The last two years of supply chain work have been an exercise in undoing decisions that seemed reasonable in 2018. Long tails with sole-source suppliers, razor-thin buffer stock, optimization for the average case instead of the tail. All of it looks different after 2024's cascading disruptions and the energy price spike that followed. Here's the 2026 playbook I've seen work across a handful of mid-sized operators. It isn't fancy.
The five principles
- Visibility before optimization. You can't make a chain resilient if you don't know what's in it. Step zero is always an honest inventory of tier-1, tier-2, and (critically) tier-3 suppliers with their real locations, not the address on the invoice.
- Buffer where it hurts most, not everywhere. Holding safety stock across every SKU is expensive and mostly useless. Hold it where the stock-out cost is much higher than the holding cost, typically 15 to 20 percent of SKUs by value.
- Dual-source with intent. Not two suppliers in the same port city. Geographically, politically, and where possible technologically different sources.
- Contract for the tail, not the mean. Your standard contract should cover the normal flow. A separate tier should cover the "when it goes wrong" case with pre-agreed terms, priced higher.
- Run the scenarios continuously. Not once a year. Turn "what if Supplier X goes down for 14 days" into a quarterly rehearsal run against a real playbook, with named people and a timer.
The companies that handled 2024 and 2025 well didn't predict the shocks. They had already decoupled from the parts of the world they couldn't control.
Tier mapping, more painful and more useful
The single most underrated exercise in 2026 is tier-3 mapping. Every operator I've worked with knows their tier-1 suppliers. Most know their tier-2. Almost nobody has a complete picture at tier-3, which is exactly where the 2024 disruptions tended to start.
A minimal tier map looks like this:
supplier: Acme Polymers Ltd
tier: 1
hq: Rotterdam, NL
plants:
  - location: Rotterdam, NL
    capacity_pct: 55
    risk_tags: [flood_zone, eu_ets]
  - location: Tangier, MA
    capacity_pct: 45
    risk_tags: [grid_fragility]
upstream:
  - tier: 2
    name: Nordic Resins AS
    dependency_pct: 70
    hq: Oslo, NO
    upstream:
      - tier: 3
        name: PetChem Urals OJSC
        dependency_pct: 40
        hq: (sanctioned region)
        risk: blocking
alternatives:
  - tier: 1
    name: Hanseatic Specialties GmbH
    hq: Hamburg, DE
    onboarding_time_weeks: 14
    price_delta_pct: +12
The interesting row is the tier-3 entry. You don't have a commercial relationship with that supplier. You may never have heard of them. But if a geopolitical event takes the plant offline, your tier-2 supplier loses 40 percent of its input, and six weeks later your tier-1 supplier's Rotterdam plant stops shipping. Multiply the dependencies through and that invisible supplier is 28 percent of Acme's input (40 percent of Nordic's 70 percent), and the only listed alternative takes 14 weeks to onboard, so there is an eight-week gap nothing in the map covers.
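The percentage chase above is the kind of thing you want a script to do, because the real tier maps have dozens of tier-2 rows and the dangerous tier-3 nodes tend to appear under more than one of them. The following is an added example, not code from the original post: it walks the tier map (the YAML above, mirrored as a Python dict, and extended with a second, hypothetical tier-2 supplier, Baltic Monomers UAB, that happens to share the same tier-3 source) and sums each upstream node's effective share across every path it is reached by. The multiply-down-the-chain exposure model and the constructed numbers are assumptions made here.

```python
"""Effective upstream exposure from a tier map.

Added example, not from the original post. TIER_MAP mirrors the YAML tier
map in the text and adds one hypothetical tier-2 supplier (Baltic Monomers
UAB) that shares the same tier-3 source, to show why exposure has to be
summed across paths. The exposure model (product of dependency_pct down
the chain) is an assumption.
"""
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample data.
TIER_MAP: Dict[str, Any] = {
    "supplier": "Acme Polymers Ltd",
    "tier": 1,
    "hq": "Rotterdam, NL",
    "plants": [
        {"location": "Rotterdam, NL", "capacity_pct": 55, "risk_tags": ["flood_zone", "eu_ets"]},
        {"location": "Tangier, MA", "capacity_pct": 45, "risk_tags": ["grid_fragility"]},
    ],
    "upstream": [
        {
            "tier": 2, "name": "Nordic Resins AS", "dependency_pct": 70, "hq": "Oslo, NO",
            "upstream": [
                {"tier": 3, "name": "PetChem Urals OJSC", "dependency_pct": 40,
                 "hq": "(sanctioned region)", "risk": "blocking"},
            ],
        },
        {   # hypothetical second tier-2 source, not in the post's map
            "tier": 2, "name": "Baltic Monomers UAB", "dependency_pct": 30, "hq": "Klaipeda, LT",
            "upstream": [
                {"tier": 3, "name": "PetChem Urals OJSC", "dependency_pct": 50,
                 "hq": "(sanctioned region)", "risk": "blocking"},
            ],
        },
    ],
    "alternatives": [
        {"tier": 1, "name": "Hanseatic Specialties GmbH", "hq": "Hamburg, DE",
         "onboarding_time_weeks": 14, "price_delta_pct": 12},
    ],
}


def walk(node: Dict[str, Any], share: float = 1.0,
         path: str = "") -> Iterator[Tuple[str, Dict[str, Any], float]]:
    """Yield (path, node, effective_share) for every upstream node.

    effective_share is the fraction of the tier-1 supplier's input that
    passes through this node: the product of dependency_pct / 100 along
    the path from the top of the map.
    """
    for child in node.get("upstream", []):
        child_share = share * child["dependency_pct"] / 100.0
        child_path = f"{path} -> {child['name']}" if path else child["name"]
        yield child_path, child, child_share
        yield from walk(child, child_share, child_path)


def aggregate_exposure(tier_map: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Sum effective share per upstream name across all paths, so a tier-3
    source reached through two different tier-2 suppliers is counted as
    the single point of failure it really is."""
    out: Dict[str, Dict[str, Any]] = {}
    for path, node, share in walk(tier_map):
        entry = out.setdefault(node["name"], {"tier": node["tier"], "share": 0.0,
                                              "risk": node.get("risk"), "paths": []})
        entry["share"] += share
        entry["paths"].append(path)
    return out


def blocking_exposures(tier_map: Dict[str, Any], min_share: float = 0.10) -> List[str]:
    """Upstream nodes tagged 'blocking' that carry at least min_share of the
    tier-1 supplier's input, largest share first."""
    agg = aggregate_exposure(tier_map)
    hits = [(name, e) for name, e in agg.items()
            if e["risk"] == "blocking" and e["share"] >= min_share]
    hits.sort(key=lambda kv: kv[1]["share"], reverse=True)
    return [name for name, _ in hits]


def weeks_of_cover_gap(tier_map: Dict[str, Any], propagation_weeks: int = 6) -> int:
    """Weeks between the upstream outage reaching the tier-1 plant and the
    fastest listed alternative coming online; positive means uncovered."""
    fastest = min(alt["onboarding_time_weeks"] for alt in tier_map["alternatives"])
    return fastest - propagation_weeks


if __name__ == "__main__":
    for name, e in aggregate_exposure(TIER_MAP).items():
        print(f"tier {e['tier']}  {e['share']:.0%}  {name}  via {'; '.join(e['paths'])}")
    print("blocking:", blocking_exposures(TIER_MAP))
    print("uncovered weeks:", weeks_of_cover_gap(TIER_MAP))
```

On the sample map this reports PetChem Urals at 43 percent of Acme's input (28 through Nordic plus 15 through Baltic), which is a different conversation from the 28 percent either tier-2 row shows on its own. The cover-gap figure uses the six-week propagation from the text and the 14-week onboarding time from the map.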
Risk scoring without theater
Most supplier risk scoring is theater: a five-point scale with vague labels that everyone agrees on in a meeting and nobody acts on. A better approach is to score the financial impact of a 30-day disruption, which forces the conversation to be concrete.
def supplier_risk_30d(supplier, demand_plan):
    # Estimate 30-day disruption cost in dollars, not stars.
    # Components:
    #   1. Lost revenue from stockouts on dependent SKUs
    #   2. Expedite costs to bring alternative supply online
    #   3. Contract penalty exposure (downstream)
    #   4. Recovery effort (engineering + procurement hours)
    # demand_plan.skus_for(), estimate_expedite_cost(),
    # estimate_downstream_penalties() and hourly_rate() are the caller's
    # own planning helpers; they are not defined here.
    skus = demand_plan.skus_for(supplier)
    # Only SKUs with no qualified second source inside 14 days stock out;
    # the lost margin is scaled by the service level you committed to.
    lost_revenue = sum(
        sku.daily_margin * 30 * sku.service_level_target
        for sku in skus if sku.no_alt_within_14d
    )
    expedite = estimate_expedite_cost(supplier, alt_leadtime_days=21)
    penalties = estimate_downstream_penalties(skus, disruption_days=30)
    recovery = 40 * hourly_rate()  # flat 40 hours of engineering + procurement time
    return lost_revenue + expedite + penalties + recovery
Run that over your top 50 suppliers and sort. For the ones whose 30-day number reaches seven figures, dual-sourcing isn't optional; the only discussion is which second source, not whether.
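To make the scoring function above run end to end, here is an added example (not the post's code) with concrete data structures behind it. The SKU and Supplier dataclasses, the expedite and penalty models, the blended hourly rate and the three sample suppliers are all assumptions made here; demand_plan is folded into Supplier.skus so that the helper functions keep the same call shapes as in the text. The four cost components are the post's.

```python
"""Runnable 30-day disruption scoring over a list of suppliers.

Added example, not from the original post. Data structures, cost models
and sample numbers are assumptions; the four components and the flat
40-hour recovery figure follow the post's supplier_risk_30d.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SKU:
    name: str
    daily_margin: float          # margin at normal demand, USD per day
    service_level_target: float  # share of demand you committed to serve, e.g. 0.95
    no_alt_within_14d: bool      # True if no qualified second source inside 14 days
    daily_units: float           # units consumed per day
    penalty_per_day_late: float  # downstream contract penalty, USD per day late


@dataclass
class Supplier:
    name: str
    skus: List[SKU]
    expedite_premium_per_unit: float  # spot / air-freight premium over contract, USD


BLENDED_HOURLY_RATE = 120.0  # engineering + procurement, assumed figure


def hourly_rate() -> float:
    return BLENDED_HOURLY_RATE


def estimate_expedite_cost(supplier: Supplier, alt_leadtime_days: int = 21) -> float:
    """Premium paid on every unit consumed while the alternate source ramps.
    Assumed model: flat per-unit premium across the ramp window."""
    return sum(sku.daily_units * alt_leadtime_days * supplier.expedite_premium_per_unit
               for sku in supplier.skus)


def estimate_downstream_penalties(skus: List[SKU], disruption_days: int = 30) -> float:
    """Penalties only on SKUs that actually stock out (no alternate inside
    14 days), accruing for the days beyond that window. Assumed model."""
    late_days = max(disruption_days - 14, 0)
    return sum(sku.penalty_per_day_late * late_days for sku in skus if sku.no_alt_within_14d)


def supplier_risk_30d(supplier: Supplier) -> float:
    """The post's four components, in dollars."""
    skus = supplier.skus
    lost_revenue = sum(
        sku.daily_margin * 30 * sku.service_level_target
        for sku in skus if sku.no_alt_within_14d
    )
    expedite = estimate_expedite_cost(supplier, alt_leadtime_days=21)
    penalties = estimate_downstream_penalties(skus, disruption_days=30)
    recovery = 40 * hourly_rate()
    return lost_revenue + expedite + penalties + recovery


def rank_suppliers(suppliers: List[Supplier],
                   dual_source_threshold: float = 1_000_000) -> List[Tuple[str, float, bool]]:
    """(name, 30-day cost, dual-sourcing mandatory), worst first."""
    scored = [(s.name, supplier_risk_30d(s)) for s in suppliers]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [(name, cost, cost >= dual_source_threshold) for name, cost in scored]


# Constructed sample data: three suppliers with made-up but plausible numbers.
SAMPLE_SUPPLIERS = [
    Supplier("Acme Polymers Ltd", [
        SKU("PP-GRADE-7", daily_margin=20_000, service_level_target=0.95,
            no_alt_within_14d=True, daily_units=5_000, penalty_per_day_late=10_000),
        SKU("PP-GRADE-2", daily_margin=5_000, service_level_target=0.90,
            no_alt_within_14d=False, daily_units=2_000, penalty_per_day_late=1_000),
    ], expedite_premium_per_unit=2.0),
    Supplier("Commodity Fasteners BV", [
        SKU("M6-BOLT", daily_margin=3_000, service_level_target=0.90,
            no_alt_within_14d=False, daily_units=10_000, penalty_per_day_late=500),
    ], expedite_premium_per_unit=0.1),
    Supplier("Single-Source Sensor Co", [
        SKU("LIDAR-MOD", daily_margin=12_000, service_level_target=0.98,
            no_alt_within_14d=True, daily_units=300, penalty_per_day_late=5_000),
    ], expedite_premium_per_unit=40.0),
]


if __name__ == "__main__":
    for name, cost, mandatory in rank_suppliers(SAMPLE_SUPPLIERS):
        flag = "DUAL-SOURCE" if mandatory else "monitor"
        print(f"{cost:>12,.0f}  {flag:<12}  {name}")
```

With these numbers the polymer supplier lands just over a million dollars for a 30-day outage and the fastener supplier at a few tens of thousands, which is the whole point: the cheap commodity with ten alternates and the expensive single-source part sit at opposite ends of the list, and no five-point scale would have separated them that clearly.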
What to stop doing
- Annual-only supplier audits. The world moves faster than your audit cycle. You need passive monitoring between audits.
- Treating lead-time as a single number. Every supplier has a p50, a p95, and a p99. If you only plan with p50, you're planning to be surprised.
- Measuring resilience by certifications. ISO 28000 is fine, but the only test that matters is the rehearsal.
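The lead-time point deserves numbers. The following is an added example, not from the post: it takes a constructed series of observed lead times for one supplier (steady at 14 to 16 days, with four late deliveries), computes p50, p95 and p99 by the nearest-rank method, and shows how the reorder point and the safety buffer move when you plan for the tail instead of the median. The percentile method, the reorder-point formula and the sample data are assumptions made here.

```python
"""Lead time as a distribution, not a number.

Added example, not from the original post. LEAD_TIMES_DAYS is constructed;
the nearest-rank percentile and reorder point = daily demand x lead time
are standard textbook choices assumed here.
"""
import math
from typing import Dict, Sequence

# Constructed: 40 observed lead times (days) for one supplier. 36 deliveries
# landed at 14-16 days; four did not.
LEAD_TIMES_DAYS = [14, 15, 14, 16, 15, 14, 15, 16, 14, 15,
                   15, 14, 16, 15, 14, 15, 14, 16, 15, 14,
                   15, 16, 14, 15, 14, 15, 16, 15, 14, 15,
                   15, 14, 16, 15, 14, 15, 28, 31, 45, 60]


def percentile(samples: Sequence[float], p: float) -> float:
    """Nearest-rank percentile: the smallest observed value such that at
    least p percent of samples are <= it. No interpolation, so the result
    is always a lead time that actually happened."""
    if not 0 < p <= 100:
        raise ValueError("p must be in (0, 100]")
    ordered = sorted(samples)
    rank = math.ceil(p * len(ordered) / 100)  # 1-based rank
    return ordered[rank - 1]


def lead_time_profile(samples: Sequence[float]) -> Dict[str, float]:
    """The three numbers the post says every supplier has."""
    return {f"p{p}": percentile(samples, p) for p in (50, 95, 99)}


def reorder_point(daily_demand: float, lead_time_days: float, safety_stock: float = 0) -> float:
    """Stock level at which you must reorder to not run dry before delivery."""
    return daily_demand * lead_time_days + safety_stock


def late_fraction(samples: Sequence[float], planned_lead_time: float) -> float:
    """Share of past deliveries that would have arrived after the plan assumed,
    i.e. how often you would have been surprised with that plan."""
    return sum(1 for s in samples if s > planned_lead_time) / len(samples)


def tail_buffer_units(daily_demand: float, samples: Sequence[float], p: float) -> float:
    """Extra units needed to cover the p-th percentile lead time on top of a
    plan built on the median: the 'buffer for the tail' in units."""
    return daily_demand * (percentile(samples, p) - percentile(samples, 50))


if __name__ == "__main__":
    demand = 200  # units per day, constructed
    profile = lead_time_profile(LEAD_TIMES_DAYS)
    print("profile:", profile)
    for key, days in profile.items():
        print(f"plan on {key} ({days}d): reorder at {reorder_point(demand, days):,.0f} units, "
              f"late {late_fraction(LEAD_TIMES_DAYS, days):.0%} of the time")
    print("buffer to cover p95 beyond the median plan:",
          tail_buffer_units(demand, LEAD_TIMES_DAYS, 95), "units")
```

On this series the median is 15 days but p95 is 31 and p99 is 60, so a plan built on p50 would have been late on more than a quarter of past deliveries. Whether the 3,200-unit p95 buffer is worth holding is exactly the stock-out-cost versus holding-cost question from the second principle, and it is a question you can only ask once you have the percentiles.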
Closing note
Resilience isn't a project you finish. It's a quarterly discipline. The 2024-2025 cycle made a lot of executives serious about it. The question in 2026 is whether that seriousness survives the next two good quarters. My bet is that the operators who keep rehearsing will look back in 2028 and be glad they did.