Supplier Risk in Procurement

Supply chain disruptions can cost companies millions, making supplier risk management a critical priority for procurement teams. This article examines three key strategies for balancing risk and efficiency in supplier relationships, drawing on insights from industry experts. Learn how leading organizations approach geographic distribution, pricing trade-offs, and supplier concentration to build resilient procurement operations.

Mandate Uptime and Regional Split

I balance these three factors by treating reliability and geographic diversification as non-negotiable minimums, then optimizing for price within those constraints. To create reliability as a requirement for our suppliers, I require all our vendors to have an on-time delivery rate of 98% or higher (ISO certification is also required). I have achieved a geographic separation by dividing the contract among China, Taiwan and Germany, although having only one vendor would provide a cost savings of 7-9%. Only after these two requirements have been met do I begin negotiating on price.

When our primary plant in Taiwan went on a six-week, unannounced lockdown due to the COVID-19 pandemic in early 2020, our German supplier increased its capacity by 40% over a ten-day span at premium pricing. Due to this action, we were able to maintain our inventory levels at our US distribution center as well as save around $2 million in potential lost sales. Although it may be simple arithmetic, most business owners don't realize the value that exists here. As stated above, we paid 8% more per item than if we had used just one supplier, and the payoff was that we were still able to continue shipping our products to our customers on time, instead of being forced to explain to our customers why there would be delayed shipments for a few months.

George Forrester, General Manager of Operations, Desky

Pay More to Diversify Supply

The tradeoff we made at GpuPerHour that proved its worth was deliberately splitting our GPU supply across three data center partners instead of going all-in with the one that offered the lowest per-unit price. The cheapest provider was about 18 percent less expensive per GPU-hour than our second option. On a spreadsheet, consolidating with them looked like the obvious call. We chose to pay more and diversify anyway.

Our reasoning was simple. We are a rental marketplace, and if our supply goes offline, our customers cannot run their training jobs. A four-hour outage for us does not just mean lost revenue. It means a machine learning team misses a deadline, loses a day of iteration, and starts evaluating competitors. Downtime has a compounding cost that never shows up in a unit price comparison.

We structured the split roughly 50-30-20 across the three partners, weighted by their uptime track records over the previous 12 months rather than by price. The cheapest provider got the smallest allocation because they had the most unplanned maintenance windows, even though each individual outage was short.

The decision paid off during a network-level disruption that hit our primary partner for almost nine hours last October. We were able to reroute about 70 percent of active workloads to the other two partners within 40 minutes using automated failover scripts we had built specifically because we had the multi-provider setup. Customers experienced a brief queue delay, not a full outage. Two of our competitors who were single-sourced with the same provider went completely dark for the duration.

The lesson we took away is that concentration risk is invisible until the disruption hits, and then it is the only thing that matters. We now evaluate every major supplier relationship on three criteria in this order: uptime reliability first, capacity flexibility second, and unit price third. Price matters, but it is the third variable, not the first. The premium we pay for diversification is effectively an insurance policy, and it has already paid for itself multiple times over.

Concentrate to Gain Leverage

I'm Runbo Li, Co-founder & CEO at Magic Hour.

The conventional wisdom is to diversify your suppliers so you're never dependent on one. That sounds smart in a boardroom, but in practice, spreading yourself thin across multiple vendors often means you're nobody's priority when things break. I'd rather go deep with fewer partners and earn the kind of relationship where you get the phone call before the outage hits everyone else.

At Magic Hour, we run millions of AI video generations on GPU infrastructure. Early on, we had to decide whether to spread our compute across a handful of cloud providers or concentrate with one primary partner. We chose concentration. We went deep with one provider, committed meaningful volume, and built a direct relationship with their team. The tradeoff was obvious: if they went down, we went down.

Then it happened. There was a capacity crunch that hit a wave of AI companies all at once. Teams that had spread thin across providers were stuck in generic support queues, fighting for scraps of available compute. Because we'd concentrated our spend and built a real relationship, we got direct access to their engineering team within hours. They prioritized our workloads. We stayed online while others scrambled for days.

The lesson I took from that is simple. Concentration risk is real, but so is "dilution risk," the risk that you're so spread out that no single partner cares enough to save you when it matters. The best hedge isn't always a second vendor. Sometimes it's being important enough to your first one.

When I evaluate any supplier relationship, I think about three things: Can I talk to a human when something breaks? Do they have a financial incentive to keep me happy? And would switching actually be faster than fixing, or is it just a fantasy? Most backup plans look great on a spreadsheet and fall apart in a crisis.

Price matters, but the cheapest option is never cheap when it fails at 2 AM and nobody picks up the phone. Reliability matters, but no system is 100% reliable, so what really matters is recovery speed. And recovery speed comes from relationships, not redundancy.

Don't diversify for comfort. Concentrate for leverage.

Use Contracts to Transfer Exposure

Contracts can shift the cost of failure away from the buyer. Use clear service levels tied to refunds, credits, or damages for misses. Require insurance that fits the exposure and verify certificates and endorsements before any spend.

Add indemnity promises, step‑in rights, and escrow for critical code where needed. Match limits and remedies to deal value and the harm that could occur. Engage legal and update the standard terms before the next award.

Monitor Financial Health Early

Supplier stability starts with steady financial checks. Build a score that blends credit ratings, payment behavior, liquidity ratios, and news signals. Use automated feeds and clear thresholds to flag downgrades or late pay patterns before they become crises.

Pair alerts with playbooks that define steps like placing smaller orders, adding a backup source, or holding extra stock. Review the model often so it reflects market shifts and sector risks. Set up the dashboards and alert rules today.

Harden Vendor Security Controls

Third-party cyber risk can open the door to data loss. Set minimum security rules that match the data shared and the work done. Verify controls through simple questionnaires, evidence reviews, and targeted tests.

Write contracts that require breach notice, right to audit, and quick fixes. Watch for changes with continuous attack surface checks and renew reviews on a set cycle. Start by defining the control baseline and scheduling the first audits now.

Map Subtiers and Spot Choke Points

Problems often start below the first tier of suppliers. Map the chain to key sub‑tiers using bills of materials and shipment records. Link each part to a site and a region so location risks can be seen on one screen.

Highlight choke points where many parts depend on one small firm or one town. Work with tier one partners to gain consent and protect shared data during mapping. Launch a pilot map for a high risk product line this quarter.

Stress Test Plans Against Shocks

Plans work best when tested against bad days. Build a set of realistic shocks like port closures, cyber attacks, or a sudden loss of a plant. Model how each shock would change lead time, cost, and fill rate.

Use the results to size safety stock, sign backup contracts, and pre‑plan routes. Run tabletop drills to check who decides what and how fast. Schedule the first scenario workshop and capture actions by the end of the month.


Copyright © 2026 Featured. All rights reserved.
Supplier Risk in Procurement - Economist Zone