Risk Management and Business Continuity: How to Turn Supply Chain Uncertainty into a Competitive Advantage

Only 551 out of 1,000 companies have a business continuity plan: learn how to structure risk management in the supply chain using practical methods and tools

Edited by the Bonfiglioli Consulting Editorial Team. Each publication is based on industry studies, field research, and analysis of global trends, combined with the knowledge and expertise gained through transformation projects, with the aim of promoting corporate culture.

Published on 04/23/2026

Summary

How to build a structured Risk Management and Business Continuity system for the supply chain: from mapping strategic, operational, financial, and external risks, to analyzing the supply base using the Kraljic matrix, to defining effective contingency plans and applying Pro-FMEA. A practical guide for B2B companies seeking to reduce operational disruptions, enhance reliability for customers and stakeholders, and compete effectively even in scenarios of crisis and geopolitical volatility.


Risk Management is the structured process by which an organization identifies, assesses, and responds to risks that threaten business continuity. Today, it is no longer the exclusive domain of specialists: it is a managerial tool that determines a company’s ability to compete even under adverse conditions.

In recent years, companies have learned—often the hard way—that business continuity can no longer be taken for granted. Shortages of critical materials, supplier unavailability, supply chain disruptions, cyberattacks, market volatility, geopolitical tensions, and skills shortages: what was once considered an exceptional event is now part of the daily competitive landscape.

The data confirms this. According to our biennial Benchmarking Study | What’s Next in Operations? — conducted on over 100 companies across 22 industrial sectors, with a sample comprising 85% C-level executives and 83% companies with over 100 employees, predominantly B2B (87%) — only 55% of companies have implemented Business Continuity systems. The average Supply Chain Maturity Level stands at 67%, indicating widespread fragility in terms of responsiveness and digitalization, with heavy reliance on manual processes and difficulties in managing fluctuations in demand and supply issues.

[Figure: a scatter plot shows five supply chain categories by score and digitalization maturity, highlighting Business Continuity. Each category is marked with a colored triangle, described in the legend on the right. Labels and axes are in Italian.]

The real question, then, is not whether a disruption will occur, but how prepared the company is to prevent, manage, and overcome it.

Why shift from emergency management to a culture of prevention?

One of the most common mistakes in organizations is treating risk as a secondary variable, to be covered by a generic "contingency" fund or addressed only when it arises. It is a convenient but dangerous approach. An unspecified financial reserve does not replace a prevention system and, above all, does not build organizational capacity.

Managing risk effectively means making a cultural shift: recognizing that business continuity is not simply about reacting to an incident, but about the ability to prepare in advance what is needed to continue operating even under adverse conditions.

A reactive approach leads to decisions made under pressure, unexpected costs, eroded margins, delays, penalties, and reputational damage. A preventive approach, on the other hand, allows for assessing threats in advance, developing coherent countermeasures, reducing the likelihood of an event occurring, and limiting its impact should it happen. In other words: it’s not just about defending against risk. It’s about managing it.

Why is procurement now at the heart of business resilience?

While business continuity is a cross-functional responsibility, it is in procurement that many critical issues become decisive. Purchasing is no longer a purely transactional function: it is a strategic lever that directly impacts the company’s ability to ensure service, quality, flexibility, and economic sustainability.

Contemporary supply chains are more extensive, more interconnected, and more vulnerable. The outsourcing of non-core activities, pressure on lead times, increasing customization, logistical complexity, dependence on distant markets, and the financial fragility of some suppliers have vastly expanded the scope of supply risk.

Added to this are external factors that are difficult to control: price volatility, currency fluctuations, regulatory changes, environmental events, geopolitical tensions, and cyber risk. All of this demands a fundamental reevaluation of how the supplier base is designed, assessed, and managed. It is no longer enough to simply seek the best price: it is necessary to understand which supplies are truly critical, where vulnerabilities lie, and where to balance efficiency and robustness.

Supply chain resilience is now a matter of organizational and strategic design.

What are the four risk categories that need to be managed?

A common mistake is to view supply risk management as a problem limited to material availability. In reality, the risks impacting business continuity are numerous and interdependent:

  • Strategic risks: related to costs, quality, service level, sustainability, and the configuration of the procurement portfolio. The risk is not just "missing a component," but making decisions that weaken competitiveness in the medium term.
  • Operational risks: processes, product development, data security, human capital, compliance, and operational reliability. These manifest in day-to-day operations: late deliveries, non-compliance, information inefficiencies, and excessively long response times.
  • Financial risks: supplier solvency, supply chain liquidity, and partners’ ability to sustain continuity and investments.
  • External risks: understood through a PESTEL lens—political, economic, social, technological, environmental, and legal factors that can suddenly alter the procurement landscape.

The managerial challenge lies in ceasing to view risk as an isolated event and beginning to view it as a system.

How to build a Business Continuity System in procurement?

To make risk management truly useful for Operations, a method is needed. An effective approach goes beyond simply taking a snapshot of risk; it guides the organization through a structured five-step process:

  1. Risk Assessment — Potential critical events are identified, data is collected, vulnerabilities are analyzed, and the organization’s actual exposure is understood. Without this phase, risk remains a subjective perception.
  2. Strategic Analysis of the Supply Base — We move from abstract risk to a concrete assessment of the procurement portfolio: product categories, dependencies, critical issues, volume concentration, geographic location, partner reliability, and level of substitutability.
  3. Definition of Risk Contingency Plans — We select the actions to be taken, with defined priorities, owners, timelines, and activation thresholds.
  4. Execution — A contingency plan is only as good as its ability to be executed. It requires defined teams, clear procedures, training, and operational discipline.
  5. Continuous Improvement — Every event, every deviation, every warning sign becomes a learning opportunity. Resilience is not a condition achieved once and for all: it is a skill that is honed over time.

🎬 Want to see these 5 steps applied in practice?
Watch Bonfiglioli Consulting’s Digital Talk on Demand: Business Continuity System for an Antifragile Supply Chain.

How do you assess risk in the supply chain in a structured way?

One of the most important contributions of risk management is the introduction of prioritization criteria. Not all risks deserve the same level of attention or the same level of investment.

A qualitative assessment matrix allows you to cross-reference two fundamental dimensions: probability of occurrence and severity of impact. It is an essential step that enables the organization to distinguish between risks that can be monitored through routine management, risks that require periodic attention, and risks that demand proactive plans and frequent interventions.
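The probability-by-severity matrix described above, as an added example that is not part of the original article: a small risk register is scored on two qualitative scales and each risk is mapped to one of the three handling regimes the text names (routine monitoring, periodic attention, proactive plans with frequent intervention). The 1–5 scales, the tier thresholds and the sample risks are constructed assumptions chosen for illustration, not values from the study.

```python
"""Qualitative supply risk matrix: probability x severity -> priority tier.

Added example, not from the original article. The 1-5 scales, the tier
thresholds and the sample register are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Qualitative scales (assumed); the matrix cell is the product of the two scores.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}


@dataclass(frozen=True)
class SupplyRisk:
    name: str
    category: str          # strategic / operational / financial / external
    probability: str       # key of PROBABILITY
    severity: str          # key of SEVERITY

    @property
    def score(self) -> int:
        """Matrix cell value: 1 (rare, negligible) .. 25 (almost certain, critical)."""
        return PROBABILITY[self.probability] * SEVERITY[self.severity]


def tier(score: int) -> str:
    """Map a matrix cell to one of the three handling regimes the article names.

    Thresholds are assumptions: the top band is where proactive plans are
    required, the middle band gets periodic review, the rest is routine.
    """
    if score >= 12:
        return "proactive plan, frequent intervention"
    if score >= 5:
        return "periodic attention"
    return "routine monitoring"


def prioritize(register):
    """Return (name, score, tier) with the highest-priority risks first.

    Ties are broken alphabetically so the ordering is deterministic.
    """
    ranked = sorted(register, key=lambda r: (-r.score, r.name))
    return [(r.name, r.score, tier(r.score)) for r in ranked]


# Constructed sample register (hypothetical risks, not from the article).
REGISTER = [
    SupplyRisk("Single-source electronic component", "strategic", "possible", "critical"),
    SupplyRisk("Key supplier insolvency", "financial", "unlikely", "major"),
    SupplyRisk("Ransomware at 3PL logistics provider", "operational", "possible", "major"),
    SupplyRisk("Packaging price increase", "external", "likely", "minor"),
    SupplyRisk("Late delivery of standard fasteners", "operational", "likely", "negligible"),
]

if __name__ == "__main__":
    for name, score, regime in prioritize(REGISTER):
        print(f"{score:>2}  {regime:<38} {name}")
```

The point of the exercise is the middle band: a financial risk (insolvency) and an external one (price increase) land in the same cell with very different shapes, one rare-but-severe, one frequent-but-mild, which is why the matrix is a triage tool and not a substitute for the market and supplier intelligence the next paragraph calls for.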

But the assessment cannot stop at internal perception. Market information, external sources, historical data, price data, currency trends, sector intelligence, and predictive models are needed. In an unstable environment, the quality of decisions also depends on the quality of the signals the company is able to detect. For this reason, Procurement must evolve toward a Business Intelligence approach: not just managing orders, but interpreting the context.

What is the purpose of the Kraljic matrix in risk management?

Not all items and not all suppliers carry the same weight in the business. Continuing to manage them with a one-size-fits-all approach means wasting attention where it’s not needed and underestimating what’s truly critical.

The Kraljic Matrix is one of the most effective tools for segmenting procurement categories based on two variables: business impact and supply market complexity. Its utility is concrete: it allows for the assignment of differentiated strategies depending on the nature of the risk.

Where market risk is high and the impact on the business is significant, the relationship must be managed strategically—with supplier development plans, partnerships, and shared visibility. Where the impact is more limited, the approach can be more tactical or transactional. The goal is not to classify for the sake of it: it is to use segmentation to guide decisions on where to invest, where to maintain a presence, where to diversify, and where to simplify.

What should an effective contingency plan contain?

The value of risk management is measured when it translates into concrete action. An effective contingency plan is not a generic document, but an operational tool. It must clarify what to do, who does it, when to activate it, and with what objectives.

The essential elements are:

  • Business continuity policy: purpose, scope, and guiding principles
  • Mapping of critical procurement processes and related business processes
  • Maximum tolerable downtime and target recovery times
  • Design of continuity solutions (multiple sourcing, dual sourcing, selective inventory buildup, review of supplier geographic location, agreements with local partners)
  • Clear operational procedures with defined roles, responsibilities, and training requirements
  • Escalation and communication plans

The key point is that actions must not be improvised: they must be consistent with the nature of the risk and the assigned priority level.

What is Pro-FMEA and how does it apply to procurement?

Among the most useful tools for making prevention a reality is Pro-FMEA (an adaptation of the FMEA method—Failure Mode and Effects Analysis—applied to procurement). Its value lies in making risk analyzable in a structured way, before it results in damage.

In supplier relationships, the most common failure modes are well known: non-delivery, late delivery, non-compliant delivery, increased direct and indirect costs, and compliance issues. The Pro-FMEA approach allows you to:

  • Identify failure modes and describe their effects
  • Estimate severity, probability, and detectability
  • Identify causes and evaluate existing controls
  • Build a risk priority index to guide intervention decisions
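The four Pro-FMEA steps above, as an added worked example that is not part of the original article and not a Bonfiglioli Consulting tool: each supplier failure mode named in the text (non-delivery, late delivery, non-compliant delivery, cost increase, compliance issue) is recorded with its effect, cause and existing control, scored for severity, occurrence and detection, and ranked by a risk priority number. The 1–10 scales and the severity × occurrence × detection product follow the usual FMEA convention; the decision thresholds, the supplier names and every sample value are constructed assumptions. The last function shows the step the text ends on ("this is the action"): re-scoring a mode after a countermeasure so its priority can be checked rather than asserted.

```python
"""Pro-FMEA worksheet for supplier failure modes.

Added example, not from the original article. Scales 1-10 and
RPN = severity x occurrence x detection follow standard FMEA practice;
thresholds, suppliers, causes and controls are constructed assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FailureMode:
    supplier: str
    mode: str           # non-delivery, late delivery, non-compliant delivery, ...
    effect: str         # consequence for the business
    cause: str          # root cause identified in the analysis
    control: str        # existing control; drives the detection score
    severity: int       # 1 (no effect) .. 10 (line stop, safety or legal exposure)
    occurrence: int     # 1 (remote) .. 10 (almost inevitable)
    detection: int      # 1 (caught before impact) .. 10 (practically undetectable)

    def __post_init__(self):
        # Reject out-of-range scores so a typo cannot silently distort the ranking.
        for field_name in ("severity", "occurrence", "detection"):
            value = getattr(self, field_name)
            if not 1 <= value <= 10:
                raise ValueError(f"{field_name} must be in 1..10, got {value}")

    @property
    def rpn(self) -> int:
        """Risk priority number: the product of the three scores."""
        return self.severity * self.occurrence * self.detection


def priority(fm: FailureMode) -> str:
    """Assumed decision rule: act on high RPN, or on any severe mode that is poorly detected
    even if its RPN is moderate (a low occurrence score must not hide a catastrophic effect)."""
    if fm.rpn >= 200 or (fm.severity >= 9 and fm.detection >= 7):
        return "act now"
    if fm.rpn >= 100:
        return "plan action"
    return "monitor"


def worksheet(modes):
    """Rows (supplier, mode, RPN, priority) sorted with the highest RPN first."""
    ordered = sorted(modes, key=lambda m: (-m.rpn, m.supplier))
    return [(m.supplier, m.mode, m.rpn, priority(m)) for m in ordered]


def apply_control(fm: FailureMode, control: str, detection: int, occurrence=None) -> FailureMode:
    """Re-score a failure mode after a countermeasure.

    Severity is left unchanged: the effect, if it happens, is the same. A control
    improves detection and, if it removes the cause, also lowers occurrence.
    """
    new_occurrence = fm.occurrence if occurrence is None else occurrence
    return replace(fm, control=control, detection=detection, occurrence=new_occurrence)


# Constructed sample worksheet (hypothetical suppliers and values).
MODES = [
    FailureMode("Supplier A", "non-delivery", "assembly line stop",
                "single source, no safety stock", "monthly status call", 9, 3, 8),
    FailureMode("Supplier B", "late delivery", "missed customer ship date, penalties",
                "capacity constraints in peak season", "order confirmation only", 6, 6, 5),
    FailureMode("Supplier C", "non-compliant delivery", "rework and scrap",
                "uncontrolled process change", "incoming inspection per lot", 5, 4, 3),
    FailureMode("Supplier D", "cost increase", "margin erosion",
                "raw material indexation not in contract", "annual price review", 4, 7, 6),
    FailureMode("Supplier E", "compliance issue", "customs hold, legal exposure",
                "missing material declaration", "none", 8, 2, 9),
]

if __name__ == "__main__":
    for supplier, mode, rpn, action in worksheet(MODES):
        print(f"{rpn:>4}  {action:<12} {supplier}: {mode}")
    mitigated = apply_control(MODES[0], "qualified second source + safety stock",
                              detection=3, occurrence=2)
    print(f"Supplier A after action: RPN {mitigated.rpn} -> {priority(mitigated)}")
```

The ranking illustrates why detectability is scored separately: Supplier E's compliance issue has a low occurrence score, yet "none" as the existing control pushes its RPN above a routinely inspected quality problem. The re-scoring of Supplier A is the closing of the loop the text describes, the same row read before and after the action, which is what turns the worksheet into an operational discipline rather than a one-off assessment.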

The strength of this tool lies in shifting the conversation from the vague "there might be a problem" to the concrete "this is the failure, these are the causes, this is the effect, this is the priority, this is the action." This is where risk management ceases to be theory and becomes an operational discipline.

Digital as an enabler of business continuity

No business continuity system can function without visibility. And today, visibility also relies on digital tools. Dashboards, business intelligence tools, KPI monitoring, vendor ratings, real-time segmented portfolios, service and quality indicators: all of this makes risk more transparent and enables a more timely response.

Digital solutions do not replace managerial judgment, but they enhance its quality. They allow for the detection of early warning signs, the measurement of supply base performance, the verification of the effectiveness of corrective actions, and the activation of escalation mechanisms. At the same time, technology must be integrated into a coherent organizational model: roles are needed to take responsibility for it, along with regular management routines—flash meetings, periodic reviews, and daily management.

Sustained continuity over time is not achieved solely through radical interventions. It is built through disciplined, fact-based daily management.

Resilience, reliability, competitiveness: the true return on risk management

When risk management and business continuity are addressed methodically, the benefits go far beyond the reduction of threats. The organization gains:

  • Decision-making clarity and rapid response in critical situations
  • Reduced supply chain disruption and unexpected costs
  • Greater reliability toward customers, stakeholders, and financial partners
  • Faster recovery capability following adverse events
  • Competitive positioning in a market where trust is an asset

The most advanced companies have understood this: they don’t seek a perfect supply chain, because they know it doesn’t exist. They build a supply chain capable of absorbing shocks, adapting, learning, and bouncing back. And it is precisely this ability that makes the difference between those who suffer from complexity and those who manage it.


Want to explore these tools in a practical, hands-on way?
Watch Bonfiglioli Consulting’s Digital Talk on Demand: Business Continuity System for an Antifragile Supply Chain. Practical methodologies for building operational resilience and managing risks before they become emergencies.

Frequently Asked Questions on Risk Management and Business Continuity in the Supply Chain

What is Risk Management in the supply chain?

Supply chain risk management is the structured process by which an organization identifies, assesses, and manages risks that could threaten operational continuity. It includes mapping vulnerabilities, assessing the likelihood and impact of critical events, and defining response and prevention plans.

What is a Business Continuity System and why is it important?

A Business Continuity System is the set of processes, tools, and operational plans that enable an organization to continue operating—or to quickly resume operations—following a critical event. It is important because it reduces downtime, limits financial and reputational damage, and increases the confidence of customers, partners, and stakeholders.

What are the main supply chain risks to manage?

Supply chain risks fall into four main categories: strategic risks (costs, quality, sustainability), operational risks (processes, compliance, human capital), financial risks (supplier solvency, supply chain liquidity), and external risks (geopolitical, environmental, regulatory, and technological factors that can be analyzed using the PESTEL framework).

What is the Kraljic Matrix and how is it used in risk management?

The Kraljic matrix is a tool for segmenting the procurement portfolio that classifies product categories based on their impact on the business and the complexity of the supply market. In risk management, it allows you to identify which suppliers and categories require a more intensive monitoring strategy and where it is appropriate to diversify, develop partnerships, or simplify management.

What is Pro-FMEA as applied to procurement?

Pro-FMEA is an adaptation of the FMEA (Failure Mode and Effects Analysis) method applied to procurement. It allows you to identify potential failure modes in supplier relationships—such as non-delivery, non-conformity, or cost increases—estimate their severity, probability, and detectability, and build a risk priority index to guide corrective actions before the problem occurs.

How do you develop an effective contingency plan for the supply chain?

An effective contingency plan must include: a business continuity policy with objectives and guiding principles, a mapping of critical procurement processes, the maximum tolerable downtime, continuity solutions (dual sourcing, selective inventory increases, agreements with alternative suppliers), clear operating procedures with defined roles and responsibilities, and escalation and communication plans.

How many companies have implemented business continuity systems?

According to Bonfiglioli Consulting’s biennial Benchmarking Study, conducted on over 100 companies across 22 industrial sectors, only 55% of companies have implemented Business Continuity systems. The average Supply Chain Maturity Level stands at 67%, highlighting a widespread fragility in the ability to respond to operational disruptions.

What is the difference between reactive and preventive risk management?

A reactive approach to risk means intervening only after a critical event has already occurred, with decisions made under pressure and unexpected costs. A preventive approach, on the other hand, allows for assessing threats in advance, developing coherent countermeasures, reducing the likelihood of the event occurring, and limiting its impact. The difference is not merely operational: it is cultural and strategic.