Common Mistakes in Supplier Risk Management

By: Stefan Gergely - 25 November 2024

Key Takeaways:

  • Around 60% of businesses don’t know all third parties they work with.
  • 73% of companies only assess supplier risks during onboarding or recertification.
  • Even established suppliers pose significant risks to companies.
  • One online fast-fashion retailer lost over £1 billion in market value because it ignored its suppliers’ ESG risks.

Supplier risk management is critical for maintaining a stable and resilient supply chain, no doubt there.

Yet too many companies overlook key aspects of supplier risk management and make mistakes that result in significant supply chain disruptions.

Today, we’ll walk you through five common mistakes companies make and the serious consequences that come with them.

Keep reading to discover what you should watch out for and how to protect your company from preventable risks.

Ignoring Non-Financial Risks

Focusing solely on a supplier’s financial stability while overlooking other critical risks can be a costly mistake.

Yes, the numbers on a balance sheet are important.

But what about risks that don’t appear there—like environmental, ethical, or geopolitical threats?

These are the blind spots that can wreak havoc on your supply chain if left ignored.

Take Boohoo as a cautionary tale.

The fast-fashion retailer overlooked serious environmental, social, and governance (ESG) risks in its supply chain.

When it was exposed that workers in one of its Leicester-based supplier factories were paid less than minimum wage and forced to work in unsafe conditions, the backlash was swift and brutal.

Boohoo lost over £1 billion in market value within days, tarnishing its reputation and prompting an investigation into its practices.

Source: The Guardian

But the worst part is that when the scandal broke, the company admitted it wasn’t sure who was supplying all its garments.

Jaswal Fashions, the factory named in the report, claimed it hadn’t operated there in two years.

Only then did Boohoo’s own investigation reveal that the garments were being made by a completely unknown company using Jaswal’s former premises.

What does that tell us?

Boohoo didn’t have a clear view of its supply chain.

Illustration: Veridion / Quote: boohoo group plc

Without transparency and thorough risk assessments, they failed to track subcontracting practices or identify which suppliers were cutting corners.

Essentially, their risk management stopped at the surface.

But, why do mistakes like this happen?

Sometimes companies focus too much on short-term cost savings, want to achieve rapid sales, or assume that “everything is fine” if the supplier delivers on time.

This was pretty much the case here, too, according to the Guardian:

Illustration: Veridion / Quote: The Guardian

Because the supplier was constantly delivering what Boohoo needed to achieve target sales, no one questioned its ESG practices.

However, ignoring these and other non-financial risks is like driving without looking at the road ahead—you might be fine for a while, but sooner or later, you’ll crash.

And it’s not just ESG risks that can endanger your company.

Geopolitical risks, natural disasters, or even labor strikes can all disrupt your supplier’s ability to deliver what you need.

For example, if you source from a region prone to hurricanes or political instability, and you haven’t accounted for that, you’re gambling with your operations.

So, how can you avoid making this mistake?

Besides focusing on suppliers’ financial health, conduct thorough checks on all the other supplier risks, from ESG compliance and supplier labor practices to potential geopolitical threats and even their cybersecurity vulnerabilities.

And don’t treat risk assessment as a one-off task—risks evolve, and your processes need to keep up.

Assuming Established Suppliers Don’t Require Risk Evaluation

It’s easy to assume that long-term or well-known suppliers are safe bets.

But as Huy Fong Foods’ 2024 sriracha shortage shows, even trusted partners can face challenges that ripple into your operations.

Earlier this year, Huy Fong halted all production of its iconic sauces, including sriracha, due to an issue with its chili pepper supplier.

The problem?

The peppers were harvested too late in the season, which would have given the sauce the wrong color, so production simply couldn’t start.

Illustration: Veridion / Quote: Food Dive

This incident highlighted deeper vulnerabilities in Huy Fong Foods’ supply chain.

Apparently, the supplier’s challenges stemmed from a labor shortage, which delayed harvesting and reduced quality.

And because Huy Fong had no backup supplier or contingency plan, it was forced to wait until the next harvesting season to resume production.

David Ortega, associate professor at Michigan State University, summarized the problem:

“These are seasonal products; you can’t just switch suppliers from one day to the next.”

This shortage could have been avoided with proper supplier risk assessment.

Operational risks—like labor shortages, capacity issues, or weather impacts—can undermine even the most reliable suppliers.

But without ongoing evaluations, Huy Fong failed to anticipate the problem and diversify its supplier base, leaving the company and its customers in the lurch.

Something similar happened to KFC in 2018.

In the UK, KFC switched its logistics partner to DHL, an established leader in supply chain management.

Bidvest, a company with a proven track record and a network of six warehouses, was replaced by DHL’s centralized system relying on a single depot in Rugby.

Just days into the transition, traffic disruptions near the Rugby depot caused severe delays in chicken deliveries, forcing over 600 of KFC’s 870 locations to close.

Illustration: Veridion / Data: Wired

Experts like logistics and supply chain management professor Samir Dani later criticized the decision, noting that managing the length and breadth of the UK with one depot created a single point of failure.

And this is especially problematic in the food industry, where there are strict rules about product quality:

“Companies may operate out of one warehouse, but you have to think about the product. There are legality issues around the quality of the produce and the contamination that can happen if it is not handled properly. That’s the problem with food: distribution can’t be thought about like any other supply chain.”

All in all, this case highlighted how KFC overlooked critical risks associated with its new, well-known supplier’s infrastructure limitations.

Both examples teach us an important lesson: even established suppliers can falter due to external pressures, labor shortages, or infrastructure choices.

Therefore, regular risk evaluations, diversified sourcing strategies, and robust contingency plans are essential to mitigate such risks.

Not Using Technologies for Risk Management

Many companies still rely on outdated systems, like spreadsheets and manual processes, to manage supplier risks.

This is a big mistake.

Why?

Because it’s slow, error-prone, and lacks the real-time insights that modern technology can offer.

Florin Tufan, CEO of Veridion, points out that many companies only learn about risks affecting their suppliers when it’s too late—after the damage has been done.

Illustration: Veridion / Quote: CPO Strategy

This means that businesses are always playing catch-up and struggle to manage risks effectively.

Another challenge is incomplete or outdated supplier data.

In fact, research shows that 60% of businesses don’t even know all the third parties they share sensitive information with.

Illustration: Veridion / Data: Buckely Firm

Without this basic visibility, how can you effectively manage supplier risks?

What companies need is accurate, timely, and comprehensive information—covering everything from financial health to ESG risks, operational disruptions, and geopolitical threats.

But gathering this data manually is too slow, often leaving companies blindsided by potential disruptions.

This is where modern technology, powered by AI and machine learning, transforms supplier risk management.

Take our Veridion, for instance.

This supplier sourcing service and supplier risk data monitoring solution can provide real-time supplier insights with just a few clicks.

Veridion scans the internet every week, processing petabytes of data to keep the information fresh and updated.

Source: Veridion

It provides crucial data on supplier financial health, product risks, operational risks, ESG compliance, and more.

The best part?

With our search APIs, you can access 95% of the data points needed for third-party risk management in under 2 seconds.

Source: Veridion

This makes it possible to react quickly and make data-driven decisions to mitigate risks.

Relying on outdated systems or manually collecting risk data just doesn’t cut it anymore in today’s business landscape, where supply chain disruptions are frequent, unpredictable, and increasingly complex.

If you want to manage risks effectively, you need technology that works in real-time, providing fresh, comprehensive data that helps you stay ahead of potential disruptions.

Not Conducting Regular Risk Assessments

One of the biggest mistakes companies make is assuming that an initial risk assessment is sufficient to manage risks over the long term.

The reality is that supplier risks evolve—often unpredictably—and not conducting regular risk assessments leaves companies vulnerable to disruptions.

Despite this, 73% of companies only assess supplier risks when onboarding or during recertification, according to Gartner.

This means only 27% of organizations are proactively reassessing risks throughout their supplier relationships.

Illustration: Veridion / Data: Gartner

This gap is dangerous because risks such as financial instability, operational disruptions, or compliance issues can arise at any time—and often cannot be identified during onboarding alone.

Chris Audet, current Chief of Research for General Counsel and Chief Compliance Officer within Gartner’s Assurance practice, explains:

“Ninety-two percent of legal and compliance leaders told us that those material risks could not have been identified through due diligence. The only way to surface those risks was through actual engagement with the third party and through ongoing risk identification over the course of the third-party relationship.”

Take cybersecurity as an example.

With third parties having greater access to sensitive data, the risk of breaches or cyberattacks has skyrocketed.

A June 2023 survey by Cyber GRX and ProcessUnity found that 40% of organizations experienced a cyber incident linked to a third party in the past year.

Over 20% of companies faced multiple incidents.

Illustration: Veridion / Data: Cyber GRX

Without regular monitoring, companies can miss vulnerabilities in their supplier relationships, like poor cybersecurity practices, until it’s too late.

While an initial supplier evaluation may confirm the supplier’s compliance or performance at a specific point in time, risks like cybersecurity vulnerabilities can develop over time due to changes in their processes, partnerships, or technologies.

The same logic applies to a wide range of other risks: market fluctuations, operational issues, geopolitical factors, or even natural disasters.

A supplier that seemed reliable last year may now be facing financial trouble or disruptions you never saw coming.

The only way to spot these risks is by regularly assessing supplier risks and continuously monitoring your suppliers’ performance.

Otherwise, you risk being dragged down into costly disruptions.

Failing to Involve Key Stakeholders in the Process

The last mistake on our list is not involving the right stakeholders from across the organization in supplier risk management.

When departments like procurement, legal, finance, IT, security, compliance, and audit work in silos, companies often miss crucial insights that could help identify and mitigate supplier risks.

Why is this a problem?

Well, each department has a unique perspective on risks and is best equipped to identify and handle the risks in its own domain.

For example:

  • Legal identifies contractual, compliance, and regulatory risks.
  • Finance evaluates financial risks like a supplier’s creditworthiness or stability.
  • IT and Security focus on protecting systems and data, making them essential for addressing cybersecurity risks tied to third-party vendors.

So, if you don’t include all of them in supplier risk management, you won’t get a holistic view of supplier risks.

Phillip Addison, Third-Party Cyber Risk Manager at The Hershey Company, further emphasizes the importance of breaking down silos in TPRM:

Illustration: Veridion / Quote: LinkedIn

Essentially, Addison points out that treating risks as isolated issues—like focusing solely on cybersecurity in his case—prevents organizations from addressing the bigger picture.

Instead, companies need a multi-domain approach, where all departments collaborate to align on risk management strategies.

The solution is, therefore, to stop working in silos.

Bring together different teams to collaborate, share information, and approach risk management in a holistic way.

This will help you spot potential risks more effectively and strengthen the company’s overall defense against various supplier risks.

Conclusion

This brings us to the end of our exploration of common mistakes in supplier risk management.

Now, let us ask you:

How many of these mistakes have you recognized in your own organization?

Have you ever faced issues similar to those experienced by the companies we’ve discussed today?

If the answer is even one, it’s time to reassess how you’re managing supplier risks.

Take a moment to evaluate how often you assess your suppliers, who is involved in the process, and which risks are being prioritized.

By taking these steps now, you can avoid costly disruptions down the line and ensure a more resilient and proactive approach to supplier risk management.

Hopefully, this article has provided some valuable insights to help you make that shift.