Supplier scorecard

TL;DR

The structured, periodically-reviewed performance rating that drives whether a supplier stays on the approved supplier list — combining quality, delivery, service and compliance metrics into a tier that controls audit frequency, sourcing volume and escalation. What 21 CFR 820.50, ICH Q7 §17, ISO 13485 §7.4, ISO 9001 §8.4 and the GFSI schemes actually require, and the scorecard shape that survives FDA, Notified Body and certification-body inspection.

Reviewed · By V5 Ultimate compliance team · 3,920 words · ~18 min read

01 What a supplier scorecard actually is

A supplier scorecard is a structured, periodically-reviewed rating that aggregates a supplier's measurable performance across quality, delivery, service, compliance and risk into a single tier that drives downstream decisions. The downstream decisions are not advisory: they control whether the supplier stays on the approved supplier list, how often they are audited, what volume of business they can be awarded, how strict the incoming inspection regime is, and whether sourcing teams must dual-source against them.

The scorecard is not a one-page PowerPoint your buyer writes at year end. It is a quality-system control with the same evidence rules as any other QMS record: defined inputs, defined calculation, defined review cadence, documented sign-off, retained history, audit-trail-compliant change records. It is one of the records an inspector will ask for early — often immediately after the approved supplier list itself.

02 Why regulators expect scorecards even when they don't name them

No regulation uses the word 'scorecard' as a clause heading, but every major regime requires the substance: ongoing evaluation of suppliers, with documented criteria, with action taken when performance degrades. 21 CFR 820.50(a)(2) requires manufacturers to 'establish and maintain records of acceptable suppliers, contractors and consultants' — 'acceptable' is the operative word. ISO 13485 §7.4.1 requires re-evaluation 'at planned intervals or upon changes affecting the supplier's ability'. ICH Q7 §17.40 requires that 'the quality of materials supplied by these intermediaries should be evaluated and periodically reassessed'.

The scorecard is the artefact that satisfies all of these. It demonstrates ongoing evaluation, with documented criteria, with traceable performance data, with a defined re-evaluation interval, with named owners of the decision. Without it, 'acceptable' is just a yes/no flag with no audit trail of how the yes/no was reached.

There is a second, commercial reason. Supplier failures are one of the largest sources of recall, market-action and revenue loss for regulated manufacturers. A 2022 PWC supply-chain study found that 65% of pharmaceutical recalls had a root cause in a supplier or contract manufacturer. A scorecard that flags performance degradation before it produces a quality incident is the cheapest insurance any QMS can buy.

03 Regulatory map — who requires what

Supplier evaluation and re-evaluation is one of the most consistent QMS expectations across regimes. The shape varies (some require named scorecards, some require any periodically-reviewed evaluation record); the substance is identical.

| Regime | Clause | What it requires |
|---|---|---|
| FDA devices (QSR/QMSR) | 21 CFR 820.50(a) | Establish requirements that suppliers / contractors / consultants must meet; evaluate and select on the basis of their ability to meet specified requirements; define the type and extent of control to be exercised based on evaluation results. |
| FDA devices | 21 CFR 820.50(a)(2) | Maintain records of acceptable suppliers — re-evaluation triggers must be defined. |
| FDA drugs | 21 CFR 211.84(d)(2) | Each lot of a component subject to identity testing or, if reliance on the supplier's CoA is justified, at least one specific identity test per lot — that 'justification' rests on supplier qualification status. |
| FDA drugs | FDA 2016 Quality Agreement guidance | Quality Agreements with contract manufacturers should specify performance metrics, communication, change-notification, and termination triggers. |
| FDA food | 21 CFR 117.420 / FSVP | Importers must verify that foreign suppliers' food is produced consistently with US food-safety requirements — periodic re-evaluation is explicit. |
| ICH | Q7 §17.40 | Agents / brokers / traders / distributors must be 'evaluated and periodically reassessed' for quality. |
| ICH | Q9 / Q10 | Supplier risk and quality management are PQS pillars — periodic risk reassessment expected. |
| EU GMP | Chapter 5 §5.27-5.30 | Selection, qualification, approval and maintenance of suppliers of active substances and excipients. |
| EU GMP | Chapter 7 | Outsourced activities — written contract, defined responsibilities, evaluation. |
| ISO 13485 | §7.4.1 | Documented criteria for evaluation and selection; criteria for re-evaluation; records of evaluation. |
| ISO 9001 | §8.4.1 | Determine and apply criteria for evaluation, selection, monitoring of performance, and re-evaluation of external providers. |
| EU MDR / IVDR | Annex IX | Notified Body oversight extends to critical suppliers; the manufacturer must show evidence of supplier control. |
| GFSI (BRCGS / SQF / FSSC) | Various | Each scheme requires approved-supplier programmes with performance monitoring and risk-based re-audit frequency. |
| DSCSA | FDA US drug-supply chain | Trading-partner verification — only authorised trading partners may exchange product; supplier qualification is part of the verification chain. |

04 The five dimensions of a defensible scorecard

A scorecard that survives inspection has at least five dimensions, each with its own input metrics and weighting. Single-dimension scorecards (e.g. 'on-time delivery only') are widely cited as inadequate by Notified Bodies and FDA QSIT investigators because they miss the quality and compliance picture.

| Dimension | Typical metrics | Source |
|---|---|---|
| Quality | Lot acceptance rate, CoA accuracy, NCR rate per 1000 lots, OOS rate, complaint linkage rate | QC / LIMS, NCR module, complaint module |
| Delivery | On-time-in-full %, lead-time variance, schedule-adherence %, expedite frequency | Goods-receipt module, purchasing system |
| Service | RFQ response time, technical-query response time, complaint-resolution time, change-notification timeliness | Communication / portal logs |
| Compliance | Audit-finding count + class, regulatory action against the supplier, certification status currency, Quality Agreement in place + current revision | Audit-management module, regulator databases, document control |
| Risk | Geopolitical risk score, single-source flag, financial-health indicator, business-continuity capability, cyber-security posture (for service / data suppliers) | External risk feeds, supplier self-assessment |

Some organisations add a sixth dimension for sustainability / ethics — REACH, RoHS, conflict minerals, Modern Slavery Act, EU CSRD — particularly for raw-material and packaging suppliers. The number of dimensions is less important than the explicit documentation that every dimension has a defined input, a defined weighting and a defined tier-trigger threshold.

05 Weighting and tiers — turning metrics into action

A scorecard is only useful if the score maps to an action. The standard pattern is a four-tier scheme that determines how the supplier is managed:

| Tier | Typical band | Action |
|---|---|---|
| Preferred | ≥ 90 | Award expansion eligible; audit every 24 months by desk audit; standard incoming inspection reduced to skip-lot. |
| Approved | 75-89 | Maintain current volume; audit every 18 months (mix of on-site and desk); standard incoming inspection. |
| Watch | 60-74 | Volume freeze; quarterly performance review; audit within 6 months on-site; enhanced incoming inspection. |
| Probationary / disapproved | < 60 | Containment plan triggered; CAPA opened against supplier; sourcing transitioned to alternates; removal from approved supplier list if not recovered within agreed period. |

The dimension weighting drives whether a single quality incident moves a supplier from Preferred to Watch in one period, or whether it takes a quality + delivery dual degradation. Defaults that survive scrutiny put quality + compliance at 60-70% of the total weight and delivery + service at 30-40%. Pure-delivery scorecards (the classic procurement metric) are now widely rejected by quality auditors as inadequate.
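
The weighting-to-tier mapping above, as an added example (not V5 Ultimate's code). The weights are assumed values inside the 60-70% / 30-40% split with the remaining 10% on risk, the bands come from the tier table, and the rule that applies downgrades at once but holds upgrades for QA sign-off follows the failure-mode list later on this page; function names and the sample supplier are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed weights in percent (not from the page): quality + compliance = 60,
# delivery + service = 30, risk = 10. Each dimension is scored 0-100.
WEIGHTS = {"quality": 35, "compliance": 25, "delivery": 20, "service": 10, "risk": 10}

# Tier floors from the tier table, best first. Assumption: a fractional score
# between two bands (e.g. 89.5) falls into the lower band.
TIERS = [("Preferred", 90), ("Approved", 75), ("Watch", 60), ("Probationary", 0)]
RANK = {name: i for i, (name, _) in enumerate(TIERS)}  # 0 = best tier


def weighted_score(dims):
    """Weighted 0-100 score; refuses missing or out-of-range dimension inputs."""
    for name in WEIGHTS:
        if name not in dims or not 0 <= dims[name] <= 100:
            raise ValueError(f"dimension {name!r} missing or outside 0-100")
    return sum(WEIGHTS[n] * dims[n] for n in WEIGHTS) / 100


def tier_for(score):
    """First tier, best first, whose floor the score reaches."""
    return next(name for name, floor in TIERS if score >= floor)


@dataclass
class Decision:
    score: float
    effective_tier: str             # tier the approved supplier list should show
    pending_upgrade: Optional[str]  # better computed tier awaiting QA sign-off
    reason: str


def rescore(current_tier, dims, qa_signoff=None):
    """Downgrades apply at once; upgrades wait for a named QA sign-off."""
    score = weighted_score(dims)
    computed = tier_for(score)
    if RANK[computed] > RANK[current_tier]:
        return Decision(score, computed, None, "automatic downgrade")
    if RANK[computed] < RANK[current_tier]:
        if qa_signoff:
            return Decision(score, computed, None, f"upgrade signed by {qa_signoff}")
        return Decision(score, current_tier, computed, "upgrade held for QA sign-off")
    return Decision(score, current_tier, None, "no change")


# Constructed sample periods for one hypothetical supplier.
GOOD = {"quality": 95, "compliance": 92, "delivery": 90, "service": 88, "risk": 85}
QUALITY_HIT = dict(GOOD, quality=40)    # e.g. after a major NCR
DELIVERY_HIT = dict(GOOD, delivery=40)  # same size drop, lower-weight dimension

if __name__ == "__main__":
    for label, tier, dims, signer in [
        ("baseline", "Preferred", GOOD, None),
        ("quality incident", "Preferred", QUALITY_HIT, None),
        ("delivery slip", "Preferred", DELIVERY_HIT, None),
        ("one good period", "Watch", GOOD, None),
        ("QA-approved recovery", "Watch", GOOD, "qa.lead (hypothetical)"),
    ]:
        print(label, rescore(tier, dims, signer))
```

With these assumed weights the same 50-point drop moves the supplier two tiers when it lands on quality and one tier when it lands on delivery.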

06 Trigger events — when the periodic cadence isn't enough

Scorecards are usually scored on a quarterly cadence, but quarterly is too slow for some events. A defensible programme defines explicit trigger events that re-score the supplier immediately and force a documented review:

  • Any critical or major NCR linked to material from the supplier.
  • Any product complaint with root cause attributed to the supplier.
  • Any recall (regulator-initiated or voluntary) involving the supplier.
  • Any regulator action against the supplier (FDA Warning Letter, EU GMP non-compliance status, Notified Body certificate suspension).
  • Any supplier-initiated change notification that affects a critical attribute (manufacturing site, sub-supplier of a critical input, QC method, release specification).
  • Any failure to provide a Certificate of Analysis on time or to specification.
  • Any change in ownership, financial-health flag, or business-continuity event affecting the supplier.
  • Any cyber-security or data-integrity incident at a service / data supplier.

Trigger-event handling needs three things to be inspection-ready: timestamped logging of the trigger, a documented re-score within a defined SLA (usually 5 business days), and an explicit decision on whether the tier changes and whether containment is needed. 'We knew, but didn't get around to re-scoring' is the response that gets you a Form 483.

07 Supplier criticality and review cadence

Not every supplier gets the same scorecard treatment. ISO 13485 §7.4.1 and 21 CFR 820.50 both require that the type and extent of control be 'based on the evaluation results' and proportional to risk. The standard pattern is a three-tier criticality scheme that is independent of the performance tier above:

| Criticality | Definition | Scorecard cadence | Audit cadence |
|---|---|---|---|
| Critical | Material or service directly affects product safety, efficacy or compliance; single-source or limited-source; affects a regulatory filing | Monthly | 12-24 months on site |
| Major | Material or service affects product quality but with alternates available; or service has GxP impact | Quarterly | 18-36 months mix of on-site and desk |
| Standard / non-critical | Material or service does not affect product quality (e.g. office supplies, general cleaning supplies) | Annual | Self-assessment questionnaire every 2-3 years |

Criticality is not a performance metric — a critical supplier with poor performance moves to the Watch performance tier but stays at critical criticality. The two axes drive different decisions: criticality drives review depth and frequency, performance drives volume and containment.

09 Data sources — what feeds the scorecard automatically

A scorecard that depends on manual data entry will drift; a scorecard that is fed automatically from the QMS subsystems and the ERP will not. The data sources that matter:

  • Goods-receipt and incoming-inspection module: lot-acceptance rate, CoA accuracy, on-time-in-full %, lead-time variance.
  • QC / LIMS module: incoming-QC results, OOS / OOT rate, sampling escalations.
  • NCR module: NCRs opened against each supplier, classification, ageing, root-cause linkage.
  • Complaint module: complaints with root cause attributed to the supplier.
  • Audit-management module: audit findings by class, audit-result trend, scheduled vs actual audit dates.
  • Document control module: Quality Agreement currency, supplier-CoA template currency, supplier-SOP review status.
  • Change-control module: supplier-initiated change-notification volume and timeliness.
  • Communication / supplier-portal logs: response times to RFQ, technical query, change request, CAPA assignment.
  • External risk feeds (where subscribed): financial-health, geopolitical, regulator-action feeds.

Each data source needs an auditable connection — manual exports into a spreadsheet are not auditable in the Part 11 / Annex 11 sense. Either the scorecard pulls from the source system through a controlled integration with audit-trail continuity, or the source data is captured directly in the same system that owns the scorecard.

10 Review cadence and governance

ISO 13485 §7.4.1 and ISO 9001 §8.4.1 both require re-evaluation 'at planned intervals'. The standard governance shape:

  • Monthly: critical-supplier scorecard refresh; trigger-event re-scores within 5 business days.
  • Quarterly: major-supplier scorecard refresh; tier-change decisions documented and signed by QA; supplier review meeting with the owning category manager.
  • Annual: full re-qualification of all suppliers on the approved supplier list, including a formal supplier-management review with QA leadership and procurement.
  • On trigger: ad-hoc re-scores and tier reviews per the trigger-event list above.

Supplier scorecards are a standing input to QMS management review (ISO 9001 §9.3 / ISO 13485 §5.6). The management-review pack should include: % of approved suppliers in each tier, count of tier changes in the period, count of trigger-event re-scores, supplier-CAPA status, top-10 highest-risk suppliers by combined criticality + tier.

11 Common failure modes and 483 themes

Reading FDA Warning Letters, Notified Body deficiency reports and certification-body reports surfaces the same supplier-scorecard failure modes repeatedly:

  • No re-evaluation at all — suppliers approved once at qualification, never reassessed. Direct breach of ISO 13485 §7.4.1 / 21 CFR 820.50(a).
  • Single-dimension scorecards (delivery only, or quality only) — adequate for procurement, inadequate for the QMS.
  • Manual scorecards in a spreadsheet — no audit trail, no controlled version history, no Part 11 compliance.
  • Tier changes without documented decision rationale — the score moved, but no one signed the tier change.
  • Trigger events not re-scored — a critical NCR opened against the supplier, scorecard still reads 'Preferred' three months later.
  • Tier upgrades automated equally with downgrades — supplier laundering one good month back into Preferred status.
  • Quality Agreement not aligned with scorecard — performance commitments in the agreement that are not measured in the scorecard, or scorecard metrics with no contractual basis.
  • Approved supplier list still shows suppliers whose scorecard has been Probationary for 6+ months without explicit disposition.
  • Sub-supplier changes notified by the supplier never reflected in the scorecard — the supplier's manufacturing site moved, your scorecard still shows the old risk profile.
  • Foreign supplier verification gaps — for FDA-regulated food importers, missing or stale FSVP records on suppliers.

12 Programme-level metrics that matter

Beyond the per-supplier score, the supplier-management programme itself needs metrics. A management-review-grade dashboard tracks at least six, trended quarterly:

  • Approved supplier list size — total active suppliers by criticality tier.
  • Distribution across performance tiers — % Preferred / Approved / Watch / Probationary, trended.
  • Re-evaluation adherence — % of scheduled scorecard refreshes completed on plan, by criticality.
  • Audit-schedule adherence for the supplier-audit programme — % of scheduled supplier audits completed on plan.
  • Quality Agreement currency — % of critical suppliers with a current Quality Agreement under review-due date.
  • Supplier-driven incident rate — number of NCRs / complaints / deviations / recalls in the period with root cause attributed to a supplier, trended.

13 How V5 Ultimate handles supplier scorecards

Supplier scorecards in V5 are not a separate module bolted onto purchasing — they are a live aggregation of every supplier-relevant data point already captured by the QMS, with explicit links to the actions the score drives. The capabilities, end to end:

  • Each approved supplier record carries criticality, current performance tier, score by dimension, contributing data points by row (clickable through to the source NCR, complaint, CoA, audit finding, change notification), Quality Agreement version + due date, contracted commitments + current performance against each, audit history with last finding count, and next scheduled audit date.
  • Five-dimension scorecard out of the box (quality, delivery, service, compliance, risk) with configurable weighting per material category — critical APIs are weighted differently from packaging, which in turn is weighted differently from non-GxP service suppliers.
  • Live data feeds from goods-receipt, QC, NCR, complaint, audit-management, change-control, document-control and the supplier portal — no manual data entry, full audit-trail continuity on every contributing data point.
  • Trigger-event re-scores: NCRs above defined severity, complaints linked to a supplier, supplier-initiated change notifications, regulator-action feeds and Quality Agreement breaches all force a re-score within a documented SLA.
  • Tier downgrades automatic; tier upgrades require explicit QA sign-off with documented decision rationale.
  • Approved supplier list auto-updates from tier transitions: a supplier moved to Probationary is automatically marked 'hold for new POs' until QA disposition.
  • Supplier portal — the supplier sees their own scorecard, their open CAPAs, their pending change requests and their Quality Agreement renewal status. Inbound change notifications enter directly into the V5 change-control system on the receiving side.
  • Management-review pack auto-generated: tier distribution, re-evaluation adherence, supplier-driven incident rate, top-10 supplier risk list, all exportable for the quarterly QMS management-review meeting.
  • Audit-management integration: a supplier moved to Watch or Probationary automatically schedules an on-site audit within 6 months; scorecard data feeds the auditor's pre-audit pack so the audit can be targeted at the actual risk pattern.
  • Part 11 / Annex 11 by construction: every scorecard change carries an audit trail, every tier change is e-signed, every escalation triggers a controlled record.

Frequently asked questions

Q. How often should we re-score a supplier?

Risk-based. Defaults that survive scrutiny: critical suppliers monthly, major suppliers quarterly, non-critical suppliers annually — plus immediate trigger-event re-scores for NCRs, complaints, regulator action, change notifications and Quality Agreement breaches. The cadence itself is auditable: an inspector will ask 'why monthly here, quarterly there?' and the answer must reference criticality.

Q. What weighting should we put on each dimension?

There is no single right answer — the right weighting depends on the supplier category, the regulated regime and the risk profile of the materials involved. Sensible defaults for a regulated manufacturer put quality + compliance at 60-70% of the total and delivery + service at 30-40%. Pure-delivery scorecards (the classic procurement weighting) are widely rejected by quality auditors as inadequate for a regulated QMS.

Q. Can we share our scorecard with the supplier?

Yes, and you usually should. Sharing the scorecard makes performance commitments visible, gives the supplier an early-warning signal before tier downgrades, and converts an adversarial 'you have a problem with our materials' conversation into a structured 'here is your tier, here are the contributing metrics, here is the trend' conversation. Most modern supplier portals — including V5's — make the scorecard supplier-visible by default, with the manufacturer in control of what's shown.

Q. What happens when a single-source critical supplier degrades?

Single-source critical supplier degradation is one of the highest-impact events in a QMS. The standard response: immediate containment (review of recent lots in stock, hold on suspect material), CAPA opened against the supplier with named senior QA owner, accelerated audit on site within 30 days, dual-sourcing project initiated as a preventive action, increased incoming-inspection regime, and explicit risk acceptance documented at the management-review level if continued sourcing is needed before the corrective actions complete. Tier change to Probationary regardless of headline score.

Q. How does the scorecard interact with the Approved Supplier List?

The Approved Supplier List (ASL) is the binary 'allowed to buy from' control. The scorecard is the graded 'how well are they doing' control. A supplier moving below the Probationary threshold should automatically suspend new POs and trigger a documented disposition decision: recover the supplier, transition to alternates, or remove from the ASL. ASL changes are themselves change-control events (per ISO 13485 §7.4.1 and 21 CFR 820.50).

Q. Do we need a scorecard for every supplier on the ASL?

Substantively, yes — ISO 13485 §7.4.1 / 21 CFR 820.50 / ISO 9001 §8.4.1 all require re-evaluation at planned intervals for all suppliers. In practice, non-critical suppliers (office supplies, general cleaning supplies, non-GxP service providers) get a lightweight annual scorecard rather than the full five-dimension monthly treatment. The principle is proportionality, not exemption.

Q. How does the supplier scorecard relate to the supplier audit programme?

They are two sides of the same loop. Audits feed the scorecard's compliance dimension; scorecard tier drives the audit-schedule frequency. A supplier moving to Watch automatically pulls forward the next on-site audit; a critical audit finding automatically moves the supplier toward Watch or Probationary. See our companion page on [audit management](/glossary/audit-management) for the audit side.

Q. What records do we keep, and for how long?

Each scorecard refresh, each tier change with its sign-off, every contributing data point with full lineage to the source record (NCR, complaint, audit finding, CoA), the Quality Agreement history and the supplier audit history. Retention: as long as the supplier remains on the ASL, plus 5 years after de-approval, with longer retention if the supplier-related records support regulatory submissions or are referenced in a recall. ISO 13485 §4.2.5, 21 CFR 820.180 and EU GMP Chapter 4 §4.10 set the floor.
