Rethinking Supplier Assessment with the Supplier Performance Risk System
Chapter 1
The Many Dimensions of Risk in SPRS
Eric Marquette
Welcome back to the Procurement Federal Acquisition Supplement & Defense Federal Acquisition Supplements Clauses podcast. I'm Eric Marquette, here as usual with Ruby and Paul. Today we're diving into what might be one of the most misunderstood but critical tools in DoD supplier evaluations: the Supplier Performance Risk System, or SPRS. Now, if you're just joining from last week's episode, where we talked about the precedence of contract documents, this topic should feel like a natural progression—because the way suppliers are ranked can dictate entire outcomes on major contracts.
Ruby Sturt
Yeah, and SPRS is so much more than just a cybersecurity check or a sticker price thing—it's a risk buffet! I feel like people think, "Oh, NIST 800-171? Pass! Cost's low? Win!" And then they're gobsmacked when they're dinged on delivery or flagged for item risk. The system’s, like, looking under the hood, the trunk, and even the glovebox.
Paul Netopski
That's exactly right, Ruby. SPRS evaluates supplier risk, price risk, and item risk—so, three major buckets. Supplier risk is about performance—so, the probability that the supplier can't fulfill the contract or creates a supply chain risk. Item risk focuses on whether that specific product could introduce mission or safety problems. And price risk checks whether your price is actually consistent with what the government’s paid before, or if it's a red flag outlier. Focusing on just one of those and ignoring the rest is basically asking for trouble.
Eric Marquette
I know that trap all too well. In one of my earliest media gigs, I was obsessed with keeping costs down—underbid the competition, promise everything. But when we got the job, it turned out the lowest bid had hidden quality issues. There were late nights, delayed deliverables, and, in the end, the project wound up costing so much more than we’d saved up front. Looking back, it’s the same core risk principle SPRS is trying to capture—it’s not enough to just look at the sticker price or the score on a spreadsheet. If the supplier’s late, or an item’s flagged as a high risk, that affects everything down the line.
Paul Netopski
And that's why, in the SPRS, you're being scored on delivery, quality, suspected counterfeits, price consistency, and especially supplier integrity. A high NIST 800-171 assessment might keep you in the running, but poor track records on on-time delivery or a history of corrective actions—those get factored in separately and can weigh down your overall supplier risk score.
Ruby Sturt
So true. And I love that you mentioned supplier integrity, Eric. There's this whole section in the SPRS where integrity records—like a past termination for default or some defective pricing—get you docked. It’s genuinely holistic. You could ace cybersecurity, but if you’ve been caught submitting counterfeits, sorry mate, that’s a massive red X.
Eric Marquette
Exactly. And the weighting isn't even across these categories. Some factors, like suspected counterfeit items, immediately start negative and just get worse with more records. You can't just patch that with a couple positive survey results.
Paul Netopski
Right. Plus, SPRS is pulling all this data in—from EDA, FPDS, DLA, CPARS, GIDEP, even the SAM system for excluded vendors. So it's not relying on a single report or some isolated bad day—it's tracking patterns and, importantly, it’s designed to slowly 'forget' older issues as they age out. You can recover, but it's not instant.
Chapter 2
Inside the SPRS Scoring Engine
Ruby Sturt
So let's talk nuts and bolts. Paul, can you help us unpack how the scoring actually works? 'Cause I peeked at the formulas, and, whew, there’s more math in there than on my last tax return.
Paul Netopski
Yeah, it’s a lot to decode—but let's break it down. The supplier risk score is the sum of ten risk factors, each with its own calculation. First: quality and delivery. Every contract’s quality issues, product defect reports, corrective actions, even good deliveries—they’re all weighted based on how recent they are, using what SPRS calls an "age-weight multiplier." So, more recent stuff matters more.
Eric Marquette
The scaling factor is another interesting bit—it kind of normalizes scores so big suppliers and small ones are assessed fairly. It makes comparison across the board a bit more level, but it won't hide consistent poor performance, will it?
Paul Netopski
No chance. And delivery's huge: If you’re early or on time, you get positive weighting; late or terminated contracts? Negative. And then come the color bands—that’s where we go from numbers to what procurement folks actually see. Blue is the top 5% of performers, purple's the next 10%, green is the solid 70% in the middle, yellow is the next 10%, and red is the bottom 5%. If you’re in the red, you're in trouble—and if it's for a high-risk product or critical supplier, that can be the end of the story for getting future work.
Ruby Sturt
But the magic is, you can have two suppliers with identical NIST compliance or cyber scores—and completely different SPRS colors. Paul, you had an example about something like this?
Paul Netopski
Absolutely. I saw two suppliers—let’s call them Supplier Alpha and Supplier Bravo. Both ticked the NIST 800-171 boxes, both bid about the same, but Alpha had a hidden backlog of late deliveries and several corrective action requests. Those older negatives were still recent enough to matter. Their SPRS supplier color was yellow—whereas Bravo, who'd been routinely on time and had no recent integrity issues, was up in green, almost purple. The difference? Alpha’s issues were factored in with heavier age weights, and SPRS doesn’t forget easily—especially not in the first year or two after a problem.
Eric Marquette
I'm glad you brought up the color bands, Paul, because it’s easy to focus on that—"just get to blue, get to the top"—but you mentioned that the thresholds shift. If you’re sitting right near the cutoff, you might ping-pong between colors based on how your peers perform too. It’s a moving target!
Paul Netopski
Exactly. And government uses these colors as quick signals, but they look at the underlying factors too. It’s not only about the top color—context matters, patterns matter. Oh, and integrity records—those are a killer for your score, by the way. They're always negative, and stuff like defective pricing or a termination for default is hard to shake off for years.
Ruby Sturt
We see those examples all the time, even outside defense. You can't just charm your way out of a bad track record; that stuff's mathematically sticky in SPRS. Makes the system robust, but also a bit nerve-wracking for suppliers, I reckon.
Chapter 3
Integrating SPRS into Acquisition and SCRM
Eric Marquette
So, how do program managers and contracting officers actually use SPRS? Because it's not just, “Oh, you’re in the red, you’re out.” There’s more nuance, right?
Paul Netopski
Absolutely. They’re blending SPRS outputs with other tools and a bit of professional judgment. SPRS scores tell you the probability of performance issues, but officers also factor in market research, sometimes due diligence reports, the actual requirements, and even intelligence-related supplier assessments—especially for supply chain risk management, or SCRM.
Ruby Sturt
And that's where it really links up with supply chain risk management workflows. But let’s be real—most folks don’t start talking about SCRM until something goes spectacularly wrong. Early illumination, though, is what the SCRM guidebook hammers home. The sooner you spot a risk, the cheaper and easier it is to dodge a crisis—whether that’s a dodgy supplier or some rare earth material shortage down the road.
Paul Netopski
Spot on. SCRM calls out four strategies when risks pop up: accept, avoid, transfer, or control. So once SPRS flags a risk, you figure out which strategy makes sense. Let's say an item’s flagged as high risk — maybe it’s critical and also has a history of counterfeiting in GIDEP. You might control the risk by diversifying suppliers, or avoid it altogether by changing the requirements or excluding that item. Or, sometimes you transfer risk — maybe you add contract language so the supplier assumes some liabilities. Each approach has to be justified, documented, and monitored as the program evolves.
Ruby Sturt
I mean, in Australia, we joke about our supply chains being resilient 'cause we've got bushfires, floods, the odd python in the warehouse. But honestly, if you catch the risk early thanks to an SPRS report, you can keep your project on track—or save yourself from a very expensive, very public mess. The SCRM workflow is literally “plan, illuminate, share, assess, respond,” on repeat.
Eric Marquette
That’s the trick, isn’t it? Tying SPRS data into broader risk registers, iterating your risk responses—because, let's be honest, risk never really goes away; it just changes shape. Having those daily-updated SPRS scores is like an early warning signal you can act on, not just another bureaucratic tick box.
Paul Netopski
And sharing those risks internally—across the enterprise—matters just as much. If one program uncovers something through SPRS, sharing that insight could prevent another team from going down the same rabbit hole. SCRM and SPRS aren’t about eliminating all uncertainty; they’re about giving decisionmakers the right information, early, so you can mitigate rather than scramble at the last minute. It's a whole ecosystem of tools, not just a single dashboard.
Ruby Sturt
Totally. Sometimes it feels like a never-ending game of whack-a-mole, but having something like SPRS means you’ve got the mallet ready—most of the time, anyway.
Eric Marquette
All right, that's a wrap for today's session on rethinking supplier assessment with SPRS. If you're just catching up, make sure to listen to previous episodes on data rights and incident response, which layer perfectly with these risk topics. Thanks to Ruby and Paul for the banter and the brains as always. We'll be back soon with more on procurement, negotiation options, and what’s changing next in federal acquisition. Until then, take care.
Ruby Sturt
Catch ya next time! Cheers, Paul. Cheers, Eric.
Paul Netopski
Great discussion, as always. See you both next episode.
