Chapter 20: Building a Supplier Approval and Monitoring Program That Scales
If you have 50 to 200 active suppliers, you cannot audit them all every year. You also cannot monitor them all equally—some supply mission-critical components, others supply packaging tape. The solution is tiered supplier classification: dividing your supply base into three categories that receive commensurate control effort.
Defining Your Three Tiers
Critical Suppliers are those whose products, services, or processes directly affect product safety, regulatory compliance, or manufacturing uptime. In automotive supply (relevant to many Canadian manufacturers, particularly in the IATF 16949 supply chain), a critical supplier might include a steering component moulder or a braking system fabricator. In food or medical devices, a critical supplier is anyone touching the product or its contact surfaces.
For critical suppliers, you need:
- Annual on-site audit (or biennial if they hold current third-party ISO certification and have zero major nonconformances)
- Monthly or quarterly performance reviews based on on-time delivery, defect rates, and responsiveness data
- Right of access for unannounced audits
- Documented change control—they notify you before changing suppliers, processes, or locations
- Corrective action response time of 5 to 10 business days for major issues
Major Suppliers are high-volume vendors or those supplying components with moderate complexity or risk. A metal stamper producing brackets in volume, or a plastic moulder running commodity housings, falls here.
For major suppliers:
- On-site audit every 18–24 months, *or* evidence of current third-party ISO certification reviewed annually
- Quarterly performance reviews (at minimum)
- Documented SCAR (supplier corrective action request) process for quality issues; response time 10–15 business days
- Right of access for audits (announced)
Standard Suppliers are low-risk, low-complexity, high-volume commodity suppliers. Fasteners, packaging materials, raw material distributors, and logistics providers often fit here.
For standard suppliers:
- Approval based on ISO certification, references, and initial performance sampling
- Annual performance review based on data (on-time delivery, defect rates from incoming inspection)
- SCAR process for serious issues; response time 15–20 business days
- Incoming inspection or receiving-stage controls (see next section)
The classification isn't permanent. A supplier can move up or down based on performance. If a standard fastener vendor starts missing deliveries consistently, you escalate them to major tier and tighten controls. If a critical supplier achieves two years of perfect on-time, zero-defect performance, you might reduce audit frequency (but keep the oversight).
Building Your Approved Supplier List
Your ASL is your control hub. For a mid-sized Canadian manufacturer, it should include:
- Vendor name, location, and contact
- Classification tier (critical, major, standard)
- Products or services supplied
- Approval date and re-evaluation due date
- Approval basis (audit notes, ISO cert review, performance data, or combination)
- Key requirements (technical specs, delivery windows, quality metrics)
- Performance scorecard data (latest quarter or year)
- Audit history (date, findings, corrective actions)
Many plants maintain this in a spreadsheet; others use ERP systems. The tool matters less than the discipline. The ASL must be:
- Current: Updated when suppliers are added, removed, or re-evaluated
- Visible: Accessible to procurement, quality, and operations teams
- Linked to purchasing: Purchase orders should reference the ASL; you shouldn't be able to issue a PO to an unapproved vendor without a documented exception
- Auditable: Every entry should have supporting documentation (approval file, recent scorecard, audit report)
Sample Supplier Scorecard: The Metrics That Matter
Here's a practical scorecard template used by Canadian manufacturers we've guided through ISO 9001 implementation:
| **Performance Metric** | **Weight** | **Target** | **Data Source** | **Frequency** |
|---|---|---|---|---|
| On-Time Delivery Rate | 30% | >95% | Receiving log, PO records | Monthly |
| Quality (PPM/Defect Rate) | 35% | <500 PPM or >99.95% accept rate | Incoming inspection, field failure data | Monthly |
| Response to Quality Issues | 15% | SCAR closure within agreed timeframe | Quality system, SCAR register | Per incident |
| Documentation Compliance | 10% | 100% (certs of conformance, test data, traceability) | Receiving checklist, audit | Monthly |
| Responsiveness to Changes | 10% | <5 business days for ECO acknowledgment | Email log, change order history | Per change |
Overall Score Calculation: (Delivery % × 0.30) + (Quality % × 0.35) + (Issue Response Score × 0.15) + (Doc Compliance × 0.10) + (Change Response Score × 0.10)
A score of 90–100% is acceptable. 80–89% triggers a management review conversation (What's happening? Is it temporary?). Below 80% triggers a formal SCAR and a re-evaluation of supplier status.
Pro Tip: This scorecard is tied to actual business data—not gut feel or opinion. When you go into management review, you bring real numbers. When you decide to escalate a supplier to critical tier or move them to probation, the scorecard justifies it.
Chapter 19: What Clause 8.4 Actually Requires for Externally Provided Processes and Materials
ISO 9001:2015 groups external provision into three categories: **products and services you buy**, **outsourced processes**, and **outsourced functions**. Each c
Chapter 21: Incoming Inspection: Designing Controls That Match Risk, Not Just ISO Boxes
Many Canadian manufacturers inherited incoming inspection practices from the 1980s: inspect 100% of everything, document the count, file the paperwork. By 2026,
Request a Consultation
Fill in your details and we'll get back to you.
