Traditionally, procurement teams have operated in very transactional, task-oriented functions, oftentimes siloed from other strategy-oriented areas of the company, including risk management, compliance, and management. Since the COVID pandemic, these roles have shifted, breaking down silos between departments and bringing attention to the roles of Chief Procurement Officers (CPOs) and procurement personnel.
“CPOs are successfully navigating… complexities while delivering across a greater breadth of KPIs. Although they are still heavily focused on costs, they have expanded their value propositions to influence demand, drive innovation, and work closely with strategic suppliers and partners to foster commercial compliance, increase speed to market, accelerate M&A integration/divestiture programs, and drive continuous improvement.”
As risks evolve and the number of third parties that organizations engage with increases, the need for procurement teams to take a more active role in their companies’ third-party risk management (TPRM) programs also increases.
Procurement: TPRM’s Link to the Extended Enterprise
The procurement team is the link between an organization and its suppliers, the extended enterprise. Procurement teams work to manage vendor scoping and onboarding risks, and understand the wider ecosystems that suppliers operate in. Because of this knowledge, procurement teams are able to capture and capitalize on insights for the enterprise, such as identifying new products, materials, capabilities, and offerings.
With this greater inclusion of procurement professionals into organizational strategy, CPOs and similar roles need to reframe how the function can best serve the organization, and how other departments can serve them. A key area of this is thinking of procurement from a risk-based approach, and how this function fits into wider risk management strategies.
This shift in procurement influence is even changing job responsibilities. While the old approach to procurement related to margin impact and onboarding vendors and technology, there is a need to focus on long-term strategy and impacts. No longer can procurement be focused on only cost savings, they must also be in-tune and contribute to risk management efforts.
TPRM Risks CPOs Need to Prioritize
Just as the role of procurement personnel is shifting, so too are the challenges that they are tasked to face. Several of these include:
Increased Supply Chain Risks:
From component shortages to logistical delays to global disruptive events, supply chain interruptions are some of the biggest risks facing organizations. Any delay in these complex supply chain processes can not only disrupt an organization’s core operations but potentially lead to components shortages or go-to-market strategies down the line.
These types of disruptions can often arise from lack of information and lack of risk awareness surrounding third-party vendors, such as heavy concentration risk within third-party ecosystems.
Fourth and Nth Parties:
In addition to the vendors that you have direct contracts with, it is also important to know your fourth parties and nth parties- i.e., your third parties’ subcontractors. Without this understanding, companies leave themselves vulnerable to issues such as cyberattacks, supply chain disruptions, and penalties. With a greater focus on initiatives such as ESG or ABAC, risks further along your supply chain must be identified and managed proactively.
ESG:
The magnitude of environmental, social, governance (ESG) regulations and compliance are reshaping how organizations manage suppliers, affecting not only procurement, but legal, compliance, risk functions, executives, and more. With concerns such as climate change, eliminating human trafficking and modern slavery from supply chains, identifying and eliminating corruption, etc. procurement must take a driving role in ensuring that third-party vendor relationships are aligned with ESG initiatives.
“CPOs must be proactive. All commercial firms measure financial profit, but 40% of CPOs stated their procurement organizations don’t define or measure their own set of relevant ESG factors, even though 60% do measure suppliers at some level on sustainability.”
Cyber and Information Security Risks:
According to a 2022 survey by PwC, only 40% of organizations have a thorough understanding of the data breach risks presented by third parties. And cyber-related incidents are rising. According to Aravo’s TPRM benchmarking survey, almost 70% of organizations experienced a data breach or cybersecurity incident in 2021.
Procurement teams can play a critical role in protecting their organizations from cyber incidents related to third-party activities. Ensuring that SLAs and contracts include areas for data protection and information security, conducting risk assessments on a regular basis, and limiting non-essential network access are all steps procurement teams can take to ensure security when working with third parties.
Key Areas of TPRM Relationships to Focus On
When approaching TPRM from a more holistic approach, procurement teams can and should be involved in multiple stages of the vendor lifecycle and risk management processes. Several of these include:
Vendor Selection and Onboarding:
Procurement teams are integral to vendor scoping, selection, and intake. Working with internal teams to determine the scope/need of the possible vendor, collecting information on potential third parties, and validating which would be the best fit are all components to this process. Using TPRM automation software, procurement teams are able to determine inherent risk, stick to budgets, and onboard with compliance and assurance.
Vendor Contracts Management:
Procurement teams also play a key role in determining the scope of service that a vendor/third party will perform for the organization. When taking a risk-based approach, these teams will ensure that contract and SLA terms are clearly defined, and being upheld after the vendor is onboarded.
Vendor Due Diligence:
Procurement’s role in TPRM does not stop with onboarding. Performing due diligence before a vendor is onboarded, and on a regular basis helps teams spot potential red flags and breaches of contract/SLAs. This allows organizations to assess risk across all third parties and conduct due diligence commensurate with the level and types of risk they present. It also provides transparency needed for audit trails.
Taking a Risk-Based Approach to Procurement
Taking a more holistic, risk-based approach to procurement functions not only elevates these roles but will also better serve the organization as a whole, helping to mitigate complex third-party risks that are only increasing in frequency. Being involved in the entire third-party/supplier relationship management process ensures agility, rather than relying on a one-size fits all procurement strategy that may allow risks to fall through the cracks.
By integrating or centralizing formerly siloed processes such as supply chain, third-party risks, travel expenses, procure-to-pay, and more, procurement professions will lead greater to organizational resilience and risk management. The future needs more procurement professionals who empower fresh, more strategic approaches to succeed in new, dynamic risk landscapes.
Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.
Hannah holds over 12 years of writing and marketing experience, with 6 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.
Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.