Mapping your supply chain: Where to start when you don't know what you don't know (blog 2 of 4)

Supply chain resilience series - blog 2 of 4.

The foundation of supply chain resilience is visibility. You cannot manage what you cannot see. And for most organisations - including many large, sophisticated ones - the actual structure of their supply chain, mapped to Tier 2 and Tier 3 suppliers, is genuinely unknown.

This post explains how to build that map - practically, without specialist software - and what to do with it once you have it.

Why most organisations don't have a complete supply chain map

The answer is usually a combination of complexity and inertia. Managing Tier 1 suppliers (your direct suppliers) is operationally demanding enough. Mapping who supplies your suppliers - and who supplies them - requires time, cross-functional coordination, and a willingness to sit with uncertainty. Most organisations simply haven't prioritised it.

The irony is that Tier 2 and Tier 3 dependencies are often where the most significant risks lie. A sole-source supplier of a critical raw material, located in a politically unstable region, supplying one of your Tier 1 manufacturers, may be entirely invisible to you - until it isn't.

How to build your supply chain map

You don't need specialist software to start. A large whiteboard, sticky notes, or a shared digital drawing tool like Miro are sufficient for most organisations to build an initial map. The process is straightforward, though the conversations it requires are not always easy.

Start with your Tier 1 suppliers - the organisations you buy directly from. Map them clearly, noting what you buy from each, your lead time, and whether they are a sole source or one of multiple options.

Then work backward: who supplies your Tier 1 suppliers? These are your Tier 2 suppliers. If possible, continue to Tier 3. Note that in manual processes, Tier 3 mapping can become complex - don't let perfect be the enemy of good. A complete Tier 1 and 2 map is significantly better than no map at all.

Repeat the process forward through your customer base: your Tier 1 customers and, where relevant, their customers.

Include transportation suppliers and external warehouses - these are nodes in your supply chain just as suppliers are, and disruption at a logistics provider or warehouse can be just as damaging as disruption at a manufacturer.

What to record for each node

For each supplier, logistics provider, and warehouse in your map, collect the following:

• Geographic location - not just the company's headquarters, but the specific facility you depend on
• Key contact information - who you call in a crisis, not just the account manager
• Lead time - time from order placement to delivery
• Single-source status - is this your only option for this input?
• Vulnerability rating - a simple red/amber/green assessment based on factors like political instability in the region, weather risk, financial health of the supplier, and regulatory exposure

This last point - vulnerability rating - is where the map becomes a risk management tool rather than just a directory. You are not trying to produce a sophisticated quantitative model at this stage. You are trying to develop a shared organisational view of where the risk concentrations in your supply chain actually are.

What the map reveals

The most common findings when organisations undertake supply chain mapping for the first time include:

• Unexpected single-source dependencies - inputs that appear to have multiple suppliers but where, on examination, there is actually only one viable source
• Geographic concentration - multiple nominally different suppliers located in the same region, creating correlated risk to a single event
• Invisible critical nodes - logistics providers or sub-tier suppliers whose failure would cascade across multiple product lines
• Gaps in contact information - no established communication protocol with suppliers beyond the account management relationship.

The map is not the goal. The map is what makes the goal - a resilient supply chain - possible to pursue.

From map to action

Once your map is built and your nodes rated, you have the raw material for the next stage of resilience work: Structured risk identification and stress-testing. These are the subjects of the next two posts in this series.

But even before those steps, the mapping process itself has value. It creates organisational awareness. It surfaces conversations that haven't been happening. It identifies the questions you should have been asking. For many organisations, that is where the resilience work really begins.

A note on the automated path

For large organisations with complex global supply chains and ERP infrastructure already in place, dedicated supply chain mapping software and Geographic Information Systems (GIS) provide significantly enhanced capability: Real-time risk overlays, automated Tier 2 and 3 supplier identification, and time-to-recovery modelling at scale. The manual process described here follows the same logic - it just uses different tools.

Whatever path your organisation takes, the imperative is the same: You need to see your supply chain clearly before you can protect it.

Next in the series: Risk identification frameworks - how to move from a supply chain map to a prioritised risk picture. Download the full NIRAS whitepaper below.