Author

Rachael Johnson, head of risk management and corporate governance, Policy & Insights, ACCA

Geopolitical instability, cyber threats and economic volatility are not only amplifying each other at an accelerating pace. They are also increasingly converging in one place: the supply chain. For finance professionals, that convergence changes everything.

The conflict in the Middle East has shown the speed at which risk travels through modern supply networks, and how difficult it is to contain once it starts. Shipping routes are not only exposed to physical risk, but also to commercial pressure. Rerouting adds time and cost. Insurance premiums increase sharply, if cover is available at all. Suppliers further down the chain face cashflow strain, which in turn affects their ability to deliver. What initially looks like a logistics problem quickly becomes a financial one.

In some cases, the impact of these ripple effects is more severe than many organisations expect. As one ACCA member specialising in supply-chain risk notes, this is less of a contained disruption and more a form of contagion: revenues can fall abruptly while costs rise at the same time, particularly for businesses dependent on physical goods or regional operations. That combination is what makes the current environment particularly challenging.

The new front door

The supply chain has always been a source of operational risk. What has changed is the role it now plays in connecting different types of risk. Geopolitical events disrupt routes and counterparties, economic pressure weakens suppliers, and cyber threats exploit those vulnerabilities – often by targeting the weakest points in the network.

‘At least 80% of all cyber breaches go through the supply chain,’ says Greg Schlegel, founder of the Supply Chain Risk Management Consortium. ‘The bad guys try to find the path of least resistance to get into the big guys’ supply chain.’

Organisations are rarely compromised through their core systems. Instead, attackers gain access via third parties. Smaller suppliers, often with fewer resources and immature controls, become entry points, allowing attackers to move upstream into larger organisations with stronger defences but limited visibility beyond immediate suppliers.

This is what makes supply-chain cyber risk difficult to manage. It is not just about securing internal systems but understanding the resilience of an extended and often opaque network.

Cyber threats hit finance

One of the more notable shifts is how directly cyber risk is now intersecting with finance. A growing number of attacks are focused on supplier relationships, particularly through invoice and payment fraud. By compromising or impersonating a vendor, attackers can issue legitimate-looking invoices or request changes to payment details. For finance teams, these attacks are difficult to detect because they sit within normal business processes.

Artificial intelligence is adding another layer of complexity. More convincing phishing emails, synthetic voice messages and even deepfake communications are making it harder to distinguish genuine requests from fraudulent ones, especially where urgency is involved.

At the same time, the boundary between cyber and physical disruption is becoming less clear. Attacks on operational systems – manufacturing, logistics or infrastructure – can now have immediate real-world consequences, compounding existing supply-chain disruption.

What is emerging now with AI – for example, Mythos – reinforces that shift. Systems capable of identifying and exploiting vulnerabilities at scale point to a future where cyber risk becomes faster, more automated and harder to detect. The bigger issue is visibility. Organisations are often shown what these systems can do without a clear view of their limitations. This reflects the reality of modern supply chains: complex, opaque and only better understood after something goes wrong.

Unprepared

Most organisations recognise that these risks are increasing. The challenge is turning that awareness into practical resilience. Visibility remains a key issue. Many organisations still do not have a clear view beyond their tier-one suppliers, making it difficult to identify critical dependencies or weak points.

Business continuity planning is another area under pressure. Plans often exist, but they are typically designed around single events – a system outage or a supplier failure – rather than multiple, overlapping disruptions. They may also rely on access to systems that would not be available in a severe scenario.

There is also a governance dimension. Supply chain and cyber risks are still often treated as operational or technical issues rather than strategic ones requiring board-level attention. But unless these risks are clearly expressed in financial terms, they can struggle to gain traction at senior levels.

Organisations navigating these challenges effectively tend to treat supply-chain risk as a strategic issue, not just an operational one. They invest in understanding their dependencies, including suppliers beyond the first tier. They also run realistic scenario exercises that test how the business would respond if systems were unavailable or key suppliers failed. Just as importantly, they integrate these considerations into decision-making at the highest level.

There is also a more subtle factor at play: trust. Trust acts as ‘a kind of currency within supply chains’, as one risk specialist put it. Where it is strong, organisations can respond more quickly and collaboratively to disruption. Where it is weak, transactions slow down, costs increase and risks are harder to manage.

In an environment where disruption is both more frequent and more interconnected, that difference becomes increasingly important.

Expanding role

For finance professionals, this environment changes the scope of the role. It is no longer just about reporting on performance after the fact. It is about helping organisations understand where they are exposed and how those exposures translate into financial outcomes.

That includes quantifying the impact of disruption – on revenue, costs and working capital – as well as challenging assumptions about where risks sit within the business. It also means engaging more directly with issues that may once have been seen as outside finance’s remit, from supply-chain structure to cyber risk.

These risks are no longer separate. They are connected, reinforcing each other in ways that can escalate quickly.

More information

ACCA’s risk community contributes to insights and articles. For enquiries, contact its chair, Rachael Johnson. See other ACCA thought leadership on risk.
