Ninety-five percent of procurement organizations can see their Tier-1 suppliers. Only 42% can see Tier-2. The gap is not a technology problem. It is an organizational design problem that leaves most supply chains vulnerable to disruptions nobody is watching for.

95%
Tier-1 visibility
42%
Tier-2 visibility
25%
Have >50% Tier-2 visibility

The numbers come from McKinsey's 2025 Supply Chain Risk Pulse and EcoVadis's 2024 Sustainable Procurement Barometer. They tell a story most CPOs already sense: your supply chain map ends at the suppliers you pay directly. Everything below that is a blank spot — and the blank spots are where disruptions start.


The visibility cliff: why Tier-2 data stops where it matters most

Tier-2 visibility improved by 22 percentage points between 2023 and 2025, driven by tariff exposure and compliance mandates. That sounds like progress. But the baseline was so low — roughly 20% — that a 22-point gain still leaves 58% of the supply base invisible.

What causes the cliff? Three structural forces. First, procurement organizations are structured around spend categories, not supply networks. A category manager owns the relationship with the Tier-1 aluminum supplier but has no mandate — and no budget — to map that supplier's bauxite sources. Second, supplier contracts rarely include sub-tier disclosure requirements. Third, even when disclosure clauses exist, they go unenforced because nobody owns the verification process.

"Visibility into Tier-2 increased 22 percentage points from 2023 to 2025, driven by tariff and compliance pressures."
— McKinsey Supply Chain Risk Pulse, 2025

The failure mode: single-tier risk registers create fake confidence

A Tier-1 supplier with a green risk score can sit on top of a Tier-2 supplier that is three weeks from bankruptcy. The scorecard looks clean. The supply chain is not.

Network-science research on supply chains identifies a specific failure pattern: cascading disruptions propagate through the network along paths that single-tier risk assessments cannot detect. A Tier-3 chemical plant shutdown in China affects a Tier-2 resin supplier in Germany, which affects four different Tier-1 component manufacturers — and procurement teams see four simultaneous "unexpected" shortages with no common cause.

Single-tier risk assessment
Each Tier-1 supplier scored independently. No visibility into shared sub-tier dependencies. Four simultaneous disruptions appear unrelated.
Outcome: 2-3 week delay identifying root cause
Multi-tier network mapping
Supplier network modeled as a graph. Centrality analysis flags nodes whose failure would cascade. Shared dependencies surfaced before disruption hits.
Outcome: Root cause identified in hours, not weeks

The four-stage maturity model for multi-tier visibility

Organizations do not go from 42% Tier-2 visibility to full network mapping in one step. The progression follows a predictable sequence — and most teams stall at stage 2.

Stage 1
Tier-1 only
Supplier scorecards cover direct suppliers. No sub-tier data collected.
Stage 2
Survey-based
Annual surveys ask Tier-1 suppliers to self-report Tier-2. Low response rates, unverified data.
Stage 3
Platform-enabled
Third-party data platforms aggregate supplier network data. Coverage expands, verification improves.
Stage 4
Graph-based modeling
Network graph with centrality analysis and cascading failure simulation. Proactive risk detection.

The stall at stage 2 happens because survey-based approaches create the illusion of coverage without delivering reliable data. A Tier-1 supplier that ignores the survey or provides incomplete responses still shows up as "surveyed" in the dashboard. The metric moves. The risk does not.


What good looks like: contractual mandates and network modeling

The organizations that have broken through the 42% ceiling combine two things: contractual sub-tier disclosure requirements and third-party data enrichment. Neither works alone.

Contractual mandates — clauses requiring Tier-1 suppliers to report their own critical suppliers, updated quarterly — provide the legal foundation. But without automated verification, the data decays. Third-party platforms that aggregate supplier network data from trade records, certifications, and public filings fill the gap by cross-referencing self-reported data against external sources.

At the most advanced level, organizations are adopting graph-based risk models. These treat the supply network as a mathematical graph, measuring node centrality to identify suppliers whose failure would cascade, and simulating disruption propagation paths. A supply chain risk model built on centrality analysis surfaced a Tier-3 chemical supplier that served 14 different Tier-1 relationships across three business units — a concentration risk invisible to any single category manager.


What this means in practice

  1. Audit your current Tier-2 coverage. Count how many of your Tier-1 suppliers have documented sub-tier suppliers. If the number is under 50%, you are in the majority — and that is not a good thing. Target 80% within 12 months.
  2. Add sub-tier disclosure to your standard contract template. Require Tier-1 suppliers to report their critical Tier-2 suppliers quarterly. Include audit rights and consequences for non-compliance. This costs nothing to add to new contracts.
  3. Run a network centrality analysis on your top 20 suppliers. A manual exercise: map which of your Tier-1 suppliers share common Tier-2 or Tier-3 sources. Flag any Tier-2 supplier serving more than three of your Tier-1 relationships as a concentration risk.
  4. Pilot a third-party data platform for one category. Pick the category with the highest supply disruption risk. Run a 90-day pilot with a platform that aggregates sub-tier data. Measure how many new Tier-2 suppliers you identify versus your existing map.
  5. Assign ownership. Multi-tier visibility fails when it is everyone's job and nobody's metric. Designate one person — even part-time — to own sub-tier mapping. Tie their performance review to Tier-2 coverage percentage.

What percentage of procurement teams have visibility into Tier-2 suppliers?

McKinsey's 2025 Supply Chain Risk Pulse found that 95% of firms have visibility into Tier-1 suppliers, but only 42% have visibility into Tier-2 or beyond. EcoVadis data shows only 25% of organizations have more than 50% visibility into their Tier-2 suppliers.

Why is Tier-2 supplier visibility important for risk management?

Tier-2 and Tier-3 suppliers are where most supply disruptions originate — from raw material shortages to quality failures and regulatory violations. Without visibility below Tier 1, procurement teams cannot detect cascading failure risks. Network-based risk models show that a single Tier-3 disruption can propagate through the supply chain in days, affecting multiple Tier-1 suppliers simultaneously.

What are the best approaches for mapping Tier-2 and Tier-3 suppliers?

Leading organizations combine three approaches: supplier self-disclosure mandates (contractual requirement to report sub-tier suppliers), third-party data platforms that aggregate supplier network data, and graph-based risk modeling that maps centrality and cascading failure paths across the supply network.

📊
Infographic Available
A visual summary of this article — key data, models, and frameworks in one view.
View Infographic →