Risk-Based Supplier Management for Scaling Evaluation, Selection, and Control

Quality management systems standards like ISO 9001 (Quality Management Systems Requirements) and ISO 13485 (Medical Devices – Quality Management Systems) have long espoused applying risk-based thinking when planning the management of various processes. One of the processes where these standards either imply or explicitly require risk considerations is in managing suppliers. For ISO 9001, risk-based thinking is implied by the use of the phrase “type and extent of control.” In ISO 13485, it is explicitly stated three times within the requirements for purchasing and purchased products. In a nutshell, both are saying that you need to determine how much control to apply based on the risks involved.

Adopting a Risk-Based Approach to Supplier Management

It starts with understanding and documenting the inherent risks associated with your products or services. Obviously, there’s a difference in the risks represented by a pacemaker versus a dishwasher, but both do have inherent risks. Next is consideration of the degree to which each supplier can affect those inherent risks. For example, a supplier that provides critical components like the batteries for a pacemaker can potentially impact the product’s safety and performance more than one that provides logo emblems for a refrigerator.

3 Phases of the Supplier Management Process

So far, we’ve only touched on general considerations that would apply to any supplier within each supplied product or service category. Next would be consideration of the risks associated with specific suppliers within each category. The supplier management process encompasses three phases:

1. Evaluation.
2. Selection.
3. Control.

Evaluation

Risk-based evaluation of each potential supplier needs to include consideration of variables including capability/maturity, certification/accreditation, past performance, financial stability, and other practices that may be applicable to your industry (e.g., environmental impact, conflict materials, security, diversity, fair-trade, etc.).

Selection

All of this implies that you’ve established methods for gathering and quantifying this information to enable comparison and analysis for use in the remaining phases. It also implies that you’ve established the relative priority of each risk characteristic (e.g., will financial stability be equal to capability when making selection decisions?). Establishing priorities, or weighting of the characteristics, will facilitate the selection process of whether an individual supplier meets the minimum requirements or when having to decide between multiple suppliers. It will also help avoid making selection decisions based on characteristics that may not be risk factors, like picking the lowest bidder. By quantifying and prioritizing all of the characteristics, and perhaps including business considerations like cost, the selection becomes much more efficient and consistent.

Control

The last stage, control, is the most significant, complex, and longest lasting. This is where decisions need to be made regarding:

• The degree of incoming inspection that will be required.
• How supplier performance will be measured and monitored.
• How often suppliers will need to be re-evaluated (and maybe disqualified or put on probation).

Again, having quantified and prioritized risk factors allows you to decide what type of acceptance activities will be required. Questions about acceptance activities that commonly need to be addressed include:

• Do you need to perform your own inspections and/or analysis?
• Can you rely on the supplier to provide certificates of analysis or conformance?
• Can you just go dock to stock?
• If doing your own or having the supplier performance inspection/analysis, what sample size is required and what number of defects is allowed?

These factors may change over time as measuring and monitoring supplier performance improves or degrades the risk characteristics. For example, if a supplier demonstrates exceptional performance over time, or they implement an accredited analysis lab, you may be able to change the acceptance methods.

Having quantified and prioritized the risk characteristics will also make it easier to decide what to measure and how to monitor supplier performance, or whether measurement and monitoring are even required. For example, a supplier of low-risk components for which you have a history of good performance probably doesn’t require a quarterly scorecard. You also probably don’t need to re-evaluate them annually like you might with higher-risk suppliers.

Obviously, this is a lot of information to gather, review, and manage. And there’s the implication of needing to remember when to repeat some activities, not to mention the likelihood that other functions in your organization will need to be aware of supplier status. Are they still in good standing? Are they approved for providing multiple types of products or services, or only specific ones? For example, just because a supplier has been approved to supply one of your machined parts, doesn’t necessarily mean they’re automatically approved to supply any machined part.

Simplifying and Streamlining With Modern Supplier Management Solutions

Today’s advanced supplier management tools like electronic quality management systems (eQMS) can make this all much easier to manage than paper or spreadsheet-based approaches. And these supplier management software solutions typically have the ability to exchange information with other business systems like enterprise resource planning (ERP), accounting, purchasing portals, export compliance, etc. Trying to accomplish all of this using manual methods will likely result in not doing as intended and therefore not realizing value, effectiveness, and compliance (if applicable to what you do).