Three spreadsheets. That is what stood between an FTSE 100 retailer and a supplier concentration risk that nobody knew existed.
Procurement had a supplier register in Excel. IT security had a separate vendor risk assessment in SharePoint. Finance had a third spreadsheet tracking annual spend by vendor. Each was maintained by a different team on a different update cycle. None of them talked to each other.
When I was brought in to help with their ISO 27001 preparation, we ran a simple analysis: aggregate spend by supplier across all three sources, then cross-reference with the services each supplier supported. The result was sobering. A single cloud infrastructure provider accounted for 34% of their total IT spend and underpinned eleven customer-facing services. Their security team had flagged the supplier for a delayed SOC 2 report eight months earlier, but that flag existed in a different spreadsheet from the one procurement used to manage the relationship. Nobody had connected the dots.
That is a concentration risk. It is also a governance failure. And it is far more common than anyone in a risk committee meeting wants to admit.
Why supplier risk assessment matters more now
I am not going to pretend that supplier risk is a new topic. It is not. But the pressure has increased sharply in the last three years, and if you are in a regulated industry, you cannot afford to treat it as a check-the-box exercise any longer.
Regulatory pressure is intensifying. The FCA's operational resilience framework now explicitly requires firms to identify and manage third-party dependencies. DORA — the Digital Operational Resilience Act — applies the same logic across the EU financial sector from January 2025. The NHS has its own supplier assurance requirements through DTAC and DSP Toolkit. ISO 27001:2022 has strengthened its supplier management controls. The direction of travel is unambiguous: regulators expect you to know your supplier risks and demonstrate that you are managing them.
Supply chain disruption is not theoretical. The last five years have provided ample real-world evidence. The SolarWinds breach demonstrated that a compromised supplier can cascade into thousands of customer environments. The CrowdStrike update incident in 2024 showed that even a routine update from a trusted vendor can ground your operations. These are not edge cases. They are the new normal.
ESG and data handling requirements are expanding. Customers, regulators, and investors increasingly expect organisations to assess their suppliers on environmental practices, labour standards, and data handling. This is not confined to large enterprises: mid-market firms pursuing public sector contracts or financial services partnerships are finding these requirements in their procurement questionnaires.
A practical risk assessment framework
The framework I use is deliberately simple. Three tiers, five assessment dimensions, and a clear set of actions for each tier. The goal is not comprehensiveness for its own sake — it is proportionality. Your assessment effort should match the risk the supplier represents.
Tier 1: Critical suppliers
These are suppliers where failure would directly and immediately impact your customers, your revenue, or your regulatory standing. The characteristics:
- Single point of failure — no readily available alternative
- Annual spend exceeding £1 million (adjust this threshold to your organisation's scale)
- Handles or processes sensitive data (customer data, financial data, health data)
- Supports Tier 1 services in your service catalogue
- Switching would take more than six months
Critical suppliers require the full assessment: financial stability, operational resilience, data handling, compliance posture, and concentration risk. They need formal onboarding due diligence, annual reassessment, and continuous monitoring of material changes. If a critical supplier has a security incident, you should know about it within hours, not weeks.
Most organisations have between five and fifteen critical suppliers. If your list is longer than twenty, your threshold is probably too low.
Tier 2: Important suppliers
Important suppliers cause significant disruption if they fail, but alternatives exist and switching, while expensive, is achievable within a reasonable timeframe. Characteristics:
- Multiple alternatives exist in the market
- Switching would take one to six months
- Annual spend between £100,000 and £1 million
- Supports Tier 2 services or non-critical Tier 1 dependencies
- Limited or no access to sensitive data
Important suppliers need a structured assessment at onboarding and an annual review, but the depth can be lighter than Tier 1. Focus on financial stability and service continuity. You do not need a full data handling audit for a supplier that does not touch your data.
Tier 3: Standard suppliers
Commodity suppliers. Easily replaceable. Low spend. No access to sensitive data. Your office supplies vendor, your stock photography provider, your basic SaaS tooling that any of three competitors could replace in a week.
Standard suppliers need a basic assessment at onboarding — confirm they are a legitimate business, check for obvious red flags — and periodic review only if something changes materially. Do not waste time running full risk assessments on suppliers that represent minimal risk. That effort is better spent on your Tier 1 and Tier 2 suppliers.
What to assess
For Tier 1 and Tier 2 suppliers, assess five dimensions. Each should produce a structured record, not a narrative email or a tick-box exercise.
Financial stability. Is the supplier financially healthy? Are they likely to still be in business in three years? Check published accounts, credit ratings if available, and any public indicators of financial distress. For privately held suppliers, ask for financial statements directly. A supplier that refuses to share basic financial information is a red flag, not a privacy concern.
Operational resilience. What happens when their service goes down? Do they have documented disaster recovery and business continuity plans? Have they tested them? What are their RTO and RPO commitments? For critical suppliers, ask to see evidence of their last DR test. If they have never tested their DR plan, assume it does not work.
Data handling. What data do they access, store, or process on your behalf? Where is it stored geographically? How is it encrypted in transit and at rest? What happens to your data when the contract ends? For suppliers handling personal data, confirm their GDPR compliance posture and check whether they have experienced any reportable data breaches in the past three years.
Compliance posture. What certifications do they hold? SOC 2, ISO 27001, Cyber Essentials Plus? When were they last audited, and were there any material findings? Certifications are not guarantees, but the absence of any certification for a supplier handling sensitive data should raise questions. Ask for the certificate, not just the claim.
Concentration risk. This is the one most people miss. How dependent are you on this supplier? If they fail, what percentage of your services are affected? Are you their largest customer (which creates a different kind of risk — your business is material to their survival)? Are multiple parts of your organisation using the same supplier under different contracts without realising it?
Onboarding vs ongoing monitoring
There is a critical distinction between due diligence at onboarding and ongoing monitoring, and most organisations only do the first.
Onboarding due diligence is the assessment you perform before engaging a new supplier. It answers the question: "Should we enter into a relationship with this organisation?" The depth should be proportionate to the tier. For a Tier 1 supplier, this might take two to four weeks and involve financial analysis, security questionnaires, reference checks, and a review of their compliance certifications. For a Tier 3 supplier, it might take a day.
Ongoing monitoring is where the real gap lives. A supplier risk assessment performed at onboarding has a shelf life. Financial conditions change. Security postures degrade. Key personnel leave. A supplier that was low risk when you onboarded them three years ago might be high risk today, and you would not know unless you are actively monitoring.
For Tier 1 suppliers, schedule a formal reassessment annually. Between assessments, monitor for material changes: financial distress signals, security incidents, key personnel departures, regulatory actions, and service performance against SLAs. For Tier 2 suppliers, an annual check-in is sufficient. For Tier 3, reassess only when triggered by a specific event.
The challenge is that ongoing monitoring requires a system. You cannot do it with spreadsheets. Spreadsheets capture a snapshot; they do not alert you when something changes. You need a structured record of each assessment with dates, findings, and actions — and a mechanism to flag when a reassessment is overdue.
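As an added example (not code from the article), here is the tiering from the criteria above, the cross-source concentration check from the opening story, and the overdue-reassessment flag this section calls for, run over constructed data standing in for the three spreadsheet exports. Supplier names, figures, the service catalogue and the rule that any single Tier 1 characteristic places a supplier in Tier 1 are assumptions.

```python
from datetime import date, timedelta

# Constructed sample rows standing in for the three spreadsheets the article
# describes (procurement register, security assessment, finance spend).
PROCUREMENT = {
    "CloudCo":  {"alternatives": 0, "switch_months": 9},
    "LogiShip": {"alternatives": 2, "switch_months": 3},
    "StockPix": {"alternatives": 5, "switch_months": 0.25},
}
SECURITY = {
    "CloudCo":  {"sensitive_data": True,  "last_assessed": date(2023, 9, 1)},
    "LogiShip": {"sensitive_data": False, "last_assessed": date(2024, 2, 10)},
    "StockPix": {"sensitive_data": False, "last_assessed": None},
}
FINANCE_SPEND = {"CloudCo": 3_400_000, "LogiShip": 450_000, "StockPix": 8_000}
# Service catalogue (constructed): service -> (service tier, supplier it depends on).
SERVICES = {"checkout": (1, "CloudCo"), "search": (1, "CloudCo"),
            "delivery-tracking": (2, "LogiShip")}

def services_for(supplier):
    """Services in the catalogue that fail if this supplier fails."""
    return {svc: tier for svc, (tier, sup) in SERVICES.items() if sup == supplier}

def classify(supplier):
    """Assumption: any Tier 1 characteristic -> Tier 1, any Tier 2 one -> Tier 2, else Tier 3."""
    p, s, spend = PROCUREMENT[supplier], SECURITY[supplier], FINANCE_SPEND[supplier]
    tiers = set(services_for(supplier).values())
    if (p["alternatives"] == 0 or spend > 1_000_000 or s["sensitive_data"]
            or 1 in tiers or p["switch_months"] > 6):
        return 1
    if spend >= 100_000 or p["switch_months"] >= 1 or 2 in tiers:
        return 2
    return 3

def concentration(supplier):
    """Share of total spend (percent) and the services affected by this supplier's failure."""
    share = round(100 * FINANCE_SPEND[supplier] / sum(FINANCE_SPEND.values()), 1)
    return share, sorted(services_for(supplier))

def overdue(supplier, today):
    """Tier 1 and 2: annual reassessment; Tier 3: trigger-only, so never flagged here."""
    if classify(supplier) == 3:
        return False
    last = SECURITY[supplier]["last_assessed"]
    return last is None or today - last > timedelta(days=365)

def report(today_iso):
    """One row per supplier joining all three sources: the view no single spreadsheet gives."""
    today = date.fromisoformat(today_iso)
    return {s: {"tier": classify(s), "spend_share": concentration(s)[0],
                "services": concentration(s)[1], "overdue": overdue(s, today)}
            for s in FINANCE_SPEND}
```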
Connecting supplier risk to contracts and services
Supplier risk assessment in isolation is half the picture. The other half is understanding what each supplier is connected to.
A supplier record should link to:
- The contracts that govern the relationship. What are the contractual terms? What SLAs are committed? What are the termination provisions? When does the contract renew?
- The services that depend on this supplier. If this supplier fails, which of your services are affected? What is the criticality of those services? This connection turns an abstract risk rating into a concrete impact assessment.
- The business cases that funded the engagement. Why did you engage this supplier in the first place? What was the business justification? Has the rationale changed since the original investment decision?
- Other suppliers in the same risk category. If you have three critical suppliers all providing cloud infrastructure, that is a pattern worth examining — even if each individual supplier assessment looks healthy.
This traceability chain — from supplier risk assessment, through contracts, to services, to business impact — is what turns supplier risk management from a procurement exercise into an enterprise governance capability. It is also what auditors increasingly expect to see.
The audit angle
If you are in a regulated industry, your supplier risk management is going to be examined. Internal audit, external audit, regulatory review — someone is going to ask you to demonstrate that you assess and monitor your supplier risks systematically.
What auditors want to see:
- A documented framework. How do you categorise suppliers? What assessment criteria do you use? What is your reassessment cadence? This does not need to be a 50-page policy document. A clear, concise framework that matches what you actually do is worth more than an elaborate policy that nobody follows.
- Evidence of execution. Show me the assessments. Not a summary — the actual records. When was each Tier 1 supplier last assessed? What findings were recorded? What actions were taken? This is where the immutable audit trail matters. If your assessment records can be modified after the fact, they are not reliable evidence.
- Evidence of action on findings. If a supplier assessment identified a risk, what did you do about it? Did you escalate it? Did you implement a mitigation? Did you accept the risk with documented justification? Identifying risks and then doing nothing about them is worse than not identifying them at all, because it demonstrates awareness without action.
- Coverage and gaps. Are all your suppliers categorised? Are all Tier 1 suppliers assessed within the required cadence? If there are gaps, are they acknowledged and planned? Auditors understand that perfection is not achievable. What they will not accept is gaps that the organisation is not aware of.
The organisations that handle audits well are not the ones with the most elaborate frameworks. They are the ones where the framework matches reality — where the documented process is the actual process, and the evidence is captured as a byproduct of how the work is done, not assembled under pressure when the auditor arrives.
Getting started
If you are looking at your current supplier risk management and recognising the spreadsheet problem I described at the start, here is the practical path forward.
Categorise your top twenty suppliers first. Do not try to classify your entire supplier base on day one. Start with the twenty suppliers that represent the most spend, the most critical dependencies, or the most sensitive data access. Assign each one to Tier 1, 2, or 3 using the criteria above. This exercise alone will reveal concentration risks and gaps you did not know existed.
Run a full assessment on your Tier 1 suppliers. For each critical supplier, assess all five dimensions: financial stability, operational resilience, data handling, compliance posture, and concentration risk. Capture the findings in a structured record with a date, an assessor, and a clear outcome. If you find issues, document them and create an action plan.
Connect suppliers to contracts and services. For each assessed supplier, link them to the contracts that govern the relationship and the services that depend on them. This is the step most organisations skip, and it is the step that transforms your supplier risk management from a standalone exercise into part of your governance fabric.
Establish a reassessment calendar. Tier 1 suppliers: annual reassessment plus continuous monitoring. Tier 2: annual check-in. Tier 3: reassess on trigger. Put the dates in the system, not in someone's Outlook calendar. When a reassessment is overdue, it should be visible to the risk owner and their management.
Expand from there. Once your top twenty are assessed and connected, extend to the next tier. Work outward from highest risk to lowest. You will never achieve 100% coverage on day one, and you do not need to. What you need is a clear picture of your critical dependencies, evidence that you are managing them, and a plan for expanding coverage over time.
Supplier risk management is not a project with an end date. It is a capability you build and maintain. The organisations that do it well are not the ones with the most elaborate frameworks — they are the ones where the framework is connected to real decisions and real evidence.
Start with your critical suppliers. Assess them properly. Connect them to your contracts and services. Build the evidence trail as you go. And when the auditor asks — and they will ask — you will have the answers ready. Not because you reconstructed them under pressure, but because they were captured as a natural part of how you manage your supplier relationships.
Three spreadsheets is not a risk management framework. It is a gap waiting to be found. Close it before someone else finds it for you.