Resilience and Risk Management

Strengthen resilience and manage risk before disruption hits.

Every supply chain faces disruption; the difference is how prepared you are. At Trace Consultants we help organisations assess vulnerabilities, diversify suppliers, and build response plans that maintain continuity under pressure.

Why resilience and risk management matter now.

Geopolitical tensions, climate events, cyber threats, and supply chain complexity have exposed vulnerabilities across industries. Without structured risk management and resilience planning, organisations face service failures, cost blowouts, and reputational damage when disruptions hit.

Strong resilience capabilities transform how businesses respond to uncertainty. With proactive risk assessment, supplier diversification, and contingency planning, organisations can maintain continuity, protect margins, and outmanoeuvre disruption faster than competitors.

Ways we can help

Identify and mitigate vulnerabilities

We map risks across suppliers, logistics, inventory, and operations, assessing geopolitical, environmental, and operational threats to build targeted mitigation strategies.

Strengthen supplier networks

We develop multi-sourcing strategies, assess supplier financial health, and optimise nearshoring and local sourcing to reduce single-point-of-failure risks.

Build business continuity capability

We design business continuity plans that maintain operations during disruption, with scenario modelling for pandemics, natural disasters, supplier failures, and cyber events.

Enhance visibility with technology

We implement AI-driven risk monitoring, digital twins, and real-time tracking systems that provide early warning signals and improve response speed.

Align sustainability with resilience

We integrate ESG compliance, Scope 3 emissions reduction, and circular economy principles into resilience strategies, ensuring supply chains are sustainable and secure.

Core service offerings

What our resilience and risk management services cover:

We structure our approach around five key areas that help organisations anticipate risks, respond effectively to disruptions, and maintain operational stability in a rapidly changing environment. Each solution is tailored to your industry context and risk profile.

Supply Chain Risk Assessment and Contingency Planning

We help organisations identify, assess, and mitigate risks across their supply chains through structured frameworks that enable proactive planning rather than reactive firefighting.

What we deliver:

  • Supply chain vulnerability mapping across suppliers, logistics, inventory, and operations
  • Geopolitical, environmental, and cyber risk assessment
  • Contingency plans and risk mitigation strategies
  • Real-time risk monitoring tools and dashboards
  • Supplier and geographic risk analysis including single-source dependencies
  • Logistics and transportation risk management
  • Inventory and demand-supply risk balancing

Multi-Sourcing and Supplier Diversification Strategy

Many supply chains rely too heavily on a few key suppliers or regions, creating significant risk exposure. We help businesses diversify and strengthen supplier networks to improve resilience.

What we deliver:

  • Multi-sourcing strategies to reduce supplier dependency risks
  • Nearshoring and reshoring options to enhance local sourcing resilience
  • Supplier financial and ESG performance assessment
  • Supplier performance monitoring and risk alerts
  • Critical infrastructure supply chain strategies
  • Regional supplier network development for essential goods
  • Medical and pharmaceutical supply continuity planning

Business Continuity Planning (BCP) for Supply Chains

Organisations need robust Business Continuity Plans to maintain supply chain operations during disruptions. We help businesses develop structured response frameworks aligned with regulatory and operational requirements.

What we deliver:

  • Supply chain BCPs aligned with regulatory and operational requirements
  • Scenario modelling for disruption events (pandemic, cyberattack, supplier bankruptcy, natural disasters)
  • Rapid-response frameworks to minimise downtime and revenue loss
  • Integration with corporate risk management
  • Extreme weather and natural disaster preparedness
  • Supplier insolvency and production shutdown protocols
  • Cybersecurity and system failure response plans

Supply Chain Digitalisation and AI-Driven Risk Monitoring

Technology plays a critical role in supply chain visibility and disruption response. We help organisations implement advanced digital tools to track, predict, and respond to supply chain risks.

What we deliver:

  • Real-time disruption tracking using AI and predictive analytics
  • Digital twins for scenario modelling and resilience testing
  • Cybersecurity strengthening for supply chain IT systems (ERP, WMS, TMS)
  • Automated risk monitoring dashboards with early warning signals
  • AI-powered demand and supply sensing
  • IoT and blockchain for supply chain transparency and traceability
  • Digital workflow automation for risk tracking and alerts

Sustainable and Resilient Procurement Strategies

Sustainability and resilience go hand in hand. We help organisations develop procurement strategies that balance ESG goals with supply stability and operational security.

What we deliver:

  • ESG-aligned procurement policies balancing sustainability and resilience
  • Scope 3 emissions reduction integrated into supply chain planning
  • Supplier ESG performance assessment
  • Circular economy initiatives to reduce waste and improve supply security
  • Green logistics and sustainable transport networks
  • Ethical sourcing and modern slavery compliance
  • Circular supply chain strategies for long-term resource availability

Frequently Asked Questions

Common questions about resilience and risk management.

What is supply chain resilience?

Supply chain resilience is the ability to anticipate, prepare for, respond to, and recover from disruptions while maintaining service continuity and protecting margins. It combines risk assessment, contingency planning, supplier diversity, and rapid response capabilities.

How do we identify our biggest supply chain risks?

We map vulnerabilities across suppliers, logistics networks, inventory policies, and operational dependencies. This includes geopolitical analysis, single-source identification, financial health assessment, and scenario modelling for likely disruption events.

What's the difference between risk management and business continuity planning?

Risk management identifies and mitigates potential threats before they occur. Business continuity planning prepares structured responses for when disruptions happen. Both are essential components of a resilient supply chain.

Do we need technology to improve resilience?

Technology accelerates risk visibility and response speed, but strong resilience starts with strategy—understanding your vulnerabilities, diversifying suppliers, and building contingency plans. Technology then amplifies these foundations through real-time monitoring and predictive analytics.

What industries benefit most from resilience planning?

All industries face disruption risk, but resilience planning is particularly critical for government, defence, healthcare, FMCG, and manufacturing where supply failures directly impact public safety, national security, or essential services.

Insights and resources

Latest insights on resilience and risk management.

Resilience & Risk Management

Critical Minerals: A Supply Chain Risk to Manage

David Carroll
June 2026
You don't buy rare earths. You buy the motors, magnets and components that contain them, several tiers up a supply chain concentrated in one country that's now restricting the flow.

Critical Minerals: A Supply Chain Risk for Organisations That Don't Mine Anything

Critical minerals usually arrive as a mining and geopolitics headline: rare earths, export controls, great-power competition, ASX resource stocks. For most organisations, that framing makes it feel like someone else's issue, a matter for miners, governments, and investors. It is not. Critical minerals have become a live supply chain risk for organisations that do not mine anything and never touch a rare earth element directly, because their products and operations depend, often invisibly and several tiers up the chain, on materials whose supply is concentrated in a single country that has shown, repeatedly, that it will restrict the flow.

Through 2025 and into 2026, the theoretical risk of that concentration became an operational reality. A series of Chinese export controls on rare earths and related materials disrupted global supply, exposed how dependent Western industries are on a chokepoint they had largely ignored, and turned critical minerals from a slow-burn strategic concern into an immediate question for any supply chain that relies on motors, magnets, batteries, electronics, or advanced manufacturing. That covers a very large share of the modern economy.

This article is for supply chain, procurement, and operations leaders whose organisations depend on critical minerals, whether they know it yet or not. It explains the nature of the vulnerability, why it is a buyer's and operator's problem rather than only a miner's, where Australia sits, and what a practical supply chain response looks like. It stays in the supply chain lane: visibility, sourcing, inventory, and resilience, not mining, geology, or investment, which are not ours to advise on.

The vulnerability, plainly stated

The heart of the problem is concentration in one part of the supply chain. Critical minerals themselves are reasonably dispersed in the ground around the world. What is not dispersed is the processing and refining capacity that turns raw ore into usable materials. China dominates that midstream to an extraordinary degree: it accounts for roughly 91 per cent of the world's processed rare earths, and majorities of refined lithium, nickel, cobalt, graphite, and manganese, the materials underpinning batteries, magnets, motors, and the energy transition. Rare earths are the least geographically diversified of all, with China holding the commanding share of separation and refining.

That single fact, that the rocks are everywhere but the processing is concentrated in one country, is the strategic vulnerability. It means that even where alternative mining exists, the world still has to route material through one country's processing to make it usable, and that gives that country a chokepoint it can open or close. For the rest of the world, including Australia and its allies, this is a substantial and, until recently, under-managed exposure.

The risk became real

What turned this from a textbook concern into an operational one was the move from owning the chokepoint to using it.

In April 2025, China introduced export controls on several heavy rare earth elements (dysprosium, terbium, and similar materials critical for electric vehicles, wind turbines, motors, and defence systems), along with related compounds and magnets. The immediate effect was that rare earth exports effectively ground to a halt as exporters waited for approvals under a new and opaque licensing regime. Later in 2025, the controls were broadened into a comprehensive, extraterritorial regime under which foreign-made products containing even a small proportion of Chinese-origin rare earths, or made using Chinese processing technology, required a licence, extending one country's regulatory reach across global supply chains.

What followed is just as instructive as the controls themselves. Through late 2025 and into 2026 there were mutual stand-downs and suspensions between the major powers, with measures paused into late 2026, and China formalised a dedicated industrial and supply-chain security framework. The pattern (restrict, negotiate, suspend, restrict again) demonstrates that this is now a live, repeatable lever of policy, not a one-off event. For a supply chain leader, the lesson is not the detail of any single measure, which will keep changing, but the structural reality underneath: a critical input on which your operations may depend can be restricted, delayed, or licensed away with little notice, and the vulnerability is permanent until the underlying concentration changes.

Why it is a buyer's problem, not just a miner's

Here is the reframe that matters most for organisations that do not see themselves as part of this story. You almost certainly do not buy rare earths or critical minerals directly. You buy the things made from them: the permanent magnets in motors and generators, the batteries in equipment and vehicles, the electronics in your products, the components in your machinery. The critical mineral exposure is embedded several tiers up your supply chain, inside parts and assemblies bought from suppliers who bought them from other suppliers, and it is usually invisible from where you sit.

That makes this, at its core, an n-tier supply chain problem of exactly the kind that has become a recurring theme across modern supply chain risk. The dependency that can stop your production is not your tier-one supplier; it is a material constraint two, three, or four tiers up, in a component you never specified at the mineral level. Electric vehicles, renewable energy equipment, electronics, industrial motors, batteries, and defence systems are all exposed this way, and the organisations that assemble, distribute, or rely on those products inherit the exposure whether or not they have ever thought about it. Seeing that exposure requires deliberately tracing your supply chain beyond the first tier to find where critical minerals and the components containing them actually enter, and most organisations have never done it.

Where Australia sits

Australia occupies an unusual and, in principle, advantageous position in all of this. It is exceptionally well endowed, home to more than forty of the minerals identified as critical, and the world's leading destination for rare earth exploration investment. The federal government has moved to capitalise on this through the Future Made in Australia agenda, considering measures such as strategic stockpiling, production tax credits, and expanded support for domestic processing, and through international arrangements including the US-Australia Critical Minerals Framework aimed at building allied mining and processing capacity. New Australian processing and refining capacity is coming online, positioning the country as a potential alternative node in a supply chain the West is urgently trying to diversify.

That is the genuinely positive part of the story, and it matters. But it comes with an honest caveat that supply chain leaders should not gloss over: building sovereign and allied processing capacity at scale takes years, the West still lacks some of the key processing technologies, and self-sufficiency remains a long road. The vulnerability is live now, even as the capacity to address it slowly builds. Organisations cannot simply wait for sovereign capacity to mature and assume the problem will resolve itself; they have to manage the exposure in the interim, while supporting and eventually leveraging the alternative capacity as it becomes available.

The supply chain response

A practical response to critical minerals risk draws on the same resilience disciplines that apply to other concentrated, geopolitically exposed supply chains, applied specifically to critical inputs.

See the exposure through n-tier visibility. The first and most valuable step is to trace your supply chain beyond the first tier to identify where critical minerals and the components containing them enter, where the concentration and single points of failure sit, and which of your products and operations depend on them. This visibility is the foundation, and for critical minerals it almost always reveals dependencies the organisation did not know it had.

Diversify sources and, crucially, processing. Reducing reliance means qualifying alternative suppliers, sources, and processing routes, including the emerging non-China and Australian and allied capacity as it comes online. Because the chokepoint is in processing rather than mining, diversification has to reach the processing stage to be meaningful, and it should be weighed on total cost and risk rather than unit price alone. This is core sourcing and procurement strategy.

Hold strategic inventory of the most exposed inputs. Just as governments are considering strategic stockpiling, organisations can selectively buffer the critical inputs that are most exposed and hardest to substitute, accepting the carrying cost as insurance against a supply interruption that would halt production. The discipline is selectivity: buffer the genuinely critical and constrained, not everything.

Pursue design and substitution where possible. Where product design allows, reducing dependence on the most constrained materials, or qualifying substitutes, removes exposure at the source. This is a longer-term lever but a powerful one.

Secure supply contractually and engage suppliers. Longer-term agreements, transparency requirements on sub-tier sourcing, and contractual security for critical inputs help stabilise supply and surface the n-tier exposure that suppliers might otherwise keep opaque.

Plan in scenarios. Because the policy environment will keep shifting, model critical-minerals supply shocks (further controls, licensing delays, sudden unavailability) and test your supply chain against them in advance, using the same scenario-planning and wargaming discipline that applies to tariffs and other disruptions. This connects to the broader supply chain resilience work that should sit over the whole network.

Opportunity as well as risk for Australian organisations

For Australian organisations, the situation is double-edged in a way worth recognising. They carry the same buyer-side exposure as everyone else, through the components and equipment they rely on. But they also sit in a country building the very sovereign and allied capacity the world is seeking, which creates an opportunity to secure more resilient, more local supply over time and, for some, to participate in the new supply chains being built. For Australian manufacturers, energy-transition players, and defence-adjacent organisations, building critical-input resilience now is both prudent risk management and strategic positioning for an environment in which secure, traceable, allied supply is becoming a competitive advantage in its own right.

How Trace Consultants can help

At Trace Consultants, we help organisations manage critical minerals risk as the supply chain and procurement problem it is for buyers and operators. We do not advise on mining, geology, or investment; we work on the visibility, sourcing, inventory, and resilience that determine whether a critical-input disruption stops your operations or merely tests them.

We map your critical-input exposure to n-tier depth. We trace where critical minerals and the components containing them enter your supply chain, beyond the first tier, so you can see the dependencies and single points of failure that are otherwise invisible.

We design the sourcing and diversification response. Through our procurement practice, we help qualify alternative suppliers, sources, and processing routes, including emerging Australian and allied capacity, weighed on total cost and risk.

We design strategic inventory and resilience. We help determine which critical inputs warrant buffering and how much, and build the inventory and planning approach that balances the carrying cost against the risk of interruption.

We build the scenario planning. We help model critical-minerals supply shocks and test your supply chain against them, so your response is prepared rather than improvised, drawing on our resilience work.

Where to begin

Start by finding out whether you are exposed, because most organisations are and do not know it. Trace your supply chain beyond the first tier to identify where critical minerals and the components built from them enter, and which of your products and operations would be affected if that supply were restricted. That map is the foundation for everything else, and it is the step almost everyone skips.

From there, prioritise the most exposed and least substitutable inputs, and work the levers in sensible order: diversify sources and processing where you can, buffer the genuinely critical inputs, pursue design alternatives over time, secure supply contractually, and build the scenario planning to stay ahead of a policy environment that will keep moving. Engage with the emerging Australian and allied capacity as it comes online, both as an alternative source and, for some, as an opportunity.

Critical minerals are no longer a distant resources story. They are a demonstrated, repeatable chokepoint in supply chains that reach into a vast range of products and industries, and the organisations exposed are mostly ones that have never thought of themselves as critical-minerals dependent. The ones that map their exposure, build resilience, and position for the more secure supply being built will be far better placed than those who keep treating it as someone else's problem until the day a component simply stops arriving.

This article is general information about supply chain risk and does not constitute investment, financial, or legal advice.

N-Tier Cyber Risk in the Supply Chain

June 2026
The cyber risk that matters most sits several tiers deep in your supplier network, invisible to the security team and the supply chain team alone. That's why the two are now working side by side.

N-Tier Cyber Risk: How Cyber and Supply Chain Teams Are Working Together

For years, cyber risk teams and supply chain teams occupied different worlds. The cyber function defended systems, hardened the perimeter, and answered to the CISO. The supply chain function moved goods, managed suppliers, and worried about cost, service, and continuity. They rarely sat in the same meetings, and when they did, they spoke different languages. That is changing fast, and the reason is a risk that neither team can see or manage on its own: n-tier cyber risk, the cyber exposure buried deep in the multi-tier supplier network that feeds every organisation.

The most damaging supply chain cyber incidents rarely come from a direct supplier the organisation knows well. They come from somewhere further down, a sub-supplier two or three tiers removed, a shared software component nobody had mapped, a technology provider that hundreds of companies unknowingly depend on at once. Understanding that risk requires two things that live in two different functions: the threat and risk-assessment lens that the cyber team holds, and the visibility into who is actually in the supplier network that the supply chain team holds. Neither is sufficient alone. So the leading organisations are doing the sensible thing and bringing the two teams together around the shared problem of n-tier risk.

This article is for supply chain, procurement, and security leaders watching this convergence happen, or needing to drive it. It covers what n-tier risk actually is, why cyber makes it acute, why neither function can manage it alone, what is pushing the teams together in Australia, and how the collaboration works in practice.

What n-tier risk actually is

Most organisations understand their tier-one suppliers, the businesses they contract with directly. N-tier risk is everything behind that: the suppliers' suppliers, and their suppliers in turn, layer after layer down to the raw inputs, the components, and the shared platforms several steps removed from the organisation that ultimately depends on them. The "n" simply means however many tiers deep the chain actually goes, which is usually far deeper than anyone has mapped.

The defining feature of n-tier risk is that the exposure that matters most is often not at tier one at all. A direct supplier may be perfectly secure while the real vulnerability sits two or three tiers below it, in a sub-supplier or a shared component that the tier-one supplier itself may not have visibility into. When something goes wrong down there, it cascades upward through the chain, and the organisation at the top feels the impact without ever having known the deeper supplier existed. This is true of supply chain risk generally (tariffs, disruption, modern slavery), and it is especially true of cyber.

Why cyber makes n-tier risk acute

Cyber sharpens the n-tier problem in a way few other risks do, because of concentration and shared dependency.

Modern supply chains are bound together by shared software, common platforms, and reused components. A single widely-used piece of software, a single popular technology vendor, or a single shared service can sit beneath thousands of organisations several tiers down, none of which think of it as part of their supply chain. When that shared dependency is compromised, the breach does not hit one company; it hits everyone connected to it at once, through tiers they never mapped. The pattern of major software supply chain compromises in recent years, where one upstream breach cascades simultaneously to vast numbers of downstream organisations, is the clearest illustration of why n-tier cyber risk behaves differently from a single supplier going down.

The result is that an organisation can have excellent security itself, and well-secured direct suppliers, and still carry serious exposure through a sub-supplier or shared component it has never assessed because it never knew it was there. The risk is real, it is deep in the chain, and it is invisible without deliberate effort to find it.

Why neither team can manage it alone

This is the crux, and it is why the two functions are converging. N-tier cyber risk sits precisely at the intersection of two capabilities that traditionally lived apart.

The cyber risk team brings the threat lens. It understands attack vectors, can assess the cyber posture and maturity of an entity, knows what good security looks like, and can judge how serious a given vulnerability is. What it generally does not have is a map of the organisation's actual multi-tier supplier network: who is really in it, what depends on what, and where the concentration and single points of failure sit. That is not the security team's domain, and it is not in their systems.

The supply chain team brings exactly that missing piece. It owns the supplier relationships, understands the dependencies, and has the methods and motivation to map the chain beyond the first tier. What it generally lacks is the cyber-threat lens to know which of those suppliers and dependencies represent serious cyber exposure and how to assess them.

Put plainly: the cyber team can assess risk but cannot see the network, and the supply chain team can see the network but cannot assess the cyber risk. N-tier cyber risk can only be understood by combining the two. The organisations getting ahead of this are no longer leaving cyber as IT's problem or supply chain risk as procurement's problem; they are building joint working between the functions, where the supply chain team surfaces and maps the n-tier network and the cyber team assesses it, and together they prioritise and act. The collaboration is not a nice-to-have. It is the only way the risk becomes visible at all.

What is pushing the teams together

Regulation is accelerating the convergence, particularly in and around Australia's critical infrastructure.

The Security of Critical Infrastructure Act, through its Critical Infrastructure Risk Management Program, requires responsible entities across sectors including energy, water, health, financial systems, data, and transport to manage supply chain as one of four mandated hazard categories, explicitly addressing the risks introduced by third-party vendors, service providers, and contractors. Meeting that obligation properly means looking beyond direct suppliers into the deeper network, which is exactly the n-tier challenge, and it cannot be done by the security function or the supply chain function in isolation. Entities must align to a recognised framework such as the Essential Eight or NIST, review their program annually, and meet incident reporting timelines, all of which demand that cyber and supply chain knowledge be brought together.

Reinforcing this, the 2026 to 2028 NSW Government Cyber Security Strategy now requires government agencies to actively assess, monitor, and report on the cyber security posture of their third-party suppliers, extending the mandate out into the supplier ecosystem. And the Cyber Security Act 2024 has added ransomware payment reporting and is phasing in security standards for connected devices. Transport assets including ports and freight networks are squarely within the critical infrastructure regime. Each of these obligations effectively requires the cyber and supply chain functions to work from a shared understanding of the supplier network, which is precisely why the previously separate teams are now sitting together.

There is also a cascade effect that pulls in organisations well beyond the directly regulated. Because critical infrastructure operators and government must now manage and evidence their suppliers' cyber posture, suppliers, including ones not themselves regulated, are increasingly assessed on cyber security as a condition of winning and keeping the work. For those suppliers too, answering credibly means understanding their own n-tier exposure, which again requires the two functions to collaborate.

The two faces of the risk both teams care about

The convergence is reinforced by the fact that cyber risk touches the supply chain in two directions, and both functions have a stake in each.

The supply chain is an attack surface: every digital connection to a supplier, platform, or service is a potential entry point, and the deeper and more integrated the network, the larger and less visible that surface becomes. And the supply chain is a victim: when a supplier, logistics provider, port, or shared system is taken down by ransomware or outage, the organisation's operations stop, and recovery is a supply chain continuity exercise as much as a technical one. The cyber team cares about the first because it is a security exposure; the supply chain team cares about the second because it is an operational disruption. In reality both faces require both teams, which is the whole argument for working together.

How the collaboration works in practice

A working partnership between cyber and supply chain functions around n-tier risk has a recognisable shape.

The supply chain team maps the network and its dependencies. It builds the picture of who is actually in the supplier base beyond tier one, where the concentration and single points of failure sit, and what depends on what: the n-tier visibility that the cyber team needs and does not have. This is the foundational contribution, because you cannot assess risk in a network you cannot see.

The cyber team assesses posture and threat against that map. With the network made visible, the security function can evaluate the cyber posture of critical suppliers and dependencies, judge severity, and identify where exposure is genuinely serious rather than merely present.

Together, they prioritise and act. The two functions jointly prioritise by criticality and exposure, embed cyber posture into supplier onboarding, contracts, and supplier management, build the supply chain continuity, redundancy, fallback processes, and recovery playbooks that keep operations running when a connected party is hit, and bring cyber-driven supplier outages into resilience scenario planning and exercising. And they govern it jointly, with shared data, shared prioritisation, and clear accountability spanning both functions rather than a gap between them, aligned to the organisation's obligations under the critical infrastructure regime.

The model that works treats n-tier cyber risk as a shared responsibility with two halves: the supply chain half (visibility, supplier risk, and continuity) and the cyber half (threat assessment and technical controls). The collaboration is where the two halves meet.

The Australian context

Australia's framework actively drives this convergence. The SOCI regime, the NSW government strategy, and the Cyber Security Act together create explicit obligations around third-party and supply chain cyber risk, with critical infrastructure including ports, freight, and transport in scope, and a cascade that reaches suppliers to critical infrastructure and to government regardless of their own regulatory status. The threat environment is intensifying, with rising ransomware and supply chain compromise and particular vulnerability in the operational technology and legacy systems running warehouses, ports, and manufacturing. In this environment, the organisations that have built genuine cyber and supply chain collaboration around n-tier visibility are markedly better placed than those where the two functions still operate in separate silos.

How Trace Consultants can help

At Trace Consultants, we supply the supply chain half of this partnership: the n-tier visibility, supplier risk discipline, and continuity that the cyber function needs to assess and manage risk in the network. The technical security controls, posture assessment, and incident response sit with your security function and specialist partners; the supply chain mapping, third-party risk, and resilience sit with the supply chain, and that is what we bring to the table alongside them.

We map the n-tier network so the risk becomes visible. We build the picture of your multi-tier supplier base, dependencies, and concentration, beyond the first tier, that gives your cyber team something to assess and your organisation a clear view of where exposure actually sits.

We embed third-party risk into procurement. Through our procurement practice, we integrate supplier cyber posture, assessed jointly with your security function, into onboarding, contracts, supplier management, and tender criteria, prioritised by criticality.

We build the continuity that limits the damage. We design the redundancy, alternative supply, fallback processes, and recovery playbooks that keep your supply chain operating when a supplier or system is compromised, drawing on our supply chain resilience work.

We help the two functions work as one. We help establish the joint operating model and governance that bring cyber and supply chain teams together around a shared view of n-tier risk, with clear accountability across both, aligned to your critical infrastructure obligations.


Where to begin

Start where the two functions meet: map your supplier network beyond the first tier so the n-tier exposure becomes visible, then bring your cyber team in to assess the posture and threat against that map. Most organisations have never combined the two views, and doing so almost always reveals dependencies and concentrations, often shared platforms or sub-suppliers several tiers down, that neither function knew to worry about.

From there, prioritise jointly by criticality and exposure, build supplier cyber posture into procurement for the relationships that matter most, design the continuity that keeps operations running through a compromise, and establish the governance that gives n-tier cyber risk a shared owner across cyber and supply chain rather than leaving it in the gap between them.

The cyber risk that can hurt an organisation most is rarely at tier one, where it can be seen. It sits deep in the network, in the suppliers and shared dependencies nobody mapped, and it can only be understood when the team that knows the threats and the team that knows the network work from the same picture. That collaboration, built on real n-tier visibility, is fast becoming the difference between organisations that can see their cyber exposure and those that simply hope it is not there.


Modern Slavery: From Reporting to Due Diligence in Your Supply Chain

For most of the time Australia's Modern Slavery Act has been in force, corporate compliance with it has been, in honest terms, a paperwork exercise. Large businesses prepared an annual statement, described their policies and intentions, tabled it, and moved on. The Act asked entities to report on the risks of modern slavery in their operations and supply chains and the steps they were taking, but it carried no penalties and no obligation to actually do anything beyond disclose. The result, as the government's own review concluded, was a regime that had not produced meaningful change for the people it was meant to protect.

That era is ending. Reform of the Modern Slavery Act is live in 2026, the government has appointed Australia's first federal Anti-Slavery Commissioner, and the clear direction of travel is from a disclosure framework to an action framework: mandatory, risk-based due diligence, backed by penalties and oversight. For supply chain and procurement leaders, this is not a compliance footnote. Modern slavery risk lives in the supply chain, overwhelmingly in its deeper tiers, and finding and addressing it is fundamentally a supply chain and procurement task. The reforms turn that task from optional to obligatory.

This article is for procurement, supply chain, and operations leaders who need to understand where the law is heading, why it is a supply chain problem rather than a legal one, and what a genuine due diligence response looks like. It is general information, not legal advice; the interpretation of obligations and the modern slavery statement itself sit with your legal advisers, but the operational work of finding and addressing risk sits with you. And it is worth holding onto the point of all of it: the purpose is to protect vulnerable workers from exploitation, not merely to manage corporate risk.

Where the law stands and where it is going

The Modern Slavery Act 2018 requires entities with consolidated annual revenue of $100 million or more, operating in Australia, to report annually on modern slavery risks in their operations and supply chains and the steps taken to address them. As designed, it was a transparency mechanism: report, and let public and market scrutiny do the rest. It included no mandatory due diligence requirement and no penalties for inadequate effort.

The statutory independent review of the Act, completed in 2023, found that this disclosure-only approach had not driven meaningful change for affected people, and made 30 recommendations to strengthen it. The government has agreed, or agreed in principle, to the large majority of them. The most consequential are these: introducing a mandatory, risk-based due diligence obligation; lowering the reporting threshold from $100 million to $50 million in consolidated revenue, which would pull a substantial number of additional mid-sized businesses into scope; and introducing civil penalties for non-compliance. A federal Anti-Slavery Commissioner has been established to oversee the regime.

In early 2026, the Commissioner released an initial position paper sharpening two reforms in particular: a mandatory risk-based due diligence obligation for reporting entities, and a mechanism for the Commissioner to formally declare that a particular product, service, or industry carries a high risk of modern slavery, which entities would then have to take into account in their own due diligence and reporting. The Attorney-General's Department has commenced consultation on the reforms through 2026, which means the decisions being made this year will shape the framework for years to come. While the amendments are not yet law, the consistent signal from government, the Commissioner, and the review is that this is a matter of when, not if.

The headline for supply chain leaders is the shift in what is being asked. The old question was, in effect, "what can you tell us about your modern slavery risk?" The new question is becoming "what are you actually doing to find it and address it?" That is a profoundly different obligation, and it cannot be met with a better-written statement.

Why this is a supply chain problem

Modern slavery risk does not sit in a company's head office. It sits in its supply chain, and almost always in the deeper tiers, in the raw material extraction, the component manufacturing, and the labour-intensive production that happens several steps removed from the Australian buyer, often in higher-risk regions and sectors. A business can have impeccable employment practices in its own operations and still have significant exposure embedded in what it buys.

This is what makes due diligence a supply chain and procurement capability rather than a legal one. Meeting a due diligence obligation means actually mapping the supply chain to locate where the risk is, assessing and prioritising it, taking reasonable and proportionate action to prevent and address it, and monitoring on an ongoing basis. None of that is achievable from the legal department alone. It requires the visibility, the supplier relationships, and the procurement processes that supply chain functions own.

There is a direct parallel here to the Scope 3 emissions challenge now arriving through mandatory climate reporting. In both cases, the risk and the data sit with suppliers and below the first tier, and in both cases the obligation is shifting from "report what you happen to know" to "go and find out, and act on what you find." Organisations that have built the supply chain visibility and procurement discipline to handle one are well placed to handle the other, because the underlying capability, knowing and managing what happens deep in your supply chain, is the same.

The scale of Australia's exposure

The reason this matters so much is the sheer size of the exposure, and how little of it is currently managed. Analysis by Walk Free and Fair Supply estimates that close to $100 billion worth of Australia's imports sit at heightened risk of modern slavery, around one dollar in every five spent on imported goods. Electronics, machinery, and appliances carry the largest high-risk spend, in the order of $13 billion. Close to 90 percent of apparel and clothing imports come from countries with forced labour risks. Everyday goods (phones, computers, footwear, vehicle parts) are all implicated.

Against that exposure, most companies are still not identifying the specific risks within their supply chains, and even fewer are taking concrete steps to address them. That gap between the scale of the risk and the depth of the response is precisely what the reforms are designed to close, and it is why a disclosure framework was judged inadequate. When the obligation becomes mandatory due diligence with penalties, that gap becomes a direct liability.

The cascade and the market-access dimension

Two further dynamics make this unavoidable even for organisations that imagine themselves out of scope.

The first is the same cascade that runs through emissions reporting and supplier requirements generally. Lowering the threshold to $50 million directly captures many more entities. And beyond the directly captured, larger reporting entities conducting genuine due diligence will require modern slavery information and assurances from their suppliers, pushing the obligation down the chain to businesses that are not themselves reporting entities. Being below the threshold will not keep the requirement away if your customers are above it.

The second is international market access. Major trading partners are tightening forced labour import controls and introducing mandatory due diligence regimes of their own, across the United States, the European Union, and parts of Asia. Australian businesses supplying into those markets, or working with global customers subject to those laws, will have to demonstrate clean sourcing regardless of where Australian law lands. Building the capability now is therefore commercially sensible, not merely regulatory compliance, because the alternative is restricted market access and competitive disadvantage. And the proposed high-risk declaration mechanism means the Commissioner could formally flag specific products, regions, or industries as high-risk, obliging entities to factor those declarations into their due diligence in a consistent, evidence-led way.

There is also a level-playing-field effect worth naming. For businesses already responding meaningfully to modern slavery risk, a due diligence obligation is unlikely to require dramatic change. The real change falls on those who have been cutting corners, who will now face the same obligations as everyone else. Organisations that have invested in genuine capability stand to benefit from that levelling.

Why the old approach will not survive

A well-crafted annual statement describing policies and aspirations is not due diligence, and the reforms make that distinction concrete. Mandatory risk-based due diligence requires mapping the supply chain to find where modern slavery risk actually sits, prioritising it by severity, taking proportionate action to prevent and address it, providing or enabling remediation where harm is found, and monitoring continuously. It is an ongoing operational practice, not an annual document.

Under a penalty regime, with a Commissioner empowered to oversee, declare high-risk areas, and hold non-compliant entities to account, the paperwork approach becomes a liability rather than a defence. The organisations that have treated their modern slavery statement as a communications exercise will find that it does not constitute the due diligence the reformed Act will require.

What good looks like

A genuine due diligence response follows a clear and, importantly, proportionate shape. The Commissioner has been explicit that due diligence should be risk-based and proportionate, focused on the most severe risks rather than spread thinly across everything, and oriented toward better outcomes for workers rather than box-ticking.

It begins with mapping the supply chain beyond the first tier to locate where risk concentrates, by geography, by sector, and by material or product, because the risk is almost always upstream of where the buying decision is made. It then risk-assesses and prioritises by severity, putting effort where the potential for serious harm is greatest. It embeds modern slavery into procurement, through supplier onboarding, contractual requirements, codes of conduct, supplier assessment and audit, and tender criteria, so that responsible sourcing is built into how the organisation buys rather than bolted on afterward. It engages suppliers and builds their capability rather than simply issuing demands, because the deeper-tier suppliers where risk sits often need support to identify and address it. It establishes remediation pathways, so that when harm is found the response helps affected workers rather than simply cutting the supplier and moving the problem elsewhere. And it builds governance, ownership, and continuous monitoring, including the ability to respond to any high-risk declarations the Commissioner issues.

This is recognisably the same discipline that underpins responsible and sustainable supply chain management more broadly, applied to the specific and serious risk of forced labour and exploitation.

The Australian context

Australia's regime has a federal and a state dimension. Alongside the Commonwealth Act, New South Wales operates its own Modern Slavery Act with its own Anti-Slavery Commissioner, with a particular focus on removing modern slavery from public procurement through oversight, codes of practice, and a public register. That public procurement emphasis aligns with the broader direction of government buying, where ethical conduct, including labour and human rights practices, has become an explicit consideration in value-for-money assessments under the reformed Commonwealth Procurement Rules. For organisations selling to government, demonstrable modern slavery due diligence is increasingly part of being a credible supplier.

The proposed drop in the federal threshold to $50 million, combined with Australia's import-exposure profile and the cascade of requirements down supply chains, means a far wider set of Australian businesses will need real capability than the current $100 million threshold suggests. And with consultations live through 2026, this is the window in which the obligations are being shaped and in which sensible organisations are getting ahead of them.

How Trace Consultants can help

At Trace Consultants, we work on the supply chain and procurement side of modern slavery due diligence, the operational practice of finding, prioritising, and addressing risk in the supply chain. The legal interpretation and the modern slavery statement sit with your legal advisers; the visibility, the supplier engagement, and the embedding into procurement sit with the supply chain, and that is where we work.

We map your supply chain to locate the risk. We build the visibility, beyond the first tier, that reveals where modern slavery risk actually concentrates, by geography, sector, and product, so due diligence is targeted at real exposure rather than spread blindly.

We risk-assess and prioritise. We help you assess and prioritise risk by severity, in the proportionate, risk-based way the reforms call for, so effort and resources go to the most serious risks first.

We embed it into procurement. Through our procurement practice, we build modern slavery into supplier onboarding, contracts, codes of conduct, assessment, and tender criteria, and into supplier engagement that helps deeper-tier suppliers improve rather than simply demanding assurances.

We build the governance and monitoring. We help establish the ownership, ongoing monitoring, and response processes, including responding to high-risk declarations, that turn due diligence into a sustained practice rather than a one-off exercise, connected to your broader supply chain strategy and visibility.


Where to begin

If your organisation reports under the Modern Slavery Act, or will be drawn in by the lower threshold, the most valuable first step is to map your supply chain deeply enough to see where modern slavery risk actually sits, then assess and prioritise it by severity. That visibility is the foundation for genuine due diligence and the thing most organisations currently lack.

If you are not directly captured, do not assume the reforms pass you by. Your larger customers will increasingly require evidence of clean sourcing, and overseas markets already do, so the capability is becoming a condition of doing business regardless of the threshold. Build it now, while the consultations are still shaping the detail and ahead of the obligation becoming binding.

Either way, the work is the same in substance: know your supply chain, find the risk, prioritise the most severe, act proportionately to prevent and address it, and keep at it. Australia's modern slavery regime is moving from reporting to responsibility, from describing the problem to doing something about it. The organisations that treat that as a supply chain capability to build, rather than a statement to polish, will be the ones that meet the obligation and, more importantly, actually reduce the exploitation it exists to address.

This article is general information and does not constitute legal advice. Entities should confirm their specific obligations under the Modern Slavery Act, and any reforms to it, with their legal advisers.


Start a conversation

Don't wait for disruption to expose your vulnerabilities.

The best time to build resilience is before you need it. Trace helps organisations assess risk, strengthen supplier networks, and develop response plans that protect service continuity and financial performance. Reach out today to build resilience strategies that work when it matters most.
