When we talk about supply chain risk today, are we really talking about third-party risk?

It all depends on the sector you are in.

No.  Supply Chain Risk is specific to those companies you rely upon to provide what you provide to your customers.  For instance, if your company  develops software, your supply chain will include your hosting company if you are in the cloud as well as any vendor who manages that environment.   Third Party Risk is specific to those companies who help you do business but are not directly supporting your customers.  SalesForce and Workday would be good examples of a third-party provider.  They are essential to your business but aren't tied to your delivery.  

Now some people do like to lump everything together under the title Third-Party Risk.  I suppose there is nothing wrong with that but I prefer to break these into two categories as it helps me prioritize one vendor over another.  My tolerance for a security or availability issue with a vendor in my supply chain is lower than one who is a third-party support vendor.

I would say risk in my world would be tied to customer fulfillment & perception: is it available, delivered on time, cost effective and in a safe/reliable/quality state. The risks are product fraud, external events, total landed cost and supply (raw and finished).

A couple of decades ago, growing up in a manufacturing company, supply chain risk was really components like gas and chemicals and the silicon wafers and the logistics of shipping the product. All of it was highly physical in nature because that is what would disrupt the company's operations. And then we had the year 2000 when we all lit our hair on fire for next to nothing, and rattled everybody's cages to see what they were doing about it because we were fearful they would all shut us down because of the interdependencies. I think supply chain risk today is in many ways similar, but in many ways expanded in so many different things. A lot of peers that I've chatted with didn't even know really, they had solar winds in their environment and it took them days to figure it out. So there's this physical logical context that I think has evolved. Or we can even look at things recently: the Suez Canal issue. Again, a physical event, supply chain risks because supplies have been disrupted. And in some cases, some of the suppliers could have had technology components to them that would have flowed into the IT ecosystem or different things like that.

I would say that it really depends on what business you're in. In the 80s and the 90s, I was a part of 3Com and Palm. At 3Com, we had our physical factories. We had a very robust supply chain. But then I went on to primarily work with software companies, SaaS companies, their supply chain is different.