GxP Lifeline

Risk-Based Supplier Management for Scaling Evaluation, Selection, and Control


Quality management systems standards like ISO 9001 (Quality Management Systems Requirements) and ISO 13485 (Medical Devices – Quality Management Systems) have long espoused applying risk-based thinking when planning the management of various processes. One of the processes where these standards either imply or explicitly require risk considerations is in managing suppliers. For ISO 9001, risk-based thinking is implied by the use of the phrase “type and extent of control.” In ISO 13485, it is explicitly stated three times within the requirements for purchasing and purchased products. In a nutshell, both are saying that you need to determine how much control to apply based on the risks involved.

Adopting a Risk-Based Approach to Supplier Management

It starts with understanding and documenting the inherent risks associated with your products or services. Obviously, there’s a difference in the risks represented by a pacemaker versus a dishwasher, but both do have inherent risks. Next is consideration of the degree to which each supplier can affect those inherent risks. For example, a supplier that provides critical components like the batteries for a pacemaker can potentially impact the product’s safety and performance more than one that provides logo emblems for a refrigerator.

3 Phases of the Supplier Management Process

So far, we’ve only touched on general considerations that would apply to any supplier within each supplied product or service category. Next would be consideration of the risks associated with specific suppliers within each category. The supplier management process encompasses three phases:

  1. Evaluation.
  2. Selection.
  3. Control.


Risk-based evaluation of each potential supplier needs to include consideration of variables such as capability/maturity, certification/accreditation, past performance, financial stability, and other practices that may be applicable to your industry (e.g., environmental impact, conflict minerals, security, diversity, fair trade, etc.).


All of this implies that you’ve established methods for gathering and quantifying this information to enable comparison and analysis for use in the remaining phases. It also implies that you’ve established the relative priority of each risk characteristic (e.g., will financial stability carry the same weight as capability when making selection decisions?). Establishing priorities, or weights, for the characteristics facilitates the selection process, both when deciding whether an individual supplier meets the minimum requirements and when choosing between multiple suppliers. It also helps avoid selection decisions based on characteristics that aren’t risk factors, like picking the lowest bidder. By quantifying and prioritizing all of the characteristics, and perhaps including business considerations like cost, the selection becomes much more efficient and consistent.


The last stage, control, is the most significant, complex, and longest lasting. This is where decisions need to be made regarding:

  • The degree of incoming inspection that will be required.
  • How supplier performance will be measured and monitored.
  • How often suppliers will need to be re-evaluated (and maybe disqualified or put on probation).

Again, having quantified and prioritized risk factors allows you to decide what type of acceptance activities will be required. Questions about acceptance activities that commonly need to be addressed include:

  • Do you need to perform your own inspections and/or analysis?
  • Can you rely on the supplier to provide certificates of analysis or conformance?
  • Can you just go dock to stock?
  • If you perform your own inspection/analysis, or have the supplier perform it, what sample size is required and what number of defects is allowed?

These factors may change over time as measuring and monitoring supplier performance improves or degrades the risk characteristics. For example, if a supplier demonstrates exceptional performance over time, or they implement an accredited analysis lab, you may be able to change the acceptance methods.

Having quantified and prioritized the risk characteristics will also make it easier to decide what to measure and how to monitor supplier performance, or whether measurement and monitoring are even required. For example, a supplier of low-risk components for which you have a history of good performance probably doesn’t require a quarterly scorecard. You also probably don’t need to re-evaluate them annually like you might with higher-risk suppliers.
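The following is an added example, not code from the article or from MasterControl, that works through the reasoning of the last few paragraphs in one place: weighted evaluation scores are combined with the supplier’s effect on product risk to produce a risk score, the score is mapped to a control tier (acceptance activity, scorecard frequency, re-evaluation interval), and for the high-risk tier the sample size is derived from a stated lot-tolerance defect rate and consumer’s risk using a binomial acceptance-sampling calculation. The weights, the 1-to-5 scales, the tier thresholds, the sampling parameters and the two suppliers are all constructed assumptions for illustration, not figures from the article or from any standard.

```python
"""Risk-based supplier scoring and control-tier assignment (added example).

Every weight, scale, threshold and sample supplier below is an assumption
constructed for illustration, not a value from the article or a standard.
"""
from dataclasses import dataclass
from math import comb

# Relative priority of each evaluation characteristic (assumed; sums to 1.0).
WEIGHTS = {
    "capability": 0.30,
    "certification": 0.20,
    "past_performance": 0.25,
    "financial_stability": 0.15,
    "security": 0.10,
}


@dataclass
class Supplier:
    name: str
    # 1 (logo emblem) .. 5 (pacemaker battery): how much this supplier's
    # product can affect the inherent risk of your product.
    criticality: int
    # Each characteristic scored 1 (weak) .. 5 (strong) during evaluation.
    scores: dict


def weighted_strength(s: Supplier) -> float:
    """Weighted average of the evaluation scores, on the same 1..5 scale."""
    missing = set(WEIGHTS) - set(s.scores)
    if missing:
        raise ValueError(f"{s.name}: unscored characteristics {sorted(missing)}")
    return sum(WEIGHTS[k] * s.scores[k] for k in WEIGHTS)


def risk_score(s: Supplier) -> float:
    """0 (negligible) .. 1 (worst): product criticality times supplier weakness."""
    weakness = (5 - weighted_strength(s)) / 4  # 0 = all 5s, 1 = all 1s
    return (s.criticality / 5) * weakness


def control_tier(risk: float) -> str:
    """Tier thresholds on the risk score (assumed)."""
    if risk >= 0.30:
        return "high"
    if risk >= 0.15:
        return "medium"
    return "low"


def prob_accept(n: int, c: int, p: float) -> float:
    """Probability that a lot with true defect fraction p passes an (n, c)
    attribute sampling plan: accept if at most c defects appear in n samples
    (binomial model, i.e. sampling from a large lot)."""
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(c + 1))


def sample_size(c: int, ltpd: float, consumer_risk: float) -> int:
    """Smallest n such that a lot at the lot-tolerance defect fraction `ltpd`
    is accepted with probability no greater than `consumer_risk`."""
    n = c + 1
    while prob_accept(n, c, ltpd) > consumer_risk:
        n += 1
    return n


def control_plan(s: Supplier) -> dict:
    """Map a supplier's risk tier to the control decisions discussed above."""
    tier = control_tier(risk_score(s))
    if tier == "high":
        # Assumed plan parameters: 5% lot-tolerance defect rate, 10% consumer's risk.
        n = sample_size(c=0, ltpd=0.05, consumer_risk=0.10)
        return {"tier": tier, "acceptance": f"inspect n={n}, accept on c=0 defects",
                "scorecard": "quarterly", "reevaluate_months": 12}
    if tier == "medium":
        return {"tier": tier, "acceptance": "certificate of conformance plus periodic verification",
                "scorecard": "semiannual", "reevaluate_months": 24}
    return {"tier": tier, "acceptance": "dock to stock",
            "scorecard": None, "reevaluate_months": 36}


# Constructed sample suppliers (not real vendors).
BATTERY = Supplier("pacemaker battery vendor", criticality=5,
                   scores={"capability": 4, "certification": 5, "past_performance": 3,
                           "financial_stability": 4, "security": 2})
EMBLEM = Supplier("refrigerator emblem vendor", criticality=1,
                  scores={k: 3 for k in WEIGHTS})

if __name__ == "__main__":
    for s in (BATTERY, EMBLEM):
        print(f"{s.name}: risk={risk_score(s):.3f} -> {control_plan(s)}")
    # Producer's risk: a 1%-defective lot still fails the n=45, c=0 plan over a third of the time.
    print(f"P(accept | 1% defective, n=45, c=0) = {prob_accept(45, 0, 0.01):.2f}")
```

Two things worth noticing when running it: the battery vendor lands in the high tier despite good certification and capability scores, because a weak security score combined with high criticality dominates, and the c=0 plan that protects you at a 5% defect rate also rejects about a third of lots from a supplier running at 1% defective. Raising the allowed defect count c, or relaxing to a certificate of conformance once performance history is established, is exactly the kind of re-scoring the text describes.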

Obviously, this is a lot of information to gather, review, and manage. And there’s the implication of needing to remember when to repeat some activities, not to mention the likelihood that other functions in your organization will need to be aware of supplier status. Are they still in good standing? Are they approved for providing multiple types of products or services, or only specific ones? For example, just because a supplier has been approved to supply one of your machined parts, doesn’t necessarily mean they’re automatically approved to supply any machined part.

Simplifying and Streamlining With Modern Supplier Management Solutions

Today’s advanced supplier management tools like electronic quality management systems (eQMS) can make all of this much easier to manage than paper or spreadsheet-based approaches. These supplier management software solutions typically have the ability to exchange information with other business systems like enterprise resource planning (ERP), accounting, purchasing portals, export compliance, etc. Trying to accomplish all of this with manual methods will likely result in the process not being followed as intended, and therefore in not realizing its value, effectiveness, and compliance (where compliance applies to what you do).


Steve Gompertz (CQM, CBA, RAC-US, CMII) is a leader in quality systems management with over 30 years’ experience in the medical technology industry. His career includes roles in quality systems development and implementation, project management, engineering automation, configuration management, audit, and software development for companies including Pelican BioThermal, St. Jude Medical, Boston Scientific, Medtronic, Vital Images, and Control Data. He is now a consultant to the industry providing guidance on quality systems and regulatory compliance. Steve holds a B.S. in mechanical engineering from Lehigh University, and certifications in quality management, medical device auditing, regulatory affairs, project management, and configuration management. Steve started his professional career in software development and then moved into systems implementation project management. After joining the medical device industry, he transitioned from implementing quality-related IT solutions to managing quality organizations and processes. Steve also helped St. Cloud State University develop and is a Sr. Adjunct Instructor in the “M.S. in Medical Technology Quality” program.
