Fireside Chat with Gartner Expert Suzie Petrusic: Navigating Risk in the Evolving World of CSCOs

Hi everybody, I'm Bob Bowman, editor-inchief of Supply Chain Brain. I want to welcome you to this fireside chat with Gartner supply chain expert Susie Patrusk on the topic of navigating risk in the evolving world of CSCOs or chief supply chain officers. This is episode one of four Gartner fireside chats we'll be presenting this year. Quick reminder, there will be an audience question and answer session at the end of this presentation. Audience members are encouraged to submit their questions at any time during the presentation by clicking on that Q& A icon at the bottom of your screen. Again, I'm pleased to be joined today for this exclusive fireside chat by Gartner expert Susie Petrusk to discuss the latest trends, challenges, and opportunities facing chief supply chain officers today with a focus on risk management in uncertain times. Now, the best place to learn about managing risk is by attending the Gartner Supply Chain Symposium and Expo. That's two events, May 4th through 6, 2026 in Orlando, Florida, and May 18 through 20th, 2026 in Barcelona, Spain. You're going to be listening to discussions about harnessing AI and innovation, about inspiring resilient learns, driving crossfunctional impact, and building future ready organizations. This is the top these are the top two events of the year every year and it's happening again in May in Orlando and Barcelona. So be sure and be there. Now this webinar is being brought to you by GE. GE empowers global enterprises with AI powered procurement and supply chain software that drives efficiency, speed, and resilience at scale. Our cloudnative platforms provide end-to-end visibility and intelligent automation. across sourcing, contracting, planning, and execution. Used by Fortune 500 and global 2000 organizations, GE solutions unify teams, streamline operations, and unlock measurable value from cost savings and risk reduction to improve supplier collaboration and stronger bottomline performance. Learn more at www. gp. com. So, in this fireside chat today, we're going to review the evolving landscape of supply chain risk, its impact on global operations, and the strategies that CSOs are using to stay ahead. As I noted previously, audience members will have the opportunity to ask Susie live questions as we explore how industry leaders are addressing the most pressing risks in supply chain management. With that, allow me to introduce you to Susie Patrusk, senior director analyst at Gartner. As a risk expert in Gartner supply chain practice, Susie worked with chief supply chain officers and their teams on supply chain risk management in this postcoid environment of VUA. That's volatility, uncertainty, complexity, and ambiguity. She helps supply chain leaders design and execute truly endtoend and profitable riskmanagement strategies. She's authored or co-authored many research and case studies on topics such as risk, supply chain maturity, the future of supply chain, digital transformation and decision-making, and supply chain constraints. She's a three-time recipient of practice and Gartnerwide research excellent awards. Welcome, Susie. Thank you so much for being with me today. — Thanks for having me, Bob. It's great to be here. — Great. — Yeah, great to be with you. Enough of me. Okay. So, let me indeed take this exercise my privilege to ask you a number of questions on this critical issue of supply chain risk. Let's just start by getting kind of like a big picture. Susie, where are the biggest risks for supply chain today? — Yeah, I mean, it's not going to be a surprising list for you here. What we hear from a lot of our clients is the biggest risk they're worried about, the one that's keeping them up at night is geopolitical risk for today. And other risks that I see on the horizon would include also those kind of increasingly violent weather events due to climate change. Of course, there are the run-of-the-mill supply chain disruptions that uh you know like natural disasters, labor actions, logistical constraints, and so forth. And I think these are going to continue to happen. But I think what we're seeing is that geopolitics primarily and then that weather and climate change secondarily are kind of more structural drivers of these run-of- run-of-the-mill events at the surface. And so that geopolitical strife and weather are the two that I would put as probably the most important emerging issues moving forward. — It sounds like you're saying you're those are the differentiators in terms of how risk is changing from in the past. I mean, clearly we've always had supply chain risk in those areas, but those two areas are particularly serious now, are they not? — Yeah. Yes. I agree. And I think that it's changed from the past. So, if you think back to the old days that we probably all wish we still had around

2016 and prior, right, prior to the trade wars, prior to COVID, — supply chains were experiencing risks, but they were the kinds of risks that you could hold a little additional inventory. You could have some supplier risk management. You might think about your site level business continuity plans and those were really enough to get you through. You would have enough time to kind of recover before the next crisis would hit your organization. I think as we all know those days are over. A lot of organizations don't have the time to recover now and they're trying to stretch those three things across a global endtoend supply chain and they're breaking and that's kind of what we're facing today. So, it's very it is a very different environment. — I'm betting if we were to dig up the things we said back then, like around 2016, these are the most challenging times we've ever faced. Little did we know, Susan. My goodness. Okay, so with that in mind, you've set the table for us as they scared the heck out of us. Now, — where do we go from here? Where do you start? How do you go about creating an awareness within your organization of the need to vigorously and proactively address supply chain risk? — Sure. Yeah. So, I'm gonna give you a little bit of a counterintuitive answer here, and I'm going to tell you, don't start with risks, — which if we're honest, unless you're in an active crisis, it usually puts people to sleep or gives them a chance to catch up on their email during a meeting, right? You might find that there are some people in your organization who are kind of intellectually interested in a conversation about risk, but they're probably not going to engage with you in a meaningful way. So when it comes to really getting some energy around risk, what we encourage our clients to think about is really to start with the things that you care about and that your organization cares about. So critical revenue, critical services, products, strategic objectives that are the most important to the organization. If you focus there, which is what your business partners are thinking about all day, and then you talk about the impact of risks to their ability to actually get to that revenue, then you are probably going to kind of change the nature of that conversation because you're talking about things that they care about and what's at risk. They will then begin to want to talk to you about the risk itself, how you can think about mitigating it. So, we don't want to start with generic risks. Oh, geopolitical risk. They're not going to make that's sense. But if we say geopolitical risk is going to reduce your revenue by five percentage points in year-over-year growth for this particular product that you own. Now, they're going to listen to you in a little bit of a different way. You're going to grab their attention in a different way. And we want to think about risks backwards from there. — Interesting. I mean what you're applying here is that you need to achieve an understanding of your complete endto-end supply chain that a lot of organizations might not have done which surprises me. I mean that just seems totally evident that you would have that but so many organizations have so little visibility what's going on be beyond like tier one suppliers they need to engage in that exercise first. So — sure. Yeah. Absolutely. Yep. It's it is mapping back. So and it is a different way of understanding your organization. We think about plan, source, make, deliver. Where does all of this happen? What does our network look like? — What we're suggesting our clients need to do instead is to think here's the revenue that we're delivering. It's our critical revenue. Not all revenue is equal. What is your highest profitability revenue, your highest criticality revenue? and then mapping back into the supply chain what parts what specific parts of my supply chain deliver that revenue. And now we can focus in and say what are the risks threatening that filtered version of my supply chain which really takes down the kind of task that you have ahead of you to be a little bit smaller than what it feels like today. — Interesting. you're kind of suggesting we take a numbers approach upstream because downstream there's been a lot of talk over the years about this idea of customer segmentation like which customers are most important to you which ones deliver the most revenue but you're saying look backwards you know with the things back there it also delivered the most revenue so that's a great way to approach it okay so how then does an organization even begin to assess the potential likelihood number one and as you say the attending cost of each identified risk Yeah. So, um I'm going to throw you another counterintuitive answer here. — The theme of today counter — there are a lot of missteps that an or that an organization will take uh in trying to manage supply chain risk. And one of them is unfortunately that very handy risk likelihood risk impact matrix. It's a tool that used to work but it's just no longer a fit for

purpose. And there are kind of two reasons why. So the first one is that with a global supply chain that is actually the battlefield on which geopolitics is happening today, most of your risks are going to be high impact and they're probably likelihood, right? And so the matrix isn't doing its job, which really isn't about being accurate about the risks, but helping you prioritize them. If everything is high likelihood and high impact, that matrix isn't helping you do that prioritization. — Mhm. — The second thing is if we're really honest about it, likelihood estimates are guesses, right? And they're usually pretty bad ones. Unless you have a relevant data set, it's probably a fool's errand to use likelihood to help you try to prioritize risks. Think about it for a second. COVID a low likelihood event — that some people had on their radar, but I don't think anybody actually said, "This is high enough likelihood that's going to motivate me to action in order to manage and mitigate. " Right? What about a bridge collapse or a freeze in Texas — or a war on European soil? All of these things have happened and our likelihood estimates are different across all of them, but probably all equally wrong at the end of the day. And so likelihood estimates, if we're kind of soberly assessing how well they are performing and guiding our behavior, it's not that great. Now, I'm sure you're asking, what do you do instead, right? — I am. — Okay. Yeah. So, I have some good news. You don't really need likelihood either. So think about it for a second. If you're focusing your risk management resources and your program on what the enterprise cares about the most, do you really care how likely it is for a risk to emerge? — Mhm. — Now, some of you might be thinking, "Yes, Susie, actually yes, I do. I do still care about likelihood. " But let me put it to you in a different way. Let's pretend for a moment that I own a Bentley and it's parked out in front of my house. — Now, I've got risks out there. Hail storms, kids on bikes, baseballs, hockey pucks. — Do I care how likely those events are? It's my Bentley, right? I'm just going to park it in the garage and I'm going to put some insurance on it. Not because the risks are higher or lower likelihood, but because I care about it the most. — So when you really focus on the things that you care about, you shouldn't really need a likelihood estimate. You're probably going to find the motivation you need to protect it without really guessing at whether or not there's an event that's likely to happen. So I usually look at likelihood estimates as kind of a symptom or a signal of ambiguity around strategic importance or misalignment strategically with your business partners on what you care about and how much you're willing to pay to protect it. — Well, to approach it from the standpoint of likelihood implies that you even know what the possible things that can happen are. How many times have we been gobsmacked now in the last few years by things we had no idea were coming down the pike — say a co 19 pandemic was unlikely and you know um so-called black swan event right um but you know it's that old idea like do you prepare for specific things or do you make yourself agile and secure enough to take whatever comes down the pike with regardless of whether you even envisioned it happening before so — sure yeah — yeah that's really good thank you so much for that Okay. So, that being the case, we don't have that old matrix, but we do have this thing now called technology — and I'm wondering what role it can play in this effort because we are only human after all and AI is coming along with all these great things it's promising us. Is it the answer — and what might be its limits? Tell me about the role of technology in this regard. — Sure. Yeah. And it technology as with almost all technology, if you have good governance and good process and good strategic alignment already established in your organization around risk, you will be able to use technology to your benefit. It will become a real asset for your teams. It's going to help you monitor. sense. It's going to help you be able to respond earlier. It's going to help you understand even what your network looks like. that nth tier supplier that you didn't know you had in a particularly risky part of the world. So, it can really help you and we see organizations using it to those purposes. Mapping out the supply chain, thinking about alerts and monitoring, but I have two watch outs for you. If you don't have that strategic focus on what you care

about the most and you don't have alignment across your business partner stakeholders, the technology will likely overwhelm your teams or simply go unused. It will overwhelm them with alerts. You're going to find out about risks to things that you don't care about. And it's going to be really hard for you to differentiate what are the things that are threatening the things you do care about. And so that ability to kind of sense and discern what are the alerts that you need to pay attention to, — you won't be able to do that again if you don't go back to that strategic alignment before that we talked about. What do you care about the most? So if you can tune the technology to monitor risks to what you care about the most, it can be a very good tool for your teams to use. The other thing I would say is to beware about false claims about what it can do. It cannot predict the future. future and it can't tell you or your teams what you should do to respond. Your business tells you what you should do. The technology tells you what's happening. It's going to be very difficult for that technology to be able to tell you what your business should do to respond to threats to your revenue. So, I go back again to that strategic alignment. If you have alignment and clarity on what you care about, then you're able to apply that technology to help you determine what you should do, but you got to really have that strategic alignment and clarity to start. — Yeah, that's great advice. In other words, you're saying avoid the hype. And uh you know who is the master of defining hype? Gartner. The Davis Gartner hype cycle, right? — Hype cycles. Yes, that's right. — That's right. So, I love that advice. I think that anytime you hear smart advice about technology, it's always don't start with the technology. Start with that intelligence and that understanding that you're describing to us and then bring technology to bear based on that understanding. So, thank you. But what about AI specifically, Susie? Is that the magic wand out of all technology? Is that going to save us? give us these insights that we could never have gotten any other way? — I don't think so. I think what it can do, so what where we see AI being I think the most useful in terms of risk management is it does actually help you kind of predict where your nth tier suppliers are. And I think the accuracy rates of those predictions are pretty high as I understand it. So it it can help in terms of trying to create visibility into your extreme upstream uh supply chain network. Mhm. — AI is only as good as the data that it has. And that doesn't just mean that you have a data problem, which a lot of organizations do, and they'll readily admit that. That's a small problem compared to the fact that most of what's happening in the supply chain is outside of digital's visibility in the first place. We're not capturing it digitally. And so your ability to use AIdriven models in order to help you determine what to expect as an outcome or what the likely impact on different KPIs might be of the different choices that you're you're considering as a response. Those are going to be limited by that what I call a digital to reality gap. If that gap is wide, and if we're honest, in supply chain, it usually is, you're going to be limited in the use cases that you can apply AI to actually help you in a meaningful way. And so again, I I would say, you know, you're going back to how much of the reality is actually captured so that the models aren't telling you what to do in a supply chain that literally doesn't exist, which is kind of the situation that it is today. — It's interesting. I mean technology like AI on one hand, let's say digital twins on the other. They're being sold to us as tools for creating these so-called what-if scenarios that we can then like ca, you know, cast our minds over all these possibilities and plan accordingly. But you were saying earlier in this conversation that we don't even know what's likely and so that seems to be almost irrelevant. I don't know that we have to temper our belief that is the uh the magic bullet also. — Yeah. Human intelligence is going to continue to be an extremely important element of supply chains and risk management for a long time. — Can I quote you on that? I love that. — Please do. Yes, please do. — All right. So, Susie, having identified all these various risks, we finally have done that. Now, we've got our ducks in the line. Probability, cost of the organization of disruptions. How then do you go about mitigating their potential impact other than putting the Bentley in the garage? — Yeah, sure. Of course. Yeah. So, I I'll give you a metaphor to think about this. Think about it like a boxer who needs three things to be able to succeed in a match, right? They need fuel as a source of energy. They need the brains to kind of sense and then respond what's

about to come and what is the actual best move in order to respond to what your counterpart is doing. And then they need the muscle to actually execute that move. Okay? You can't do it with weak muscles. You got to have strong muscles to be able to m to manage it. So similarly in the supply chain our fuel is our redundance and our resilience. It's the resources that we have to draw from. It's the additional inventory we're holding. It's the additional suppliers we have on boarded already. It's the manufacturing capacity that we are holding back on. Right? And so that's kind of the energy that we put into it, the fuel. Then we have our visibility. That's our brain. It helps us sense what's happening and then it tells us what to do about it. What can we do? What should we do? — And then in supply chain, our muscle is our agility. It's our flexible processes that stretch a little bit enough to accommodate novel situations where there's an unexpected disruption, but that doesn't break under the tension. Okay? So visibility, resilience, and agility are kind of like the fuel, the brains, and the muscle of a boxer. So that's how we mitigate. We bring those things together and they enable us to respond well after we're experiencing a harmful event. — Now, the interesting thing for me in kind of answering this question and I get a lot of clients who come to me feeling like they actually don't know how to build all of that, but isn't this what supply chains are really good at? This is what we know how to do. onboard an additional supplier. We know how to plan for additional inventory needs. We know how to hold back manufacturing capacity or to think about additional lanes or 3PLs or different network designs that are going to help us manage this world. Right? So at the end of the day, we don't really struggle to build the resilience, the visil visibility and agility. This is what we're really good at. These are capabilities that we've known how to manage before. So I kind of say that because I just want to say it's not that resilience is hard. It's not the risk management that's hard. We struggle because all of those things cost money. — Yes. — And we don't have the alignment we need to go spend money on them. That's not about mitigation being hard. Right. To my earlier point, that's a strategic alignment issue. And that's why I keep saying build your risk strategy. focus on what you care about and that will unleash your already very talented supply chain staff to go do what they do best. — Let me follow up on that money thing for a moment because it's a costbenefit analysis. I mean, you can spend tons and tons of money, but there's got to be a point at which you're saying, you know, I can't do anymore. I do I've got a bottom line to worry about. I've got quarterly results and shareholders and investors. You know, as you say, preparing for supply chain disruptions can be expensive. So, how do you balance the cost of readiness with the need to operate profitably in the short term? And for that matter, how do you sell the whole thing to senior management on an ongoing basis? — Yeah. So, there are kind of three pitfalls uh aside from not really focusing on what the business cares about. We've already talked about that one a couple times. That's the first pitfall. So, you really, really have to think about the thing you care about. You're going to put time, money, resources into protecting your Bentley, not your 30-year-old Honda Civic that has a 100,000 or 200,000 miles on it. — You're really going to focus on that Bentley. Same thing in your business. You've got to focus on the thing you care the most about. The second pitfall is that we choose mitigations functionally based on how well they help the function, not the supply chain end to end mitigate a risk. So we think about, well, if I'm in procurement, I'm going to bring on additional suppliers. If I'm in planning, I'm going to hold inventory. That's the lever that I have. I have one lever and that's it. Same thing with manufacturing. I'm going to hold back some additional capacity so that I can absorb. What we don't do often is quantify and make visible the tradeoffs necessary for the mitigation. It's costs in financial terms or costs in terms of KPIs that we're not going to be able to deliver on because we need to have that mitigation in place. Okay, so that's the second pitfall. The first is we don't think about what we care about. The second is we don't think about the cost of the mitigation. The third one is that we often try to take that decision in the supply chain. But really the supply chain has no business making this decision. The supply chain should

absolutely be a partner with the business providing strategic recommendations about how to mitigate different risks, what the trade-offs are that are involved, but we should push the decisions through to the business because at the end of the day, it's the P& L owner's responsibility for both the top and the bottom line performance that's going to determine how much mitigation we need at the end of the day. You would never ever ask your kids how much insurance premium you're willing to pay to protect your Bentley because they don't write the check at the end of the day, right? Supply chain, not to say that we're kids. It's a poor metaphor. We're not kids. We're not the children of the situation, right? But we also aren't the purseholder. We're not the ones who are going to write the check for it. We might be responsible for reducing costs, — but somebody else in the business is ultimately responsible for that. And for that reason they should be the decision maker because it's at again at the end of the day it is their opinion about how comfortable they are not with the risk but with the cost to mitigate that risk. — Yeah. — That is the most important driver. — Yeah. Well, I'm sure it's techn Bentley. I can tell you. — Yes. — They can have the Honda. — Yes. Exactly. There you go. Yeah. — Okay. Well, that's a really interesting perspective, Susie. It leads to the question of not only who should launch a risk initiative, who should maintain it, who should oversee it, and who should make the final determinations. Uh we some organizations even have what they call a chief risk officer, but we're talking today to chief supply chain officer. So — who's in charge? — Yeah. No, I mean, so this is going to be very specific to whatever organization you are working in. to speak in kind of broad strokes about this. I will say enterprise risk management typically focuses on risks not value and supply chain as a risk is kind of an emerging risk for a lot of enterprise riskmanagement folks. So what we find is that organizations are looking to their enterprise risk management folks for guidance but what they're getting are fluffy risks. So they'll say from they'll you know they'll get from enterprise risk management what's our exposure to cyber security risk and if you can even translate that into supply chain terms which is really hard to do the answer at the end of the day is kind of like well there's risk everywhere. — Same thing with geopolitical risk. it it's affecting everything and it and so again these kinds of f the focus on risk isn't helping you prioritize what you need to do but enterprise risk management doesn't often have helpful guidelines for supply chain folks in order to be able to actually move the needle forward. So, working with erm, you should do that, but just be aware that they may not fully understand how the supply chain works, and so what they're going to ask you to do or guide you to do may not actually translate operationally for you in a very clear way. Also, remember that erm is usually primarily focused on reporting. So they're trying to inspire confidence in the board, in your shareholders, in your stakeholders, in the business that risk is being managed effectively. Not to say they don't care about the mitigations. They do. Of course they do. You're all working for the same outcome. But their primary focus is on that reporting aspect and the legal and compliance aspect. Okay? So do work with erm, try to, you know, use the resources that they have. Try to create a collaborative relationship with them. But for supply chain risk, at least for the foreseeable future, I would encourage CSOs to take it as a thing that they keep on their own desk to make sure that is it is happening in a way that makes sense to the supply chain. — And again, what we go back to is you as a CSO, you can't rely on those old playbooks. This is why you personally as a CSO need to be involved in standing up a riskmanagement program because your teams are going to go back to things that aren't fit for purpose like a likelihood impact matrix. They're going to want to take the decision in the supply chain because they don't know who the right person is in the business to make that decision. They're going to struggle because they're kind of functionally siloed. They don't know who across the supply chain is there to help them and work as partners to manage endtoend risk. So I you know I want to encourage our csos to think about actually taking it on as something that they are personally monitoring. You may have a center of excellence. head of strategy who is responsible for risk and resilience in the supply chain but keep it on your desk and make sure that they're not falling into those

three pitfalls that we already know exist. — Yeah. Well, fortunately the CSO has that C in the title. They are in the seauite. I mean, — we hope they're in the seauite. Yeah. — In an organization because if they're not, you know, their voice may not even be heard and they might not be able to take on this stuff. So, uh — yeah, but you know, if I may, I think one of the issues that we do hear is that CSOS feel like they're not included in the conversation — even though they are CSOS, even though they nominate. — Yes. Absolutely. Even though that they are CSOS, I think one thing that we can think about is how do we engage with the business in a more strategic partnership way. One of the reasons that we're not consulted with the business, I think, is because we try to take the decisions ourselves in the supply chain. Mhm. — So if we're trying to say this is what our risks are, this is how much we're willing to spend, this is what we're going to do to be resilient, then we are both responsible for the decision and for executing on it. And the business partner is unaware. — Yeah. Imagine a world though where you actually go to the business partner in let's say you you have a risk council and the business partner is in that risk council which they always should be by the way and you're kind of engaging with them in a conversation and you're saying we're not going to make this decision. It's your P& L. Well now what does that P& L owner need? They need you. They need to consult with you. They need your information. they need your strategic recommendations because they don't understand supply chain. Mhm. — So, and again kind of counterintuitively we rein we reinforce by taking the decisions that the business should be making in supply chain we reinforce that communications cycle that doesn't include the CSO if we give the decisions to the business then we need to be consulted in order to provide strategic recommendations — to them. And so that's a it's a kind of a way to reset that relationship a little bit and become partners. — Yeah. — With the business. — Risk counselor. You say, is that something that every organization should have? — Oh, yes. I thought you were going to say, do they have uh most organizations don't have them? — No, but you mentioned it by name. I mean, what is this thing called a risk council? Is it everybody is outside of supply? It includes supply chain but not entirely supply chain or who's at the table? — Correct. Yeah. No, I think so. So you need four different perspectives inside that risk council. — You need the um you need the business owner. So you need that P& L perspective to talk about the top line and the bottom line impact and how comfortable they are with risks. You need people like me who know risk. They know governance. They know strategy. They know how to drive decisions with the business. communicate with stakeholders. Then you need domain risk knowledge. So you need people who know what cyber security risk is, — what compliance and assurance risk is. — You haven't even talked about cyber security. That's part of it too. Yeah. — Yeah. So you need that domain expertise on specific kinds of risk. And then the last thing that you need in there is the business process expertise. The people who are actually executing on business process who know what mitigations are out there. Who is the correct backup supplier for this? How much is it going to cost to bring them on board? How much inventory could we hold? How much warehousing do we have available? What are the alternative logistics routes that we could send our finished goods inventories through? That's the business process expertise that you need in order firstly to know what's possible, but then also those are the folks who are actually going to go out and execute on the mitigations that you do want to proactively invest into. So, those are the four perspectives that you kind of want to have on that risk council. — Okay. Well, Susie, I want to thank you so much for tolerating my grilling. Oh, — uh your answers were just fantastic. Uh this is so interesting. I so appreciate the privilege of being able to speak with you today. But now I want to bring the audience in. We've invited the audience all along to be submitting questions and they have done so already. But even as we take on the questions that have already come in, audience members, keep posing those questions, uh, clicking on that Q& A icon at the bottom of your screen and Susie will get to as many of them as you as we can, time permitting. So, uh, let's start with this one. Uh, the question is, — do I need to engage an outside consultant or advisor to address supply chain risk in my organization or can I handle it internally? Um so um it's it is going to depend on essentially those

four people that you've got in your supply chain risk council. So you cannot outsource the strategic business decision that is bespoke to your organization. Uh so if you do hire a consultant or an outside advisor, you need to make sure they understand what you care about and what you want them to value as they develop that programming. You may have a consultant again like somebody like me with my knowledge set who can come in and say here's how you manage risk. This is the best way to go about and do it if you don't have that in your organization. — And I would encourage you to really think about that side of it because this is a green field environment. Risk management is different today than it was in 2016. And unfortunately for the past 10 years, most organizations haven't figured that out yet because they too busy responding. firefighting. — So yes, so what we have right now is a deficit of knowledge and practitioners who know how to strategically stretch across an end toend supply chain. So that risk knowledge, you may be hardressed to find it. So that's one that you might think about a consultancy or an adviser, but make sure you get one that does it right like Gartner for example. — Okay. — All right. Then um the third area is on that uh risk expertise the domain risk and again that make an obvious opportunity for a consultant or an adviser but then you get back to that business process ownership and expertise and that's probably going to be bespoke knowledge very institutional knowledge some people call it tribal knowledge I don't love the term but that kind of knowledge that is within your business that may be necessary for you to develop the correct options. — So, outside consultant or not, figure out where you're going to get those four areas of expertise. You may need to hire someone for that, you may not. — Is company size an issue? I mean, if you're a smaller company, you're less likely to have a lot of individuals like somebody over here called a chief risk officer or somebody with different names. Might they be more likely or more in need of outside counsel? — They could be. Yeah. I mean, if you don't have the expertise, then you do need to go outside, go for it. I would say if you go back to you're focusing on the Bentley — Mhm. — and you know that it's at risk, you should be in a pretty good position to go to your business and say, "We need somebody to manage this. " — So, you may turn it into a bit of an opportunity. Although, as we've seen, it is shocking how some of the largest companies, even the Fortune 500s, don't have the required visibility and understanding of their multi-ter supply chain. You'd be surprised to find out just how little they know. They could use some outside help, too, maybe. I don't know. Okay. Well, thank you. Thank you audience for that question. Here's another one. — Being on constant alert for supply chain disruptions can be exhausting. How do I keep my team active and engaged? — Yep. So, I'm gonna say the thing I keep saying, and I don't want to be annoying about this. — Oh, please be my guest. — If you focus on the things that your business cares about, — then you will be able to reduce substantially the pressure that is on your operational and frontline staff in terms of responding to every little thing that happens. you're going to be more particular and intentional and choosy, if you will, about where they spend their time. Some revenue is not worth saving, especially if it means you're going to have to take resources away from your higher value revenue in order to protect it. So, you can kind of lower the expectation a little bit for how much investment they need to put into risk management. At the same time, if you do have that risk council and you have a risk owners, you can shift some of the responsibility off of their plates onto those individuals who actually have the expertise needed to manage risk. You don't want your category managers to feel like they have to manage all risk for the entire organization, but that's kind of what it feels like from their perspective, right? — They they're category experts. They're not risk experts. So give them the expertise that they need potentially by hiring someone else to do it and having them work together rather than trying to kind of move over and shift over the responsibility onto their shoulders. — Yeah. — So kind of reducing the need a little bit by focusing in on what you care about the most at the same time that you're shifting some of that responsibility kind of more strategically and more thoughtfully through a risk council and a risk owner. This next question is related to that uh keeping interest going in the riskmanagement initiative. It says how do I maintain an effective risk management effort when program champions leave the company uh especially when there's a change of CEO but I might even

say when there's a change of CSCO got to be bigger than one individual. — Agree. Yeah. — How do you do that? — Yeah. So um I would say there are kind of two elements. So that risk council is going to be an important organizational device for you to keep it on the calendar and keep that regular conversation happening. Now you are going when you have stakeholders who leave especially if they are on the P& L side of things like a CEO or a regional general manager or a product owner a BU leader if you have transitions there you should expect that the risk appetite is going to change. It's kind of like the Bentley. If I go back to the Bentley example, I might be comfortable with putting a tarp on the car, but my husband, he's not going to want to put a tarp on it. He's going to want to park it in the garage because it's his Bentley, right? So, who's the CEO? Well, whoever writes the check at the end of the day. But the fact is that our levels of comfort with the risk is different and that will change when you have a different P& L owner. And so you should expect that the risk appetite will change and the budget to manage it is going to change. What you can do is put together a risk register that becomes a living document that actually establishes the agenda for those risk council meetings over time. And that risk register has the three things we've been talking about. What do you care about the most? How much does it cost to mitigate it? Are you P& L owner comfortable with the cost to mitigate? Do you want us to spend less or spend more? You put that into a risk register. It's a little bit more complicated than that, but those are the essential pieces of it. You create that as a living document that guides your supply chain risk council meetings. Now, you have an a forum ready for you for those changes in and it's not just changes in stakeholders, right? It could be that the life cycle of the thing that you care about is changing. It's end of life now. You don't want to protect it anymore. It could be that the risk environment is changing more risks. It could be that your budget situation has changed. You don't have as much money — or that stakeholder changes and so the opinion or the comfort level with risk is changing. So if you have that risk council and the risk register guiding the conversations, you should be in a pretty good position to maintain focus and maintain alignment over time. — I love it, Susie, that one of your themes here today is that the risk initiative is a dynamic thing that it's not a oneanddone locked into place thing that you create and just go forward with it. that the world changes and so does one's reaction and need to respond to that world. So that that's great. — Absolutely. — Um here's another people question. My goodness, I don't know why people care about people, but here it is. Uh how do I find the right talent to run this initiative? What are the skills required? What is a CSCO or a chief risk officer I mean what do they what skills and talents do they have to possess today? — Yeah. Um so I think being partially or marginally knowledgeable about risk is an important aspect of that. I think that the critical differences are actually around the strategic and critical thinking abilities of the people that you put to the question around risk. You have to have somebody who understands your business and understands how your business makes money which is different than how every other business makes money. So you have to understand kind of how the business makes money. You have to have really good communication skills so that you can adjust the messaging around risk and your strategy to the different stakeholders that you're going to be dealing with. with people who are going to make decisions about your risk appetite at the same time that you're working with category managers or planners or manufacturing folks who don't want their metrics to look worse because you're asking them to mitigate. So you're trying to find somebody who has that ability to communicate really well at multiple levels within the organization. They can go high and they can go regional. You need somebody who's really good at program management. That's another aspect of it. That's really important. They can't let things fall off their radar. They've got to keep focused on making sure that actions are being taken as a followup to some of these risk conversations. So, I think risk itself is something they can learn about. Our clients have access to me. I can teach them all day long about how to manage risk. What I can't teach them is strategic thinking. what's most important in their business. I can't teach them how to communicate with very specific people they know and I don't know. So some of that kind of more soft skills and business and

enterprise acumen, supply chain acumen are the things that really then begin to to seem like they're a little bit more important. — It's a tall order. It's hard — valuable individual we're looking for out there today. I hope you compensate them accordingly. — Yeah. Well, I mean, so that is one thing I would say like you are going to need a highc caliber individual. — Yeah. — So, as you're thinking about going with a business case to build a riskmanagement program, think about the kind of person that you want in that role and the kind of compensation they're going to be looking for. — It's probably higher than what you may have been thinking earlier when you thought it was somebody who just manages risk. — Okay. This question says, "When it comes to designing and running riskmanagement programs, here we go. Is AI going to put all relevant humans out of a job? " — No. Hard no. — Nope. I just don't think that is a realistic expectation. Um, a couple of things I can say here. So, in for AI, generally speaking, AI's capability does not determine the floor of our economy. Most of the economy is built on bespoke uh very much tailored and things that are not scalable. So, you know, think about the infrastructure project in your local city or town. Think about the hem of the pants that you need tailored. Think about things that you need specifically for your children. A large portion of our economy operates in areas that are very bespoke. They're not automatable. They're not even in a controlled environment. You're still going to need humans because you're not going to have the kind of ability that you need to respond to those very bespoke things. At the same time, we talked about this already. There is a very very wide digital gap for most organizations. What we capture digitally is a very small percentage of what is actually happening in reality. Even if you improve on your sensei, that data is going to be relevant for yesterday's world in a voua environment, it's probably going to struggle to keep up with the bespoke issues that you're trying to deal with. And the statistics that AI models are based on depresses the edge cases. But when you're talking about risk, that's actually what you need to prioritize, right? So, you've got a couple of issues there. And then the last thing I will say is that organizations and individuals are all operating in a widely varying digital maturity space. It is not technology that determines the pace of adoption. We know that regulations do. current data does your current organizations processes, compliance laws, uh, insurance and liability for decisions that organizations are making. These are all going to slow down how quickly AI becomes adopted in the organization. And that's not just your organization, that's yours and every other one that you're doing business with. So for me, I feel pretty confident that AI is not going to replace humans anytime soon. It has good use cases and where it makes sense, use it. If you need to map your supply chain so that you know where your supply base is, use AI for that 100%. There is a good use case there. But don't ask it to predict the future for you. And don't ask it to tell you what's most important for your organization. It doesn't know. It probably never will. Susie, I have so much enjoyed this conversation today. Thank you so much for your insights and it's been a very educational hour for me and for our audience in general. But uh unfortunately we are just about out of time. Uh we have time for one final question and here it is. What is the most important thing to remember about managing supply chain risk today? and what's the very first thing that I need to do to launch an effective riskmanagement program in my organization, especially if I've been lagging in that area. — Yeah, I'm going to give you three things, but I'm going to make it simple for you. So, we've talked about all of them. The first thing is don't prioritize risks. Prioritize what you care about first. The second thing is don't choose mitigations based on how effective they are or how they're going to help your function in terms of plan, source, make, deliver. Choose them based on their costs and their tradeoffs. That's what's going to tell you what you should do is how much it costs. And then the third one is do not make this

decision for the business. Work with your business. provide strategic recommendations for them about what is the best mitigation for you for their revenue. What's the most coste effective version of mitigation, but do not make that decision for them. Ask them what their comfort level is. How much do they want you to spend on mitigation? And I think I kind of answered the second question in the same way. If you're going to start today, start there. Start with what you care about. What do you care about? How much are you willing to spend to protect it? Ask the right person. Those three things. What do we care about? How much are we willing to spend to protect it? Who's the correct person to answer that? It's the P& L owner. — Well, it's time to drive off in the Bentley. Unfortunately, I think we're out of time. Susie, once again, thank you so much for your time. I've had a great conversation and so much enjoyed it. And audience, too, thank you for your participation and your excellent questions. I want to remind you that you can see Susie as well as many other Gartner experts and a lot of your industry colleagues too at the upcoming Gartner Supply Chain Symposium and Expo. That is two events. May 4th to 6th, 2026 in Orlando, Florida. May 18th through 20th in Barcelona, Spain. You learn about AI, crossf functional impact, building future ready organizations, just the whole thing. And especially risk management every year. This is the this is what the events you need to be at. Don't miss it. There's a QR code in the corner there that you can take a quick shot of for more information. Register with the code SCB2026. If you don't have time to take a shot of that QR code right now, don't worry. It will be sent to all attendees of this webinar upon its conclusion, which again unfortunately is right now. Susie, thanks again. Everybody, audience, have a wonderful day.