
Supplier Risk Audit Template — Score Reliability, Criticality, and Backup Coverage

A working template procurement and supply-chain teams can run on a real supplier list this week. Five scoring dimensions, two roll-ups, and the questions that surface hidden Tier-2 exposure.

Supplier risk · 11 min read · 2d ago · ChainsSignal Intelligence Team

What this template is for

A supplier risk audit is a practical exercise, not a strategy document. The goal is to come out of it with a defensible list of the suppliers you actually depend on, how exposed you are at each one, and which gaps need to close before the next disruption — not a polished deck.

This template is built around the work most procurement and supply-chain teams already do informally — the spreadsheet that lives in someone's head, the supplier list that's "mostly current," the gut-feel ranking of which vendors are scary. It turns those instincts into a structured audit your buyers, planners, quality team, and CFO can all read the same way.

The five scoring dimensions

Every supplier in scope gets scored on five dimensions, on a 1–5 scale. The dimensions are intentionally narrow so two reviewers will produce nearly the same score:

  1. Criticality — what stops if this supplier fails this week.
  2. Reliability — observed delivery, quality, and responsiveness over the last 12 months.
  3. Concentration — share of the part / material this supplier represents.
  4. Backup coverage — how qualified the alternate is, not whether one exists in theory.
  5. External exposure — region, route, regulatory, financial, geopolitical signals.

How to score criticality without guessing

Criticality is the dimension teams get wrong most often, because it gets confused with spend. High-spend suppliers are not necessarily critical, and low-spend ones often are.

The right test is operational, not financial:

  • Does losing this supplier stop a finished good from shipping inside 14 days?
  • Does it stop a customer commitment, regulatory filing, or product certification?
  • Is the input substitutable from inventory, or only from a re-qualified alternate source?

Two yeses is a 4. Three yeses is a 5. Spend is a tiebreaker, not the input.

Reliability: signal, not vibes

Reliability has to come from observed history, not from your buyer's relationship with the rep. Pull the last 12 months of receipts and score on three signals:

  • On-time delivery rate against the originally promised date — not the rescheduled one.
  • Quality acceptance rate at receiving and after first use.
  • Responsiveness measured as median hours to first substantive reply on an issue.

If your ERP can't answer one of those questions, that's the audit finding for that supplier — and a visibility gap to close before the next cycle.

Backup coverage and qualification depth

Most "we have a backup" answers don't survive a live disruption. The honest test is whether the backup is qualified today for the specific part, at usable volume, with current pricing.

  1. Named alternate supplier, not a category.
  2. Qualified part numbers — not similar parts.
  3. Recent test order or shipped volume in the last 12 months.
  4. Lead time and price on file, not estimated.

Surfacing Tier-2 exposure

Most disruption comes from a level deeper than your direct suppliers — the foundry, the resin producer, the specialty coating line, the single fab making your microcontroller. Direct suppliers often don't volunteer this information, and audits that stop at Tier-1 miss the actual risk.

The audit asks three Tier-2 questions for any Tier-1 scoring 4 or 5 on criticality:

  • Where is the upstream input physically produced — region, country, plant if available?
  • Is the upstream input single-sourced from your supplier's perspective?
  • What was the last documented disruption in that upstream node?

You will get incomplete answers. Capture them anyway. The pattern of unknowns is itself the map of where Tier-2 visibility needs to improve.

Two roll-ups every audit needs

An audit that produces 400 supplier rows and no summary doesn't get used. Two roll-ups carry the conversation:

  1. Exposure heatmap — criticality × reliability, weighted by concentration. Gives you a single picture of which suppliers are both important and unreliable.
  2. Single-source register — every supplier with concentration ≥ 80% on a critical input, with current backup coverage status. This is the list that goes to leadership.
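The scoring rules above (the three criticality questions, the four backup-coverage checks, the Tier-2 unknowns) and the two roll-ups can be run over a plain supplier list. The script below is an added illustration, not ChainsSignal's code, and it fills in a few gaps the template leaves open: it assumes reliability is scored with 5 as most reliable, so the heatmap inverts it (6 − reliability) to rank important and unreliable suppliers highest; it assumes 0 or 1 "yes" on the criticality questions maps to 1 or 2 (the template only defines 4 and 5); it scores backup coverage as 1 plus the number of the four checks that pass; and it treats "critical input" in the single-source register as criticality 4 or 5, matching the Tier-2 trigger. The three supplier rows are constructed sample data.

```python
from dataclasses import dataclass, field

# Added example. All sample suppliers and the mappings marked ASSUMED are
# illustrative choices, not part of the original template.


@dataclass
class Supplier:
    name: str
    part: str
    # The three criticality questions from the audit (True = yes)
    stops_shipping_14d: bool
    stops_commitment: bool
    needs_requalified_alternate: bool
    reliability: int           # 1-5, ASSUMED orientation: 5 = most reliable
    concentration_pct: float   # share of this part the supplier represents, 0-100
    # The four backup-coverage checks
    named_alternate: bool
    qualified_part_numbers: bool
    recent_test_order: bool
    lead_time_and_price_on_file: bool
    external_exposure: int     # 1-5, entered by the reviewer
    # Tier-2 answers; None records an unknown rather than dropping the row
    tier2_answers: dict = field(default_factory=dict)


TIER2_QUESTIONS = ("upstream_location", "upstream_single_sourced", "last_upstream_disruption")


def criticality_score(s: Supplier) -> int:
    """Two yeses -> 4, three yeses -> 5 (template rule). 0/1 yes ASSUMED as 1/2."""
    yeses = sum([s.stops_shipping_14d, s.stops_commitment, s.needs_requalified_alternate])
    return {0: 1, 1: 2, 2: 4, 3: 5}[yeses]


def backup_coverage_score(s: Supplier) -> int:
    """ASSUMED: 1 + number of passing checks, so an alternate that exists
    only 'in theory' scores 1 and a fully qualified one scores 5."""
    checks = [s.named_alternate, s.qualified_part_numbers,
              s.recent_test_order, s.lead_time_and_price_on_file]
    return 1 + sum(checks)


def exposure_score(s: Supplier) -> float:
    """Heatmap value: criticality x unreliability, weighted by concentration share."""
    unreliability = 6 - s.reliability
    return criticality_score(s) * unreliability * (s.concentration_pct / 100.0)


def exposure_heatmap(suppliers):
    """Rows of (name, part, criticality, reliability, exposure), highest exposure first."""
    rows = [(s.name, s.part, criticality_score(s), s.reliability, round(exposure_score(s), 2))
            for s in suppliers]
    return sorted(rows, key=lambda r: r[4], reverse=True)


def single_source_register(suppliers, threshold_pct=80.0):
    """Suppliers at >= 80% concentration on a critical input (ASSUMED: criticality >= 4)."""
    return [{"supplier": s.name, "part": s.part, "concentration_pct": s.concentration_pct,
             "criticality": criticality_score(s), "backup_coverage": backup_coverage_score(s)}
            for s in suppliers
            if s.concentration_pct >= threshold_pct and criticality_score(s) >= 4]


def tier2_unknowns(suppliers):
    """Count unanswered Tier-2 questions across Tier-1s scoring 4 or 5 on criticality.
    The pattern of unknowns is the map of where visibility needs to improve."""
    counts = {q: 0 for q in TIER2_QUESTIONS}
    for s in suppliers:
        if criticality_score(s) < 4:
            continue
        for q in TIER2_QUESTIONS:
            if s.tier2_answers.get(q) is None:
                counts[q] += 1
    return counts


# Constructed sample rows: one critical single-source with no real backup,
# one critical supplier with a mostly qualified alternate, and one high-
# concentration but non-critical supplier (concentration alone is not risk).
SAMPLE_SUPPLIERS = [
    Supplier("Acme Castings", "housing-A1", True, True, True, reliability=2, concentration_pct=100,
             named_alternate=False, qualified_part_numbers=False, recent_test_order=False,
             lead_time_and_price_on_file=False, external_exposure=4,
             tier2_answers={"upstream_location": "foundry, region X",
                            "upstream_single_sourced": None, "last_upstream_disruption": None}),
    Supplier("Beta Resins", "resin-R7", True, False, True, reliability=4, concentration_pct=85,
             named_alternate=True, qualified_part_numbers=True, recent_test_order=False,
             lead_time_and_price_on_file=True, external_exposure=2,
             tier2_answers={"upstream_location": None, "upstream_single_sourced": True,
                            "last_upstream_disruption": "plant outage (sample)"}),
    Supplier("Gamma Office Supply", "labels-L2", False, False, False, reliability=5, concentration_pct=90,
             named_alternate=True, qualified_part_numbers=True, recent_test_order=True,
             lead_time_and_price_on_file=True, external_exposure=1),
]

if __name__ == "__main__":
    for row in exposure_heatmap(SAMPLE_SUPPLIERS):
        print("heatmap:", row)
    for entry in single_source_register(SAMPLE_SUPPLIERS):
        print("register:", entry)
    print("tier-2 unknowns:", tier2_unknowns(SAMPLE_SUPPLIERS))
```

Gamma Office Supply is the useful negative case: it sits at 90% concentration and would top a spend- or concentration-only ranking, but with no "yes" on the operational questions it scores 1 on criticality and stays off the single-source register, which is the distinction the criticality section draws.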

Cadence and review rhythm

A supplier risk audit is not a one-time exercise. The right rhythm for most mid-market manufacturers is:

  • Full audit annually, scoped to the top two product lines by revenue.
  • Quarterly refresh on the single-source register and any supplier scoring ≥ 4 on criticality.
  • Monthly delta review — what moved, what new exposure appeared, what coverage closed.

The point of cadence is not the audit document. It's that supplier risk becomes a standing operating conversation rather than a fire-drill artifact you produce after a disruption.


Run this audit against your real supplier list.

Bring a BOM, supplier list, or even a flat CSV — ChainsSignal returns a first dependency map and the top exposures within a working day.