Key Takeaways
- Supplier concentration in a single geography is now a quantifiable risk, not just a procurement concern. A single export ban can disable an entire production line overnight.
- A supplier that cleared all compliance checks in 2022 may represent significant geopolitical exposure in 2026. Static onboarding screening is no longer sufficient.
- Scoring each supplier on country risk, regulatory volatility, substitutability, and concentration gives you a geopolitical exposure score that is more useful than any amber RAG rating.
- Supply chain concentration risk often sits at tier-2 and tier-3 level: your direct supplier may be fine, but their supplier in a high-risk jurisdiction is your operational problem.
- Export control lists update monthly. The energy and industrial companies that manage this well are the ones with supplier risks formally assessed before the next announcement lands.
Why geopolitical risk is now a TPRM problem, not just a trade problem
Your procurement team has always known that single-source suppliers carry risk. For years, that risk stayed on a spreadsheet somewhere, reviewed once a year, rated amber, and largely ignored. Then a tariff announcement landed. Or a country got added to an export control list. Or a critical component suddenly needed a government licence to ship.
Geopolitical exposure in third-party risk management (TPRM) is no longer an abstract concern for multinationals. It is a live operational issue for energy companies, manufacturers, and industrial businesses of every size.
Moody's industry practice leads flag third-party risk management as a pressing challenge heading into 2026, citing geopolitical tensions, tariffs, and export bans as the primary drivers of increased TPRM complexity. Alongside that, Diligent's ERM trends analysis for 2026 identifies continuous third-party risk monitoring and AI governance as two of the eight critical trends reshaping enterprise risk management.
What these sources describe at a macro level, we see at ground level. Energy and industrial clients are increasingly exposed to supplier risks they have never formally assessed. The tariff volatility of 2024 and 2025 made this visible fast.
This article translates that into practical steps for mid-market companies that need to act, not just monitor.
What has actually changed, and why it matters now
The geopolitical shift is not new. What is new is the speed at which political decisions now translate into commercial consequences.
Three dynamics have converged.
Export bans and controls are moving faster than procurement cycles. The US Bureau of Industry and Security added more than 300 entities to its export control lists in 2024. EU dual-use regulations have been tightened repeatedly. A supplier you qualified two years ago may now require an export licence that takes six months to obtain, if it gets approved at all.
Tariffs have become a negotiating tool, not a stable policy. The 2025 tariff announcements affecting steel, aluminium, semiconductors, and industrial components were not phased in with transition periods. They happened, and companies with exposed supply chains absorbed the cost immediately or scrambled for alternatives.
Supply chain concentration has quietly grown. Decades of just-in-time optimisation pushed companies toward fewer, cheaper, more geographically concentrated suppliers. That was efficient; it now looks fragile. Political tensions can trigger regulatory changes that cascade into supply chain disruptions, and concentrated supply chains amplify every cascade. A single production facility in a politically sensitive region can represent 60 to 80 percent of a critical component's supply.
Consider a concrete scenario: a Dutch industrial equipment manufacturer sources specialist sensor components exclusively from a Taiwanese supplier, with a secondary source in mainland China. When US export restrictions on advanced semiconductors tighten, the Chinese secondary source loses access to the manufacturing equipment needed to produce to spec. The Taiwanese supplier's lead times double as demand surges. Neither risk had been formally assessed. Neither had an owner. Neither had a contingency measure attached to it. Most mid-market industrial companies have the same gap and have not found it yet.
How to assess your geopolitical exposure: a practical starting point
Most mid-market companies cannot quickly answer the question: which of our suppliers operate in politically sensitive jurisdictions, and what is our revenue exposure if they cannot deliver? Companies that cannot answer that question are managing a supplier list, not a TPRM process.
Here is a structured way to build that picture.
Step 1: Map your suppliers by geography and criticality
Start with your top 30 to 50 suppliers by spend or operational dependency. For each, identify:
- Country of operation (manufacturing location, not just registered office)
- Whether they are single-source or dual-source
- Which product lines or operations depend on them
- Estimated revenue exposure if supply is disrupted for 30, 60, or 90 days
Most companies already have this data. It is scattered across procurement systems, contracts, and email threads. Pulling it into a single view is the first act of actual risk management.
Step 2: Score each supplier on geopolitical exposure
Once you have the map, apply a simple scoring model. At minimum, score each supplier on:
- Country risk: Is the supplier's country of operation subject to sanctions, export controls, or active trade disputes?
- Regulatory volatility: How frequently has this jurisdiction changed trade rules in the last three years?
- Substitutability: How quickly could you onboard a replacement supplier? Days, months, or years?
- Concentration: What share of this component or service does this supplier represent?
A 1-to-5 score on each dimension, multiplied together, gives you a geopolitical exposure score per supplier on a scale from 1 to 625. Because the scores multiply rather than add, a 5 on any one dimension pulls the result up sharply, and the spread between a benign supplier (all 1s) and a worst case (all 5s) is wide enough to sort the register into clear tiers. It is not a precise calculation. But it is far more useful than an amber RAG rating with no owner attached.
Step 3: Assign owners and measures
Here is where most TPRM efforts stall. The assessment gets done. The scores get calculated. Then the document goes into a shared folder and nothing changes.
Every supplier with a high geopolitical exposure score needs a named owner, a documented contingency measure, and a review date. The measure might be qualifying a secondary supplier, building a 90-day inventory buffer, or negotiating contractual flexibility on lead times. Without a named owner, supplier risk tends to get absorbed into general procurement activity until something breaks.
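The three steps above, carried through as one worked example in Python. This is an added illustration, not code from the article or from any TPRM product: the `Supplier` record, the `HIGH_EXPOSURE` cut-off of 150, the as-of date, and the three sample suppliers (modelled on the sensor scenario earlier in the article) are all assumptions. The script scores each supplier by multiplying the four 1-to-5 dimensions, ranks the register by score and 90-day revenue at risk, and flags every high-exposure supplier that lacks a named owner, a contingency measure, or an in-date review.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# The four scoring dimensions from Step 2, each rated 1 (low) to 5 (high).
DIMENSIONS = ("country_risk", "regulatory_volatility", "substitutability", "concentration")

# Assumed cut-off for "high exposure"; the article gives no number, so calibrate
# this against your own register once the first 20-30 suppliers are scored.
HIGH_EXPOSURE = 150

# Assumed as-of date for the review-date check.
TODAY = date(2026, 1, 15)


@dataclass
class Supplier:
    name: str
    country: str                   # manufacturing location, not registered office
    single_source: bool
    revenue_exposure_90d: float    # estimated revenue at risk after a 90-day outage
    scores: dict[str, int]         # dimension -> 1..5
    owner: str | None = None       # named owner of the risk (Step 3)
    measure: str | None = None     # documented contingency measure (Step 3)
    review_date: date | None = None


def exposure_score(s: Supplier) -> int:
    """Product of the four 1-5 dimension scores, so the range is 1..625.

    Multiplying rather than adding lets one extreme dimension (a single source
    with no substitute) dominate; that is the intended behaviour.
    """
    product = 1
    for dim in DIMENSIONS:
        value = s.scores.get(dim)
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{s.name}: {dim} must be an integer 1-5, got {value!r}")
        product *= value
    return product


def health_check(s: Supplier, today: date) -> list[str]:
    """Register hygiene findings for a supplier; an empty list means nothing to fix.

    Only high-exposure suppliers are held to the owner/measure/review-date rule,
    matching Step 3; low-exposure rows are left alone to keep the list actionable.
    """
    if exposure_score(s) < HIGH_EXPOSURE:
        return []
    findings = []
    if not s.owner:
        findings.append("no named owner")
    if not s.measure:
        findings.append("no contingency measure")
    if s.review_date is None:
        findings.append("no review date")
    elif s.review_date < today:
        findings.append("review overdue")
    return findings


def rank(suppliers: list[Supplier], today: date) -> list[dict]:
    """Rows sorted by exposure score, then by 90-day revenue at risk, descending."""
    rows = [
        {
            "name": s.name,
            "country": s.country,
            "score": exposure_score(s),
            "revenue_90d": s.revenue_exposure_90d,
            "findings": health_check(s, today),
        }
        for s in suppliers
    ]
    rows.sort(key=lambda r: (r["score"], r["revenue_90d"]), reverse=True)
    return rows


# Constructed sample register modelled on the sensor scenario in the article;
# names, figures and scores are illustrative, not real suppliers.
SAMPLE_SUPPLIERS = [
    Supplier("TW-Sensors", "Taiwan", True, 4_200_000.0,
             {"country_risk": 4, "regulatory_volatility": 4, "substitutability": 5, "concentration": 4},
             owner=None, measure="qualify EU secondary source", review_date=date(2025, 6, 30)),
    Supplier("CN-Sensors", "China", False, 1_100_000.0,
             {"country_risk": 5, "regulatory_volatility": 5, "substitutability": 4, "concentration": 2},
             owner="Head of Procurement", measure=None, review_date=date(2026, 9, 1)),
    Supplier("NL-Fasteners", "Netherlands", False, 150_000.0,
             {"country_risk": 1, "regulatory_volatility": 1, "substitutability": 2, "concentration": 2}),
]


if __name__ == "__main__":
    for row in rank(SAMPLE_SUPPLIERS, TODAY):
        flags = "; ".join(row["findings"]) or "ok"
        print(f"{row['name']:<14} {row['country']:<12} score={row['score']:>3} "
              f"revenue_90d={row['revenue_90d']:>12,.0f}  {flags}")
```

Run as-is it prints the three suppliers in exposure order: the Taiwanese single source scores 320 and is flagged for having no owner and an overdue review, the Chinese secondary scores 200 and is flagged for having no contingency measure, and the local fastener supplier scores 4 and needs no action. Rejecting out-of-range scores early matters more than it looks: a spreadsheet cell left blank silently becomes a zero and wipes out the product, which is exactly how a high-risk supplier ends up rated green.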
Where TPRM goes wrong for energy and industrial companies specifically
Generic TPRM advice tends to focus on financial health screening and compliance checks. That is necessary but insufficient for energy and industrial companies, where the supply chain risks are operational and physical, not just reputational.
A few patterns we see repeatedly.
Treating country risk as binary. Either a country is sanctioned or it is not. But the real risk is in the grey zone: jurisdictions that are not sanctioned but are subject to active trade tensions, where regulatory changes can arrive quickly and without transition periods. Scoring country risk on a gradient, not a binary, gives a more accurate picture.
Screening at onboarding, never again. A supplier that cleared all compliance checks in 2022 may represent significant geopolitical exposure in 2026. Static onboarding screening is no longer sufficient. A regular re-screening cadence, annually at minimum and quarterly for high-exposure suppliers, is not optional anymore.
Conflating supplier risk with supplier performance. A supplier can have excellent on-time delivery metrics and represent a significant geopolitical risk. These are different questions. TPRM needs to sit alongside supplier performance management, not inside it.
Underestimating nth-party risk. Your tier-1 supplier may source critical inputs from a tier-2 supplier in a high-risk jurisdiction. You have no direct relationship with that tier-2 supplier, but their disruption is your problem. Supply chain concentration at this deeper level is one of the most underappreciated risks in energy and industrial supply chains, precisely because it is invisible until it is not.
Getting this into your risk register before it becomes an incident
If your risk register currently has a single line item called "supply chain disruption" rated amber, you are not managing supplier risk. You are acknowledging it exists.
Managing geopolitical exposure effectively in TPRM means individual supplier risks, with individual scores, owners, and measures. It means your risk matrix shows where supplier concentration and geopolitical exposure actually cluster, so you can see at a glance which areas need immediate action.
Bow-tie diagrams are useful here. For a high-exposure supplier, a bow-tie diagram shows the causes on the left (tariff change, export ban, political instability, logistics disruption), the risk event in the centre (supply interruption), and the consequences on the right (production halt, revenue loss, contractual penalty). Preventive measures sit between the causes and the event. Recovery measures sit between the event and the consequences. In one view, your team sees exactly where the gaps are.
The risk assessment process matters too. An initial assessment showing your current exposure, a target assessment showing where you want to get to after measures are applied, and a visible gap between them gives you something concrete to present to leadership, and a basis for prioritising which supplier risks get addressed first.
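The bow-tie described above, written out as a small data structure with a gap check. This is an added example, not code from the article: the `BowTie` record, the `TW-Sensors` supplier and the preventive and recovery measures attached to it are constructed for illustration. The causes, event and consequences are the ones the article lists; `find_gaps` reports every cause with no preventive measure and every consequence with no recovery measure, and `render` prints the same information as a plain-text bow-tie with a GAP marker wherever a barrier is missing.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class BowTie:
    """One supplier's bow-tie: causes on the left, event in the centre, consequences on the right."""
    supplier: str
    event: str
    causes: list[str]
    consequences: list[str]
    # cause -> preventive measures sitting between that cause and the event
    preventive: dict[str, list[str]] = field(default_factory=dict)
    # consequence -> recovery measures sitting between the event and that consequence
    recovery: dict[str, list[str]] = field(default_factory=dict)


def find_gaps(bt: BowTie) -> dict[str, list[str]]:
    """Causes with no preventive measure and consequences with no recovery measure.

    Also reports measures attached to a cause or consequence that is not on the
    diagram, which usually means a register entry was renamed and the link broke.
    """
    return {
        "unprevented_causes": [c for c in bt.causes if not bt.preventive.get(c)],
        "unrecovered_consequences": [c for c in bt.consequences if not bt.recovery.get(c)],
        "orphan_measures": sorted(
            [c for c in bt.preventive if c not in bt.causes]
            + [c for c in bt.recovery if c not in bt.consequences]
        ),
    }


def render(bt: BowTie) -> str:
    """Plain-text bow-tie with a GAP marker on every line that has no barrier."""
    lines = [f"{bt.supplier}: {bt.event}", "Causes -> preventive measures:"]
    for c in bt.causes:
        measures = ", ".join(bt.preventive.get(c, [])) or "GAP"
        lines.append(f"  {c:<24} | {measures}")
    lines.append("Consequences -> recovery measures:")
    for c in bt.consequences:
        measures = ", ".join(bt.recovery.get(c, [])) or "GAP"
        lines.append(f"  {c:<24} | {measures}")
    return "\n".join(lines)


# Constructed example for the single-source sensor supplier; the measures are
# illustrative, not a recommendation for any real supplier.
SENSOR_BOWTIE = BowTie(
    supplier="TW-Sensors",
    event="supply interruption",
    causes=["tariff change", "export ban", "political instability", "logistics disruption"],
    consequences=["production halt", "revenue loss", "contractual penalty"],
    preventive={
        "tariff change": ["price adjustment clause"],
        "logistics disruption": ["second freight forwarder"],
    },
    recovery={
        "production halt": ["90-day inventory buffer"],
        "contractual penalty": ["force majeure review"],
    },
)


if __name__ == "__main__":
    print(render(SENSOR_BOWTIE))
    print(find_gaps(SENSOR_BOWTIE))
```

For the sample supplier the gap check returns two unprevented causes (export ban, political instability) and one unrecovered consequence (revenue loss), which is the honest picture for most single-source suppliers: the causes you can contract around have barriers, and the ones driven by government action do not. Those three GAP lines are what the initial-versus-target assessment is meant to close.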
Risk Companion's automated health checks will flag risks that are missing owners, overdue for review, or have measures with no due date. For a TPRM programme that is just being formalised, that visibility catches what manual processes miss. See how Risk Companion handles this.
A note on complexity
Supplier risk mapping for a company with 400 active suppliers across 30 countries is not a two-week exercise. Start with your top 20 by spend and your top 10 by operational dependency. Get those formally assessed, owned, and in your register. Then extend the scope. The goal is a register that reflects your actual exposure well enough that the next export control announcement does not catch you off guard.