Supplier quality management (SQM) is the system for making sure purchased materials, components, and services meet requirements: qualifying suppliers by risk, verifying incoming product, measuring performance with scorecards, and escalating structured corrective action when things go wrong. Done well, it manages suppliers continuously, not once a year at audit time.

The annual supplier audit is where supplier quality goes to feel finished. One visit, one binder, twelve months of assumptions. Meanwhile the defects arrive weekly at the receiving dock, get argued about by email, and get paid for in sorting labor and line stoppages. A working SQM program is boringly continuous: risk decides the attention each supplier gets, data flows in from every receipt, and a defined ladder governs what happens when performance slips. Here is that program in six steps.

The 6-step supplier quality program

  1. Tier suppliers by risk, not spend alone. Score each supplier on two axes: the consequence if their product fails (safety, line-down exposure, customer impact, switching difficulty) and the likelihood of trouble (process maturity, history, certification status). The tiers set everything downstream: audit frequency, inspection level, scorecard depth.
  2. Qualify before the first PO, proportional to tier. High-risk suppliers get an on-site process audit and a first article inspection; medium-risk get a remote assessment and FAI; low-risk commodity suppliers may need only certifications and a sample approval. Writing the proportionality down keeps qualification from being either theater or a bottleneck.
  3. Define the verification method per part, and put it in writing. Incoming inspection, certificate review, source inspection at the supplier, or dock-to-stock: the choice belongs to the part's risk, and it changes as evidence accumulates (more on this below).
  4. Score performance monthly from data you already have. Incoming acceptance rate, PPM defective, on-time delivery, responsiveness to corrective actions. Receipt records and NCRs already contain this; a supplier scorecard just aggregates it where both sides can see it.
  5. Escalate on a published ladder. Slipping scores trigger defined steps, from a corrective action request to tightened inspection to new-business hold. Suppliers behave differently when the ladder is known in advance; so do buyers.
  6. Develop, or exit, deliberately. For strategic suppliers, invest: share data, run joint problem-solving, help them build capability. For chronic low performers on commodity parts, requalify an alternative. The expensive mistake is doing neither and absorbing the failure cost forever.

How do you tier suppliers by risk?

Two questions per supplier: how bad is failure, and how likely is it? Plot them and the matrix assigns the treatment. A foundry supplying a safety-critical casting with a shaky process history demands audits, SPC evidence, and tight incoming checks. A distributor supplying standard fasteners with years of clean receipts earns dock-to-stock. The matrix's job is making sure the effort lands where the risk lives, not where the loudest buyer or the most recent fire points.

Supplier risk matrixSupplier risk matrix: attention follows riskIMPACT OF FAILURE →LIKELIHOOD OF NONCONFORMANCE →HIGH IMPACT, LOW LIKELIHOODcertify + periodic audit,watch the scorecard closelyHIGH IMPACT, HIGH LIKELIHOODintensive: audits, SPC evidence,tight inspection, develop or exitLOW IMPACT, LOW LIKELIHOODdock-to-stock, cert review,annual scorecard glanceLOW IMPACT, HIGH LIKELIHOODsampling inspection, SCARs,second source if chronicRe-plot quarterly: suppliers move as evidence accumulates.
The risk matrix. Tiering is a living decision; a clean year moves a supplier down, a bad quarter moves them up.

Incoming inspection or supplier certification?

Incoming inspection verifies product after it arrives; certification shifts verification upstream, accepting the supplier's own process evidence in place of your gauge. Neither is universally right, and the honest framing is a trade: inspection buys certainty at the receiving dock and pays in labor, dock time, and duplicated effort; certification buys flow and pays in the trust you must first verify and then keep verifying.

The workable pattern is a progression. New supplier or new part: 100% or tight sampling inspection plus a first article. Sustained clean history: reduced or skip-lot sampling. Demonstrated process control, submitted capability data, and a passed process audit: certified status and dock-to-stock, with periodic requalification and instant demotion on an escape. The mistake worth naming is treating dock-to-stock as a cost-cutting decree rather than an earned status: skipping inspection without evidence doesn't remove the verification cost, it moves it to the production line, where it returns with interest as line-down time and failure cost.

ISO 9001:2015 clause 8.4 leaves the method open but not the obligation: controls on externally provided products must ensure they meet requirements, with criteria for evaluating, monitoring, and re-evaluating suppliers, and records of it all (ISO 9001:2015).

What goes on the scorecard, and what happens when it slips?

Four metrics carry most of the weight: quality (PPM defective or lot acceptance rate), delivery (on-time in full), responsiveness (corrective action cycle time), and commercial performance. Publish the formula to suppliers, refresh monthly, and let receiving data and NCRs feed it automatically; a scorecard assembled by hand each quarter is already an audit, not a monitor. Our supplier scorecard guide covers the mechanics and weighting.

The scorecard's authority comes from the ladder behind it:

Supplier escalation ladderThe escalation ladder, published in advanceRUNG 0 · ROUTINE: monthly scorecard, both sides see the same numberstrigger up: missed target, escape, or negative trendRUNG 1 · SCAR: corrective action request, 8D response with evidencetrigger up: late, shallow, or repeated SCARsRUNG 2 · CONTAINMENT: tightened/100% inspection, at supplier's costtrigger up: escapes continue under containmentRUNG 3 · ON-SITE AUDIT + improvement plan with dated milestonestrigger up: milestones missedRUNG 4 · BUSINESS HOLD: no new awards; qualify the exit pathevery rung has a way back down: sustained clean performance
The escalation ladder. Each rung has a defined trigger up and an earned path back down.

The corrective-action rung deserves its own sentence. A supplier corrective action request (SCAR) should demand structured problem-solving, and the common currency is the 8D format, the eight-disciplines method popularized by the automotive industry in the 1980s: team, problem description, containment, root cause, corrective action, implementation, prevention, recognition. Accept an 8D the way you would your own CAPA: containment with dates, a root cause that survives the "would removing this prevent recurrence?" test, and effectiveness evidence, not a promise to retrain. If your own CAPA discipline is weak, supplier 8Ds will be weak too; suppliers learn quickly what a customer actually reads. The same applies to supplier audits, which should follow the same evidence-first structure as your internal audits.

What does supplier failure actually cost?

The case for continuous SQM is arithmetic, and the numbers live mostly in accounts nobody labels "supplier":

When you total one bad quarter from one problem supplier, line stoppages, sorting overtime, expedited replacements, the number usually dwarfs the cost of the risk-tiering and scorecard program that would have caught it at rung one of the ladder.

The data problem underneath all of it

Every step above runs on receiving and quality data: acceptance rates, defect codes by supplier, SCAR cycle times. In plants where receiving inspection results live on paper travelers and NCRs in a shared drive, the scorecard is quarterly guesswork and the ladder never fires until a crisis. Getting incoming checks and nonconformances captured digitally at the dock, connected to the ERP records they reference, is what makes continuous SQM cheaper than the annual-audit version, and it is exactly the kind of plumbing Harmony's connected-systems and quality intelligence modules handle alongside the QMS you already run. The audit still has its place; it just stops being the only day of the year you know how your suppliers are doing.