Overview
A medical device firm vetted suppliers thoroughly at onboarding but had little continuous visibility into changing risk signals. Financial stress, sanctions changes, and adverse news surfaced late, often near renewals or when quality issues appeared, forcing emergency re-sourcing. Intelligex connected external risk feeds to the firm's Supplier Relationship Management (SRM) platform, standardized supplier identity, and stood up a scored dashboard with thresholds that routed items to Procurement and Compliance for review. Issues began surfacing early, the review process became predictable, and sourcing decisions carried a clear audit trail.
Client Profile
- Industry: Medical devices and diagnostics
- Company size: Global manufacturer with multi-tier supply base
- Stage: Mature quality system formalizing continuous supplier risk monitoring
- Department owner: Procurement, Supply Chain & Logistics
- Other stakeholders: Supplier Quality Engineering (SQE), Quality/Regulatory, Compliance, Legal, Finance, IT/Security, Internal Audit, Regional Sourcing Teams
The Challenge
Supplier onboarding included diligence on financial stability, sanctions screening, and quality certifications. After approval, monitoring relaxed into periodic reviews driven by renewal dates or incident reports. Risk indicators were scattered: a finance analyst kept a watchlist, Compliance checked sanctions lists irregularly, and regional teams tracked news about key suppliers informally. Changes in ownership, legal status, or credit health did not consistently reach the SRM record.
When issues surfaced (an adverse media report, a sanctions listing, or a drop in a supplier's financial health), they arrived via email threads with screenshots and links. Decisions about holds, additional audits, or alternate sourcing required urgent alignment across Procurement, Supplier Quality, and Compliance. Evidence and rationale lived in attachments, not in a system of record. The lack of a continuous, governed view led to last-minute surprises and avoidable disruptions.
Regulatory scrutiny raised the stakes. The company's quality system aligned to medical device standards and supplier controls, but the monitoring process did not provide a consistent mechanism for detecting changes and documenting responses. Leadership wanted a single, scored view of supplier risk, tied to the SRM record, with clear thresholds and routing that met audit expectations without introducing a new system for day-to-day buyers.
Why It Was Happening
Each function monitored a slice of risk with its own tools. Finance reviewed credit and payment behavior. Compliance checked sanctions and watchlists. Quality tracked certifications and audit outcomes. There was no common identity for suppliers across feeds, so signals could not be tied confidently to a single record. Without thresholds, reviews were driven by inboxes and anecdotes instead of a shared policy.
The SRM captured onboarding artifacts and performance metrics, but it was not wired to external signals on a steady cadence. Data arrived in bulk at renewal time or as one-off checks. Decisions and exceptions were captured in meetings or emails rather than linked to the supplier profile. The result was reactive risk management and rework when downstream teams needed to trace decisions.
The Solution
Intelligex implemented a continuous monitoring layer that connected external feeds for financial health, sanctions, and adverse news to the SRM. Supplier identities were standardized and mapped to corporate family trees. A scoring engine translated signals into a simple risk score with clear thresholds. Items crossing thresholds created review tasks for Procurement and Compliance, and all evidence and decisions were attached to the SRM record. Dashboards provided a portfolio view with drill-down to supporting details. The approach integrated with existing tools, emphasized human decision-making, and created repeatable governance.
- SRM integration to surface risk scores, supporting evidence, and review tasks within existing supplier profiles. Example pattern aligned to SAP Ariba Supplier Risk.
- Financial health data ingestion and supplier identity enrichment with corporate linkages from a reputable provider. Reference for supplier risk content: Dun & Bradstreet Supplier Risk.
- Sanctions and watchlist screening against official sources, refreshed on a predictable cadence. Background: U.S. Treasury OFAC and the EU's Sanctions Map.
- Adverse media monitoring that flagged credible reports tied to suppliers and parent entities, with deduplication and severity tagging to reduce noise.
- Standardized supplier identity using global identifiers and legal entity resolution to associate signals reliably with SRM records.
- Risk scoring engine with weighted domains (financial, compliance, media, operational) and thresholds for alert, review, and hold. Weights were policy-owned and versioned.
- Workflow orchestration that generated review tasks for Procurement and Compliance, captured outcomes and mitigations, and escalated holds to Supplier Quality when necessary.
- Dashboards for portfolio and category views with filters by region, risk domain, and mitigation status, built in the company's analytics toolset.
- Audit trail capturing source feeds, scores, thresholds crossed, reviewers, decisions, and effective dates.
- Quality system alignment with supplier controls under medical device standards. Background: ISO 13485.
Implementation
- Discovery: Cataloged current onboarding checks, sources for financial and sanctions data, and how alerts were handled. Mapped supplier identifiers across ERP, SRM, and accounts payable. Documented quality system expectations for supplier monitoring and audit evidence with Quality and Regulatory Affairs.
- Design: Defined the supplier identity model and corporate family mapping. Designed risk domains, scoring weights, and thresholds with Compliance and Procurement. Specified integration touchpoints to create tasks, attach evidence, and update risk fields in the SRM. Outlined the review workflow and escalation paths.
- Build: Implemented connectors for external feeds, identity resolution, and deduplication. Built the scoring engine and threshold logic. Integrated with the SRM to display scores, create review tasks, and store artifacts. Developed dashboards for portfolio and drill-down views with role-based filters.
- Testing and QA: Ran the pipeline in shadow mode, scoring suppliers without generating tasks, and compared results to known issues and past incidents. Tuned identity resolution and scoring weights to reduce false positives. Verified that review tasks, attachments, and audit logs behaved correctly in the SRM sandbox.
- Rollout: Started with a subset of strategic suppliers and critical categories. Enabled alerting for threshold breaches with human review required before any holds. Expanded coverage by category and region as confidence in scoring and identity mapping increased. Maintained feature flags to adjust thresholds without code changes.
- Training and hand-off: Delivered role-based sessions: Procurement on interpreting scores and initiating mitigations; Compliance on sanctions adjudication and documentation; Supplier Quality on escalation criteria; and category managers on dashboard use. Provided a playbook covering scoring definitions, evidence expectations, and decision templates.
- Human-in-the-loop review: All threshold-triggered items required review and a recorded rationale. The system proposed actions based on policy, but humans confirmed holds, mitigations, or dismissals. Exceptions and overrides were time-bounded and visible on the supplier record.
Results
Risk moved from a periodic checklist to a continuous, governed process. Financial stress, sanctions changes, and adverse news appeared in the SRM as scored alerts with evidence, instead of as scattered emails. Procurement and Compliance reviewed items in a predictable sequence, decisions were logged on the supplier record, and mitigations were visible to downstream teams.
Renewals and sourcing events met fewer surprises because signals surfaced early. Category managers prioritized alternates with adequate lead time, Supplier Quality scheduled targeted audits, and Legal had a clear record of what was reviewed and why. Emergency source changes tapered, and internal discussions centered on policy thresholds and mitigations rather than on tracking down links and screenshots.
What Changed for the Team
- Before: One-time vetting and ad hoc emails; After: Continuous feeds with scored alerts inside the SRM.
- Before: Inconsistent supplier identity across systems; After: Standardized legal entity mapping with corporate family context.
- Before: Debates over whether to act; After: Policy-driven thresholds and clear review tasks with assigned owners.
- Before: Evidence buried in attachments; After: Artifacts and decisions attached to the supplier record with an audit trail.
- Before: Surprises at renewal; After: Early visibility with time to mitigate or source alternatives.
- Before: Portfolio blind spots; After: Dashboards showing risk by category, region, and mitigation status.
Key Takeaways
- Make supplier risk a continuous signal into the SRM, not a calendar reminder at renewal.
- Standardize identity and corporate families so external signals attach to the right supplier every time.
- Translate raw feeds into a simple, policy-owned score with thresholds that route work to the right reviewers.
- Keep humans in charge of holds and mitigations; capture rationale and evidence on the supplier record.
- Roll out by critical categories and run in shadow mode first to tune identity matching and scoring weights.
- Align monitoring and documentation with medical device quality requirements so audits rely on the SRM, not inboxes.
FAQ
What tools did this integrate with?
The solution fed risk signals into the existing SRM, where scores, evidence, and tasks were visible on supplier profiles. External sources included financial health and corporate linkage data, sanctions and watchlists from official sources such as OFAC and the EU's Sanctions Map, and adverse media monitoring. The pattern aligned with platforms like SAP Ariba Supplier Risk for in-platform display and workflows.
How did you handle quality control and governance?
Supplier identity was standardized with global identifiers and corporate family mappings. Scoring weights and thresholds were policy-owned and versioned. All threshold breaches generated tasks with required evidence and a documented decision. Overrides were time-bounded and visible. The audit trail captured source signals, scores, reviewers, and effective dates, supporting both internal audit and regulatory expectations under frameworks like ISO 13485.
How did you roll this out without disruption?
The monitoring ran in shadow mode first, scoring suppliers without creating tasks. Results were compared to known issues and past incidents. A pilot group of critical suppliers enabled early learning while the legacy process remained in place. Thresholds and identity-matching rules were adjusted through feature flags. Once confidence grew, alerts and tasks were enabled broadly.
How were sanctions and adverse news handled?
Sanctions lists were refreshed on a predictable cadence and screened against standardized legal entities and known aliases. Matches generated review tasks for Compliance with links to official listings and a place to record adjudication. Adverse media was filtered for credibility and relevance, deduplicated, and tied to entities or corporate parents before alerting, which reduced noise for reviewers.
How did you reduce false positives and avoid duplicate alerts?
Identity resolution combined legal names, registration details, and corporate linkages to match feeds reliably. Scoring incorporated severity and recency, and alerts required crossing policy thresholds. Dismissals carried a reason and a cooling period, so the same non-issues did not re-trigger immediately. Where signals persisted or escalated, the system re-opened the review with prior context attached.
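The scoring and alert-suppression logic described under The Solution and in the answer above can be sketched as follows. This is an added example, not Intelligex's or the client's code; the weights, thresholds, half-life, cooling period, and all names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy values are assumptions constructed for this example; the case study gives no numbers.
POLICY = {
    "version": "example-v1",
    "weights": {"financial": 0.3, "compliance": 0.4, "media": 0.15, "operational": 0.15},
    "thresholds": {"alert": 20, "review": 40, "hold": 70},
    "half_life_days": 90,   # recency: a signal's severity halves every 90 days
    "cooling_days": 30,     # a dismissed item stays quiet this long unless it escalates
}

@dataclass
class Signal:
    domain: str
    severity: int           # 0-100, assigned by the feed connector
    observed: date

@dataclass
class Dismissal:
    on: date
    band: str
    reason: str

def score(signals, today, policy=POLICY):
    """Weighted sum of the worst recency-decayed severity in each domain."""
    worst = {}
    for s in signals:
        decayed = s.severity * 0.5 ** ((today - s.observed).days / policy["half_life_days"])
        worst[s.domain] = max(worst.get(s.domain, 0.0), decayed)
    return round(sum(policy["weights"][d] * v for d, v in worst.items()), 1)

def band(value, policy=POLICY):
    """Highest threshold the score reaches, or None below 'alert'."""
    crossed = [b for b, floor in policy["thresholds"].items() if value >= floor]
    return max(crossed, key=policy["thresholds"].get, default=None)

def evaluate(signals, today, dismissal=None, policy=POLICY):
    """Return the task decision; the band is only a proposal for human reviewers."""
    value = score(signals, today, policy)
    result = {"score": value, "proposed": band(value, policy), "policy": policy["version"]}
    if result["proposed"] is None:
        return {**result, "task": "none"}
    if dismissal is None:
        return {**result, "task": "open"}
    floors = policy["thresholds"]
    cooling = today - dismissal.on < timedelta(days=policy["cooling_days"])
    if cooling and floors[result["proposed"]] <= floors[dismissal.band]:
        return {**result, "task": "suppressed"}
    # Escalated during cooling, or persisted past it: reopen with prior context.
    return {**result, "task": "reopen", "prior": dismissal.reason}
```

Recording the policy version in every result lets an audit trail show which weights and thresholds produced a given task.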
Department/Function: IT & Infrastructure, Legal & Compliance, Procurement, Supply Chain & Logistics
Capability: Data Integration, Pipelines & Reliability