The role of procurement in third-party risk management

Joost van Beijsterveld
November 4, 2024
6 min read

Procurement is essential for managing third-party risks, preventing financial losses, fines, and reputational damage. Procurement teams assess and reduce risks, ensure compliance, and adapt to regulations like the German Supply Chain Act and GDPR. Through due diligence, monitoring, and technology, procurement strengthens supplier relationships and enhances resilience.


The role of procurement in managing third-party risk is becoming increasingly important. In this blog, you’ll discover how procurement teams can effectively manage these risks.

1. Why procurement should consider third-party risks

The oversight and management of third-party risks is crucial from an organisation’s perspective for several reasons:

Cost efficiency and value protection

Effective risk management by procurement safeguards the organisation against potential financial losses and disruptions, including costs associated with data breaches, regulatory fines, and operational downtime.

Brand and reputation management

A company’s reputation is closely tied to its supply chain ethics and practices. Procurement teams that effectively manage third-party risks help maintain a positive brand image and consumer trust.

Regulatory compliance and legal liability

As regulatory environments become more stringent, non-compliance can result in significant legal liabilities. Procurement’s active role in ensuring supplier compliance helps reduce these risks.

Supply chain resilience

Proactive risk management leads to a more resilient supply chain, capable of adapting to changes and recovering quickly from disruptions.

2. 7 procurement roles for effective third-party risk management

In third-party risk management, procurement isn't a single role but a mix of various tasks, each contributing uniquely. Procurement leaders must define and adopt roles that fit their organisation's needs and goals, considering other areas like sustainability and security. By identifying and adopting these roles, procurement teams can manage risks more effectively, ensuring compliance and efficiency.

Let’s explore these roles and how they can be integrated into a unified risk management strategy.

Risk assessor and mitigator

One of the primary roles of procurement is to evaluate potential and existing suppliers for multiple risks, such as financial instability, cybersecurity threats, human rights risks, or non-compliance with legal standards. This role also involves developing strategies to reduce the identified risks.

Regulatory compliance officer

Procurement teams can opt to focus heavily on ensuring that suppliers adhere to relevant laws and regulations. This role is crucial for avoiding legal complications and penalties associated with non-compliance.

Relationship manager

This role involves building and sustaining strong relationships with suppliers. It emphasises effective communication and collaboration, which are key to gaining better visibility into the supply chain and its associated risks, and to ensuring compliance.

Orchestrator

Procurement can play a pivotal role in orchestrating third-party risk management, acting as a central hub that ensures cohesion and alignment among diverse departments. By integrating activities like due diligence assessments and real-time monitoring, procurement acts as a conductor, harmonising the efforts of sustainability, security, compliance, and other relevant teams.

This centralised approach not only streamlines the process but also fosters a unified strategy towards managing third-party risks.

Strategic advisor

Procurement can choose to play a more advisory role, providing strategic insights to senior management on supplier selection and supply chain design in light of risk profiles, concentration risks, and business objectives.

Technology integrator

In this role, procurement is responsible for implementing and leveraging technology solutions, such as third-party risk management technology, to streamline the risk assessment and monitoring processes.

Educator and trainer

This involves taking up the mantle of educating business, IT, finance and other teams about the importance of third-party risk management and training them in best practices and processes.

3. Keeping up with ongoing regulatory changes that affect procurement

Constantly changing regulations are a big challenge for procurement teams in Europe. Keeping up with these changes is crucial for legal compliance and protecting the organisation from risks. This section highlights key new regulations affecting procurement and the need to align strategies with these changes.

  1. German Supply Chain Act (LkSG). Applicable to all organisations operating from Germany or doing business with German companies, this regulation requires entities to assess human rights and environmental issues within the supply chain.
  2. Network & Information Security Directive (NIS-2). Focuses on improving cybersecurity across the EU. Procurement must ensure third-party compliance with these cybersecurity standards.
  3. Corporate Sustainability Reporting Directive (CSRD). Expands sustainability reporting requirements, influencing procurement to assess suppliers’ sustainability practices, which includes human rights and environmental aspects.
  4. Corporate Sustainability Due Diligence Directive (CSDDD). Holds companies accountable for human rights and environmental impacts in their supply chain.
  5. Digital Operational Resilience Act (DORA). Targets the digital resilience of financial entities, affecting procurement in financial services.
  6. General Data Protection Regulation (GDPR). Emphasises personal data protection, requiring procurement to verify third-party vendors’ compliance.
  7. Deforestation Act. Aims to prevent supply chain contributions to deforestation, impacting procurement strategies for product sourcing.

4. Effective third-party risk management strategies for procurement teams

Managing third-party relationships is vital for procurement teams. Effective strategies should include initial assessment and ongoing supervision to meet the organisation's risk and compliance standards. Here are some key strategies to consider:

  • Due diligence assessments: This involves vetting potential suppliers for their cybersecurity, sustainability, compliance with relevant laws, and alignment with the organisation's values and standards. Due diligence should also consider the potential supplier's own third-party relationships, extending the risk assessment further down the supply chain.
  • Risk-based supplier segmentation: Not all suppliers pose the same level of risk. By segmenting suppliers based on the risk they pose, procurement can apply more stringent controls and monitoring to higher-risk entities, ensuring efficient use of resources.
  • Contractual risk mitigation: Embedding risk management clauses in contracts with suppliers can provide a legal basis for ensuring compliance and managing risks. These clauses might include compliance standards, audit rights, and penalties for non-compliance.
  • Continuous monitoring and evaluation: Risk management is an ongoing process. Regularly reviewing and evaluating third-party performance and compliance helps in identifying and addressing issues before they escalate. This includes monitoring for changes in the supplier's business environment that may affect risk levels – e.g. adverse media or security ratings.
  • Collaborative risk management: Working closely with suppliers to manage risks can be more effective than imposing unilateral standards. This collaboration can include joint risk assessments, shared risk mitigation plans, and continuous dialogue on risk-related matters.
  • Incident response planning: Having a plan in place for managing incidents involving third-party vendors is crucial. This should include clear procedures for incident reporting, assessment, and remediation, as well as communication strategies for internal and external stakeholders.
  • Leveraging technology: Using an intuitive risk management tool and software can streamline the assessment, monitoring, and reporting processes, reducing time and cost. These tools can provide real-time data and analytics, enhancing the organisation's ability to respond swiftly to emerging risks.
  • Training and capability building: Ensuring that procurement staff are trained in risk management principles and practices is essential. Regular training sessions can keep the team updated on the latest risk management techniques and regulatory requirements.

Using a varied approach to third-party risk management helps procurement teams handle the many risks that arise from external partnerships. These strategies ensure compliance, reduce risks, and build stronger, more resilient supplier relationships.

5. Conclusion: The crucial role of procurement in managing third-party risks

Procurement's role in managing third-party risks is crucial. With evolving threats and new regulations, procurement teams must adopt diverse roles from risk assessors to strategic advisors. Effective risk management ensures compliance, protects organisational integrity, and maintains resilience. By performing due diligence, continuous monitoring, and collaborating on risk management, procurement strengthens the organisation. Procurement's proactive approach to third-party risks is key to organisational success and sustainability.
