A production line goes down on a Thursday afternoon. The critical-path supplier for the failed component was qualified 18 months ago: a positive reference call, a folder of scanned certificates, and the procurement manager's informal approval over email. The ISO certification in that folder expired eight months ago. Nobody noticed because there is no process for tracking document expiry on vendor records, only a shared folder and the implicit assumption that someone is monitoring it. When the certification auditor arrives the following week, the company has an active critical supplier with a lapsed qualification and no approval trail to show.
A folder of certificates is not a qualification process. It's a filing system. The distinction matters enormously when an auditor, a regulator, or an enterprise customer asks you to demonstrate how a vendor was evaluated, not that they have certificates.
ISO 9001:2015 Clause 8.4 sets an explicit requirement: the organization shall determine controls applied to externally provided processes, products, and services, and shall establish documented criteria for evaluation, selection, monitoring, and re-evaluation of external providers. In an internal first-party audit, a quality engineer's scoring sheet usually passes. In a third-party certification audit or an enterprise customer's supply chain audit, the required evidence is a qualification record that shows: criteria applied, nonconformities found, corrective actions taken, and the approval attributed to a named role. 'We have a folder of vendor certificates' does not meet this standard.
Structure the vendor onboarding as a Flow with four distinct phases: document collection (procurement analyst), technical and risk review (quality and legal), a formal committee approval gate, and operational registration. Each document has an owner and a deadline. The committee gate requires each member's explicit approval, not a reply-all email, and no phase advances until all requirements are met.
Risk classification is where the flow adapts to vendor type. A service provider and a raw material supplier carry different compliance requirements and different audit exposure. Conditional logic in the Flow template activates the requirements appropriate for each vendor category at intake, rather than relying on the analyst to remember which checklist applies to which supplier.
The ongoing dimension of vendor management is as important as initial qualification. Annual re-qualification, SLA performance reviews, and audit cycles are recurring Flows that tie back to the original supplier record. When a vendor's certification is approaching expiry, Cadenio fires the renewal alert and opens the re-qualification run automatically, rather than relying on a calendar reminder that may or may not reach the right person.
Most procurement teams underestimate the commercial angle. Enterprise customers increasingly include supply chain audit requirements as contract conditions, asking not just whether your suppliers are qualified, but how they were qualified, who signed off, and on what cadence they're re-evaluated. A policy describes what you intend to do. A run history shows what you actually did, when, and with whose approval. For teams competing on contracts where supply chain integrity is a selection criterion, that distinction is the edge.
