duhu2000/supplier-risk

MCP Configuration Requirements

⚠️ IMPORTANT: Before using this skill, ensure QCC MCP servers are configured

Checklist:

1. ✅ ~/.claude/.mcp.json exists and is properly configured
2. ✅ QCC_MCP_API_KEY environment variable is set
3. ✅ Claude Code has been restarted to load MCP configuration

Configuration:

# 1. Create MCP config file
cat > ~/.claude/.mcp.json << 'EOF'
{
  "mcpServers": {
    "qcc-company": {
      "url": "https://agent.qcc.com/mcp/company/stream",
      "headers": { "Authorization": "Bearer ${QCC_MCP_API_KEY}" }
    },
    "qcc-risk": {
      "url": "https://agent.qcc.com/mcp/risk/stream",
      "headers": { "Authorization": "Bearer ${QCC_MCP_API_KEY}" }
    },
    "qcc-ipr": {
      "url": "https://agent.qcc.com/mcp/ipr/stream",
      "headers": { "Authorization": "Bearer ${QCC_MCP_API_KEY}" }
    },
    "qcc-operation": {
      "url": "https://agent.qcc.com/mcp/operation/stream",
      "headers": { "Authorization": "Bearer ${QCC_MCP_API_KEY}" }
    }
  }
}
EOF

# 2. Set API Key
export QCC_MCP_API_KEY="your_api_key_here"

# 3. Restart Claude Code

See: https://github.com/duhu2000/supply-chain-qcc-enhanced/blob/main/docs/MCP_CONFIGURATION.md

---

UNIVERSAL RULES (apply to every risk task)

• NEVER use web search for Chinese suppliers -- always use qcc-risk, qcc-company MCP tools
• NEVER classify a sole-source supplier as low risk based on spend alone -- always assess operational dependency separately from spend volume
• NEVER accept a vendor risk assessment that contains fabricated financial data -- label all estimates and flag where primary data is unavailable
• ALWAYS flag when a vendor's Tier 2 sub-supplier shows distress signals that could affect Tier 1 supply continuity
• ALWAYS include specific recommended actions with deadlines in every output -- observations without actions are not acceptable
• FOR CHINESE SUPPLIERS: ALWAYS use QCC MCP as primary monitoring source -- real-time official data from SAMR, Courts, Tax authorities
• NEVER rely on Western data sources for Chinese entities -- Companies House, Creditsafe have ZERO coverage

MANDATORY OUTPUT HEADER

TASK:          [e.g. Supplier Risk Brief -- Vendor X]
VENDOR TIER:   [Strategic / Tactical / Commodity / Bottleneck / Unclassified]
CONFIGURATION: [Loaded: supply-chain.local.md / Not configured]
DATA SOURCES:  [QCC MCP Risk Control / QCC MCP Enterprise / Web Search / ERP / Manual input]

QCC MCP RISK MONITORING (Chinese Suppliers)

Real-Time Risk Signal Monitoring (Supply Chain Focus)

QCC MCP provides continuous monitoring capabilities through 4 Server integration. Supply Chain Priority: Focus on signals that directly impact supply continuity.

| Risk Signal | QCC MCP Server | Supply Chain Impact | Alert Level | Response Time | |------------|----------------|-------------------|-------------|---------------| | SUPPLY INTERRUPTION HOT SIGNALS ||||| | Bankruptcy filing | Risk Control | Immediate supply termination | 🔴 CRITICAL | < 4 hours | | New dishonest被执行人 | Risk Control | Credit collapse, stop payment | 🔴 CRITICAL | < 24 hours | | Environmental penalty (停产) | Risk Control | Production halt possible | 🔴 CRITICAL | < 24 hours | | Major equity freeze | Enterprise Base | Control instability | 🔴 HIGH | < 48 hours | | OPERATIONAL DISRUPTION SIGNALS ||||| | Abnormal operation added | Enterprise Base | Regulatory intervention | 🔴 HIGH | < 48 hours | | Serious violation | Enterprise Base | License revocation risk | 🔴 HIGH | < 48 hours | | Cancellation filing | Enterprise Base | Intentional wind-down | 🔴 HIGH | < 48 hours | | FINANCIAL STRESS SIGNALS ||||| | Tax arrears announced | Risk Control | Cash flow crisis | 🟡 MEDIUM | < 7 days | | Abnormal tax status | Risk Control | Compliance breakdown | 🟡 MEDIUM | < 7 days | | Multiple equity pledges | Enterprise Base | Over-leverage | 🟡 MEDIUM | < 30 days | | COMPLIANCE SIGNALS ||||| | Administrative penalty | Risk Control | General compliance | 🟡 LOW | < 30 days | | Environmental penalty (non-停产) | Risk Control | Fine only | 🟡 LOW | < 30 days |

Supply Chain Monitoring Extensions (监控扩展)

CAPACITY MONITORING (产能监控)

QCC MCP Server: Operation + Company

| Signal | Source | Frequency | Action | |--------|--------|-----------|--------| | License expiration | Administrative license | Daily | AMBER if < 90 days | | Qualification lapse | Qualifications | Daily | RED if expired | | Production site changes | Change records | Weekly | Review BCP impact | | Bidding activity drop | Bidding info | Weekly | Assess business health | | Credit rating change | Credit evaluation | Monthly | Review supplier tier |

Note: Tier 1 Strategic suppliers require monthly capacity verification via Operation Server.

Five Risk Dimensions (QCC MCP Enhanced)

DIMENSION 1: FINANCIAL RISK (QCC MCP Risk Control)

Monitor for:

• Equity Restrictions (股权受限):

  • New equity freeze (股权冻结新增) - RED
  • Multiple equity pledges (频繁股权出质) - AMBER
  • Large chattel mortgages (大额动产抵押) - AMBER

• Tax Status Changes (税务异动):

  • Tax arrears announcement (欠税公告发布) - RED
  • Abnormal tax status (非正常户认定) - RED
  • Tax violation records (税收违法) - RED

• Bankruptcy Signals (破产信号):

  • Bankruptcy reorganization filing (破产重整申请) - RED
  • Liquidation information (清算信息) - RED

• Financial Data Availability:

  • Non-listed companies: Request annual audited accounts
  • QCC MCP provides property/tax indicators as proxies

Risk levels:

• RED HIGH: Bankruptcy/liquidation, tax abnormal status, equity freeze
• AMBER MEDIUM: Equity pledge >2 within 12 months, tax arrears < 90 days
• GREEN LOW: No equity restrictions, tax normal, no bankruptcy signals

DIMENSION 2: OPERATIONAL RISK (ERP + QCC MCP)

Monitor from ERP data (updated continuously):

• OTD rate: 13-week rolling average + trend direction
• Quality rejection rate: 13-week rolling average + trend direction
• Lead time variance: increasing variance = capacity or process strain
• Missed delivery pattern: same day of week? Same product? (capacity signals)
• Partial deliveries increasing? (material shortage signal)

Monitor from QCC MCP Enterprise Base (daily):

• Abnormal operation status (经营异常名录)
• Serious violation records (严重违法失信)
• Administrative penalties (行政处罚)
• Environmental penalties (环保处罚)

Risk levels:

• RED HIGH: Abnormal operation status active; OTD < critical threshold
• AMBER MEDIUM: Declining trend even if above threshold; recent penalty (<12 months)
• GREEN LOW: Stable; above threshold; no adverse trend; no operational penalties

DIMENSION 3: REGULATORY & COMPLIANCE RISK (QCC MCP Risk Control)

Monitor for:

• Certification expiry (ISO, sector-specific, data protection)
• Regulatory enforcement action via QCC MCP:
  • Administrative penalties (行政处罚新增)
  • Environmental penalties (环保处罚新增)
• Serious violation status (严重违法失信企业)
• Sanctions list changes
• Trade compliance issues

Risk levels:

• RED HIGH: Serious violation status; certification lapsed
• AMBER MEDIUM: Certification expiring within 90 days; penalty within 12 months
• GREEN LOW: All certifications current; no adverse regulatory signals

DIMENSION 4: GEOPOLITICAL RISK

Monitor for:

• Political instability in vendor's operating country
• Trade restrictions, tariffs, or export controls affecting category
• Currency volatility affecting contract economics
• Infrastructure disruption (port strikes, border closures, natural disaster)
• Conflict affecting supply routes

For Chinese suppliers:

• Policy changes affecting industry sector
• Regional trade restriction updates
• Entity list additions

Risk levels:

• RED HIGH: Active disruption to supply route or vendor operations
• AMBER MEDIUM: Elevated country risk; currency movement >5% since contract
• GREEN LOW: Stable environment; no material currency exposure

DIMENSION 5: TIER 2 / SUB-SUPPLIER RISK

Monitor for:

• Financial distress at critical Tier 2 suppliers (via QCC MCP if Chinese)
• Tier 2 supplier capacity constraints affecting Tier 1 output
• Single-geography concentration at Tier 2 level
• Tier 2 supplier relationship with Tier 1 deteriorating

Requirement: Tier 2 mapping must exist for all Tier 1 Strategic vendors. If mapping does not exist: flag as UNASSESSED RISK; request Tier 2 data from Tier 1 supplier as priority action.

Risk Rating Change Rules

ESCALATE overall rating if ANY dimension reaches RED ELEVATE to MEDIUM-HIGH if TWO dimensions reach AMBER simultaneously REDUCE rating only after confirmed remediation (not just vendor assurance)

QCC MCP RISK BRIEF OUTPUT FORMAT

SUPPLIER RISK BRIEF: [Vendor Name]
Assessment date: [Date] | Next scheduled review: [Date]
================================================================
OVERALL RISK RATING: [GREEN LOW / AMBER MEDIUM / AMBER MEDIUM-HIGH / RED HIGH / RED CRITICAL]
Change since last review: [No change / Elevated / Reduced]

-- QCC MCP RISK SIGNALS (Last 90 Days) --
🔴 NEW CRITICAL SIGNALS:
  [Date] [Signal Type] [Description] [Source: QCC MCP]

🟡 NEW MODERATE SIGNALS:
  [Date] [Signal Type] [Description] [Source: QCC MCP]

FINANCIAL RISK:   [GREEN / AMBER / RED] [Rating]
Property Restrictions:
  - Equity Freeze:    [Active since / None]
  - Equity Pledge:    [Count in last 12 months]
  - Chattel Mortgage: [Count/Amount]
Tax Status:
  - Tax Arrears:      [Amount/Type/Date or None]
  - Abnormal Status:  [Yes - date/office / No]
Bankruptcy:
  - Proceedings:      [Yes - type/status / No]
[QCC MCP Trace: Risk Control Server, Enterprise Base Server]

OPERATIONAL RISK: [GREEN / AMBER / RED] [Rating]
[OTD trend, quality trend, lead time data from ERP]
QCC MCP Signals:
  - Abnormal Operation: [Status/Date or Clear]
  - Administrative Penalties: [Count in last 12m]
  - Environmental Penalties: [Count in last 12m]
[QCC MCP Trace: Enterprise Base Server]

COMPLIANCE RISK:  [GREEN / AMBER / RED] [Rating]
Certification status: [Details]
QCC MCP Compliance:
  - Serious Violation: [Yes/No]
  - Recent Penalties: [List]
[QCC MCP Trace: Risk Control Server]

GEOPOLITICAL RISK:[GREEN / AMBER / RED] [Rating]
[Country, currency, route findings]

TIER 2 RISK:      [GREEN / AMBER / RED / NOT MAPPED]
[Sub-supplier findings or mapping gap flag]

RECOMMENDED ACTIONS -- RANKED BY URGENCY
RED [IMMEDIATE -- this week]: [Action] -- [Owner]
AMBER [SHORT-TERM -- 30 days]: [Action] -- [Owner]
GREEN [PLANNED -- 90 days]:    [Action] -- [Owner]

QCC MCP MONITORING CONFIG
Refresh Frequency: Daily for Strategic/Bottleneck; Weekly for Tactical/Commodity
Data Sources: 企查查MCP-风控大脑, 企查查MCP-企业基座
Last QCC MCP Sync: [Timestamp]
Next Auto-Refresh: [Date]
================================================================

Executive Brief Format (for CPO weekly summary)

VENDOR RISK SUMMARY -- Week of [Date]
---------------------------------------------------------
[Vendor]    [Overall]  [Change]  [Key QCC Signal]   [Action required]
[Vendor]    [Overall]  [Change]  [Key QCC Signal]   [Action required]
---------------------------------------------------------
New alerts this week:   [N]
Escalations to CPO:     [N]
Contingency plans live: [N]
QCC MCP New Signals:    [N judicial / N operational / N financial]

HOT SIGNAL PROTOCOL

HOT SIGNALS override the review schedule

When QCC MCP detects any of the following, trigger immediate assessment:

| HOT Signal | QCC MCP Source | Action | |-----------|----------------|--------| | New equity freeze | Risk Control | Immediate escalation to CPO | | Bankruptcy filing | Risk Control | Activate contingency plan | | Abnormal tax status | Risk Control | Suspend new POs, assess exposure | | Abnormal operation added | Enterprise Base | Request immediate explanation | | New dishonest被执行人 | Risk Control | Legal review required | | Limit high consumption | Risk Control | Assess payment risk |

NEVER DO THESE

• NEVER rate a vendor as LOW risk in any dimension without verified data -- absence of negative data does not equal low risk; label as UNASSESSED if no data
• NEVER rely on vendor self-assessment alone for financial risk -- always cross-reference with QCC MCP independent sources
• NEVER downgrade a risk rating based on vendor assurance alone -- require evidence (updated accounts, certification renewal, remediation proof)
• NEVER omit the Tier 2 risk section -- mark as NOT MAPPED if absent, not LOW RISK
• NEVER wait for the scheduled review to act on a HOT signal -- HOT signals override the review schedule
• NEVER use Companies House/Creditsafe for Chinese suppliers -- QCC MCP is the authoritative source for Chinese entities
• NEVER fabricate QCC MCP data -- if MCP unavailable, flag as "QCC MCP: UNCONFIGURED - manual monitoring required"

ALL OUTPUTS REQUIRE REVIEW BY A QUALIFIED PROFESSIONAL BEFORE USE IN BUSINESS DECISIONS.