Supply Chain Risk

You know what you know. But do you know what you don't know?

A risk assessment can only flag the parts of your supply chain that are mapped. What is not mapped produces no signal at all. That looks like a clean result. It is not.

For sustainability managers, procurement managers and decision makers

Most procurement teams do a reasonable job with risk management. Suppliers in high-risk countries are flagged. Categories with known issues are monitored. Follow-up happens where signals have come in. That is not wrong. But it is incomplete in a way that rarely gets discussed.

A risk assessment can only identify risks in the parts of the supply chain that are actually mapped. What remains unmapped does not appear in the assessment. It does not show up as a gap. It looks like a clean result, when in reality it is an invisible one. That is a meaningful distinction.

The blind spot looks like silence

An organisation that has mapped its direct suppliers but not the tiers beyond does not have a risk assessment that says Tier 2 and Tier 3 are low-risk. It has a risk assessment that does not cover Tier 2 and Tier 3 at all. On paper they look the same. In practice they are fundamentally different.

That is exactly what makes the blind spot dangerous. It is not marked as a gap. It looks like silence, and silence tends to get read as the absence of problems.

Real-world scenario

A procurement team buys consumables from a direct supplier that has passed every internal review. The supplier has signed the code of conduct and delivered reliably for several years. What nobody knew was that the supplier had quietly switched raw material sources eighteen months earlier to a region with active risk exposure. Nothing in the system caught it. Silence was interpreted as safety.

When a problem eventually surfaces, the question is always the same: why did you not know? The answer is almost never that the organisation ignored the information. The most common answer is that nobody had asked the question at that tier.

Why do we not see this already?

This is not a question of intent. The problem is structural. Standard tools are built for direct supplier relationships and rarely reach further than that. A code of conduct that a supplier signs is not the same as information about what happens in the tiers beyond.

Tier    | What most organisations know                                          | Visibility today
--------|-----------------------------------------------------------------------|-----------------
Tier 1  | Direct supplier: contracts, audits, code of conduct, contact person   | Good
Tier 2  | The sub-supplier: sometimes known, rarely mapped systematically       | Partial
Tier 3+ | Raw material producers: origin regions and production conditions unknown | None

The empty field is where the risks hide. Not because anyone is concealing them, but because nobody has asked.

Risk does not decrease because you cannot see it. Visibility determines whether you can act before a crisis or whether you are forced to react after the fact.

Three situations where the blind spot becomes an acute problem

When the world changes around you

A region that was stable three years ago may carry significant risk today. An organisation that does not know it has exposure there cannot act proactively. It finds out when the problem has already landed.

When a product category or country draws attention

Organisations that have not mapped their exposure are forced to do so under time pressure. It is far harder to communicate credibly when a mapping is produced reactively rather than as part of ongoing work.

When customers or contracting authorities ask

Requirements to account for origin and risk management across the full chain are becoming more common. An organisation without that information can only state that it does not know, which is itself an answer that damages trust.

Three things you can do to get started

1. Pick five products and follow them backwards

Choose the products that matter most to your operations or that carry the greatest potential for exposure, based on origin, industry, or raw material category. Ask how far back in the chain you have actually mapped origin and production conditions. Not how far the code of conduct formally extends, but how far real information actually exists.

2. Ask your direct supplier when the data was last updated

Suppliers change sub-suppliers without informing anyone. What was accurate at the last audit is not necessarily accurate today. Ask when the information about their own suppliers was last verified.

3. Ask the question one tier further down

Who supplies the raw material to your direct supplier, and where is it produced? It is a simple question that often surfaces information you did not have. It also signals that you are actually looking at the whole chain, not just the first link.

No organisation consciously chooses to have blind spots in its risk assessment. But many organisations have them by default, because they assume that silence means safety. That is the assumption we need to change.

How far back in your supply chain can you actually see?

mitigater maps your supply chain at product level, from finished goods to raw materials, and shows you where the risks actually sit, before they become headlines.