What Should a Good Risk Analysis of Semiconductor Suppliers Include? (Part 1)

What should companies be looking for when implementing risk assessments for their semiconductor suppliers?

This article is part one of a two-part series featuring insights from Z2Data CEO Mohammad Ahmad. It explores how a new generation of disruptions is changing the way companies think about and implement supplier risk analysis, and what manufacturers need to do to successfully conduct risk assessments of their semiconductor suppliers. Read Part 2, Developing and Implementing a Risk Model for the Semiconductor Supply Chain, here.

The semiconductor shortage that began in 2020 and bled all the way into 2023 was a supply chain calamity by almost any measure. The historic disruption kneecapped production and warped supply and demand dynamics for a vast cross-section of large-scale industries, costing the U.S. economy in excess of $200 billion in 2021 alone and leading to thousands of lost jobs and largely irreversible price hikes on essential products. 

For many organizations, that experience, as well as other struggles with sourcing and procurement over the past four years, embodied the growing potency and prevalence of supplier risk. Businesses that might have once been content to address disruptions in an informal, ad-hoc way were suddenly recognizing the urgency—the strategic imperative, even—of adopting a more proactive, foresighted approach to gauging threats posed by their supply chain and the companies sustaining it. There was a collective realization, in other words, that businesses could identify, assess, and mitigate risk before it crashed into their operations in the form of a factory shutdown, a regulatory snafu, or an obsolescence crisis. 

What Is a Supplier Risk Analysis? 

Fortunately, manufacturers, importers, and other stakeholders seeking to analyze risk among their suppliers have an established history to draw on. Supplier risk analyses have been around, in one form or another, for decades. A risk analysis—also referred to as a risk assessment—is a framework or set of criteria for recognizing and evaluating the risks posed by a specific supplier. These structured assessments are a critical aspect of the larger field of supply chain risk management, which the National Institute of Standards and Technology (NIST) usefully defines as a “systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats.”

Supplier risk assessments are a cornerstone of good supply chain risk management. By developing and implementing these targeted reviews, organizations are able to put prospective vendors through a standardized vetting process and gain a comprehensive and precise understanding of how specific historical vulnerabilities could recur in costly ways. It’s also one of the most effective strategies for maintaining a more dynamic, agile stance toward your supply chain. 

“It’s very important because ultimately you are able to stay ahead of potential issues that would impact your supply chain, which would impact the delivery or manufacturing of your end product,” said Mohammad Ahmad, CEO of supply chain risk management platform Z2Data. But these assessments function as more than just risk profiles, Ahmad explained. They’re also exhaustive dossiers on suppliers that can inform critical decision-making in a wide variety of scenarios. “One really big challenge nowadays is, how much do you really know about your suppliers?” he said. “Everybody wants visibility into their suppliers.”

Supplier risk analysis is hardly a new practice. It is, however, a tool that’s increasingly shifting from a discretionary measure to something more frequently perceived as integral to effective supply chain risk management. In a decade as layered and turbulent as the 2020s have been thus far, businesses with the resources to pinpoint and analyze risk—and in so doing achieve transparency with their suppliers—are operating at a critical advantage.

The Most Important Criteria for a Supplier Risk Analysis

Historically, manufacturers carrying out a risk analysis focused on a few core aspects of their suppliers, including company financials, product quality, and reputation. Companies evaluated the level of exposure their suppliers had, and then generated a composite score that sought to accurately capture the supplier’s collective risk profile. 

Today, the risk landscape for manufacturers and the supply chains they rely on is denser and more unforgiving. The raft of longstanding threats outlined above is being compounded by emerging concerns unique to our contemporary environmental and geopolitical climates, with human actors and natural forces combining to amplify volatility. As a result, companies are now having to expand their list of risk criteria to include factors like a history of regulatory compliance and geographical locations. The latter category has become especially important, because it indicates a supplier’s susceptibility to related threats like natural disasters, geopolitical issues, and trade conflicts.

Businesses have always had to grapple with the potential that suppliers would be impacted by extreme weather events like typhoons, tornadoes, and floods. The growing influence of climate change, however, has accelerated the frequency of these destructive catastrophes. According to the United Nations Office for Disaster Risk Reduction (UNDRR), the number of “large-scale disasters” the planet is facing every year has more than tripled since the turn of the century, and now sits between 350 and 500 annually. Any number of climate projections, meanwhile, see those figures climbing aggressively in the years to come. 

Over the past half-decade, leading governments and influential international organizations have started embracing more substantive measures for holding corporations accountable for their role in contributing to rising temperatures and an altered climate. Movements in sustainability and ESG (environmental, social, and governance) are gradually being codified in the form of concrete, legally enforceable regulations all over the world. This growing fleet of nascent regulations is serving as another novel category of risk for manufacturers and other supply chain stakeholders, who must now adhere to a slew of new sustainability mandates. As directives like CSRD, CS3D, and the SEC’s new climate disclosure requirements begin entering into force all over the world, suppliers are being forced to navigate a new zone of vulnerability.

As though that weren’t enough, there’s also the rapid emergence of cybersecurity risks. This emerging threat was chillingly crystallized by several recent cyberattacks of unprecedented scope and scale. The SolarWinds attack by a coterie of Russian operatives in 2020 and the data breach of Microsoft Exchange in 2021 by a hacker group affiliated with the People’s Republic of China’s Ministry of State Security demonstrated the unnerving advancement of cyberwarfare over the past decade. As these hyper-sophisticated hacker groups and their powerful government sponsors grow more brazen and ambitious in their cyber-espionage campaigns, multinationals all over the world are at heightened risk of data leaks, malware attacks, and sweeping security failures. 

U.S. manufacturers and other businesses that depend on multiple suppliers and sub-tiers today are facing a simple, incontrovertible truth: supply chain risk management has clearly evolved. Those seeking to put together their own supplier risk analysis should be looking beyond the disruptive forces that have plagued supply chains for decades. Firms need to recognize the bevy of new threats now endemic to many manufacturing networks. 

Collectively, there are now at least a half-dozen supply chain risks that should be incorporated into any comprehensive risk analysis: 

  • Financial health and/or bankruptcy risk
  • Extreme weather and climate-related events
  • Geopolitical concerns
  • ESG and sustainability 
  • Cybersecurity
  • Trade compliance
  • Data transparency 

Gathering Data for Risk Assessments 

Once businesses understand the value of gauging risk among their suppliers and the specific categories of risk that should be analyzed and assessed, they’re ready to actually carry out an assessment. The first and almost certainly the most important step in conducting a risk analysis is gathering data on your suppliers. There is an array of different strategies for pulling together this information, and businesses shouldn’t overcommit themselves to a single approach. Rather, they should take advantage of multiple methods of data-gathering, starting with accessing publicly available information. This type of intelligence could include financial data, geographical locations of headquarters and manufacturing facilities, and ESG reporting (which will become increasingly publicized in the months and years to come).

After collecting all available public-facing data, companies should assess where the gaps are and reach out to suppliers for any information they weren’t able to procure on their own. Businesses often carry out this second step using questionnaires that ask manufacturers a wide range of questions related to their security controls, risk mitigation measures, and supply chain management. 

The Shared Information Gathering (SIG) questionnaire, for example, is a third-party risk management tool developed by the Shared Assessments organization. It includes hundreds of questions designed to yield practical insights across 21 core domains, including the following:

  • Compliance Management
  • Environmental, Social, and Governance (ESG)
  • Enterprise Risk Management
  • Cybersecurity Incident Management 
  • Network Security
  • Operational Resilience 

While questionnaires are integral to data-gathering, they should not be an organization’s sole means of obtaining information about their suppliers. “I don’t think it should be your only source,” Ahmad said. “You need to have multiple sources of information so that you can make a risk-based decision on whether or not you need to go deeper.”

Building An Overarching Risk Assessment Process: Part 2

But identifying areas of risk and procuring all the relevant data related to those risks are only the first steps in the overarching risk assessment process. Once manufacturers have successfully carried them out, how do they go about developing a risk model and actually implementing a risk assessment? 

We cover these questions—as well as outline some of the most prevalent risks unique to the semiconductor supply chain—in part two of our article, Developing and Implementing a Risk Model for the Semiconductor Supply Chain.

The Z2Data Solution

Z2Data’s integrated platform is a holistic, data-driven supply chain risk management solution that brings data intelligence to your engineering, sourcing, supply chain and compliance management, ESG strategists, and business leadership. It enables intelligent business decisions so you can make rapid strategic decisions to manage and mitigate supply chain risk in a volatile global marketplace and build resiliency and sustainability into your operational DNA.

Our proprietary technology, augmented with human and artificial intelligence (AI), fuels essential data, impactful analytics, and market insight in a flexible platform with built-in collaboration tools that integrates into your workflow.
