Supplier quality management (SQM) is the system for making sure purchased materials, components, and services meet requirements: qualifying suppliers by risk, verifying incoming product, measuring performance with scorecards, and escalating structured corrective action when things go wrong. Done well, it manages suppliers continuously, not once a year at audit time.
The annual supplier audit is where supplier quality goes to feel finished. One visit, one binder, twelve months of assumptions. Meanwhile the defects arrive weekly at the receiving dock, get argued about by email, and get paid for in sorting labor and line stoppages. A working SQM program is boringly continuous: risk decides the attention each supplier gets, data flows in from every receipt, and a defined ladder governs what happens when performance slips. Here is that program in six steps.
The 6-step supplier quality program
- Tier suppliers by risk, not spend alone. Score each supplier on two axes: the consequence if their product fails (safety, line-down exposure, customer impact, switching difficulty) and the likelihood of trouble (process maturity, history, certification status). The tiers set everything downstream: audit frequency, inspection level, scorecard depth.
- Qualify before the first PO, proportional to tier. High-risk suppliers get an on-site process audit and a first article inspection; medium-risk get a remote assessment and FAI; low-risk commodity suppliers may need only certifications and a sample approval. Writing the proportionality down keeps qualification from being either theater or a bottleneck.
- Define the verification method per part, and put it in writing. Incoming inspection, certificate review, source inspection at the supplier, or dock-to-stock: the choice belongs to the part's risk, and it changes as evidence accumulates (more on this below).
- Score performance monthly from data you already have. Incoming acceptance rate, PPM defective, on-time delivery, responsiveness to corrective actions. Receipt records and NCRs already contain this; a supplier scorecard just aggregates it where both sides can see it.
- Escalate on a published ladder. Slipping scores trigger defined steps, from a corrective action request to tightened inspection to new-business hold. Suppliers behave differently when the ladder is known in advance; so do buyers.
- Develop, or exit, deliberately. For strategic suppliers, invest: share data, run joint problem-solving, help them build capability. For chronic low performers on commodity parts, requalify an alternative. The expensive mistake is doing neither and absorbing the failure cost forever.
How do you tier suppliers by risk?
Two questions per supplier: how bad is failure, and how likely is it? Plot them and the matrix assigns the treatment. A foundry supplying a safety-critical casting with a shaky process history demands audits, SPC evidence, and tight incoming checks. A distributor supplying standard fasteners with years of clean receipts earns dock-to-stock. The matrix's job is making sure the effort lands where the risk lives, not where the loudest buyer or the most recent fire points.
Incoming inspection or supplier certification?
Incoming inspection verifies product after it arrives; certification shifts verification upstream, accepting the supplier's own process evidence in place of your gauge. Neither is universally right, and the honest framing is a trade: inspection buys certainty at the receiving dock and pays in labor, dock time, and duplicated effort; certification buys flow and pays in the trust you must first verify and then keep verifying.
The workable pattern is a progression. New supplier or new part: 100% or tight sampling inspection plus a first article. Sustained clean history: reduced or skip-lot sampling. Demonstrated process control, submitted capability data, and a passed process audit: certified status and dock-to-stock, with periodic requalification and instant demotion on an escape. The mistake worth naming is treating dock-to-stock as a cost-cutting decree rather than an earned status: skipping inspection without evidence doesn't remove the verification cost, it moves it to the production line, where it returns with interest as line-down time and failure cost.
ISO 9001:2015 clause 8.4 leaves the method open but not the obligation: controls on externally provided products must ensure they meet requirements, with criteria for evaluating, monitoring, and re-evaluating suppliers, and records of it all (ISO 9001:2015).
What goes on the scorecard, and what happens when it slips?
Four metrics carry most of the weight: quality (PPM defective or lot acceptance rate), delivery (on-time in full), responsiveness (corrective action cycle time), and commercial performance. Publish the formula to suppliers, refresh monthly, and let receiving data and NCRs feed it automatically; a scorecard assembled by hand each quarter is already an audit, not a monitor. Our supplier scorecard guide covers the mechanics and weighting.
The scorecard's authority comes from the ladder behind it:
The corrective-action rung deserves its own sentence. A supplier corrective action request (SCAR) should demand structured problem-solving, and the common currency is the 8D format, the eight-disciplines method popularized by the automotive industry in the 1980s: team, problem description, containment, root cause, corrective action, implementation, prevention, recognition. Accept an 8D the way you would your own CAPA: containment with dates, a root cause that survives the "would removing this prevent recurrence?" test, and effectiveness evidence, not a promise to retrain. If your own CAPA discipline is weak, supplier 8Ds will be weak too; suppliers learn quickly what a customer actually reads. The same applies to supplier audits, which should follow the same evidence-first structure as your internal audits.
What does supplier failure actually cost?
The case for continuous SQM is arithmetic, and the numbers live mostly in accounts nobody labels "supplier":
- ASQ reports total quality costs commonly run 15-20% of sales revenue; the incoming-material share of that shows up as receiving inspection labor (appraisal), sorting and line stoppages (internal failure), and escapes that reach your customer wearing your name (external failure) (ASQ, Cost of Quality).
- ISO 9001:2015 clause 8.4 makes supplier evaluation, monitoring, and re-evaluation a certification requirement with retained records, so a scorecard that exists only in a buyer's memory is also an audit finding waiting to happen (ISO 9001:2015).
- A supplier defect discovered at receiving costs a rejection and a SCAR; the same defect discovered at final assembly costs teardown, delay, and expedite fees; discovered by your customer, it costs chargebacks and standing. The multiplier between those stages is the entire business case for moving verification upstream.
When you total one bad quarter from one problem supplier, line stoppages, sorting overtime, expedited replacements, the number usually dwarfs the cost of the risk-tiering and scorecard program that would have caught it at rung one of the ladder.
The data problem underneath all of it
Every step above runs on receiving and quality data: acceptance rates, defect codes by supplier, SCAR cycle times. In plants where receiving inspection results live on paper travelers and NCRs in a shared drive, the scorecard is quarterly guesswork and the ladder never fires until a crisis. Getting incoming checks and nonconformances captured digitally at the dock, connected to the ERP records they reference, is what makes continuous SQM cheaper than the annual-audit version, and it is exactly the kind of plumbing Harmony's connected-systems and quality intelligence modules handle alongside the QMS you already run. The audit still has its place; it just stops being the only day of the year you know how your suppliers are doing.