Measuring supply-chain risk
Why assessing a component or a supplier is not the same as assessing a specific procurement lot. How CILM measures risk as a consequence of evidence sufficiency, what the five factors address, and what the methodology produces as output.
Every organization that procures electronic components has access to some form of risk intelligence. Component-data platforms track lifecycle position, availability, and price anomalies. Incident databases record parts that have been flagged, tested, and found suspect. Supplier-qualification processes establish which companies are permitted to supply at all. These tools are useful, and CILM is not an argument against any of them.
The problem they share is the unit of analysis. They assess the component, the supplier, or the market — objects that are the same for every buyer of that part. What they do not assess is the evidence available for a specific delivery from a specific source to a specific organization at a specific time. That evidence is not the same for every buyer, even when the part number is.
CILM addresses the object those tools leave unexamined.
The core distinction
CILM treats risk not as a property of a component or a supplier, but as a consequence of the sufficiency of evidence for the provenance and history of a specific lot.
The shift in object is not a refinement of existing scoring. It is a change in what is being measured. A component-risk score describes the catalog entry. An evidence-sufficiency assessment describes the decision situation facing a particular buyer for a particular delivery. The catalog score is the same for all buyers; the evidence situation differs.
This distinction has a practical consequence. Two procurement teams can hold identical part numbers from the same supplier on the same day, with the same catalog-level risk score, and face entirely different evidence situations. One has a traceable supply chain, complete documentation, and a recent verification record. The other has an independent broker, a CoC that does not match the lot date code, and no prior verification. The catalog score says the same thing to both. The evidence sufficiency says something different.
The same part number, two different decisions
Consider a specific integrated circuit that appears in two separate procurement events on the same date.
In the first event, the part is supplied by an authorized distributor, carries documentation traceable to the original manufacturer, and has been subject to incoming inspection at a defined level. The evidence is sufficient. The routing decision is acceptance with a standard record.
In the second event, the same part number is offered by an open-market broker at a price below the market median, with a certificate of conformance that lists a date code inconsistent with the manufacturer’s production records for that period. The supply chain has three intermediate transfers with no documentation for two of them. The evidence is not sufficient. The routing decision is verification before acceptance, at a depth determined by the criticality of the application.
Both events involve the same part number. The catalog-level risk is identical. The lot-level evidence situation is not. CILM is built to make that difference measurable and auditable.
What the five factors address
CIRS — the Component Integrity Risk Score — aggregates five factors. Each addresses a distinct dimension of the evidence situation for a lot. The factors are qualitative descriptions of what matters; their precise calculation is maintained in restricted technical documentation and is not reproduced here.
S — Supply Channel Structure addresses the authorization level and transparency of the supply path: whether the channel is authorized, how many transfers of ownership have occurred, whether each step is documented, and how close the route is to the original manufacturer. A longer, less transparent chain means less evidence about provenance.
F — Counterfeit Exposure Frequency addresses the historical and probabilistic exposure of this part number, manufacturer family, or channel type to supply-chain incidents. It draws on external incident intelligence and includes a signal for emerging risk that may not yet be fully reflected in historical records. According to ERAI’s 2025 annual report, independent distributors accounted for 48.26 percent of parts reported to ERAI — the single largest reporter category by type — which illustrates how channel structure and incident exposure are related.
Q — Verification Quality addresses what verification has already been performed on this lot and at what depth. It is coded as a deficit: a lot with no prior verification carries the maximum deficit; a lot with documented independent laboratory results carries a lower one. This factor is the primary mechanism through which laboratory evidence enters the score.
D — Documentation Integrity addresses the completeness, consistency, and verifiability of the documents accompanying the delivery: certificates of conformance, test reports, invoices, packing lists, and any traceability documentation. Inconsistencies between documents — or between documents and physical markings — signal an evidence gap, not necessarily a fake, but a situation that requires resolution before a confident decision can be made.
C — Component Criticality and Lifecycle addresses what failure would mean in the intended application, and where the part sits in its lifecycle. A component in an obsolete or end-of-life status has a different evidence environment than a currently produced part: authorized channels may be unavailable, documentation may be harder to verify, and the incentives for counterfeiting increase as genuine stock becomes scarce. ERAI’s 2025 data shows that parts with obsolete or end-of-life status represented 60.02 percent of all reported parts, against 36.15 percent for active parts — a ratio that reflects the practical importance of lifecycle position in supply-chain risk.
Before and after verification
CIRS is calculated twice for each lot, and the two values serve different purposes.
The prior score is calculated on the evidence available before physical verification. It determines whether verification is necessary and at what depth — L0 (documentation review only) through L3 (full independent laboratory examination). The prior score is a routing decision, not a final assessment.
When verification occurs, the results are recorded as evidence events and used to update the relevant factors. The score recalculated after verification is the posterior score. It reflects what is now known, rather than what was estimated before testing.
The two values are stored separately, with a record of what events produced each update. The prior is not overwritten by the posterior. Both remain in the audit record, because the routing decision made on the prior score is itself part of the documented history of the lot.
What CIRS produces
The output of CIRS is not a verdict. It is four things: a risk tier, an evidence confidence, a recommended verification depth, and a disposition.
The risk tier indicates how the lot should be routed given its current evidence situation. The evidence confidence indicates how much weight the score should carry — a score built on complete, consistent evidence carries higher confidence than one built on sparse or conflicting inputs. The recommended verification depth translates the tier into an actionable instruction: what testing, if any, is warranted before a decision can be made. The disposition is the documented decision: accept, quarantine, verify at a specified level, or reject.
CIRS never produces a finding of genuine or counterfeit. It produces a structured, auditable basis for an engineering decision.
What CIRS does not replace
CIRS is a pre-verification triage tool. It does not perform physical testing, and it does not substitute for laboratory examination of lots that require it. It does not generate component data — it consumes signals from component-intelligence platforms, incident databases, and lifecycle records, and uses them as inputs to the evidence assessment for a specific lot.
It also does not establish a permanent rating for a supplier. The evidence situation for a given lot from a given supplier may differ across deliveries, depending on what documentation accompanies each one and what verification is applied. A supplier who performs well across many lots is not thereby exempt from evidence assessment on the next one.
Where the methodology stands
CIRS is in active development. The calculation architecture is documented and its factors are fixed. Exact parameters — weights, tier boundaries, and missing-data defaults — are maintained in restricted technical documentation and are not published until a validation protocol has been completed. An empirical corpus of procurement communications, published as an open dataset on IEEE DataPort, provides the observational basis for the methodology’s development; independent researchers can access and study it directly.
The methodology’s current status and the steps remaining before wider publication are set out on the methodology status page.
[DIAGRAM: horizontal sequence showing Evidence Intake → CIRS-prior → Risk Tier → Verification Trigger → Lab Evidence Event → CIRS-posterior → DCP Update → Documented Decision → Feedback. Above the sequence, a bracket labels the segment from Evidence Intake to Risk Tier as “pre-verification routing”. Below, a bracket labels the segment from Lab Evidence Event to CIRS-posterior as “posterior update”. A vertical divider between Verification Trigger and Lab Evidence Event marks the point at which physical verification occurs. Author-developed.]
Information gain
The distinction between catalog-level risk and lot-level evidence sufficiency is made concrete through the same-MPN-different-decision example and the prior-to-posterior update mechanism, neither of which appears in standard component-intelligence literature — drawn from the published CILM methodology and its empirical corpus.
Author contribution
The framing of risk as a consequence of evidence sufficiency for a specific lot rather than a property of a component or supplier, the five-factor CIRS architecture S/F/Q/D/C, and the prior-to-posterior evidence update, as set out in the CILM methodology developed by the author.
Claims and sources
-
According to ERAI's 2025 annual report, independent distributors accounted for 48.26 percent of parts reported to ERAI, making the independent distribution channel the single largest source of reported supply-chain incidents by reporter type.
-
According to ERAI's 2025 annual report, parts with an obsolete or end-of-life lifecycle status represented 60.02 percent of all parts reported, compared with 36.15 percent for parts with an active status.
-
The author describes the gap between dashboard-level supply-chain risk and lot-specific evidence in two articles published in Supply Chain Management Review: 'The Hidden Supply-Chain Risk No Dashboard Shows' (30 June 2026) and 'Manufacturing Component Verification Errors' (7 July 2026).
-
The empirical basis for the methodology includes a published corpus of anonymised procurement communications, available as an open dataset on IEEE DataPort (DOI 10.21227/34y3-zj88).
FAQ
What is the difference between component risk and lot risk?
Component risk describes properties of a part number: its lifecycle position, its history of incidents, the markets in which it circulates. That information is the same for every buyer of that part. Lot risk describes the evidence available for a specific delivery from a specific source at a specific time. Two buyers holding the same part number from the same supplier on the same day can face different evidence situations — and therefore different risk positions — depending on what documentation, channel history, and verification each can access.
What does CIRS measure?
CIRS is a composite risk score that aggregates five factors: supply channel structure, counterfeit exposure frequency, verification quality, documentation integrity, and component criticality and lifecycle position. Each factor addresses a distinct dimension of the evidence situation for a lot. The score is used for triage and routing, not as a verdict on authenticity.
What does CIRS produce as output?
A risk tier, an evidence confidence, a recommended verification depth, and a disposition. It does not produce a finding of genuine or counterfeit.
What changes after laboratory verification?
Before verification, CIRS is calculated on the available evidence — a prior score. Laboratory results and other verification events update the relevant factors and the confidence score, producing a posterior score. The two values are stored separately, with a record of what events caused each update. The prior and the posterior are never merged into a single undated number.
Does a high CIRS score mean a component is counterfeit?
No. A high score means the evidence available for that lot is insufficient to support a confident risk assessment, or that the available evidence contains signals that warrant closer examination. The score drives a routing decision — what verification to apply — not a verdict about the component.
Can CIRS replace laboratory testing?
No. CIRS is used before testing to decide whether testing is necessary and at what depth. It does not substitute for physical examination. Its role is to direct testing resources toward the lots that need them most, rather than applying the same inspection level to every delivery.