Your risk map is built on spend data. The suppliers that will actually stop your operations aren't on it.
Most risk frameworks start with the same assumption: the bigger the spend, the bigger the risk. Your top 50 suppliers get quarterly scorecards, annual audits, and dedicated SRM (Supplier Relationship Management) resources: the people and tools whose job is to actively manage that relationship. Everything below the threshold gets a form email once a year, if that.
Here is what the data says about that assumption: according to a 2025 Sphera survey of 500 senior supply chain decision-makers, 85% of critical supply chain risks originate below Tier 1. Not from your top 50. From the suppliers nobody was watching closely enough.
The problem isn't that teams are careless. It's that the frameworks themselves are built on the wrong variable. Spend is visible. Centrality isn't. And in decentralized supply chains, the nodes that fail catastrophically are almost never the ones your procurement dashboard flagged as critical.
A nexus supplier is deceptively simple to define: it's a supplier whose criticality comes not from how much you buy from them, but from how many relationships, information flows, and coordination dependencies run through them. Mid-tier by spend. Often missing from your ERP entirely. Remove them and three or four other relationships stop functioning correctly within days.
The reason these suppliers stay invisible is almost embarrassingly mechanical: enterprise procurement systems only track suppliers with active purchase orders. No PO, no visibility. Nexus suppliers live in that gap. A regional logistics coordinator managing the handoff between your contract manufacturer and your freight forwarder. A quality testing lab that four of your Tier 1 suppliers rely on before shipping to you. A small software vendor whose API connects two systems that would otherwise require manual intervention at scale. None of these appear important in a spend cube. All of them are irreplaceable in practice.
The harder your team works to diversify at the surface, the more nexus dependencies you may be unknowingly co-creating below it.
Apparent diversification is the real trap. Why does sourcing from three separate Tier 1 suppliers feel like risk management when all three draw from the same Tier 2 component supplier in the same geography? It doesn't add resilience. It adds procurement complexity while the concentration sits below the line of visibility, invisible in your risk register until something breaks. At that point, the nexus supplier becomes visible in the worst possible way: as the single point of failure your entire escalation process is now organized around.
Spend-based tiering wasn't a bad call. Ten years ago it was, for most teams, the fastest and least painful proxy available: limited data, limited time, and top-50-by-spend was the version of risk management you could actually execute in a quarter. Nobody chose badly. But the world underneath that shortcut has moved and the shortcut hasn't. Supply networks are more decentralized than they were a decade ago, disruptions compound faster, and AI now makes it practical to work from the actual dependency structure instead of the proxy that stood in for it. Keep using spend as the entry criterion for risk attention and the blind spot doesn't shrink. It just gets easier to justify.
McKinsey's 2025 Supply Chain Risk Pulse found that only 42% of organizations have meaningful visibility past their direct suppliers, even as 95% report confidence in their Tier 1 view. The majority are managing risk on a map that covers, at best, the first layer of a multi-tier network. The rest is inference and assumption. And Resilinc's 2025 data shows disruptions climbing 38% year over year, with a growing share serious enough to force teams into ad hoc, reactive response. That is not a risk management strategy.
| Dimension | Spend-Based Tiering | Network Centrality Mapping |
|---|---|---|
| What it measures | Purchase order volume and contract value | Relational and informational dependencies across tiers |
| Data source | ERP / procurement system | Process interviews, logistics flows, quality chains |
| Visibility depth | Tier 1 only (58% of organizations, by implication) | Tier 2–4, where 85% of critical risks originate |
| Nexus supplier detection | Systematically misses them (no PO, no record) | Designed to surface them before disruption |
| Diversification effect | Can create illusion of resilience while masking Tier 2–3 concentration | Reveals shared dependencies behind apparent diversification |
| Time to identify a gap | After disruption (reactive) | Before disruption (diagnostic) |
Sources: McKinsey Supply Chain Risk Pulse, 2025 (Tier 2+ visibility); Sphera, 2025 survey of 500 senior supply chain decision-makers (sub-Tier 1 risk origin)
The financial argument is not abstract. Industry lead-time benchmarking from 2025 puts average raw material lead times at roughly 81 days, up about 25% from pre-pandemic norms of around 65 days. Take a hypothetical manufacturer with a €50M annual COGS base operating on that lead time: a single 10-day production halt works out to approximately €1.4M in lost output, before expediting costs and air freight premiums. In my experience running these numbers with finance teams, the expediting cost alone on a 10-day halt frequently lands in the 3–5x range of the direct disruption cost once freight premiums are added (a rule of thumb worth stress-testing against your own freight contracts rather than taking as given).
The subtler hit is on working capital. Teams without nexus visibility compensate with safety stock. They hold buffer across the network because they can't predict where the next failure originates. Rational given incomplete information. Expensive regardless. A €10M inventory base carrying 20% more buffer than necessary due to unresolved network opacity ties up €2M in cash that earns nothing and ages on the shelf. Fix the map and you have a credible case for releasing that buffer, improving ROCE, and reducing carrying cost drag on the P&L. I've watched that conversation with a CFO go very differently once you can show the visibility gap is the direct cause of the overstock, not just a general hedge against uncertainty. It's usually a fifteen-minute conversation, not a full re-forecast, but it's the fifteen minutes that decides who owns the next buffer-reduction decision.
When you ask the right questions in a supplier conversation, nexus suppliers identify themselves. I've run network mapping exercises where the breakthrough came not from a sophisticated graph analysis tool but from a single question to a Tier 1 supplier's operations lead: "If you had to stop production for two weeks, which three suppliers would cause you the most pain to replace?" The answers are almost never the ones at the top of their own spend reports. They name a logistics coordinator, a specialist testing lab, a single-source component maker with a six-month lead time that nobody upstream ever thought to flag.
The information exists. It lives in the heads of people we rarely think to ask. I've seen teams spend months building supplier risk surveys for their top 50 by spend and miss every single actual critical dependency in the process. A handful of structured conversations with the right mid-tier suppliers, framed around operational dependency rather than compliance, is worth more than any dashboard built on spend data alone.
The part I can't cleanly separate is whether that blind spot is an information problem or an incentive problem. The operations lead at your Tier 1 supplier knows exactly which sub-supplier would sink them. But your procurement team is measured on cost and on-time delivery from Tier 1. Nobody's scorecard rewards them for digging two tiers deeper. So the question I keep coming back to: how many of the nexus suppliers sitting invisibly in your network are invisible not because the data doesn't exist, but because nobody's job description currently includes finding them?
The preparation gap most teams face before acting on nexus supplier identification is not a lack of data: the relevant data is scattered across formats that don't talk to each other. Logistics invoices, quality audit trails, production incident logs, and planning exception reports all contain signals about which suppliers generate the most operational friction. Nobody has connected them. An AI assistant can close this gap faster than any manual process, but only if you feed it the right inputs first. Before running any analysis, gather three months of production exception reports, your last 12 months of logistics invoice data, and any supplier-related escalation tickets from your quality or planning teams.
First: upload the production exception reports and ask the AI to extract every instance where a delay, shortfall, or quality hold was attributed to a specific supplier or intermediary. Ask it to count frequency by supplier name and flag any supplier mentioned in more than 3% of exceptions who does not appear in your top 20 by spend. This takes 2–3 hours of data preparation and about 20 minutes of analysis. The output is a ranked shortlist of friction-generating suppliers your spend data never surfaced.
Second: take your logistics invoice data and ask the AI to identify recurring intermediaries: freight coordinators, customs agents, testing labs, or consolidators who appear on invoices across multiple Tier 1 supplier shipments. Any intermediary handling freight or documentation for three or more of your direct suppliers is a structural nexus point. Ask the AI to map which of your Tier 1 suppliers depend on the same intermediary. This reveals the shared-dependency clusters that make apparent diversification illusory.
Third: bring the shortlist from steps one and two into a structured prompt and ask the AI to build a one-page conversation guide for each nexus candidate: five questions focused on their own supply dependencies, capacity constraints, and financial stability signals. The AI can also synthesize the outputs from those conversations into a simple risk register entry that captures centrality score alongside the standard spend and lead time fields. Total elapsed time for all three steps: roughly one working day.
The specific failure mode here is misattribution in unstructured text. Production exception reports and escalation tickets are written in shorthand, with inconsistent supplier naming, abbreviations, and references to internal codes rather than legal entity names. An AI assistant matches on what it sees in the text, which means a supplier referenced as "the Brescia plant," "BRS-02," and their actual company name across three different documents will appear as three separate entities in the analysis. Normalize supplier naming before the analysis, not after. Skip this step and the frequency counts are meaningless: you'll miss the most chronic offenders entirely.
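The checks from steps one and two, with the naming normalization applied first, as an added example that is not part of the original article. It assumes the supplier references have already been extracted from the reports and invoices; the alias table, supplier names, and counts are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed alias table: every spelling seen in the documents -> one canonical name.
ALIASES = {
    "the brescia plant": "Example Metalli SpA",
    "brs-02": "Example Metalli SpA",
    "example metalli spa": "Example Metalli SpA",
    "nordlab": "NordLab Testing",
    "nordlab testing": "NordLab Testing",
}

def canonical(name):
    """Map a raw supplier reference to its canonical name; unknown names pass through."""
    return ALIASES.get(" ".join(name.lower().split()), name.strip())

def friction_shortlist(exceptions, top_spend, threshold=0.03, norm=canonical):
    """Step one: suppliers named in more than `threshold` of exceptions, not in the spend list."""
    counts = Counter(norm(e) for e in exceptions)
    top = {norm(s) for s in top_spend}
    return [(s, n) for s, n in counts.most_common()
            if n / len(exceptions) > threshold and s not in top]

def shared_intermediaries(invoices, min_suppliers=3, norm=canonical):
    """Step two: intermediaries on invoices for `min_suppliers` or more Tier 1 suppliers."""
    served = defaultdict(set)
    for tier1, intermediary in invoices:
        served[norm(intermediary)].add(norm(tier1))
    return {i: sorted(s) for i, s in served.items() if len(s) >= min_suppliers}

# Constructed sample: 100 exception attributions, as extracted from the reports.
EXCEPTIONS = (["the Brescia plant"] * 2 + ["BRS-02", "Example Metalli SpA"]
              + ["NordLab"] * 3 + ["NordLab Testing"] * 2
              + ["Acme Castings"] * 50 + ["Beta Forge"] * 39 + ["Minor Vendor"] * 2)
TOP_SPEND = ["Acme Castings", "Beta Forge", "Gamma Plastics"]  # stand-in for the top 20
# Constructed invoice rows: (Tier 1 supplier, intermediary named on the invoice).
INVOICES = [("Acme Castings", "NordLab"), ("Beta Forge", "NordLab Testing"),
            ("Gamma Plastics", "nordlab"), ("Acme Castings", "FastFreight"),
            ("Beta Forge", "FastFreight")]

if __name__ == "__main__":
    print("raw names:       ", friction_shortlist(EXCEPTIONS, TOP_SPEND, norm=str))
    print("normalized names:", friction_shortlist(EXCEPTIONS, TOP_SPEND))
    print("shared (>=3):    ", shared_intermediaries(INVOICES))
```

On the raw names every alias stays at or below the 3% line and the shortlist comes back empty; after normalization the same data surfaces two suppliers that the spend list never contained.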