The New Supply Chain Risk Map: Cyber, Automation, and Global Exposure
NACD Northern California
Contact Us
Lisa Spivey,
Executive Director
Kate Azima,
Director of Partnerships & Marketing
programs@northerncalifornia.nacdonline.org
About The Event
We gathered directors with subject-matter experts Nadia Ahmad, Bruce Lee, Heather Paquette, and Rob Sloan to explore how physical and digital supply chain disruptions can cascade into consequential issues at the enterprise level and the risk-management tactics boards should take to minimize these risks.
KEY TAKEAWAYS
Macroeconomic & Geopolitical Risk Environment
- The operating environment is shifting from relative stability to sustained volatility, both geopolitical and climate-related, making geopolitical risk a standing board agenda item
- COVID marked a transition into persistent instability, requiring continuous adaptation rather than episodic crisis response, and exposed significant supply chain vulnerabilities
- Scenario planning should incorporate extreme but plausible events, even when timing is uncertain
Supply Chain Resilience & Dependency Risk
- Increasing complexity and hidden dependencies across software, cloud, vendors, and logistics create systemic vulnerabilities that are often not fully understood
- Organizations should ask management how they've addressed their supply chain risks and critical dependencies, including single points of failure across suppliers, IT systems, and logistics networks
- Dual sourcing, alternative manufacturing capacity, and contingency access to production are key resilience levers, though often costly
- Supply chain risk remains underrepresented in enterprise risk discussions despite its ability to halt operations entirely
Cybersecurity & Third-Party Risk Oversight
- Traditional third-party risk approaches, such as questionnaires, are insufficient given expanding attack surfaces and interdependencies
- Known, known-unknown, and unknown-unknown risk categories should guide oversight, particularly across vendor ecosystems and ransomware exposure
- Organizations should test organizational readiness through scenario exercises, including loss of a critical vendor or ransomware shutdown
- Responsibility for security must extend beyond the CISO to include operations, manufacturing, and supply chain leadership
AI Adoption, Risk, and Governance
- Agentic AI significantly elevates risk, particularly when granted autonomy over systems of record or financial processes
- Governance must address identity, access rights, human-in-the-loop controls, and model drift monitoring before scaling deployment
- Boards should understand how AI is being used in the business, how it's being governed and controlled, and ultimately who is accountable
Risk Frameworks & Board Oversight Effectiveness
- Effective oversight requires a structured framework that prioritizes risks based on impact to revenue, products, and people
- Boards should focus on understanding the risk ranking and resource allocation versus exhaustive risk cataloging
- Benchmarking against peers is necessary, but boards must also assess exposure to existential and strategic risks
- Strategic risk identification remains a capability gap on many boards
Balancing Innovation with Risk Management
- Organizations face a tension between under-adoption of AI and overexposure from premature deployment
- “Shadow AI” reflects bottom-up innovation but introduces unmanaged risk; boards must ensure guardrails without stifling progress
- Risk management should enable progress, with a focus on what must be true for success, not only downside prevention
- Directors should expect management to articulate both opportunity capture and associated risk trade-offs
Leadership, Capability Building & Organizational Readiness
- There’s a growing imperative for CEOs and senior leaders to be hands-on with AI tools to understand both opportunity and risk; passive oversight is insufficient
- Boards should encourage management to develop structured capability building, such as internal cohorts experimenting with AI use cases
- Organizational maturity should guide the pace of AI adoption, as approaches differ significantly between startups and large enterprises. For some organizations, the benefits of autonomous agents may not yet be worth the risk
- Clear accountability is required as roles blur across CISO, CIO, CTO, and audit functions
Workforce & Structural Implications
- AI is reshaping entry-level roles, reducing hiring while increasing productivity expectations
- Talent shortages in critical infrastructure and skilled trades are emerging, impacting long-term capacity
- Cultural and educational shifts may further affect workforce stability and pipeline development
Financial, Legal & Strategic Trade-offs
- Risk appetite varies by ownership model, but accountability does not shift
- AI does not transfer legal liability; responsibility remains with the enterprise, reinforcing the need for governance controls
- Leading organizations are reallocating capital to hedge disruption and capture future opportunities
Implications for Directors
- Elevate geopolitical and supply chain risk to standing agenda items with quantified scenarios
- Require explicit mapping of critical dependencies and contingency plans
- Ensure AI governance frameworks address autonomy, accountability, and operational integration risks
- Push management to balance innovation with disciplined, strategy-linked risk frameworks
- Invest in board and executive education to maintain competency in rapidly evolving technologies
Thank you to our partners for making this event possible.