The role of procurement in third-party risk management

In todays complex business environment, the role of procurement in managing third-party risk is getting more and more important. This blog post examines how procurement teams can effectively manage these risks in light of the evolving threat landscape and emerging regulations.

Why procurement should consider third-party risks

The oversight and management of third-party risks is crucial from an organisations’ perspective for several reasons:

• Cost efficiency and value protection: Effective risk management by procurement safeguards the organisation against potential financial losses and disruptions. This includes avoiding costs associated with data breaches, regulatory fines, and operational downtimes.
• Brand and reputation management: In today’s connected world, a company’s reputation is closely tied to its supply chain ethics and practices. Procurement teams that effectively manage third-party risks help maintain a positive brand image and consumer trust.
• Regulatory compliance and legal liability: As regulatory environments become more stringent, non-compliance can result in significant legal liabilities. Procurement’s active role in ensuring supplier compliance helps mitigate these risks.
• Supply chain resilience: Proactive risk management leads to a more resilient supply chain, capable of adapting to changes and recovering quickly from disruptions.

Roles of procurement in third-party risk management

In the realm of third-party risk management, the procurement function within an organisation is not monolithic. Rather, it comprises a spectrum of distinct roles, each with its unique contributions to risk management. Importantly, it falls upon the procurement leadership to define and adopt the roles that best align with their organisation's specific needs and strategic goals - also considering the existence of other functions within the organisation such as sustainability and security. By identifying and embracing these roles, procurement teams can effectively tailor their approach to managing third-party risks, ensuring both compliance and operational efficiency. Below, we explore these roles, offering insights into how they can be selectively adopted and integrated into a cohesive risk management strategy.

• Risk assessor and mitigator: One of the primary roles of procurement is to evaluate potential and existing suppliers for various risks, such as financial instability, cybersecurity threats, human right risks, or non-compliance with legal standards. This role also involves developing strategies to mitigate identified risks.
• Regulatory compliance officer: Procurement teams can opt to focus heavily on ensuring that suppliers adhere to relevant laws and regulations. This role is crucial for avoiding legal complications and penalties associated with non-compliance.
• Relationship manager: This role involves building and sustaining strong relationships with suppliers. It emphasizes effective communication and collaboration, which are key to gaining better visibility into the supply chain, associated risks and ensuring compliance.
• Orchestrator: Procurement can play a pivotal role in orchestrating third-party risk management, acting as a central hub that ensures cohesion and alignment among diverse departments. By integrating activities like due diligence assessments and real-time monitoring, procurement acts as a conductor, harmonising the efforts of sustainability, security, compliance, and other relevant teams. This centralised approach not only streamlines the process but also fosters a unified strategy towards managing third-party risks.
• Strategic advisor: Procurement can choose to play a more advisory role, providing strategic insights to senior management on supplier selection and supply chain design in light of risk profiles, concentration risks, and business objectives.
• Technology integrator: In this role, procurement is responsible for implementing and leveraging technology solutions, such as third-party risk management technology, to streamline the risk assessment and monitoring processes.
• Educator and trainer: This involves taking up the mantle of educating business, IT, finance and other teams about the importance of third-party risk management and training them in best practices and processes.

Emerging regulations affecting procurement

The landscape of regulatory compliance is ever-evolving, presenting a significant challenge for procurement teams across Europe. Staying abreast of and adapting to these changes is not just about legal adherence but also about safeguarding the organisation from potential risks and repercussions. This section highlights some of the key emerging regulations that are reshaping the procurement function, underscoring their impact and the need for strategic alignment to these new norms.

1. German Supply Chain Act (LkSG): Applicable to all organisations operating from Germany or doing business with German companies, this regulation requires entities to assess human rights and environmental issues within the supply chain.
2. Network & Information Security Directive (NIS-2): Focuses on improving cybersecurity across the EU. Procurement must ensure third-party compliance with these cybersecurity standards.
3. Corporate Sustainability Reporting Directive (CSRD): Expands sustainability reporting requirements, influencing procurement to assess suppliers’ sustainability practices, which includes human rights and environmental aspects.
4. Corporate Sustainability Due Diligence Directive (CSDDD): Holds companies accountable for human rights and environmental impacts in their supply chain.
5. Digital Operational Resilience Act (DORA): Targets the digital resilience of financial entities, affecting procurement in financial services.
6. General Data Protection Regulation (GDPR): Emphasizes personal data protection, requiring procurement to verify third-party vendors’ compliance.
7. Deforestation Act: Aims to prevent supply chain contributions to deforestation, impacting procurement strategies for product sourcing.

Effective third-party risk management strategies

In a landscape where third-party relationships are integral yet potentially fraught with risks, developing effective management oversight and strategies is crucial for procurement teams. These strategies should encompass a range of activities, from initial assessment to ongoing supervision, ensuring that third-party engagements align with the organisation's risk tolerance and compliance standards. Here are some key strategies to consider:

• Due diligence assessments: This involves vetting potential suppliers for their cybersecurity, sustainability and, compliance with relevant laws, and alignment with the organisation's values and standards. Due diligence should also consider the potential supplier's own third-party relationships, extending risk assessment down the supply chain.
• Risk-based supplier segmentation: Not all suppliers pose the same level of risk. By segmenting suppliers based on the risk they pose, procurement can apply more stringent controls and monitoring to higher-risk entities, ensuring efficient use of resources.
• Contractual risk mitigation: Embedding risk management clauses in contracts with suppliers can provide a legal basis for ensuring compliance and managing risks. These clauses might include compliance standards, audit rights, and penalties for non-compliance.
• Continuous monitoring and evaluation: Risk management is an ongoing process. Regularly reviewing and evaluating third-party performance and compliance helps in identifying and addressing issues before they escalate. This includes monitoring for changes in the supplier's business environment that may affect risk levels – e.g. adverse media or security ratings.
• Collaborative risk management: Working closely with suppliers to manage risks can be more effective than imposing unilateral standards. This collaboration can include joint risk assessments, shared risk mitigation plans, and continuous dialogue on risk-related matters.
• Incident response planning: Having a plan in place for managing incidents involving third-party vendors is crucial. This should include clear procedures for incident reporting, assessment, and remediation, as well as communication strategies for internal and external stakeholders.
• Leveraging technology: Utilising intuitive risk management tools and software can streamline the assessment, monitoring, and reporting processes, reducing time and cost. These tools can provide real-time data and analytics, enhancing the organisation's ability to respond swiftly to emerging risks.
• Training and capability building: Ensuring that procurement staff are trained in risk management principles and practices is essential. Regular training sessions can keep the team updated on the latest risk management techniques and regulatory requirements.

Adopting a multi-faceted approach to third-party risk management allows procurement teams to address the myriad of risks associated with external partnerships effectively. By implementing these strategies, organisations can not only ensure compliance and mitigate risks but also foster stronger, more resilient relationships with their suppliers.

Conclusion

In conclusion, the role of procurement in third-party risk management is multifaceted and increasingly pivotal in todays complex business environment. The landscape is shaped by an evolving threat landscape and a variety of emerging regulations, each demanding a strategic and informed response. Procurement teams are at the forefront of this challenge, tasked with adopting diverse roles that range from risk assessors to strategic advisors. The implementation of effective risk management strategies is crucial, not just for regulatory compliance but for safeguarding organisational integrity and maintaining operational resilience. Through rigorous due diligence, continuous monitoring, and collaborative risk management, procurement can navigate these complexities, ultimately contributing to a stronger, more secure, and compliant organisational framework. As the business world continues to evolve, the proactive and adaptive approach of procurement in managing third-party risks will remain a key factor in the success and sustainability of organisations.