Your riskiest supplier is the one nothing has happened to
I modelled a mid-size consumer-goods network and asked which single supplier failure would hurt most. It wasn't the chip vendor under a typhoon or the port everyone war-games. It was the packaging supplier nobody watches — 86% of revenue runs through it, and its failure costs three and a half times more.
Every risk register I have ever seen is really a news feed with a scoring column bolted on. Something happens — a typhoon forms, a supplier gets breached, a port backs up — and the item earns a likelihood, an impact, a colour. The register is honest about what it is: a ranked list of things that have started to go wrong. The problem is that everyone reads it as something else. They read it as a list of what would hurt most. Those are not the same list, and the gap between them is where the expensive surprises live.
I wanted to show the gap rather than assert it, so I built a model. Not a client's — a deliberately synthetic mid-size consumer-goods company: four suppliers, two plants, three distribution centres, five product lines, spread across Asia, Europe and the US. Real structure, invented numbers, so I can publish every figure on this page. Then I fed it a feed of thirty-five disruption events and asked two different questions.
The first question is the one the register answers: what is going wrong right now? The three loudest risks come back exactly where you'd expect — a typhoon tracking toward the Shenzhen electronics supplier, a cyber intrusion at the textile plant, a product recall. All CRITICAL, all clustered on the two marquee suppliers every planner in this company already watches on a Monday morning.
The second question is the one almost nobody asks structurally: if any one supplier simply stopped, which failure would cost the most? That question doesn't care what's in the news. It cares about how the network is wired.
The answer was the packaging supplier.
Not the chip vendor. Not the textile plant under a cyber cloud. Bengaluru Packaging Solutions — corrugate and cartons, the lowest-unit-cost line item in the whole bill of materials, the supplier you'd renegotiate to save a few basis points and never think about again. In this network, 85.9% of revenue flows through it. The electronics supplier everyone frets over? 59%. The reason is unglamorous and total: packaging feeds both plants, and every one of the five products needs a box. It is single-sourced, like every input in this model — but it is the one node where single-sourcing is quietly catastrophic, because there is no product that ships without it.
Numbers make this concrete, and the fair way to show it is to hold the scenario shape constant. Take two suppliers. Fail each one for four weeks. Same outage, same simulation, same network.
The model ships with a single-source failure example built in: Rhineland Precision, a tier-2 precision-hardware vendor — exactly the kind of specialised, hard-to-replace supplier you'd nominate as your scary one. Four weeks down, it costs $529k in lost revenue and service dips to 86%. Uncomfortable, survivable, roughly what you'd brace for.
Now fail the packaging supplier for the same four weeks. Lost revenue: $1.87M. Worst-week service level: 33.8%. Time to survive before service breaches: one week. Time to recover: three. Same scenario shape, three and a half times the damage — and service doesn't dip, it craters to a third of normal, because when the boxes stop, nearly everything stops.
Here is the part that should bother you. On the event-driven register, the packaging supplier appears exactly once — as a MEDIUM — and the event attached to it is good news: a regional airline expanding cargo capacity out of Bengaluru. Nothing bad has happened to it. So the feed-with-a-scoring-column ranks it as a mild positive while the structural analysis ranks it as the single most dangerous node in the business. Both are looking at the same supplier on the same day and reaching opposite conclusions.
This is the whole case for measuring resilience structurally instead of reactively, and it is not exotic maths — it is arithmetic over a graph. Criticality is just the share of revenue that has to pass through a node. Single-source exposure is counting to one. Time-to-survive is asking how many weeks of cover sit between a node going dark and a customer noticing. None of it needs a disruption to have happened first. That's the point: the reactive register can only rank what has already caught fire, and the fire is rarely where the structure is weakest.
I'm not arguing against risk feeds. Watch the typhoon; the recall is real. But if the feed is the only lens, you will spend your attention proportional to the noise a supplier makes, not proportional to the damage it could do — and the quietest suppliers, the commodity inputs you've optimised down to the cent, are exactly the ones with no drama and no backup. The failure mode isn't ignorance. It's that the loud risks crowd out the structural ones, every cycle, because the loud ones come with a date and a headline and the structural ones just sit there being load-bearing.
So the exercise is simple, and worth an afternoon. Ignore the news for a moment. List your suppliers. For each one, ask the boring question — if this simply stopped, what share of revenue stops with it, and how many weeks until a customer feels it? Sort by that. Then compare the top of that list to the top of your risk register. Where the two lists disagree is your real exposure — the supplier nothing has happened to, yet.
The model behind this piece — a self-contained resilience engine that scores network criticality, simulates supplier and port failures week by week, and ranks mitigations by re-running the scenario with each lever applied — is a working demonstration, not a product. Every number here came out of it. If you want the methodology (it follows the Simchi-Levi / Ivanov time-to-recover, time-to-survive tradition), that's the next write-up.