At 1:29 a.m. on March 26, 2024, the container ship Dali lost power and brought down Baltimore’s Francis Scott Key Bridge, closing the top US auto port for 11 weeks. Maryland lost roughly $15 million a day, and almost no supply chain risk heat map in the country had that bridge on it.
The gap was not data. Shippers knew Baltimore handled more than 800,000 vehicles a year; what they lacked was a visual that scored the single point of failure high enough for anyone to act. That is the job a heat map does when it is built and maintained properly.
| Supply Chain Risk Heat Map: Key Takeaways |
| A supply chain risk heat map plots every material supply chain risk on a 5×5 likelihood-and-impact grid so the portfolio fits on one page; the March 2024 Baltimore bridge collapse, at $15 million a day, is what an unmapped shared node costs. |
| Scales come first: define five likelihood bands as 12-month probabilities and five impact bands in both dollars and days of disruption, so two independent scorers land the same risk in the same cell. |
| The build runs six steps: define scales and appetite, inventory risks from the register and supplier tiers, score likelihood times impact with named owners, plot the grid, wire KRIs to cells, and set a refresh cadence. |
| Maintenance is the control: disruption alerts rose 38% to 22,522 in 2024 (Resilinc), so critical tiers need monthly rescoring, the full portfolio semiannual, and any affected cell re-plotted within ten business days of a live event. |
| Every zone needs a standing action: red cells (score 15-25) get a named owner and a dated treatment plan, amber gets KRI triggers and documented contingencies, and green earns a watch list. |
| McKinsey Global Institute pegs the cost of shocks at 45% of one year’s EBITDA per decade, with a month-plus disruption arriving every 3.7 years; the heat map is the one-page case for spending against that number before it lands. |
The build takes six steps, from scoring scales to a refresh cadence, and the maintenance is what separates a control from a slide. McKinsey Global Institute data says a month-long disruption now arrives every 3.7 years on average, so the map will get tested.
What a Supply Chain Risk Heat Map Shows and What It Hides
A supply chain risk heat map is a grid, usually 5×5, that plots each supply chain risk by likelihood and impact so the whole portfolio fits on one page. The color zones translate scores into action tiers: red demands treatment, amber demands monitoring, green earns a watch list.
Its power is compression, and so is its weakness. One page wins board attention, yet a single dot can flatten a network of dependencies, which is why ISO 31010 lists the consequence-likelihood matrix as one assessment technique among many rather than the whole method.
Risk Register, Risk Matrix, or Supply Chain Risk Heat Map?
The three tools answer different questions and feed each other. The risk register stores the detail, the matrix supplies the scoring frame, and the heat map is the populated picture leadership actually reads. Confusing them is how a company ends up maintaining three versions of the truth.
| Tool | Question it answers | Where it lives |
| Risk register | What do we know about each risk, owner, and control? | GRC system, full detail |
| Risk matrix | How do we score likelihood and impact consistently? | Methodology document, set once |
| Supply chain risk heat map | Where does exposure concentrate right now? | Board pack and S&OP review |
| KRI dashboard | What is moving between formal reviews? | Monthly operations review |
Grid size is a decision with methodology consequences. The tradeoffs in a 5×5 versus 4×4 risk matrix apply directly here, and a risk assessment matrix template shortens the setup considerably if you are starting the build from a blank sheet.
The Data Behind a Supply Chain Risk Heat Map
Fresh numbers are what keep a heat map honest. Resilinc’s EventWatchAI logged 22,522 supply chain disruption alerts in 2024, up 38% in a single year, with factory fires holding as the top event type for the sixth consecutive year at 2,299 alerts.
The financial stakes are quantified too. McKinsey Global Institute’s value-chain research puts the expected cost of shocks at 45% of one year’s EBITDA per decade, and a single severe event can consume 30 to 50% of it on its own.
Heat Map Inputs: The 2024-2026 Disruption Numbers

Figure 1. The numbers a supply chain risk heat map has to carry: rising alert volume, a 3.7-year disruption clock, and EBITDA-scale stakes.
Six categories cover most of what lands on a US manufacturer’s supply chain risk heat map. Weight them with your own exposure data, because an industry template carries someone else’s network, and the register feeding the map is where its credibility starts.
| Category | Example risks to plot | 2024-2026 signal |
| Upstream suppliers | Single-source components, tier-2 factory fires | Fires #1 event type, 2,299 alerts |
| Logistics and infrastructure | Port closures, bridge and lock outages, carrier failure | Baltimore: 11 weeks, $15M a day |
| Geopolitical and trade | Tariff rounds, sanctions, export controls | US tariff repricing, 2025-2026 |
| Cyber | Ransomware at a 3PL or key supplier | Top CSCO buying consideration |
| Environmental | Hurricanes, floods, drought corridors | Weather alerts up 119% in 2024 |
| Regulatory and ESG | UFLPA detentions, forced-labor tracing | CBP enforcement expanding |
Expect the upstream rows to be undercounted at first. Deloitte’s global third-party surveys keep showing that visibility fades past tier one, so the first draft of the map captures procurement’s line of sight while the deeper supplier tiers stay dark.
Cyber has earned its own row on the map. Gartner reported in March 2023 that cybersecurity had become a primary buying consideration for chief supply chain officers, and a ransomware hit on a lead 3PL plots as high-impact as any factory fire.
How to Build a Supply Chain Risk Heat Map in Six Steps
Building the map is a two-week project when the inputs exist and a two-month one when they do not. The sequence assumes a working risk assessment in supply chain operations and a supplier list with tiers already assigned to it.
| Step | What you do | Output that proves it |
| 1 | Define 5-point likelihood and impact scales in dollars and days, plus zone thresholds tied to appetite | A one-page scoring standard everyone uses |
| 2 | Inventory supply chain risks from the register, supplier tiers, BIA, and disruption history | A candidate list with owners, 30-60 risks |
| 3 | Score likelihood times impact per risk, with evidence and a named scorer | A scored register column, not workshop averages |
| 4 | Plot the 5×5 grid and tier the zones: red, amber, watch, green | The populated heat map, one page |
| 5 | Wire KRIs to cells so placements move when conditions shift | Trigger list mapped to specific risks |
| 6 | Set the refresh cadence by tier and after any live disruption | A dated calendar with named owners |
Step one deserves the argument it usually gets. Define likelihood as a probability over the next 12 months and impact in dollars and days of disruption, anchored to the definition of likelihood in risk assessment, so two scorers reading the same scale reach the same cell.
Standards carry the method past audit. ISO 31000 keeps the scoring process defensible, NIST SP 800-161 supplies a ready supply chain risk taxonomy for steps two and three, and ISO 28000 adds the security-of-supply lens that regulated sectors expect to see referenced.
Setting Likelihood and Impact Scales for the Heat Map
Scales fail when they stay abstract. A band called major means nothing in a workshop, while more than $5 million or 11-plus days of line-down forces a real estimate, and pairing qualitative and quantitative risk assessment keeps each number attached to evidence.
| Level | Likelihood (next 12 months) | Impact (financial) | Impact (disruption) |
| 1 Rare | Below 5% | Under $250K | Under 1 day |
| 2 Unlikely | 5-20% | $250K-$1M | 1-3 days |
| 3 Possible | 20-45% | $1M-$5M | 4-10 days |
| 4 Likely | 45-75% | $5M-$20M | 11-20 days |
| 5 Almost certain | Above 75% | Over $20M | Over 20 days |
Plotting the Supply Chain Risk Heat Map: A Worked Example
Eight risks from an illustrative US manufacturer show the mechanics. A single-source chip supplier scores likely and severe for a 20, deep in the red zone, while a regional carrier insolvency sits at unlikely and serious, a 6 that earns a watch list rather than money.

Figure 2. A worked supply chain risk heat map for a US manufacturer: two red-zone risks carry treatment plans, four amber risks carry KRI triggers.
Placement is an argument, and that is the point. When procurement scores the port closure a 12 and logistics scores it a 20, the debate that follows surfaces assumptions a spreadsheet never would, the same effect a scenario-based risk assessment produces.
The Excel build of this grid takes about an hour. The conditional-formatting approach in the risk heat map template for Excel transfers directly, and it keeps the map in a file procurement, logistics, and risk can all edit under version control.
How to Maintain a Supply Chain Risk Heat Map
Maintenance is where most maps die. A 38% year-over-year jump in disruption alerts means placements age in months, not years, and a map scored last January quietly misprices hurricane season, new tariff rounds, and every supplier whose finances have slipped since the workshop.
| Scope | Cadence | Additional trigger |
| Critical and single-source suppliers | Monthly rescore | Any KRI threshold breach |
| Strategic lanes, ports, and shared nodes | Quarterly rescore | Named-storm or strike watch |
| Full portfolio | Semiannual rescore | Annual strategy or budget cycle |
| Any affected cell after a live disruption | Within 10 business days | Post-incident review findings |
| New critical contract or M&A | At signing | Integration risk assessment |
Wire the map to supply chain key risk indicators so cells move between reviews. Days of supply at single sources, carrier on-time rates, and the financial-stress scores from supplier performance risk management each map to a specific cell, and a breached threshold is a documented reason to re-plot the dot.
What Moved on the Supply Chain Risk Heat Map in 2024

Figure 3. The fastest-moving heat map inputs of 2024: civil unrest and weather grew several times faster than overall disruption volume.
Reprice the fastest movers first. Protests and riots grew 285% and flood alerts 214% in Resilinc’s 2024 data, so likelihood scores set in 2023 for civil unrest and weather were wrong within a year, and how often risk assessments should run stops being a theoretical question.
Acting on the Supply Chain Risk Heat Map Zones
Color without consequence is decoration. Each zone needs a standing action so the Monday after the review looks different from the Friday before, and those actions should already exist inside your supply chain risk management plan, written before the incident that needs them.
| Zone (score) | Standing action | Owner |
| Red (15-25) | Dated treatment plan: dual-source, buffer stock, reroute, or exit; reviewed monthly | Named executive sponsor |
| Amber (10-14) | KRI trigger set; contingency documented and rehearsed | Category or lane manager |
| Watch (5-9) | Quarterly glance; promote on any KRI movement | Risk analyst |
| Green (1-4) | Annual confirmation the score still holds | Register owner |
Treatment for the red zone borrows the standard playbook. Dual-sourcing, inventory buffers, and rerouting options come straight from how to avoid supply chain disruptions, and building a resilient supply chain is the multi-year version of the same move, funded cell by cell.
Escalation belongs on the map too. A red cell that survives two consecutive reviews should move up into the enterprise risk management framework as a top-risk candidate, with the heat map page attached as evidence and a date by which the score has to fall.
Frequently Asked Questions About the Supply Chain Risk Heat Map
What is a supply chain risk heat map?
A supply chain risk heat map is a color-coded grid, typically 5×5, that plots supply chain risks by likelihood and impact so leadership can see where exposure concentrates. Red cells signal risks needing dated treatment plans, amber cells carry KRI triggers and contingencies, and green cells sit on a watch list.
How do you build a supply chain risk heat map?
Define likelihood and impact scales in dollars and days, inventory risks from the register and supplier tiers, score each risk with a named owner, plot the 5×5 grid, wire KRIs to the cells, and set a refresh cadence. Scales come first; scoring before scales produces arguments without answers.
What scales should a supply chain risk heat map use?
Use five likelihood bands defined as 12-month probabilities and five impact bands defined in both dollars and days of disruption. Anchoring each band to numbers, such as likely meaning 45 to 75%, lets two independent scorers land the same risk in the same cell.
How often should a supply chain risk heat map be updated?
Rescore critical and single-source tiers monthly, the full portfolio at least semiannually, and any affected cell within ten business days of a live disruption. Disruption alerts rose 38% in 2024 alone, so an annual-only refresh leaves the map wrong for most of the year.
What is the difference between a supply chain risk heat map and a risk matrix?
The matrix is the empty scoring frame that defines the axes, bands, and zone thresholds; the heat map is that frame populated with your actual scored risks. Teams set the matrix once in the methodology document and rebuild the heat map at every refresh.
Who should own the supply chain risk heat map?
Ownership works best split two ways: the supply chain risk or ERM function owns the method and the refresh calendar, while category and lane managers own the scores in their cells. A single analyst owning every dot is how a map drifts into fiction between reviews.
Pitfalls That Kill a Supply Chain Risk Heat Map
The failure patterns repeat across industries, and most trace back to treating the heat map as a deliverable instead of a control. Each row pairs a pitfall with its root cause and with the fix that keeps the map alive past its first quarter.
| Pitfall | Root cause | Remedy |
| Scoring without defined scales | Bands like major left undefined | Anchor every band in dollars and days |
| One map for every audience | Board and ops need different zoom levels | Portfolio map plus category drill-downs |
| Annual refresh only | Map treated as an audit artifact | Tiered cadence with KRI triggers |
| No owner behind red cells | Color mistaken for action | Named owner and dated plan per red risk |
| Averaging workshop votes | Consensus scoring hides disagreement | Score on evidence and log the dissent |
| Only direct suppliers plotted | Nth-tier nodes invisible to procurement | Add shared ports, lanes, and subcontractors |
The 2026-2027 Outlook for Supply Chain Risk Heat Maps
Live data is replacing the workshop as the scoring engine. Platforms increasingly feed carrier telemetry, weather models, and supplier financial signals straight into likelihood scores, turning the heat map from a quarterly artifact into a monitored surface where a cell can change color midweek.
Tariff volatility is doing the same to impact scores. The 2025-2026 US tariff rounds repriced landed costs on entire lanes within weeks, and CISA’s supply chain security guidance keeps pushing software and logistics dependencies onto the same map that hardware suppliers already occupy.
Boards are asking sharper questions as well. COSO’s ERM guidance frames reporting around portfolio views, and the World Economic Forum’s January 2025 analysis found digital leaders pulling ahead on disruption response, pressure a one-page heat map answers better than any register export.
The Baltimore lesson holds either way. The Dali cost Maryland $15 million a day because a shared node sat on nobody’s map, and a supply chain risk heat map built on defined scales and refreshed on a real cadence is how that node gets a color before it fails.
Infographic: Build and Maintain a Supply Chain Risk Heat Map

Figure 4. The supply chain risk heat map as a six-step loop: four steps build the page, two keep it telling the truth.
Build Your Supply Chain Risk Heat Map with Risk Publishing
Risk Publishing helps US supply chain and risk teams stand up a defensible supply chain risk heat map, from the scoring scales to the managing supply chain risk controls behind the red cells. Review our services, then contact us when your map needs to survive its second quarter.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.