Enterprise Risk Management: Center of Gravity Analysis for Global Supply Chains and Multinational Corporations

Why Center of Gravity Analysis Matters for Your Global Operations

The Suez Canal is a 193-kilometer waterway connecting the Red Sea and Mediterranean that handles approximately 12 percent to 15 percent of worldwide trade and 30 percent of global container traffic, with more than $1 trillion in goods transiting annually. 

In late 2023, Yemen’s Houthi rebel movement launched a wave of missile and drone strikes targeting ships bound to or from the Suez Canal in the Red Sea region. Between mid-December 2023 and late December, at least thirteen major shipping operators suspended voyages via the Red Sea. The volume of trade passing through the Suez Canal dropped by about 50 percent in the first two months of 2024 compared with a year earlier. Companies with multinational operations – from electronics manufacturers to retail suppliers operating from Philadelphia to Port Said – suddenly faced extended transit times and uncertain delivery schedules as vessels rerouted around the Cape of Good Hope, adding roughly ten or more days to Asia-Europe voyages.

The point isn’t just that supply chains are fragile. The point is that many multinational corporations don’t actually know which parts of their operations are truly critical or too tightly coupled. They’re conducting traditional risk assessments and allocating security resources without a complete understanding of asset criticality.

This is where Center of Gravity (COG) analysis is helpful. And if you’re responsible for enterprise security risk management, corporate security, business continuity, governance and risk compliance, or if you hold the title of Chief Security Officer or Director of Corporate Security, then you need to understand this security assessment methodology.

What is a Center of Gravity? 

Center of Gravity is originally a Clausewitzian term. Carl von Clausewitz, the Prussian military theorist, borrowed the concept from mechanical sciences (modern physics) after attending lectures by German physicist Paul Erman at the Prussian Allgemeine Kriegsschule (war college), where Clausewitz served as director from 1818 to 1830. In his seminal work On War (Vom Kriege), published posthumously in 1832, Clausewitz used the term Schwerpunkt (center of gravity) more than fifty times to describe a focal point within a combatant’s structure or system. According to the U.S. Army War College Strategic Studies Institute’s analysis of Clausewitz’s original German text, he defined a center of gravity as “the one element within a combatant’s entire structure or system that has the necessary centripetal force to hold that structure together.” The concept was intended to function as its counterpart in mechanical sciences does — as a focal point where forces converge and from which a blow would have the greatest cascading effect across an entire system.

More recently, the RAND Corporation’s Vulnerability Assessment Method Pocket Guide defines a center of gravity as “the primary entity that inherently possesses the critical capabilities to achieve the objective of the organization that owns it.” In enterprise security terms, it’s the thing that, if disrupted or destroyed, would cause the operational structure to be severely degraded or fail.

Importantly, however, the center of gravity is not always your largest facility, your most expensive asset, or your most obvious target. It’s the entity without which your organization cannot execute its primary objective.

Think of it this way: if your objective is to secure a high-rise building, you could install locks on every office door and window on all fifty floors. Or you could focus on controlling access at the lobby entrance, elevator banks, and stairwells. For multinational corporations operating across continents, identifying your operational “lobby entrance” – the critical access point that determines whether the entire system functions – and then building durable and redundant security and operational systems around it. 

The Expansion Paradox: Why Growing Globally Creates Hidden Security Vulnerabilities

Here’s the uncomfortable truth that most security leaders are avoiding: the more global your operations become, the less likely your traditional risk assessments are identifying the vulnerabilities that matter. Center of Gravity analysis forces you to think structurally – and very creatively – about your organization’s security. It asks hard questions: 

• What are the critical capabilities that make your multinational operation successful?
• What specific requirements does each capability depend on? 
• Which of those requirements are vulnerable to disruption — whether from supply chain failures, geopolitical events, regulatory changes, or security threats?

For a multinational corporation with significant operations scattered across Southeast Asia, Eastern Europe, the Middle East, and hubs in Pittsburgh, Philadelphia, Silicon Valley, and beyond, this analysis often illuminates critical vulnerabilities traditional security risk assessments would never identify.

Consider a real scenario: following Brexit, pharmaceutical companies that had relied on the European Medicines Agency (EMA) for centralized marketing authorization across the EU suddenly faced regulatory fragmentation. With the UK’s departure from the EU in January 2020, the UK’s Medicines and Healthcare Products Regulatory Agency (MHRA) became a standalone body, no longer part of the European regulatory system. Pharmaceutical companies were forced to duplicate their efforts by submitting separate applications to both the EMA and MHRA for drug approval, significantly increasing regulatory burdens, costs, and time-to-market. 

Companies that failed to secure dual approvals faced market access restrictions: medicines approved for the EU market could not automatically be sold in the UK, and vice versa. According to research published in the National Institutes of Health, this regulatory divide created supply chain disruptions, delayed patient access to medicines, and in some cases deterred companies from selling their products in the UK market altogether.

Is that level of regulatory dependency vulnerability in your enterprise risk management assessment? Or have you been focused on physical security budgets and perimeter controls? These physical security measures, while they are important and feel productive, don’t address the critical vulnerabilities that determine whether your multinational operation continues functioning.

The Three-Step COG Analysis Process

Step 1: Identify Critical Capabilities. What does your organization do? For a multinational corporation, this might be: “manufacture and distribute pharmaceuticals across five continents while maintaining profitability and regulatory compliance.”

Step 2: Map Critical Requirements. What does each capability require to function? Using the pharma example: supply chain access, capital movement, skilled personnel logistics, regulatory relationships, facility operations, data infrastructure, executive decision-making authority, and stakeholder confidence.

Step 3: Assess Critical Vulnerabilities. For each critical requirement, ask: Which of these are vulnerable to disruption? Which disruptions would cascade across multiple requirements?

For a corporation with operations extending from Pennsylvania to Peru, this phase might reveal that your vulnerability isn’t in a single location. It’s in your ability to move capital during geopolitical crises, or in your dependence on a single supplier for a critical component, or in your executive team’s ability to communicate when traditional communications infrastructure fails.

Where Many Organizations Fail in Enterprise Risk Management

Lots of organizations complete these assessments and file it away in a shared drive. The analysis becomes an intellectual exercise instead of a strategic tool, and the stack of papers your analysis created becomes the metaphorical paperweight.

The value of this risk management exercise emerges when you do three specific things:

First: Embed COG analysis into your strategic planning process. This isn’t a one-time assessment. The geopolitical environment shifts. Supply chains reconfigure. Regulatory landscapes change. Your center of gravity and its critical vulnerabilities will evolve, and there needs to be a structured cadence to these security-related activities.

Second: Allocate security resources based on COG vulnerabilities, not organizational hierarchies or traditional threat models. If your analysis reveals that regulatory relationships are more critical than executive protection capabilities, you’d better be structured to protect those relationships.

Third: Build redundancy into the systems supporting your COG. If your center of gravity depends on the ability to move capital internationally, and that capability has a single point of failure, you’ve identified a concrete vulnerability you can actually address.

Research on High Reliability Organizations, including nuclear power plants, aircraft carriers, and electrical power grids, demonstrates that organizations identifying critical capabilities and system dependencies through structured frameworks maintain operational continuity more effectively during disruptions. 

A 2011 study published in Critical Care examining HROs found that organizations employing anticipatory vulnerability assessment principles – preoccupation with failure, sensitivity to operations, and resilience – consistently avoid catastrophic failures despite operating in high-risk, complex environments.

Strategic Resource Allocation in Enterprise Risk Management With COG Analysis 

If you’re responsible for enterprise security risk management or corporate security, ask yourself: Do we truly understand what makes our multinational operation vulnerable? Have we identified our operational center of gravity? Are we protecting the critical requirements that actually matter?

Here’s the uncomfortable corollary: if you haven’t conducted a Center of Gravity analysis, you’re probably allocating significant resources to vulnerabilities that won’t cause your organization to fail, while missing vulnerabilities that will.

At Convoy Group, we leverage the expertise of former special operators and intelligence community professionals to help multinational corporations understand their true vulnerabilities, identify their centers of gravity, and build security strategies around what actually matters. Whether you’re managing operations across five continents or working to increase resilience within your current geographic footprint, Center of Gravity analysis provides the clarity to transform vulnerability into competitive advantage.