

• Environmental prosecutions, breaches or improvement notices

• Human rights concerns, including in higher-risk jurisdictions

• Diversity, pay equity and labour practice disputes

• Failure to publish or update a Modern Slavery Act section 54 statement

Under the Modern Slavery Act 2015, in-scope businesses are required to publish an annual statement detailing the steps taken to ensure that modern slavery is not present in their businesses or supply chains. A supplier without an up-to-date statement is a flag worth investigating.

Compliance and Regulatory Risk

Compliance risk encompasses exposure to sanctions, anti-bribery rules, sector-specific regulations, and procurement obligations. Indicators include:

• Inclusion on UK (OFSI), EU, US (OFAC) or UN sanctions lists

• Beneficial ownership links to sanctioned individuals or entities

• Adverse findings under the Bribery Act 2010

• Exclusion or debarment under the Procurement Act 2023

• Regulatory enforcement action, from the FCA, HSE, ICO or sector regulators

• Tax non-compliance disclosures

Sanctions exposure is the most operationally consequential of these because it is binary: a sanctioned supplier cannot be engaged with, regardless of category or value.

Concentration and Dependency Risk

Concentration risk is the most under-monitored category because it is invisible at the individual-supplier level. It only becomes visible at the portfolio level. Key questions include:

• How many of your top 50 suppliers sit in the same geography, sector or ownership group?

• Is any single supplier responsible for more than 20% of a critical category?

• How many sole-source dependencies exist across your strategic categories?

• Are any of your suppliers themselves dependent on a single Tier 2 source?

A high-performing supplier that you cannot easily replace presents a different risk profile to that of a low-performing supplier with three viable substitutes. Procurement teams that segment their portfolios by performance alone, without overlaying concentration, routinely overlook the risks that matter most.

Why Traditional Supplier Due Diligence Often Falls Short

Most procurement teams have a supplier due diligence process. The honest question is how much of that process is genuinely protective and how much is merely procedural reassurance.

The traditional model has three structural weaknesses.

It is point-in-time. Most supplier assessments are conducted at onboarding and, at best, refreshed annually. But supplier risk does not move on an annual cycle. Beneficial ownership changes, profit warnings, sanctions designations, adverse media and director resignations occur continuously and asymmetrically. A supplier that was low risk twelve months ago may not be low risk this morning.

It depends on the supplier's own disclosure. Questionnaires ask suppliers to self-report on financial health, ESG conduct, ownership and compliance. Even when answered in good faith, this is the weakest possible evidentiary basis. Suppliers in distress rarely disclose it. Suppliers with sanctions-adjacent ownership rarely volunteer it.

It is resource-constrained. Most procurement functions cannot devote the same level of due diligence to every supplier. As a result, strategic suppliers receive repeated attention, while a long tail of medium-risk suppliers, often the source of unexpected exposure, receives cursory treatment.

The deeper issue is that the procurement world has changed faster than the procurement toolset. Modern adverse media monitoring, beneficial ownership data, sanctions list integration and continuous financial-signal tracking are available commercially. They are simply not yet standard procurement practice in most organisations.

This is the gap that modern supplier risk intelligence aims to close: not by replacing supplier due diligence, but by surfacing continuous external signals that traditional due diligence cannot, freeing procurement teams to focus their judgement on the suppliers and signals that truly require it.

The Warning Signs Procurement Teams Should Track

Before listing the warning signs, a personal note. During my time managing supplier governance programmes across architecture, engineering and real estate portfolios, I rarely found that supplier failures occurred without warning. The challenge was never access to information. It was connecting fragmented signals quickly enough to act. The signals below are the ones I have seen matter most.


Across major corporate failures, certain signals recur. None is conclusive on its own. The pattern is what matters.

Late or amended accounts filings. Late filings with Companies House, restated accounts, or qualified audit opinions are among the more reliable early indicators of financial stress. They should be flagged automatically across the supplier base.

Profit warnings. Listed suppliers must disclose material changes to expected performance. A first profit warning is a signal. A second is a pattern. A third (Carillion's trajectory) is a crisis.

Changes in beneficial ownership. A change in Persons with Significant Control (PSC) at Companies House can signal restructuring, distress, a foreign capital injection, or a shift in risk profile. Material PSC changes warrant a manual review, not an automated tick.

Director resignations and turnover. Sudden resignations of the CFO, audit committee chair, or finance director are particularly significant. Resignations clustered in time are even more significant.

Adverse media. Litigation, enforcement actions, tribunal findings, HSE notices, ICO breaches and modern slavery allegations are increasingly searchable and aggregatable. The procurement function should not be the last to know.

Regulatory action. FCA investigations, sanctions and designations, debarment under the Procurement Act 2023, environmental prosecutions, and tax-related enforcement are publicly reported and reliable indicators.

Supplier concentration drift. The supplier you onboarded as 8% of a category three years ago may now account for 22% of that category. Concentration drift is invisible without periodic portfolio-level review.

Credit insurance withdrawal. When a major credit insurer reduces or withdraws cover for a supplier, it is often the earliest market signal that the supplier's risk profile has shifted materially.

Payment behaviour deterioration. Suppliers that begin pressing for accelerated payment, aggressively factoring receivables, or pushing back on standard payment terms may be experiencing cash-flow stress.

Statutory notices. County Court Judgments, winding-up petitions, and HMRC notices are publicly recorded and reliably correlate with financial stress.

The procurement function does not need to monitor every signal manually. It needs a framework that ensures the right signals are surfaced, the right escalation occurs, and the right judgement is applied at the right time.

Building a Practical Supplier Risk Framework

A practical supplier risk framework has six components. None is novel. The discipline lies in operating them as a system rather than as separate activities.

Figure 1. The Supplier Risk Framework as a continuous cycle.

  1. Supplier segmentation. Categorise the supplier base by criticality, spend, substitutability and sector risk. Most portfolios fall into roughly four tiers: strategic, important, transactional and tail. Different tiers warrant different levels of monitoring.

  2. Risk assessment. For each tier, define the relevant risk categories and the data sources that will inform them. Strategic suppliers warrant attention across all five risk categories. Tail suppliers may require only sanctions and adverse media screening.

  3. Continuous monitoring. Establish which signals will be monitored continuously rather than on a periodic cycle. At a minimum, sanctions lists, adverse media and beneficial ownership changes should be monitored continuously for any supplier above a defined threshold.

  4. Escalation protocols. Define what a “trigger event” is and who responds. A profit warning, a sanctions designation or a PSC change should trigger a defined response, not an email that sits in someone's inbox.

  5. Governance. Supplier risk should have a named owner, a defined review cadence, and a route into the broader risk and audit committee structures. Procurement should not bear this alone, but should orchestrate it.

  6. Reporting. Risk reporting should be at the portfolio level, not just at the supplier level. The most valuable supplier risk question a procurement director can answer at the board level is: “What is the shape of our supplier risk exposure, and how has it changed this quarter?”
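As an added example (not SupplierSense code or the article's own material), the following Python encodes the escalation and concentration rules from the warning-signs section and the framework above over a constructed event feed: tier-scoped monitoring, a sanctions designation treated as a hard block, profit-warning escalation (signal, pattern, crisis), a PSC change routed to manual review, and the 20% concentration threshold. The supplier names, the "important" and "transactional" tier scopes, and the spend figures are all assumptions.

```python
"""Trigger-event screening for a segmented supplier portfolio (added example,
not SupplierSense code). Rules taken from the article: tier decides which
categories are watched; a sanctions designation blocks regardless of tier;
profit warnings escalate (1 signal, 2 pattern, 3 crisis); a supplier above 20%
of a critical category is a concentration flag. The "important"/"transactional"
scopes and all sample data below are constructed.
"""
from collections import Counter, defaultdict

TIER_SCOPE = {  # strategic: all categories; tail: sanctions + adverse media only
    "strategic": {"financial", "operational", "esg", "compliance", "ownership", "adverse_media"},
    "important": {"financial", "compliance", "ownership", "adverse_media"},  # assumed
    "transactional": {"compliance", "adverse_media"},  # assumed
    "tail": {"compliance", "adverse_media"},
}
CONCENTRATION_LIMIT = 0.20  # share of a critical category, from the article


def escalate_profit_warnings(count):
    """Running count of profit warnings -> the article's escalation wording."""
    return "crisis" if count >= 3 else {1: "signal", 2: "pattern"}[count]


def screen_events(tiers, events):
    """Return {supplier: [escalations]} from time-ordered (supplier, category, signal)."""
    warnings = Counter()
    out = defaultdict(list)
    for supplier, category, signal in events:
        if signal == "sanctions_designation":
            out[supplier].append("BLOCK: sanctions designation")  # binary, any tier
            continue
        if category not in TIER_SCOPE[tiers[supplier]]:
            continue  # not monitored for this tier, so not surfaced
        if signal == "profit_warning":
            warnings[supplier] += 1
            n = warnings[supplier]
            out[supplier].append(f"profit warning #{n}: {escalate_profit_warnings(n)}")
        elif signal == "psc_change":
            out[supplier].append("PSC change: manual review required")
        else:
            out[supplier].append(f"{category}: {signal}")
    return dict(out)


def concentration_flags(spend_by_category):
    """{category: {supplier: spend}} -> {(category, supplier): share} above the limit."""
    flags = {}
    for category, spend in spend_by_category.items():
        total = sum(spend.values())
        for supplier, amount in spend.items():
            if amount / total > CONCENTRATION_LIMIT:
                flags[(category, supplier)] = round(amount / total, 3)
    return flags


# Constructed sample portfolio, event feed and category spend (not real suppliers).
TIERS = {"Acme Build": "strategic", "Bolt Fixings": "tail", "Crane Co": "important"}
EVENTS = [
    ("Acme Build", "financial", "profit_warning"),
    ("Acme Build", "financial", "late_accounts"),
    ("Bolt Fixings", "financial", "late_accounts"),  # tail tier: out of scope
    ("Bolt Fixings", "compliance", "sanctions_designation"),
    ("Acme Build", "financial", "profit_warning"),
    ("Crane Co", "ownership", "psc_change"),
    ("Acme Build", "financial", "profit_warning"),
]
SPEND = {"steelwork": {"Acme Build": 2.2, "Crane Co": 0.8, "Delta Fab": 1.5, "Echo Steel": 5.5}}

if __name__ == "__main__":
    print(screen_events(TIERS, EVENTS))
    print(concentration_flags(SPEND))
```

The tail supplier's late accounts are deliberately not surfaced, showing how segmentation limits the signal volume a lean team must act on, while the sanctions designation is surfaced regardless of tier.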

One earned observation.

The frameworks I have seen succeed in real procurement functions are the ones that survive their first quarter of operational use. Most don't. The most common mistake is over-engineering the documentation and under-engineering the operating discipline. A framework that works is one the team actually uses.

The Future of Supplier Risk Management

Three shifts are already visible in procurement functions that take supplier risk seriously.

From point-in-time to continuous. Annual reassessments are being replaced by continuous monitoring against external data (sanctions, adverse media, beneficial ownership and financial signals), supplemented by lighter-touch supplier engagement for items only the supplier can provide.

From questionnaire-led to intelligence-led. The centre of gravity is shifting away from supplier self-disclosure and towards external, verifiable signals. Questionnaires still have a role, but they are increasingly a complement to intelligence rather than the primary evidence base.

From supplier-level to portfolio-level. The most valuable view of supplier risk is not the score for an individual supplier. It is the shape of the portfolio (concentration, geographic exposure, sector clustering, ownership patterns) and how that shape is changing.

AI and machine learning are part of this picture, but their practical contribution is less dramatic than the marketing language often suggests. The genuine value lies in aggregating, extracting signals and prioritising across thousands of suppliers (work that was previously impossible at scale), not in replacing work that humans were already doing well.

Procurement teams should be cautious of two failure modes: under-investment, which leaves the function exposed to failures that should have been visible; and over-investment in tools that generate more data than the team can act on. The right balance is intelligence that is selective, defensible and operationally useful.

How SupplierSense Helps Procurement Teams

SupplierSense exists to bridge the gap between traditional supplier due diligence and the continuous, intelligence-led approach described in this article.

The platform brings together external supplier intelligence (financial signals, beneficial ownership, sanctions, adverse media, ESG indicators and country risk) into a single view that procurement teams can use to prioritise where attention is needed across their supplier portfolio.

What that means in practice:

• Faster supplier screening at onboarding, without supplier questionnaires

• Continuous risk visibility across the supplier base, not just at refresh cycles

• ESG and sustainability visibility on suppliers that won't or can't complete assessments

• Beneficial ownership indicators that surface ownership changes as they occur

• Adverse media monitoring that catches reputational signals early

• Portfolio-level insights that show the shape of risk, not just individual supplier scores

SupplierSense is built for procurement teams in the construction, engineering, infrastructure, and FM sectors, where supplier portfolios are large, suppliers are operationally critical, and the cost of getting supplier risk wrong is measured in projects, not just procurement KPIs.

Key Takeaways

• Supplier risk is now a board-level concern, and procurement leaders are increasingly expected to evidence it.

• Useful supplier risk frameworks distinguish five categories (financial, operational, ESG, compliance and concentration) and apply each category proportionally to the supplier's importance to the business.

• The largest corporate supplier failures of the last decade had visible warning signs across public data sources. The challenge is not access. The challenge is aggregation, prioritisation and continuous attention.

• Traditional questionnaire-led due diligence has three structural weaknesses: it is point-in-time, relies on supplier disclosure, and is resource-constrained. It is not wrong; it is incomplete.

• The procurement functions that manage supplier risk effectively treat it as a system: segmentation, assessment, continuous monitoring, escalation, governance and portfolio reporting. The discipline lies in the operating cadence, not in the documentation.

• External supplier intelligence has matured to the point that continuous, evidence-led supplier risk monitoring is now operationally feasible, even for lean procurement teams.

Sources

Primary sources consulted in the preparation of this article.

UK Parliament Joint Committee Report

“Carillion” — Second Joint Report of the Business, Energy and Industrial Strategy and Work and Pensions Committees, 16 May 2018.

UK Parliament Treasury Committee

“Lessons from Greensill Capital” — Sixth Report of Session 2021–22, 20 July 2021.

Modern Slavery Act 2015

UK Public General Acts, c.30.

Procurement Act 2023

UK Public General Acts, c.54.

UK Cabinet Office — Transforming Public Procurement

Procurement Act 2023 guidance and implementation timeline.

Bribery Act 2010

UK Public General Acts, c.23.

Companies House — Persons with Significant Control guidance

UK Government guidance on PSC requirements.

Office of Financial Sanctions Implementation (OFSI)

HM Treasury — UK sanctions authority.

Office of Foreign Assets Control (OFAC)

US Department of the Treasury — US sanctions authority.

European Council — Corporate Sustainability Due Diligence Directive

Directive (EU) 2024/1760, adopted 2024.

ISO 20400:2017 — Sustainable Procurement Guidance

International Organization for Standardization.

Financial Conduct Authority (FCA)

UK financial services regulator.

Financial Reporting Council (FRC)

UK regulator for auditors, accountants and actuaries.

See What Supplier Risk Looks Like Across Your Portfolio

Most procurement teams already have the information they need to identify supplier risk. The challenge is bringing it together quickly enough to make informed decisions.
