Your ERP already holds all the data you need to score your suppliers. Delivery lead times, non-conformity rates, invoicing history — the raw material is there. What’s missing is the methodology to turn it into an actionable risk map your procurement teams can actually use.
According to a Gartner study published in August 2024, 73% of companies have modified their supplier networks over the past two years to reduce exposure to disruptions (Gartner, 2024). McKinsey further estimates that a supply chain disruption lasting more than one month now occurs on average every 3.7 years, and can cost up to 45% of annual earnings over a decade (McKinsey, 2025).
This guide gives you a concrete methodology to build supplier scoring in your ERP, select the right modules, and meet current regulatory requirements.
Why Supplier Risk Management Has Become Urgent in 2026
CSDDD: Corporate Due Diligence Now Extends to Your Supply Chain
The EU Corporate Sustainability Due Diligence Directive (CSDDD, Directive 2024/1760) has been in force since July 2024. Following the Omnibus amendment published in 2026, its scope was revised upward: companies with more than 5,000 employees and more than €1.5 billion in global turnover are now in scope, with a compliance deadline set at 26 July 2029.
In practical terms: you must identify, prevent, and remedy adverse impacts on human rights and the environment throughout your supply chain. Without a structured supplier mapping in place, demonstrating that vigilance becomes impossible.
For mid-market companies below the CSDDD thresholds, pressure is coming through their enterprise customers, who are cascading their own obligations down to their supplier panels.
Geopolitical Context: The Single-Source Trap
Between 2020 and 2025, supply chain disruptions exposed the fragility of networks built around a single source for critical components. An export restriction, a blocked port, a factory fire — an unidentified single-source dependency can halt production for three to eight weeks.
The best-documented example remains the semiconductor crisis of 2021–2022, but similar situations now regularly affect raw materials, specialised packaging, and spare parts with long substitution lead times.
The primary objective of supplier scoring is to identify your critical single-source dependencies before they become an operational crisis.
Mounting ESG Regulatory Pressure on Your Supplier Panel
Beyond CSDDD, three European regulations now require traceability reaching back to individual suppliers:
- CSRD: if you are subject to sustainability reporting, you must be able to document the ESG practices of your key suppliers.
- EUDR (EU Deforestation Regulation): for in-scope commodities (cocoa, coffee, timber, soy, palm oil…), mandatory traceability to the plot of origin.
- CBAM (Carbon Border Adjustment Mechanism): imports of certain materials must be accompanied by a verified carbon footprint.
These requirements only reinforce the case for centralised supplier scoring in your ERP rather than scattered across departmental spreadsheets.
The 5 Supplier Risk Categories to Score
Financial Risk: Solvency First
A financially stressed supplier is a disruption risk before any actual failure: late deliveries, declining quality, requests for early payment, and eventually default.
Key indicators to monitor:
- Solvency score (Altman Z-score, Dun & Bradstreet scores, Creditsafe ratings)
- Payment behaviour: a supplier that pays its own sub-contractors late is an early warning signal
- Evolution of equity and net assets over three financial years
Geographic Risk: Mapping Concentration
Geographic concentration can be assessed at two levels:
- Country concentration: what share of your critical purchases comes from a single geographic zone?
- Single-source: for each critical reference, do you have at least two qualified suppliers capable of delivering?
A straightforward metric: the Herfindahl-Hirschman Index (HHI) adapted to your purchases by product family. The higher the HHI, the more concentrated your dependency.
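Both levels of the check above, computed from purchase-order history as an added Python example (not code from the page or any ERP): the HHI per product family from supplier spend shares, and the references bought from only one supplier over the period. The order lines, supplier names and references are constructed, and order history is used as a proxy for "qualified suppliers", which an ERP extract alone cannot confirm.

```python
from collections import defaultdict

# Constructed 12-month purchase-order lines (not from a real ERP):
# (product family, part reference, supplier, spend in EUR)
PO_LINES = [
    ("connectors", "CON-100", "SupA", 600_000.0),
    ("connectors", "CON-100", "SupB", 200_000.0),
    ("connectors", "CON-200", "SupA", 200_000.0),
    ("castings",   "CST-010", "SupC", 500_000.0),
    ("packaging",  "PKG-001", "SupD", 150_000.0),
    ("packaging",  "PKG-001", "SupE", 150_000.0),
    ("packaging",  "PKG-002", "SupF", 100_000.0),
]


def hhi(spend_by_supplier):
    """Herfindahl-Hirschman Index: sum of squared supplier shares expressed in
    percent, so a single supplier scores 10,000 and many small ones approach 0."""
    total = sum(spend_by_supplier.values())
    if total == 0:
        return 0.0
    return sum((spend / total * 100.0) ** 2 for spend in spend_by_supplier.values())


def family_concentration(lines):
    """HHI of supplier spend within each product family."""
    spend = defaultdict(lambda: defaultdict(float))
    for family, _ref, supplier, amount in lines:
        spend[family][supplier] += amount
    return {family: round(hhi(suppliers), 1) for family, suppliers in spend.items()}


def single_source_references(lines):
    """References ordered from exactly one supplier over the period: the
    dependencies to confirm against a second qualified source."""
    suppliers = defaultdict(set)
    for _family, ref, supplier, _amount in lines:
        suppliers[ref].add(supplier)
    return sorted(ref for ref, found in suppliers.items() if len(found) == 1)
```

Replacing spend by purchased quantity gives the same index weighted by volume rather than value, which is often the better basis for parts with long substitution lead times.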
Quality Risk: Data Already in Your ERP
Quality risk is the best-documented dimension in any ERP, provided teams have properly configured returns and non-conformity workflows:
- Non-conformity rate at goods receipt (NCR rate)
- Number of supplier returns per period and per reference
- Quality audit results, if structured in the procurement module
A supplier with an NCR rate above 2% warrants a systematic quarterly review.
Delivery Risk: OTD as the Central Indicator
On-Time Delivery (OTD) measures the percentage of deliveries that meet the confirmed date. It is the most directly actionable indicator:
- OTD > 95%: reliable supplier
- OTD between 85% and 95%: monitor, semi-annual review
- OTD < 85%: immediate action plan or sourcing alternative
In most ERPs, OTD is calculated from the reconciliation between the confirmed delivery date (order acknowledgement) and the actual receipt date.
Compliance Risk: GDPR, Anti-Bribery, ESG
This fifth dimension is often the least structured. Key questions to document for each active supplier:
- GDPR: if the supplier processes your customers’ data, is a Data Processing Agreement (DPA) in place?
- Anti-bribery: has the supplier signed your code of ethics? Are they eligible under your gifts and hospitality policy?
- ESG: do they hold an EcoVadis score or equivalent? Have they signed an ESG code of conduct?
Building a Scoring Matrix in Your ERP
Data Already Available in Your ERP
Before looking for external data, audit what your ERP already contains. For the vast majority of mid-market companies, the procurement and goods-receipt modules hold:
| Data | Source ERP module |
|---|---|
| Actual vs confirmed delivery lead times | Procurement, Goods Receipt |
| Non-conformity rates | Quality, Goods Receipt |
| Order history and volumes | Procurement |
| Supplier payment lead times | Finance / AP |
| Returns and credit notes | Procurement, Finance |
| Contacts and contractual documents | Master Data, DMS |
This data is sufficient to build scoring across quality, delivery, and dependency dimensions. That is typically 70% of the work, with no external integration required.
External Data to Integrate
For the financial and ESG dimensions, three connectors cover the bulk of the market:
- Dun & Bradstreet (D&B): the global reference for solvency and financial scores. API available, with ERP connectors for SAP and major mid-market platforms.
- Creditsafe: a more accessible alternative, covering 160 countries. Native integration in several mid-market ERPs.
- EcoVadis: the de facto standard for supplier ESG scoring. Scores out of 100 across four categories (environment, social, ethics, responsible procurement). Available via API or partner portal.
Scoring Matrix Example: 100-Point Weighting
Here is a sample weighting adapted to a manufacturing mid-market company:
| Category | Weight | Key Indicators |
|---|---|---|
| Quality (NCR, returns) | 40% | NCR rate, number of returns in prior year |
| Delivery (OTD) | 30% | 12-month rolling OTD |
| Financial (solvency) | 20% | D&B / Creditsafe score |
| ESG / Compliance | 10% | EcoVadis score, signed code of conduct |
A supplier scoring below 60/100 automatically enters a supplier development plan. Below 40/100, they move to “under surveillance” status, with a mandatory dual-sourcing requirement within 90 days.
This weighting is not universal: a food sector company will place more weight on quality and traceability. A pure-play e-commerce business will prioritise delivery and flexibility.
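The 100-point matrix above, fed by the OTD and NCR definitions from the earlier sections, worked through in Python as an added example (not code from the page or from any ERP vendor). The goods-receipt lines are constructed; the mapping of OTD and NCR onto 0-100 points, the cap applied when no code of conduct is signed, and the assumption that the D&B/Creditsafe and EcoVadis inputs already arrive on a 0-100 scale are choices of this example, not the page's.

```python
from datetime import date

# Constructed goods-receipt lines for one supplier (not from a real ERP):
# (confirmed delivery date, actual receipt date, quantity received, quantity rejected)
RECEIPTS = [
    (date(2025, 1, 10), date(2025, 1, 10), 200, 0),
    (date(2025, 2, 14), date(2025, 2, 18), 200, 12),  # four days late, 12 parts rejected
    (date(2025, 3, 12), date(2025, 3, 11), 200, 0),   # a day early still counts as on time
    (date(2025, 4, 9),  date(2025, 4, 9),  200, 8),
    (date(2025, 5, 20), date(2025, 5, 20), 200, 0),
]

def otd_pct(receipts):
    """On-Time Delivery: share of receipts on or before the confirmed date, in percent."""
    on_time = sum(1 for confirmed, actual, _, _ in receipts if actual <= confirmed)
    return 100.0 * on_time / len(receipts)

def ncr_pct(receipts):
    """Non-conformity rate at goods receipt: rejected quantity over received quantity."""
    received = sum(qty for _, _, qty, _ in receipts)
    rejected = sum(rej for _, _, _, rej in receipts)
    return 100.0 * rejected / received

# Point mappings are assumptions of this example: OTD 70% -> 0 pts and 100% -> 100 pts
# (the page's 85% / 95% bands land at 50 / 83 pts); NCR 0% -> 100 pts and 4% -> 0 pts
# (the page's 2% review threshold lands at 50 pts).
def delivery_points(otd):
    return max(0.0, min(100.0, (otd - 70.0) * 100.0 / 30.0))

def quality_points(ncr):
    return max(0.0, min(100.0, 100.0 - ncr * 25.0))

WEIGHTS = {"quality": 0.40, "delivery": 0.30, "financial": 0.20, "esg": 0.10}

def supplier_score(receipts, financial_score, ecovadis_score, code_signed):
    """Weighted score on 100 points with the page's weights; financial (D&B /
    Creditsafe) and EcoVadis inputs are assumed to already be on a 0-100 scale."""
    esg = ecovadis_score if code_signed else min(ecovadis_score, 50.0)  # cap is an assumption
    return round(WEIGHTS["quality"] * quality_points(ncr_pct(receipts))
                 + WEIGHTS["delivery"] * delivery_points(otd_pct(receipts))
                 + WEIGHTS["financial"] * financial_score
                 + WEIGHTS["esg"] * esg, 1)

def required_action(score):
    """Thresholds from the page: below 60 development plan, below 40 under surveillance."""
    if score < 40:
        return "under surveillance: dual sourcing required within 90 days"
    if score < 60:
        return "supplier development plan"
    return "no action"
```

With the constructed receipts (OTD 80%, NCR 2.0%), a financial score of 70 and a signed EcoVadis 55, the supplier lands at 49.5 and enters a development plan; the same receipts with OTD at 96% would clear 60.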
Which ERP Modules Natively Address Supplier Risk?
SAP Ariba Supplier Risk (Tier 1)
SAP Ariba Supplier Risk is the most comprehensive solution on the market. It centralises internal SAP data (orders, goods receipts, quality) with external feeds (D&B, EcoVadis, LexisNexis for compliance) and generates automatic alerts when a supplier’s risk profile deteriorates.
The constraint: Ariba licensing costs position it firmly in the enterprise segment. For mid-market companies with 200–500 employees, the ROI needs to be justified by a large panel (>100 active suppliers) and clear CSDDD obligations.
Oracle Procurement Cloud / Supplier Qualification Management
Oracle natively includes a supplier qualification module in its Procurement Cloud suite. The onboarding process (questionnaire, validation, initial scoring) is structured, and continuous monitoring draws on transactions across the Oracle platform.
Key advantage for multi-entity groups: supplier panel consolidation at group level is native, with differentiated approval policies by entity.
Microsoft Dynamics 365 SCM + Vendor Collaboration
Dynamics 365 Supply Chain Management includes a Vendor Collaboration portal that allows suppliers to confirm purchase orders, submit shipping confirmations, and view their performance history.
Native scoring is limited: you typically need to supplement with Power BI (risk dashboards) and a Creditsafe or D&B integration via Power Automate. A good fit for mid-market companies already operating within the Microsoft ecosystem.
Odoo Purchase + Creditsafe Connector
Odoo does not include a dedicated supplier risk management module in the strict sense. However, combining the Purchase module (OTD, NCR via Quality) with the Creditsafe connector available on the Odoo App Store covers the financial and delivery dimensions effectively.
For companies running Odoo 17+, the Spiffy Supplier Scoring community module offers a configurable scoring matrix directly within the procurement interface.
Sage Intacct / Sage X3: Native Limitations
Sage platforms contain basic indicators within the procurement module (OTD, returns) but do not offer structured supplier scoring natively. Integrator partners typically provide add-on extensions or connections to dedicated sourcing platforms such as Ivalua or Jaggaer for more complex supplier panels.
3 Concrete Actions for This Quarter
1. Audit your active supplier list
Extract from your ERP the full list of suppliers with at least one order in the past 12 months. Identify those for which you are single-source on a critical reference. The goal: understand your exposure before investing in tooling.
2. Configure at least 3 KPIs in your ERP
For each active supplier, calculate directly in your ERP:
- 12-month rolling OTD
- Non-conformity rate at goods receipt
- Average payment lead time (actual vs contractual)
These three indicators cover 70% of operational risk and require no external tools.
3. Establish a quarterly review cycle
Formalise a quarterly procurement meeting built around an ERP dashboard. Identify the 10 most critical suppliers (by volume and single-source status) and the 5 with the lowest scores. For each, decide: action plan, alternative sourcing development, or planned de-listing.
This review cycle is also what CSDDD expects as evidence of “active vigilance”: documented decisions made on the basis of a structured risk assessment.
To go deeper on the regulatory dimension, read our guide on CSDDD compliance and what corporate due diligence means for your ERP and our article on digitising B2B procurement with an ERP vendor portal. For the broader supply chain integration picture (WMS, TMS, demand planning), see our integrated ERP supply chain guide 2026.