May 12

Vendor Risk: Can Procurement Manage a Way Out of It?

Employers of any size all around the world and in every industry have one thing in common: they must, by necessity, rely heavily on vendors as a vital component of their business operations. In fact, many organizations have more vendors than they do employees. Unfortunately, this reliance on third-party relationships and on the activities of a vendor can leave businesses open to various hazards in categories called risk management domains: operational; financial; technical; regulatory compliance; reputational; and information security and privacy.

By employing effective vendor risk management, a business actively engages with its third-party vendors to ensure that the vendors’ operations, actions or inactions do not cause disruption to the business’s operations or otherwise have an undesirable effect on performance. Vendor risk management also keeps a business from getting hit with hefty fines or penalties for regulatory noncompliance or witnessing damage to the company’s reputation or brand — all because of something one of its vendors did (or didn’t do). And the group that’s increasingly becoming responsible for performing the critical task of vendor risk management? The Procurement department.

A Bigger Job to Do

Traditionally, Procurement’s primary role was to handle vendor selection, sourcing and negotiating best value/pricing on goods and services and finalizing vendor contracts. Performed optimally, this role alone contributes undeniable strategic value to the business. Today Procurement does far more heavy lifting because its core functions make it uniquely equipped to proactively identify and mitigate the myriad risks that third-party vendors present. 

Why the Need for a More Proactive Approach

The business environment continues to move faster and smarter, with more organizational interdependencies. Vendor networks are evolving from simple supply chains into complex value chains, growing almost exponentially in size and technical intricacy. Businesses rely heavily on their third-party vendors to cost-effectively fulfill their portion of the process, and thus must be capable of forecasting, overseeing and responding with agility should the slightest delay or deviation in the vendor’s actions be observed. Further, regardless of what functions are outsourced to vendors, compliance with all local, state and federal regulations remains the responsibility of the business.

The Damage Can Add Up

Failing to recognize the danger of vendor risk can cost a company dearly. Last year alone, a U.S. health insurer paid $2.09 billion in criminal penalties to the Department of Justice and $8.8 million to the Securities and Exchange Commission after one of its foreign vendors ran afoul of the Foreign Corrupt Practices Act. A major utility company reported a vendor had released the personally identifiable information of nearly 300,000 employees, and a bank reported a data spill at a vendor’s location exposed nearly two million current and former customers’ personal information. Data breaches like these cost a U.S. company an average of $8.1 million, with the intangible costs of reputational damage much harder to estimate.

Yes, They Can!

Procurement is well-positioned to take the lead on vendor risk management because, frankly, it’s already doing much of the job. Consider that the core functions in modern procurement operations are divided into six accountability areas that represent the supplier lifecycle from start to end:

  1. Strategic Sourcing
  2. Contracts Management
  3. Procurement Processes
  4. Invoicing and Payments
  5. Supplier Management
  6. Spend Analytics

Coincidentally, each of these six areas is essential to managing vendor risk. Thus, by monitoring the areas for which it traditionally is responsible (e.g., Sourcing, Contracts, Procurement, Invoicing) and extending its reach to include the other areas of accountability, Procurement can provide vendor risk management at the enterprise level. In particular, it can identify perceived operational, financial or information security risks and ensure that any fast-breaking regulatory and compliance matters are addressed to avoid any risks of that nature.

Just as the proliferation of technology is a major contributor to vendor risk, so does it figure prominently in providing a solution to manage it. Third-party cloud-based risk platforms are available that can connect a host of flexible tools with the eProcurement platforms and accounts payable system that the Procurement Department already uses, elevating the system’s scope and reach to bring immediate visibility, transparency, order, and application of best practices into every cross-functional transaction underway. The best of these platforms are robust and scalable, offering:

  • Seamless, easy integration with the company’s existing eProcurement system(s)
  • An intuitive, approachable UX
  • Efficient automated workflows and risk management processes
  • Tailoring for unique industry needs
  • Industry compliance and regulatory requirements as they develop
  • Scannable reporting capabilities
  • Freely shareable dashboards for real-time, aligned collaboration
  • Risk domains and assessment forms that can be tailored to the needs of the business 
  • Comprehensive customer service throughout the vendor lifecycle

Personal Relationships Are Key to Success

To monitor supply chain health, Procurement can further enhance the risk management process by once again doing what it already does: cultivating great relationships with vendors. These are people with whom they often talk to discuss terms and resolve issues, so they’ve proven they’re up to the task. Work strategically, focusing first on top-tier and most-at-risk vendors within the risk management domains, yet assess the entire group, as even vendors deemed lower-tier can have an outsize impact on a business should they trigger data breach or bribery claims.

There’s a great deal of upside to increasing the breadth of a business’s Procurement operations: leveraging a cloud-based procurement platform that melds with the company’s P2P system, and using both, along with personal relationships, to eliminate or minimize the myriad risks inherent in vendor relationships before they can negatively affect the business. At the same time, the wealth of key data and process improvements that are realized will help an employer streamline and optimize daily operations to face the competition with a distinct advantage.

Sources: Managing Vendor Risk (The Shelby Group)

