3 tips to navigate supply chain risk in the modern age

In 2025, no organization is exempt from the ever-deepening ripple effects of ongoing disruption. Global supply chains are weakening, reforming, and sometimes breaking, and not enough business leaders are registering the new reality: Supply chains are no longer simply a pathway for goods and services, but rather a conduit for risk.

Supply chain risk has long been tagged as an operational challenge. Permacrisis’ ongoing parade of disruptions, however, has elevated its status to enterprise-wide strategic imperative. That’s precisely why navigating supply chain risk is the topic of my 2025 Audit & Beyond main stage session.

I invite all of you to join us in person or virtually as my special guests and I strive to connect more of the links across our increasingly complex supply chains.

3 lessons to navigate the modern age of supply chain risk

In this sixth year of nonstop risk-induced disruption, tariff wars, geopolitical tensions, and outright conflicts are destabilizing trade routes and spurring supplier exits. Ongoing economic and regulatory volatility and uncertainty make planning, forecasting, strategy, and compliance an uphill battle. AI-driven innovations simultaneously create new attack surfaces for cyber criminals to exploit, further threatening supply chain resiliency. These disruptions continually reinforce the interconnectedness of modern risk.

This interconnectedness has become a central focus of my work. In fact, I wrote an entire book about it: Connected Risk: Conquering the Perilous Risk Exposure Gap. Supply chain risk exemplifies how risks that seem disparate at first glance can align and converge to create new risks. It deserves a spotlight not enough business leaders are providing. With that in mind, here are some key points to help you elevate the conversation in your organization.

1. Remedying risk blindness requires challenging the status quo

I recently wrote about potential risks for 2026 that nobody is talking about. I’d noticed a troubling trend in my conversations with board and audit committee members: Many still view risk oversight through a pre-pandemic lens focused on more traditional enterprise risks. The risk here is risk blindness — the failure to see emerging threats because they don’t fit familiar models or past experiences. Boards may overlook reputational risks tied to ESG issues, underestimate the volatility of geopolitical conflicts, or fail to understand the second-order impacts of supply chain disruptions or regulatory upheaval.

We can remedy risk blindness by elevating our capacity for strategic foresight. Instead of backward-looking assurance and hindsight, internal audit and risk teams must develop forward-looking insight and foresight that:

• Is unafraid to challenge assumptions. It’s no longer enough to find and fix what’s broken in our supply chains. We also need to question what’s missing, where change is needed, and where assumptions and past experiences may be leading us astray. For example, supply chain redundancy has long been seen as inefficient — but now, it’s a solid strategy for avoiding sudden supply chain collapses.
• Leverages a more connected view of supply chain risk. Risk registers are inadequate. We need “risk radar” systems capable of identifying, monitoring, and surfacing the key risk indicators (KRIs) and other signals that can help us track and measure the underlying risks driving our supply chain outcomes. What signals can we detect, and what do they mean for supply chain security, resilience, and planning?
• Connects the dots — or rather, all the links in the chain. Business leaders may focus so closely on individual links that they lose sight of the entire chain — including where it may have weak spots or be close to breaking. Fortunately, risk and internal audit teams have the crow’s-nest view to identify trends, patterns, and potential issues across functions and geographies. For example, where do significant concentrations, cyber dependencies, and geographic exposures exist?

2. Address weak links in your supply chain

Every link in the chain matters. Business leaders tend to focus on the first-order risks directly impacting them. The new supply-chain order, however, demands that we broaden our perspective to include second- and third-order risks. For example, in September 2025, when a major aviation IT provider was hit with a ransomware attack targeting its widely used check-in and boarding technology:

1. First-order risks caused the provider’s systems to go offline, such that 1000+ computers across several European airports were forced to rely on manual systems for checking in passengers, printing boarding passes and bag tags, and routing luggage.
2. Second-order risks from the disruption led to at least three days of flight delays and cancellations, stranding thousands of passengers, creating long lines for manual check-in, and causing flight backlogs that persisted into the next week. Further, the aviation IT provider was unable to provide assurance that disruptions wouldn’t persist. The BBC reported that the provider “rebuilt its systems and relaunched them only to realise the hackers were still inside the system,” and SecurityWeek reported that some devices were reinfected after cleaning.
3. Third-order risks — the longer-term, follow-on effects of first- and second-order risks — for the provider and its airport clients could include reputational damage, lost customers, and reduced customer trust, or even legal risk, if impacted airports or passengers sue. Airports may also face pressure to invest in redundancies or more resilient IT systems.

Today, such second- and third-order risks are no longer occasional anomalies; they are routine. The message for business leaders is undeniable: Supply chain risks have become enterprise-wide threats demanding enterprise-wide vigilance.

Where are the weak links in your supply chain, and how can they be strengthened?

Internal audit and risk teams should proactively work with cross-functional teams to consider:

• Scenario testing and planning. This is not the time for “wait and see.” Initiate and lead scenario testing to understand and prepare for how geopolitical shocks, cyber incidents, natural disasters, tariffs, and regulatory upheaval may impact supply chain dependencies and resilience.
• Supply chain advisory reviews. Review processes and suppliers to identify opportunities for teams to diversify suppliers geographically, build redundancies into logistics networks, and avoid overreliance on single sources.

3. Build a proactive response strategy

As management consultant Peter Drucker observed, “The greatest danger in times of turbulence is not the turbulence — it is to act with yesterday’s logic.”

Peter’s quote reflects the fundamental peril most organizations face: If business leaders base their supply chain responses and strategies on the lessons of the past, they have little hope of responding effectively in the current environment.

Supply chain risks are everywhere, and the links in our chains are more fragile than we thought. The challenge is daunting, but the calls to action are clear:

• Business leaders must recognize the enterprise-wide nature of the threat, elevate it as a strategic priority, and scrutinize and strengthen each link of the chain.
• Internal audit and risk teams must step up, challenging assumptions and providing the forward-looking insight and foresight needed to enable a connected, comprehensive, and continuous view of supply chain risk.

Join this critical conversation: Register for Audit & Beyond

The Internal Audit Foundation’s 2026 Risk in Focus Report reveals that “supply chain (including third parties)” is the seventh-highest rated area where North American internal audit functions plan to spend the most time and effort in 2026. When isolated to key industries, the ranking is much higher. For example, for manufacturing, mining/energy/water, and health/social work, supply chain is anticipated to be the second-highest priority in the year ahead.

To ensure a broad discussion during my Audit & Beyond keynote on how each link of organizations’ supply chains is being impacted by the growing chain of risks, I’ve invited two special guests to join my keynote: Jeff Sebree, VP Internal Audit at a construction product manufacturer, and Roland Chapin, Supply Chain Risk and Infosec at an aerospace manufacturer.

Register to attend Audit & Beyond to explore the factors driving and complicating modern supply chain risk, and effective strategies for responding.

About the authors

Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.