5.2 Risk Identification & Assessment
Key Takeaways
- Supply chain risk is the probability and impact of an event that disrupts the flow of products, services, information, or funds; CSCP groups risks into supply, demand, operational/process, environmental (including natural hazards), geopolitical/financial, and cyber/information categories.
- Risk identification techniques include supply chain mapping, brainstorming and expert input, historical incident and loss data, checklists, and scenario analysis to surface threats before they materialize.
- Risk assessment scores each risk by probability (likelihood) and impact (severity), often multiplied into a risk priority so the organization can rank and focus on the most significant exposures.
- A risk register documents each identified risk with its category, cause, probability, impact, owner, current controls, and planned response, creating a living record for monitoring.
- Supply chain mapping beyond Tier 1 suppliers reveals hidden concentration, single points of failure, and sub-tier dependencies that aggregate risk reports often miss.
Risk Identification & Assessment
Quick Answer: Supply chain risk is the likelihood and consequence of an event disrupting the flow of products, services, information, or funds. The Certified Supply Chain Professional (CSCP) exam expects you to categorize risks (supply, demand, operational, environmental, geopolitical/financial, and cyber/information), identify them using techniques such as supply chain mapping and scenario analysis, assess each by probability and impact, and document them in a risk register that drives ongoing monitoring.
The Supply Chain Risk module is roughly 10% of the CSCP exam. Section 5.2 covers the first half of the risk cycle: finding and evaluating risk. Section 5.3 covers responding to it.
What Counts as Supply Chain Risk
A supply chain risk is the probability of an event and the magnitude of its consequences on the flow of products, services, information, or funds through the supply chain. Two ideas matter for the exam:
- Risk has both a likelihood and an impact dimension — a rare event with catastrophic impact can outrank a frequent minor one.
- Risk includes upside uncertainty in some frameworks, but CSCP questions focus mainly on managing the downside (disruption) while keeping the supply chain efficient.
Risk Categories
Classifying risk makes it identifiable and assignable. The CSCP body of knowledge groups supply chain risk into broad categories.
| Category | Description | Examples |
|---|---|---|
| Supply (upstream) | Disruption in inbound material, components, or services | Supplier failure, single-source dependence, quality escape, capacity shortfall |
| Demand (downstream) | Volatility or loss on the customer side | Forecast error, demand collapse, customer concentration, bullwhip distortion |
| Operational / process | Internal execution and process failures | Equipment breakdown, labor disruption, IT outage, quality system failure |
| Environmental / hazard | External natural or physical events | Earthquakes, floods, severe weather, pandemics, fire |
| Geopolitical / financial | Macro and country-level exposure | Tariffs, sanctions, trade policy shifts, currency swings, supplier insolvency |
| Cyber / information | Threats to data, systems, and connectivity | Ransomware, data breach, system intrusion, loss of supply chain visibility |
Exam questions frequently describe a scenario (e.g., a tariff change, a flood at a sole-source plant, a ransomware attack on an order system) and ask you to classify the risk or choose a category-appropriate response.
Risk Identification Techniques
You cannot manage a risk you have not identified. CSCP recognizes several complementary techniques.
- Supply chain mapping — diagramming the flow of materials, information, and funds across tiers to expose dependencies and single points of failure.
- Brainstorming and expert input — structured workshops with cross-functional and partner participation to surface threats that participants' experience suggests are plausible.
- Historical and loss data — analyzing past incidents, near-misses, and claims to find recurring exposures.
- Checklists and standards — using established risk taxonomies and audit checklists so common categories are not missed.
- Scenario and what-if analysis — postulating disruptions ("what if our Tier-2 chip supplier shuts down for 8 weeks?") and tracing consequences.
- Process analysis (e.g., FMEA-style) — Failure Mode and Effects Analysis examines each process step for the ways it can fail, the effect of each failure, and its likelihood and detectability.
The most exam-relevant technique is supply chain mapping, because aggregate spend or supplier reports often hide that many Tier-1 suppliers depend on the same sub-tier source — a concentration that only mapping reveals.
A company sources a part from three different Tier-1 suppliers and believes its supply is diversified. A supply chain mapping exercise finds all three Tier-1 suppliers buy the critical raw material from the same Tier-2 mine. What risk has been uncovered?
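The mapping exercise described above can be run over a multi-tier supplier graph. This is an added illustration, not part of the CSCP material; the supply map, supplier and mine names are constructed, and the walk goes to any depth, so a shared source several tiers down is surfaced just as a shared Tier-2 source is.

```python
from collections import deque

# Constructed multi-tier supply map for one part (hypothetical names, not a real
# company): each node lists the sub-tier sources it buys from. Supplier-C looks
# independent at Tier 1 but reaches the same mine through a trader.
SUPPLY_MAP = {
    "Part-X": ["Supplier-A", "Supplier-B", "Supplier-C"],
    "Supplier-A": ["Mine-1"],
    "Supplier-B": ["Mine-1"],
    "Supplier-C": ["Trader"],
    "Trader": ["Mine-1", "Mine-2"],
    "Mine-1": [],
    "Mine-2": [],
}


def upstream_sources(node, supply_map):
    """Return every sub-tier node reachable upstream of `node` (breadth-first)."""
    seen, queue = set(), deque(supply_map.get(node, []))
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(supply_map.get(current, []))
    return seen


def concentration_report(part, supply_map):
    """Count, per sub-tier node, how many of the part's Tier-1 suppliers depend
    on it. A node shared by all Tier-1 suppliers is a single point of failure
    that a spend report organized by Tier-1 supplier cannot show."""
    tier1 = supply_map[part]
    exposure = {}
    for supplier in tier1:
        for node in upstream_sources(supplier, supply_map):
            exposure[node] = exposure.get(node, 0) + 1
    return {
        "tier1_count": len(tier1),
        "shared_by_all": sorted(n for n, c in exposure.items() if c == len(tier1)),
        "exposure": exposure,
    }


if __name__ == "__main__":
    report = concentration_report("Part-X", SUPPLY_MAP)
    for node, count in sorted(report["exposure"].items()):
        print(f"{node}: feeds {count} of {report['tier1_count']} Tier-1 suppliers")
    print("Single points of failure:", report["shared_by_all"])
```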
Risk Assessment: Probability and Impact
Once identified, risks are assessed so the organization can prioritize. The standard CSCP approach evaluates two dimensions:
- Probability (likelihood) — how likely the event is over a defined horizon.
- Impact (severity / consequence) — financial loss, service disruption, lead-time damage, reputational harm if it occurs.
A simple, widely tested model is Risk Priority = Probability x Impact, often visualized on a risk matrix.
| Impact \ Probability | Low | Medium | High |
|---|---|---|---|
| High impact | Monitor / plan | Mitigate | Mitigate urgently |
| Medium impact | Accept / monitor | Monitor / mitigate | Mitigate |
| Low impact | Accept | Accept / monitor | Monitor |
Some organizations add detectability or velocity (how fast the risk hits and how much warning you get) to refine prioritization. The key exam idea: rare high-impact events can outrank frequent low-impact ones, so impact is weighted, not ignored.
The Risk Register
The risk register is the central document that turns assessment into a managed process. It is a living record, reviewed regularly, not a one-time report.
A typical risk register entry includes:
| Field | Purpose |
|---|---|
| Risk ID & description | Uniquely names the risk |
| Category | Supply, demand, operational, environmental, geopolitical, cyber |
| Cause / trigger | What event would set it off |
| Probability | Assessed likelihood rating or score |
| Impact | Assessed severity rating or score |
| Risk priority | Probability x impact (or matrix zone) |
| Owner | Person accountable for the response |
| Current controls | Existing safeguards already in place |
| Planned response | Mitigation/contingency action (see 5.3) |
| Status / review date | Tracking and next reassessment |
The register links Section 5.2 (identify and assess) to Section 5.3 (mitigate and monitor): every register entry should have an owner and a response, and should be revisited as conditions change.
Two risks are assessed. Risk A: high probability, low impact. Risk B: low probability, very high impact (could halt production for months). How should a CSCP-aligned risk assessment treat these?
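The scoring and matrix above applied to a small register, including the two risks in this scenario. This is an added example, not the CSCP body of knowledge's own tool; the register entries are constructed, Low/Medium/High are assumed to score 1/2/3, Risk B's "very high" impact is placed in the matrix's High row, and the ordering of matrix zones used to break ties in the product is an assumption.

```python
# Assumed ordinal scores for the 3x3 matrix on this page.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Matrix zones copied from the page's table: MATRIX[impact][probability].
MATRIX = {
    "High":   {"Low": "Monitor / plan",   "Medium": "Mitigate",           "High": "Mitigate urgently"},
    "Medium": {"Low": "Accept / monitor", "Medium": "Monitor / mitigate", "High": "Mitigate"},
    "Low":    {"Low": "Accept",           "Medium": "Accept / monitor",   "High": "Monitor"},
}

# Assumed urgency order of the zones, least to most urgent. It breaks ties in the
# P x I product so that impact is weighted rather than ignored, as the text requires.
ZONE_RANK = ["Accept", "Accept / monitor", "Monitor", "Monitor / plan",
             "Monitor / mitigate", "Mitigate", "Mitigate urgently"]


def assess(entry):
    """Fill in the register's computed fields: priority score and matrix zone."""
    p, i = entry["probability"], entry["impact"]
    return {**entry, "priority": LEVELS[p] * LEVELS[i], "zone": MATRIX[i][p]}


def ranked_register(entries):
    """Assess every entry and rank: highest P x I first, matrix zone breaks ties."""
    assessed = [assess(e) for e in entries]
    assessed.sort(key=lambda e: (e["priority"], ZONE_RANK.index(e["zone"])), reverse=True)
    return assessed


# Constructed register entries (hypothetical). R-A and R-B are the two risks from
# the scenario: frequent but minor versus rare but production-halting.
REGISTER = [
    {"id": "R-A", "category": "Operational", "cause": "Recurring line stoppages",
     "probability": "High", "impact": "Low", "owner": "Plant manager"},
    {"id": "R-B", "category": "Supply", "cause": "Flood at sole-source plant",
     "probability": "Low", "impact": "High", "owner": "Procurement lead"},
    {"id": "R-C", "category": "Cyber", "cause": "Ransomware on order system",
     "probability": "Medium", "impact": "High", "owner": "CISO"},
]

if __name__ == "__main__":
    for e in ranked_register(REGISTER):
        print(f"{e['id']} {e['category']:<12} P={e['probability']:<6} "
              f"I={e['impact']:<6} score={e['priority']} zone={e['zone']}")
```

With 1-3 scores, R-A and R-B both score 3, so the product alone cannot separate them; the matrix zone does, placing R-B ("Monitor / plan") above R-A ("Monitor").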