For Chief Procurement Officers (CPOs), risk management is becoming an increasingly important initiative. The procurement function has traditionally been associated with cost savings and supply chain efficiency. However, procurement leaders must now adopt new roles. Increasingly, the function is essential to mitigating risks in areas such as digital resilience, AI ethics, and sustainability.
The regulatory landscape is becoming ever more complex. In January, both the Digital Operational Resilience Act (DORA) and the second phase of the Corporate Sustainability Reporting Directive (CSRD) became applicable in the European Union. A key element of complying with these new regulations is managing risks from interactions with third parties. This is why procurement teams need to be involved in the process.
If risks materialise, they can have significant financial and operational implications. For example, a supplier’s financial instability could result in a number of issues. These could include longer lead times, quality issues, or even the need to find an alternative partner at short notice. Often, this comes at a premium cost. Non-compliance with regulations can also result in hefty fines, legal action, and reputational damage. Since being introduced in May 2018, the General Data Protection Regulation (GDPR) has resulted in over €5.5 billion of fines.
Integrating risk management into the procurement process
A good foundation for procurement teams to manage third-party risk successfully is to clearly define how risk management will be incorporated into the procurement process. For example, should due diligence be carried out at the sourcing stage, or at the onboarding stage after a supplier has been selected? If a risk has been flagged, what controls need to be in place to prevent an order being raised with that supplier until the appropriate risk mitigation is in place?
Process design decisions such as these are further complicated in global companies. These organisations have to contend with the fact that local markets often have different regulations and systems architectures. A “core model” needs to be defined and standardised. This way, procurement can adhere to global compliance requirements, while staying sufficiently flexible to cater to nuances in local markets.
Selecting the right software
Most companies have already defined what risks they want to manage and how they want to quantify them, but how easy it is to standardise that process depends on the software being used.
Selecting the right software can be complex. There are risk management modules offered by software companies whose core product focuses on procurement, but also point solutions on the market that can be integrated with Source-to-Pay software. The best third-party risk management (TPRM) software enables companies to automate the process of sending due diligence questionnaires to third parties, scoring the responses, and validating risk data from external sources, such as credit ratings.
Deciding which software is right for the business depends on many factors. These include budget, integration requirements, and the level of customisation required. It is worth investing the time to evaluate the strengths and weaknesses of the different options.
The business case for implementing TPRM software can be easily justified by the avoidance of regulatory non-compliance fines; GDPR penalties, for example, can be up to four percent of annual global turnover.
Winning hearts and minds
One of the biggest challenges for CPOs when it comes to managing risk is communication. Risk assessments need to be completed by a large number of internal business stakeholders and third parties.
Explaining what information is required, why it is important, and tailoring that messaging to people with different roles can be a challenge. For example, finance teams might focus on cost implications, while legal teams might prioritise compliance. There is also a delicate balance to be struck between mitigating risk and not delaying business-critical requirements.
Risk management should be presented as a process to enable operations in a compliant and responsible way, rather than as a potential obstacle. It helps to have a dedicated change management team to explain to business users and suppliers why risk management is important, using practical examples. Building positivity around the initiative will increase the likelihood of TPRM being successful.
The benefits for Procurement
Implementing a TPRM process can deliver a host of benefits for the procurement function. This is in addition to minimising the probability of operational disruption and financial losses.
Encouraging third parties to consider risk might result in more collaborative commercial partnerships. It can also drive discussions around product innovations such as sustainable packaging or locally sourced materials. Building the company’s reputation as an ethical brand can improve customer satisfaction and competitive advantage. By driving initiatives that create revenue growth, procurement teams will raise their profile to a more strategic level.
Conclusion: risk management as a priority in 2025
TPRM will be especially important in 2025, with DORA and the second phase of CSRD becoming applicable in the EU from January. There is additional EU regulation on the horizon: the Corporate Sustainability Due Diligence Directive (CSDDD) will become applicable in 2027. Policy changes by the Trump administration may also affect global supply chains.
We are living in an era of heightened uncertainty and complexity. Risk management is no longer just a box-ticking exercise for Chief Procurement Officers. It’s a strategic imperative. By embedding risk management into procurement practices, CPOs can achieve a number of critical goals. They can enhance supply chain resilience, protect financial stability, ensure regulatory compliance, and uphold their organisation’s reputational goals. As businesses continue to navigate an unpredictable landscape, the ability to manage risk will set successful CPOs apart as true strategic leaders.