Developing and Implementing a Risk Model for the Semiconductor Supply Chain (Part 2)

In today’s risk landscape, manufacturers must identify these potential disruptions and develop sophisticated risk models to assess them. Here’s how to get started.

This article is part two of a two-part series featuring insights from Z2Data CEO Mohammad Ahmad. It explores how a new generation of disruptions is changing the way companies think about and implement supplier risk analysis, and what manufacturers need to do to successfully conduct risk assessments of their semiconductor suppliers.

After an organization has identified the most significant risks within their supply chain and obtained the necessary intelligence on their suppliers, they need to have a way of determining what all that information means. That is, they need to be able to quantitatively evaluate it. This is where a risk matrix comes into play. A risk matrix is an infographic tool organizations can utilize to understand—to a precise, nuanced degree—the threat level posed by a specific risk. The matrix will normally have two axes, one featuring the probability of a risk occurring and the other showing the severity level of the risk’s impact. 

A risk matrix should be incorporated into a larger risk model that organizations use to carry out their supplier assessments. In order to maintain objectivity and ensure that all suppliers are assessed on a level playing field and according to the same criteria, these models should be standardized. They also need to be incorporated into a consistent, repeatable process that can be seamlessly mapped onto any prospective supplier or vendor. “It should be something that’s automated, scalable, and sustainable,” Ahmad said. 

Confronting Inherent Risks: Threats Unique to Semiconductor Suppliers

For many industries, companies evaluating the risks presented by their suppliers can generally focus on the same four or five categories. These include many of the varieties of disruption discussed throughout this piece, including financial stability, trade compliance, geopolitical issues, and climate-related vulnerabilities. Organizations assessing potential hazards along the semiconductor supply chain, however, must assume a more tailored, even exhaustive approach to risk management. That’s because suppliers operating in the semiconductor field are susceptible to a clutch of sector-specific threats that must be duly investigated, assessed, and integrated into the manufacturer’s risk model. 

For Ahmad, there are a handful of interrelated questions manufacturers need to be asking when developing a supplier risk assessment for semiconductor firms. “Are they a top supplier in the product you’re procuring from them? Are they mid-tier? Are they small? Is it a major part of their business?” Because of the complexity of the semiconductor supply chain and the depth of sub-tiers that are sustaining that complexity, manufacturers also need to be thinking about their suppliers’ dependencies. 

Integrated device manufacturers (IDMs)—those companies that carry out all the semiconductor manufacturing processes in-house, including design and fabrication—are going to have fewer dependencies than fabless firms that rely on foundries. Those fabless manufacturers typically have more vulnerabilities because their manufacturing processes are distributed across a greater number of factories and facilities, giving them more single points of failure. This represents a meaningful disparity from a supply chain risk management perspective, and should be taken into account when assessing risk.

In addition to understanding the key distinctions between IDMs and fabless firms, companies need to familiarize themselves with a category of risk that—while hardly prevalent in every supply chain—has a disproportionately large footprint in the semiconductor industry: obsolescence. Hundreds of thousands of electronic components reach obsolescence every year. Z2Data’s recent report, Obsolescence Trends in 2024, found that nearly half a million parts went end-of-life (EOL) in 2023. It’s important to bear in mind, however, that lifecycles and obsolescence trends are not spread evenly across supplier networks.

Organizations interested in being as thorough as possible in their supply chain risk management measures should be investigating their suppliers’ histories around obsolescence. Manufacturers whose parts frequently go obsolete early, or who have a history of providing inaccurate EOL forecasting for their components, are imposing undue risk on their customers. Unexpected obsolescence can jeopardize product designs and bills of materials (BOMs), siphoning away critical resources to the task of identifying cross-references and engaging new suppliers. Gleaning the differences in these obsolescence trends among suppliers—and reflecting those differences in risk matrices or other risk models—is an invaluable part of comprehensive supply chain risk management. 

Finally, companies sourcing from the semiconductor supply chain should be aware of the ongoing threat posed by the industry’s finite production capacity. Insufficient capacity was the fulcrum for the crippling shortages of the past few years, as the collective output of the world’s foundries and IDMs could not keep up with soaring levels of demand. Fortunately, global production capacity has started catching up to the world’s insatiable appetite for chips, and manufacturing output continues to grow. In 2024, the total capacity is expected to top 30 million wafers per month (WPM)—a 6% increase over 2023 levels, and a record for the sector. 

While Ahmad acknowledged that the industry had reclaimed a certain degree of supply-and-demand equilibrium, it remains exceedingly difficult to predict how those dynamics will shift over the next few years. “Things are a little bit softer right now because there was such an increase in production in the past couple of years due to the shortages,” he said, “but demand is going to increase regardless, and who knows if capacity will catch up.” Further, the fact that capacity has stabilized for the industry as a whole doesn’t necessarily guarantee that it will remain steady for specific segments and at specific technology nodes. Businesses that depend on the semiconductor supply chain need to take it upon themselves to analyze supply trends and manufacturing projections for the electronic components most critical to their operations. 

Staying Focused on the “Long-Term Plan” in Supply Chain Risk Management 

Since the global supply chain went haywire during the pandemic, costing companies billions and forcing them to reexamine their procurement processes and contingency strategies with a more discerning eye, supply chain risk management (SCRM) has developed a significantly larger profile. As one of the foundational elements of SCRM, supplier risk assessments have experienced a corresponding growth in recognition and adoption. Businesses and their strategic sourcing teams are finally reconciling themselves to the fact that price and availability are not the only factors to consider when establishing supplier relationships. Identifying and assessing risk can be equally pivotal for an organization’s overall health, long-term growth prospects, and bottom line.

But companies integrating risk analysis as a core supply chain risk management tool—and undertaking the in-depth measures necessary to assess vulnerabilities among suppliers—will have to negotiate the growing pains inherent in a developing field. They may find their suppliers evasive or taciturn in responding to inquiries, compliance hard to evaluate in a rapidly proliferating regulatory landscape, and fragmentary intel that falls short of informing a complete risk profile. For obstacles like these, Ahmad preaches patience, diligence, and a persevering approach. “If there’s incomplete data today, it’s okay just as long as you're continuously building it,” he said. “You are eventually going to get to that level where it’s thorough. Don’t lose sight of the long-term plan.”

The Z2Data Solution

Z2Data’s integrated platform is a holistic, data-driven supply chain risk management solution that brings data intelligence to your engineering, sourcing, supply chain and compliance management, ESG strategists, and business leadership. It enables rapid, intelligent strategic decisions so you can manage and mitigate supply chain risk in a volatile global marketplace and build resiliency and sustainability into your operational DNA.

Our proprietary technology, augmented with human and artificial intelligence (AI), fuels essential data, impactful analytics, and market insight in a flexible platform with built-in collaboration tools that integrates into your workflow.