Every SMB importer we’ve talked to eventually hits the same wall: they sourced from one country, then two, then five, and now they can’t hold the full risk picture in their head anymore. A tariff change in Vietnam, a currency move in Turkey, and a port strike in Oakland all land in the same week, and the ops lead is reverse-engineering the P&L impact from memory.
A supplier risk matrix is the simplest tool that fixes this. It’s a spreadsheet. That’s the whole thing. What matters is what columns you track, how you score them, and how often you refresh.
One row per supplier (or per country-category if you have many suppliers in the same lane). Eight columns:

| Column | What goes in | Refresh cadence |
|---|---|---|
| Country | ISO-2 code of origin | — |
| HS code / product | The 6–10 digit HS classification and product family | Annually or on re-class |
| Annual spend (USD) | Last 12 months | Quarterly |
| Tariff risk | Current MFN rate, any in-progress Section 232 / 301 / AD/CVD investigation, likelihood change in next 6 months (1–5) | Monthly |
| Sanctions risk | Clean / flagged / suspended against OFAC, EU, UK, UN, PEP lists | Weekly |
| FX risk | Volatility of counter-currency vs. USD (σ of daily returns), any capital-controls news | Weekly |
| Logistics risk | Port congestion, canal routing, last incident | Weekly or on event |
| Composite score | Spend-weighted sum of the four risk columns (0–100) | Auto on refresh |

Keep the scoring primitive. For each risk column, use a 1–5 scale where 1 means “no known issues in the last 90 days” and 5 means “actively elevated, decision needed this week.” Multiply by the supplier’s share of total annual spend. Sum. That’s your weighted exposure.
The point isn’t to build a hedge-fund-grade model. It’s to give you a single number per supplier that says “pay attention to this one first.” If your supplier in Turkey just became a 14 on composite, and the one in Vietnam is a 3, that’s where your ops hour goes.
Two mistakes show up repeatedly in matrices built without help:
Refreshing only when something breaks. The matrix has to be a weekly, not crisis-triggered, habit. The whole value is that you see the change before it becomes a crisis. A matrix refreshed after the port strike is a postmortem, not risk management.
Missing the sanctions column entirely. Smaller importers often assume sanctions are “a big-company problem.” They’re not. OFAC enforcement actions against companies with under $10M revenue have risen every year since 2022, and the fines ($50K–$500K range) can kill an SMB. A weekly screen takes five minutes if you have the pipeline and the list refresh automated.
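
The scoring rule and the weekly-refresh habit described above, as an added Python example that is not part of the original article: it computes each supplier's composite and lists the risk columns whose last refresh is older than the table's cadence. The ×5 scaling onto 0–100, the mapping of sanctions status onto the 1–5 scale, the 31/7-day age limits and every supplier row are assumptions constructed for illustration.

```python
from datetime import date

# Maximum age in days per risk column, from the table's refresh cadence
# (assumed: monthly -> 31, weekly -> 7).
MAX_AGE_DAYS = {"tariff": 31, "sanctions": 7, "fx": 7, "logistics": 7}

def composite_scores(suppliers):
    """Sum of the four 1-5 risk scores times the supplier's spend share.

    Assumption: multiplied by 5 so the result spans the table's 0-100 range
    (the raw sum tops out at 20 and the share at 1.0).
    """
    total = sum(s["spend_usd"] for s in suppliers)
    scores = {}
    for s in suppliers:
        risks = [s["risk"][c] for c in MAX_AGE_DAYS]
        if any(not 1 <= r <= 5 for r in risks):
            raise ValueError(f"{s['name']}: risk scores must be 1-5")
        scores[s["name"]] = round(sum(risks) * s["spend_usd"] / total * 5, 1)
    return scores

def stale_columns(supplier, today):
    """Risk columns whose last refresh is older than the cadence allows."""
    return sorted(c for c, limit in MAX_AGE_DAYS.items()
                  if (today - supplier["refreshed"][c]).days > limit)

def triage(suppliers, today):
    """(name, composite, stale columns) per supplier, highest score first."""
    scores = composite_scores(suppliers)
    ranked = sorted(suppliers, key=lambda s: scores[s["name"]], reverse=True)
    return [(s["name"], scores[s["name"]], stale_columns(s, today)) for s in ranked]

# Constructed sample rows; names, spend, scores and dates are illustrative.
TODAY = date(2025, 6, 16)
FRESH = {c: date(2025, 6, 13) for c in MAX_AGE_DAYS}
SUPPLIERS = [
    {"name": "VN-footwear", "spend_usd": 300_000, "refreshed": FRESH,
     "risk": {"tariff": 4, "sanctions": 1, "fx": 2, "logistics": 3}},
    {"name": "TR-textiles", "spend_usd": 600_000, "refreshed": FRESH,
     "risk": {"tariff": 2, "sanctions": 1, "fx": 5, "logistics": 2}},
    {"name": "MX-fasteners", "spend_usd": 100_000,
     "refreshed": {**FRESH, "sanctions": date(2025, 5, 27)},
     "risk": {"tariff": 1, "sanctions": 1, "fx": 1, "logistics": 1}},
]

if __name__ == "__main__":
    for name, score, stale in triage(SUPPLIERS, TODAY):
        print(f"{name:14} {score:5.1f}  stale: {', '.join(stale) or '-'}")
```

In the sample data the lowest-scoring supplier is also the one with an overdue sanctions screen, which the composite alone would not surface.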
You can run this with: Google Sheets (free), a sanctions-screening feed ($40–$100/mo), an FX volatility feed like OANDA or wise.com historical rates (free), and a trade-signal feed for tariff and port events. That last piece is where most SMBs over-pay — enterprise tools bundle it into $20K+/yr packages — but if you can get the signal alone at $97/mo, the whole stack comes in under $150/mo.