A bill of materials is a deceptively simple document. At its surface, it's a list of components and sub-assemblies that make up a finished product. What it doesn't show—and what almost no procurement team has mapped—is the supplier dependency graph that sits below each line item, extending two and three tiers into the supply chain.
When we work through BOM mapping exercises, the common reaction from procurement teams is genuine surprise at what they find. Not surprise that concentration risk exists—most CPOs have a sense that it does—but surprise at where it is and how severe it turns out to be once you actually follow the tree.
What a BOM Dependency Map Actually Looks Like
Start with a single finished SKU. Its BOM might list 30–80 line items: PCBs, mechanical housings, specialty fasteners, power supply sub-assemblies, cable harnesses. Each of those line items has its own supplier. And each of those suppliers has their own supply base for the inputs that go into making your component.
A three-level BOM dependency map traces each line item to its Tier-1 supplier (your direct vendor or CM), then to the Tier-1 supplier's inputs at Tier 2, then one level further to Tier-3 sub-suppliers where data is available. For a moderately complex product, a full map can identify 200 to 500 distinct entities at Tier 2 and Tier 3 combined—many of them invisible to the procurement team before the exercise.
The interesting data isn't the number of nodes. It's the clustering. Across 200 Tier-2 and Tier-3 nodes, you typically find that a handful—often three to six—appear as supply sources for a significant fraction of your Tier-1 nodes. These are your concentration risk candidates. They're not random failures; they're structural dependencies baked into the supply chain architecture.
The Three Patterns You Find at Tier 2
Across BOM mapping work, three distinct concentration patterns appear consistently:
Single-source component concentration. A specialty component—a particular MEMS sensor, a specific power management IC, a proprietary connector type—has only one or two manufacturers capable of producing it to the required specification. Multiple Tier-1 suppliers all source from the same one or two sub-suppliers because there's no viable alternative. Your sourcing decisions at Tier 1 don't change this; the concentration is in the component's manufacturing base, not in your supplier selection.
Geographic cluster concentration. Multiple sub-tier suppliers are physically co-located in the same industrial region or even the same industrial park. This creates correlated risk: a regional event—flood, power grid failure, labor action, trade restriction—can simultaneously affect multiple sub-tier nodes that your Tier-1 map shows as independent. The geographic concentration often emerges because specialist manufacturing clusters develop organically in specific regions, and your CMs source from whoever is closest and most capable.
Parent-company concentration. Several sub-tier suppliers that appear as separate legal entities are actually subsidiaries of the same parent company. A financial or operational problem at the parent propagates across all subsidiaries. Your Tier-1 data shows four different supplier names; a Tier-3 mapping reveals they're all owned by the same holding company with shared financial exposure.
A Scenario: Automotive Electronics Sub-Tier Mapping
Consider a growing automotive Tier-1 supplier that produces electronic control modules for multiple vehicle programs. Their procurement team has qualified twelve contract electronics manufacturers and feels confident about their CM diversification. When they map their BOM three levels deep across their top five product lines, they find that seven of their twelve CMs source multilayer ceramic capacitors (MLCCs) from the same two sub-tier vendors in the same production region.
MLCCs are a commodity—priced per thousand units, purchased in enormous volumes. But capacity constraints in MLCC manufacturing are not uncommon, and the geographic concentration means a regional disruption affects seven of their twelve CMs simultaneously rather than one. Their risk mitigation strategy before the mapping exercise had focused on qualifying additional CMs. After it, they understood that qualifying more CMs without addressing the shared MLCC dependency was adding apparent diversification while leaving the actual concentration unchanged.
The Data Problem at Tier 3
Tier-2 data is hard to get. Tier-3 data is harder. The further you go down the supply chain, the less structured the data becomes and the fewer reporting obligations exist for suppliers to disclose their own supply base.
We're not suggesting that every procurement team needs complete Tier-3 visibility for every product line. That level of completeness isn't achievable for most organizations, and the marginal value of mapping beyond Tier 3 is generally low. The concentration risk that matters is almost always visible by Tier 2, with Tier-3 data providing confirmation in specific high-criticality paths.
The practical approach is risk-stratified coverage: full Tier-2 mapping for high-criticality, high-spend product lines; spot-check Tier-3 mapping on the highest-concentration nodes identified at Tier 2; lighter-touch monitoring elsewhere. This gives meaningful coverage without requiring an exhaustive data-gathering exercise for every SKU in your portfolio.
What the Map Changes About Sourcing Decisions
The value of BOM dependency mapping isn't the map itself—it's the sourcing decisions it enables. Without sub-tier data, procurement teams optimize at the Tier-1 level: negotiate better terms with CMs, qualify more vendors per category, improve on-time delivery performance. All legitimate objectives, but they don't address the concentration risk hiding below.
With sub-tier data, you can start asking different questions. Before awarding additional business to a CM, you can ask: does this CM share sub-tier suppliers with the CMs we already use? If yes, does that increase our concentration on specific components? That question doesn't appear in a standard RFx process, but it's the question that determines whether your diversification strategy is real or illusory.
You can also have more productive conversations with existing CMs about their own supply risk. A CM that understands you have visibility into their sub-tier network has an incentive to proactively disclose concentration risks and work with you on mitigation—rather than waiting until a disruption forces the conversation.
Getting the First Map Done
The biggest barrier to BOM dependency mapping isn't methodology—it's getting started. Most procurement teams look at the exercise and conclude it requires too much data they don't have and too much time they can't spare.
The practical starting point is narrower than a full portfolio exercise. Pick one product family: your highest-revenue SKU, your most complex BOM, or the product line where a supply disruption would have the worst downstream consequences. Use whatever BOM data you already have in your ERP, supplement it with CM data requests for the top-20 components by spend, and see what the concentration patterns look like at two levels.
That first map won't be complete. It will have gaps and uncertainties. But it will almost certainly surface at least one concentration pattern that wasn't visible before—and that's enough to justify expanding the exercise to the rest of the portfolio over time. Procurement teams that have done this work consistently report the same reaction: the concentration patterns they find are not where they expected, and the diversification strategies they were pursuing at Tier 1 were often addressing the wrong level of the problem.