Most organisations can name their top five suppliers. Fewer can answer this: if your primary IT infrastructure supplier failed at 2pm on a Tuesday, and your IT lead was on annual leave, what would happen to your operations over the next 48 hours?
The supplier dependency map is the document that answers that question. Not in theory — in practice, for your organisation, your suppliers, your people.
What a supplier dependency map is
A supplier dependency map is a structured record of your organisation's reliance on external suppliers — which ones are critical, what they provide, how quickly you would feel their absence, and what your options are if they fail.
It is not a supplier list. A supplier list tells you who you pay. A dependency map tells you what you cannot do without them, how fast that becomes a problem, and whether you have any alternatives.
It typically covers:
- The supplier and what they provide
- The business function or process that depends on them
- Maximum tolerable downtime — how long before impact becomes serious
- Whether there is an alternative supplier or workaround
- Who in your organisation manages that relationship
- Current resilience posture — do they have a BCP? Have you seen it?
Why most SMEs don't have one
It is not that organisations do not care about supplier risk. It is that building a dependency map feels like a large, complex project — and it keeps getting deprioritised.
In practice, a useful first version takes one focused session of three to four hours. It does not need to be comprehensive. It needs to cover your critical suppliers — the five to ten that would cause genuine operational disruption if they failed.
The version we produce as part of every Operational Trust Review is not exhaustive. It is scoped to the suppliers that matter most, documented well enough to be useful, and structured for review.
What enterprise clients are starting to ask for
NIS2 has changed procurement conversations. Enterprise organisations in scope are now required to assess supply chain risk — which means they are asking their SME suppliers to provide evidence of resilience posture.
A well-structured supplier dependency map, included in a written report from an independent review, is often the most useful document you can provide in response to a supplier questionnaire.
It demonstrates that you have thought seriously about your own supply chain — which is exactly what enterprise procurement teams need to see.
How to start
If you do not have a dependency map, start with a list of your ten most critical suppliers. For each one, answer three questions:
- What would stop working in my organisation if this supplier went down today?
- How long before that becomes a serious problem?
- Do I have a viable alternative, or would I be stuck?
That is the foundation. The structure can be formalised from there.
If you want a structured approach — with a template, an independent facilitator, and a written output you can share — that is what the Operational Trust Review produces.