
What’s the Procurement Team’s Role in Third-Party Management?

A global procurement leader told OneTrust that third-party management should be his team's responsibility. Here's why.

Jason Koestenblatt Team Lead, Content Marketing


Third-party management (TPM) is growing more complex by the day as companies expand their supply chains and increasingly rely on digital processes. Some companies believe that this process should lie with the individual departments that contract those services. Others require the TPM process to sit in the legal department alone.

OneTrust sat down with the global procurement services leader of an international financial services company to better understand where TPM should be situated in the enterprise, why, and how this can help — or hurt — an organization’s trust profile.

The following is the result of that discussion.  

1. From a holistic, enterprise-wide perspective, just how important is third-party management?

Although many companies don’t realize it, managing the enterprise’s third parties is immensely important. One of the biggest issues companies face is where to put that responsibility — sometimes it sits in the legal department, but it should definitely be with procurement. [Third-party management] tends to be a “who wants it least” and not “who wants it most” part of the business. A big factor is the economics; some companies may have 45% of their overall spend going to third parties – and that’s a big deal. In terms of managing risk, there needs to be a prioritization of who your company does business with. 

There’s a misconception that procurement is a cost center, but in reality it can provide anywhere from 5-35% savings for the company when evaluating and choosing third parties. There’s a lot more to lose than gain in this space. 

2. Is procurement the first line of defense for companies with third-party partnerships, or is it meant to be the back row / gatekeeper?

Procurement needs to be the front line when it comes to third-party management because [it] knows the business best. There’s a level of due diligence needed between sourcing each activity, which is an integrated function of procurement. But this partnership doesn’t seem to have high value yet because a lot of people don’t see the connection.  

3. How should procurement teams be assessing third-party risk? What’s best practice for process? 

Procurement teams must rely on a certain level of market data to inform these decisions. There needs to be a multi-level check through data services and existing subscriptions. There are some solutions out there that can help with this, but not all are digging deep enough.  

Managing third-party risk isn’t just about cybersecurity. That’s a huge component of course, but we also need to consider performance of those third parties. Poor performance can also create risk for the organization, and no one wants that.  

4. How difficult has compliance within third-party management become for organizations? 

The proliferation of vendor relationships has made [TPM] more difficult. With respect to third-party risk management, you could have 50,000 relationships to monitor. There are follow-ups with open items and decentralized interpretations. How do you even measure those metrics and data?

That’s where automation plays a huge part — it’s a process and it’s in a box. The challenge comes in the transactional data. A company could have two, three million transactions annually. How do we look at that data within contracts, within expenses, and so on? The value to outsourcing this is that it would take a huge staff internally to do all this mining. Even better, if you can automate the process, you can save costs.   


5. How does third-party management help create trust within an organization? How can it erode trust? 

Trust is a consistent process with whom we do business. Different variables are constantly changing, and trustworthiness creates value. Managing third-party risk has to go beyond, “oh, you did a cyber check” — it needs to be tied to real value. There’s an operational nature to it and being able to staff, monitor, and understand its data. Doing this properly is what creates trust from the procurement department outward to the rest of the company. Not doing these things properly, or mismanaging that third-party risk, is where trust can erode quickly.  

6. What’s the best way for the procurement team to create trust that goes outward to the rest of the business? 

New systems and processes should be considered. People are looking for point-in-time evaluation, and that’s often as simple as an incomplete vs. complete. There’s no scoring or grading — it’s simply a yes or no — and that doesn’t create confidence. In order for procurement to create trust while overseeing third-party management, reviews need to be accelerated and a tiering system should be put in place.   

All too often it takes a ton of time to get a green light, and once that green light comes, it’s off to the races. There’s no yellow or red light to slow down and take a second look. A tiering system would help dictate how vendors are looked at and evaluated. Once that’s under control and a process for measurement is in place, procurement can be confident in its approach, which ultimately will lead to creating trust both internally to the business and externally with the supply chain. 
