Supplier Certification Gap Remediation at a Fortune 100 Life Sciences Manufacturer

A corporate auditor at a Fortune 100 life sciences manufacturer flagged 3 key suppliers for missing compliance certificates. When the quality team investigated, they found that 64 out of 116 key suppliers had no valid certificates on file. The root cause was not negligence. It was contact decay: the people they had been emailing had left, changed roles, or simply stopped responding, and the team had no way to find replacements at scale.

This case study explains what happened, how the team attempted manual remediation, and what automated contact discovery and outreach would have changed.

The Trigger

The problem surfaced during a routine corporate audit. An auditor reviewed supplier compliance files for a business unit and flagged 3 key suppliers as missing required certificates. This is a standard audit finding. Missing supplier certificates are one of the most common issues flagged in quality system audits across regulated industries.

Three missing certificates is a manageable problem. The quality team could contact those 3 suppliers, request the documents, and close the finding within a few weeks.

But the Senior Supplier Quality Engineer responsible for the supplier base decided to look further. If 3 out of a small sample were missing certificates, what was the actual number across the full key supplier list?

The answer was far worse than expected.

Out of 116 key suppliers, 64 had no valid certificates on file.

More than half. Not because anyone had decided those certificates were not important. Because the process of collecting and maintaining them had quietly broken down over time.

The Root Cause: Contact Decay

The quality team had been emailing suppliers to request certificates. For many suppliers, they had sent 2, 3, 4, even 5 follow-up emails. No response. Eventually, the requests stopped. Not because anyone made a conscious decision to give up, but because there is a limit to how many times you can email someone who does not reply.

The underlying problem was that the contacts were wrong. People had left the company. Roles had changed. Email addresses were outdated. The requests were going into inboxes that no one was reading.

“What if those people leave the company? All my attempt to reach out to you… it’s not going to work.” — Senior SQE at the company

This is contact decay, and it is structural. In a supplier base of any size, contacts change constantly. People leave their jobs, get promoted, transfer to different facilities, or retire. Without a systematic way to detect and replace stale contacts, every outreach program gradually degrades. Response rates drop. Gaps accumulate. And because the process is spread across hundreds of suppliers, no single failure is dramatic enough to trigger an alarm. The deterioration is invisible until someone checks.

The Manual Remediation

Once the team understood the scope of the problem, they launched a remediation project.

Step 1: Clean the Supplier List

The full supplier list contained approximately 1,300 names. The team cleaned this to roughly 900 by removing suppliers with no purchase order activity in the past 4 years. These were dormant suppliers that were unlikely to be used again and could be addressed separately if needed.

Step 2: Build a Tracking Spreadsheet

The team built a comprehensive tracking spreadsheet listing all 900+ active suppliers, the required certificates for each, the current status (on file, expired, missing, requested), and outreach history. This spreadsheet became the central management tool for the remediation effort.

Step 3: Find Contact Information

This was the hardest step. The team pulled email addresses from SAP, hoping that the procurement contacts in the system could either provide the certificates themselves or forward the request to the right person.

For many suppliers, the SAP contacts were outdated. The team tried LinkedIn searches, company website lookups, and asking colleagues in other departments for contacts.

“3 to 4 hours a day is spent sending emails.” — Senior SQE at the company

Step 4: Mass Outreach

When direct email to known contacts did not produce enough responses, the team took an unusual step. They borrowed the internal marketing team’s communication tools and ran what was essentially a marketing campaign directed at their own suppliers. Mass emails requesting certificate submissions, with tracking and follow-up.

This is a measure of how difficult the problem had become. A quality engineering team was repurposing marketing infrastructure to solve a compliance problem, because the standard approach of individual emails to known contacts was not working.

Step 5: Ongoing Follow-up

Even after the initial mass outreach, the team continued spending hours each day on follow-up. Checking who had responded. Resending requests to non-responders. Trying to find alternative contacts at suppliers who remained silent.

The remediation project consumed months of effort. It was not a one-week sprint. It was an ongoing burden on top of the team’s regular responsibilities.

The Lesson: The Number an Auditor Finds Is Never the Real Number

The audit flagged 3 suppliers. The actual number was 64 out of 116 key suppliers. The difference is explained by sampling: an auditor checks a subset, not the full list.

This means that the number found in any audit is a lower bound. The real compliance gap is almost always larger. At this company, it was dramatically larger.

The deeper lesson is that the problem is structural, not operational. The team was doing the work. They were sending emails, following up, tracking responses. The process was not broken because people were not trying. It was broken because contact decay made the outreach ineffective, and there was no mechanism to detect or correct it.

When you send an email to someone who left the company a year ago, you do not get an error message. You get silence. And silence looks the same as a supplier choosing not to respond. Without a way to distinguish between “wrong contact” and “unresponsive supplier,” the team could not diagnose the real problem.

What Automated Outreach Would Have Changed

With automated contact discovery and outreach in place before the audit, the remediation situation would have looked fundamentally different.

Continuous Contact Maintenance

Instead of discovering during a remediation project that contacts were stale, the system would have been running quarterly staleness checks all along. Contacts that left the company or whose emails stopped working would have been flagged and replaced automatically. The contact database would not have decayed to the point where outreach to more than half of key suppliers was ineffective.

Right-Person Targeting from the Start

The tiered contact matching model would have identified the appropriate contact at each supplier for quality certificate requests, whether that is a Quality Manager (Tier 1), a Regulatory Affairs or Operations Manager at a smaller supplier (Tier 2), or the Plant Manager or Owner at the smallest suppliers (Tier 3). Requests would have reached someone who could actually respond, not a procurement contact hoping to forward the email internally.

Automated Follow-up Without Manual Effort

Instead of a person spending 3 to 4 hours per day sending follow-up emails, the system would have managed the follow-up sequence autonomously. Initial requests, follow-ups, escalations to alternative contacts. The quality engineer’s time would have been spent on engineering work, not email.

Document Verification at Collection

When certificates arrived, they would have been verified for validity dates, scope, legal entity, and accreditation body. Issues would have been caught and addressed immediately, not discovered months later during an audit.

Proactive Renewal

Instead of discovering expired certificates after the fact, the system would have tracked expiration dates and initiated renewal outreach before certificates lapsed. The goal is permanent audit readiness, not periodic remediation.

The Broader Pattern

This case is not unusual. The specific numbers (64 out of 116, 900+ suppliers, 3-4 hours per day) belong to this company, but the pattern is common across regulated manufacturers:

1. An audit or internal review reveals missing or expired supplier certificates.
2. The initial finding understates the real scope of the problem.
3. Investigation reveals widespread contact decay as the root cause.
4. Manual remediation is launched, consuming significant time and resources.
5. The remediation succeeds partially but does not address the structural problem.
6. Within 12-18 months, the gaps begin re-accumulating.

Breaking this cycle requires addressing the structural cause: contact decay. As long as outreach depends on static contact lists that are not systematically maintained, the cycle will repeat.

“That is exactly what we are looking for. I wish you were speaking with my director right now.” — Senior SQE at the company, after learning about automated contact discovery and outreach

---

Related Pages

• Supplier Contact Decay
• How to Run a Supplier Certification Remediation Project
• Automated Supplier Outreach for Compliance
• How Bridgecurrent Finds Supplier Contacts
• How to Prepare for a Supplier Documentation Audit