Skip to main content

On-demand webinar coming soon...

PUMA

PUMA kicks into high gear with agile vendor risk management

Multinational sports brand reinvents vendor risk management with collaborative, organization-wide approach

Photo of an open office space with the Puma logo on a large red wall near a seating area

Overview

Industry: Retail and Manufacturing

Region: International

Company size: Enterprise

Featured solutions: Third-party Management, IT and Security Risk Management, Cookie Consent, Mobile App Consent 

Looking at PUMA’s vendor risk management process, you wouldn’t think it launched just a year ago. But it did.  

“We noticed that several other companies experienced data breaches and we wanted to improve our policies. With regulations and requirements getting more complex, we required a better system to check external vendors,” says Marco Preissinger, Senior Manager Information Security at PUMA Group.  

In the past, PUMA lacked a standardized way to manage vendor risks from an information security and data privacy point of view. 

“We wanted to know the exact IT risks tied to our current vendors and get a more consistent evaluation of new vendors,” recalls Florian Brandner, Director Global Information & Cyber Security at PUMA Group. “Using the OneTrust platform, our teams were able to create a clear framework for evaluating and monitoring vendor risks.”

This became PUMA’s Vendor Check process. Since it launched in 2023, the team has onboarded 250 vendors, reduced the process to an average of 17 days, and cut down its process time by 80% — and it’s just getting started.  

 

"Implementing OneTrust has accelerated our team's efficiency, cutting down our process time by 80% and reducing vendor onboarding to an average of 17 days. This efficiency has led to significant time savings, optimized resource utilization, and smoother operations."

 

Marco Preissinger, Senior Manager Information Security at PUMA Group

 

Reinventing vendor risk management

PUMA works with hundreds of independent suppliers and thousands of vendors across the globe, which meant the team needed to hit the ground running. 

“We really benefit from the templates library in OneTrust,” says Preissinger. “For us as a German company, the ISO templates were especially of great use. But we also pulled questions from other templates, so it was like a supermarket — a little bit of NIST, a pinch of ISO, and round it out with some GDPR. We did some rephrasing to fit our PUMA wording and OneTrust does the magic after.” 

The team decided to take a creative and proactive approach to mitigating vendor risks. While most organizations simply notify vendors when risks arise, PUMA goes a step further by including a technical damage scenario that details the potential impact and a treatment plan with suggestions for remediation.  

“We’re not just pointing out the risks. We notice vendors need a little bit more help to understand and mitigate risks, so we create what we call treatment plans. They're very simple; I would say five or six steps to mitigate one risk,” says Preissinger.  

They’ve seen an impressive adoption rate, with most vendors willing to address the risk. “The usage of the OneTrust platform has been instrumental in strengthening our relationships with vendors, as it allows us to provide them with targeted advice on mitigating risks based on our standardized treatment plans,” adds Brandner. 

This creates a mutually advantageous situation, where a vendor increases the security and reliability of its service, and PUMA as their customer effectively reduces overall risk. 

 

Easing the assessment workload

But the team didn’t stop there. After observing that vendors are often bombarded with assessments, they decided to lighten the workload by including only questions relevant to PUMA.  

“Some vendors provide a lot of services. For example, Microsoft has everything, but what if we only use a fraction of what they offer, like the Exchange email?” explains Preissinger. 

As part of the Vendor Check, the team created what they call the “business pit stop,” where they ask specific business units a few fast questions that help put the vendor in the right context. Dynamic assessments are then built in OneTrust, using conditional logic to further enhance the questionnaire based on each vendor answer.

The result? “We were able to reduce and simplify the assessment for the vendor, the business, and us as the reviewer,” says Preissinger. “The uniform approach ensures consistent and comprehensive risk handling, leading to a more robust risk management framework. As a result, our responses are faster and more effective, contributing to the overall resilience of PUMA.” 

 

OneTrust meets with PUMA

The PUMA team continues to improve its vendor check process using the templates library and dynamic assessments in OneTrust.

 

"Even though we’re a sporty, agile, fast brand, in terms of vendor risk management, we came from an Excel and Word world.

 

We have found and sorted 1,500 risks so far and with OneTrust, we can leverage these to make faster and smarter decisions and get better at dealing with risks. I think we are now much closer to an ideal situation with OneTrust."

 

Marco Preissinger, Senior Manager Information Security at PUMA Group

 

Fostering a risk-aware culture

Streamlining the vendor risk process gave the team time to focus on its top priority: increasing awareness and understanding of risk within the company.

“If one responsible business unit is not included, it will not work. We needed to establish a process that enables continuous improvements and brings everyone to the table,” explains Preissinger. “We don’t need everyone to be privacy or security specialists, but a risk-aware culture helps us expedite the process.” 

Regular meetings are also where a lot of the learning happens, as stakeholders from all the different departments across PUMA bring their own concerns and viewpoints about the process.  

Timo Stauber, Legal Counsel Data Protection at PUMA Group, attests to the benefits of taking risk into consideration. “Vendor Checks are useful for us legal counsels in the data protection sector,” he says. 

“The assessments give a quick overview of vendors and the use of a planned tool or project. We carry out an initial data protection evaluation and, if necessary, a more in-depth legal review. If the deployment of the vendor is permissible from a legal data protection perspective, we conduct the data protection contract negotiations based on the assessment and any existing risks.”

This collaborative approach has led to a cultural shift at PUMA. Stakeholders are now more concerned about potential risks and know that every vendor they want to use will need to go through the Vendor Check process. 

“Bringing people closer together has been the biggest improvement,” says Preissinger. “This is where OneTrust helps a lot because we’re able to centralize processes to make faster, more informed decisions, and increase risk awareness throughout PUMA.”

 

Photo of the PUMA team

From left: Timo Stauber, Daniela Dillmann, Florian Brandner, Wei Lo, Marco Preissinger

 

Gaining global traction

The Vendor Check process saw early success in building awareness and reducing risk and is currently being introduced to global subsidiaries through a system called ‘location onboarding’. 

Beginning in PUMA North America, the team spent a week at its Massachusetts office to introduce their established policies and best practices.

The week was spent working closely with senior management to define their existing risk management processes, input them into OneTrust, and plan marketing campaigns for other business units. At the end of location onboarding, all details were compiled in a neat package and handed over to the local team.  

“Without OneTrust, it would not be possible to have the agility and flexibility to adjust to local regulations and laws. It’s still a complex task, but the tool removes the uncertainty of knowing what to ask,” says Preissinger.

Looking forward, location onboarding is scheduled for multiple other regions: Chile, LATAM, Europe, EMEA, Austria, Hong Kong, Dubai, and the Nordics. 

“We would like to visit all the different PUMA entities and show our colleagues the OneTrust software as a whole, and the Vendor Check in particular,” says Daniela Dillmann, Legal Counsel Data Protection at PUMA Group.   

 

Driving security at scale

PUMA has been working with OneTrust since 2018, starting with its initial use of the Cookie Consent Module across all ecommerce sites. Now, more than five years later, they’ve further integrated with the platform’s Third-Party Management module and Power BI dashboards to achieve more robust and insightful analysis and internal transparency.

“Last year, we started with the Vendor Check and revised our template in the Data Mapping Automation module. With its various functionalities, OneTrust has great potential to simplify many processes here at PUMA,” says Stauber.

“In the future, procedures could be more integrated, automated. and adopted on a wide scale, including the entire vendor lifecycle and all relevant stakeholders for holistic risk management,” agrees Brandner. “This approach will guarantee seamless and efficient management of vendor relationships from start to finish.”


You may also like

Webinar

Supplier Sustainability & Responsibility

Modern slavery: Identifying exploitation and managing forced labor risks

In this webinar, OneTrust and Andrew Wallis, CEO at Unseen, will discuss the scale and impact of modern slavery on businesses' global supply chains.

March 14, 2024

Learn more

eBook

Ethics Program Management

Business messaging apps: A guide to corporate compliance

How can your business use third-party messaging apps while staying compliant? Dive into key usage considerations based on the DOJ’s 2023 guidance.

February 13, 2024

Learn more

Infographic

Third-Party Risk

4 top-of-mind challenges for CISOs in 2024

What key challenges do CISOs face going into the new year? Download this infographic to hear what experts from industries across the board have to say.

January 30, 2024

Learn more

Webinar

Third-Party Due Diligence

Best practices for conducting third-party due diligence for ethics & compliance​

Join this webinar for best practices for conducting third-party due diligence for ethics and compliance.

January 11, 2024

Learn more

Webinar

Ethics Program Management

Ethics Exchange: Third-party applications and ephemeral apps

Learn practical advice on how to navigate the risks of ephemeral apps and employee privacy in BYOD world.

December 05, 2023

Learn more

Webinar

Speak-Up Program Management

Navigating the EU Whistleblower Protection Directive: New rules, new risks

Join our expert-led webinar where we explore the EU Whistleblower Protection Directive and practical steps towards compliance. 

November 02, 2023

Learn more

Webinar

Ethics Program Management

Ethics Exchange: Risk assessments

Join our risk assessments experts as we discuss best practices, program templates, and how provide an assessment that provides the best value for your organization.

October 25, 2023

Learn more

Webinar

Ethics Program Management

Ethics Exchange: Investigations

Join our live webinar and learn how to conduct comprehensive ethics investigations that are trustworthy and efficient.

September 07, 2023

Learn more

Webinar

Third-Party Due Diligence

Driving excellence in third-party risk management: An in-depth look at different due diligence approaches

Join our in-depth webinar and learn how to define third-party due dilligence levels and when to apply them during your vendor management lifecycle.

July 20, 2023

Learn more

Webinar

Third-Party Due Diligence

A shortcut to third party due diligence fundamentals

In this webinar, we examine the scope of third-party due dilligence, best practices, and industry trends driving greater scrutiny on third parties.

July 13, 2023

Learn more

Webinar

Third-Party Due Diligence

Sanctions and export controls: Ensuring compliance

Watch our live expert webinar on understanding global sanctions and export controls and how to reduce your organiztion's risk exposure and ensure compliance.

June 29, 2023

Learn more

Video

Third-Party Risk

Third-party management demo

See how OneTrust's third-party management solution can help scale your third-party lifecycle and evaluate vendors with real-time risk intelligence.

June 27, 2023

Learn more

Webinar

Third-Party Risk

Unpacking the third-party risk regulatory landscape in the Nordic region and beyond

In this live webinar, our expert panel discuss emerging third-party risk regulatory trends in the Nordic region and show how OneTrust can help your business stay complaint.

May 30, 2023

Learn more

eBook

Third-Party Due Diligence

The global regulations driving third-party due diligence

Download our eBook learn how to start building a robust third-party due dilligence (TPDD) strategy that protects your brand and minimizes risk.

May 30, 2023

Learn more

Webinar

Third-Party Due Diligence

Ethics live Demo: Third Party Due Diligence webinar

Learn how OneTrust's Third-Party Due Dilligence, backed by Dow Jones, can help provide your business the data it needs to find trustworthy third parties and mitigate risk.

May 18, 2023

Learn more

In-Person Event

Ethics & Compliance

Ethics Exchange: Practical deep dive for third-party due diligence

Organizations are accountable for third-party actions, so they need robust due diligence to protect their reputation. Learn more at our ethics exchange event.

May 11, 2023

Learn more

Checklist

Ethics Program Management

Policy on development and administration of policies template

Get a head start on your ethics program and create a policy on development and administration of policies with our customizable template.

May 10, 2023

Learn more

Webinar

Third-Party Due Diligence

Maturing your third-party due diligence program: Process, data & technology

Experts at OneTrust and Dow Jones discuss third-party due diligence, covering industry trends, challenges, and how to streamline the process with technology.

April 27, 2023 1 min read

Learn more

Webinar

Ethics & Compliance

Unpacking the global third-party due diligence regulatory landscape

Learn how a strategic plan for compliance can help companies eliminate human rights and environmental violations and avoid costly consequences.

March 06, 2023

Learn more

Webinar

Ethics & Compliance

Third party due diligence – A practical deep dive

In this session, we'll look into the scope of third-party due diligence and a deep dive into practical implementation aspects and best practices for organizations.

December 13, 2022

Learn more

Report

Trust Intelligence

Trending toward trust

The "Trending toward trust" report from OneTrust highlights seven key trends that organizations need to know.

December 12, 2022

Learn more

Webinar

Ethics & Compliance

The number one metric for effective compliance programs: Continuous improvement

Join our webinar to learn how to develop and/or maintain a High-Quality E&C Program and what role data analytics play in improving your compliance program.

November 27, 2022

Learn more

Webinar

Ethics & Compliance

Best practices for conducting third-party due diligence for ethics & compliance

In this session, we'll explore the scope of third-party due diligence and best practices, such as industry trends driving greater scrutiny on third parties.

November 16, 2022

Learn more

Webinar

Ethics Program Management

Live demo: Conflicts of interest management webinar

Learn how to develop a holistic disclosure program, how to make it part of your risk assessment, and how to use it to meet regulatory obligations.

November 01, 2022

Learn more

Checklist

Ethics & Compliance

The CECO’s third party checklist

Use this checklist to ensure that your ethics and compliance program is effectively managing third parties across the entire relationship lifecycle.

October 28, 2022

Learn more

eBook

ESG & Sustainability

The CECO’s guide to managing third parties eBook

Download this eBook to learn the six steps in the lifecycle of risk-based third-party due diligence, compliance terms, and conditions, payment terms, etc.

October 27, 2022

Learn more

White Paper

Ethics & Compliance

Central vs. local intake and case management under the EU Whistleblowing Directive white paper

Download this white paper to learn the specific intake and case management requirements for local subsidiaries and offices across Europe.

October 25, 2022

Learn more

Webinar

Ethics & Compliance

The role of disclosures in risk assessment and management

In this webinar, we’ll discuss developing a holistic disclosure program, making it part of your risk assessment, and using it to meet regulatory obligations.

October 04, 2022

Learn more

White Paper

Ethics & Compliance

What CCOs need to know about the DOJ compliance certification requirement white paper

Download our white paper to learn how the DOJ’s new policy will empower CCOs, and discover what opportunities this new policy presents for your program.

September 01, 2022

Learn more

Webinar

Ethics & Compliance

How to transform your ethics management program through effective employee engagement

In this webinar, we’ll discuss how to develop a successful ethics management program and how to promote trust by developing awareness.

July 28, 2022

Learn more

White Paper

Ethics & Compliance

DOJ’s 2020 update to the evaluation of corporate compliance programs

This white paper explores the 2020 DOJ Compliance Guidance Update and where it takes corporate compliance programs this year and beyond.

July 15, 2022

Learn more

Checklist

Ethics & Compliance

DOJ self-assessment checklist

This enhanced DOJ guidance sets out a baseline, or the minimum standards, to demonstrate an effective ethics & compliance (E&C) program.

July 08, 2022

Learn more

Webinar

Ethics & Compliance

Conflicts of interest and disclosures

Join this roundtable with your peers and experts in ethics and compliance to discuss how to build a successful conflict of interest management program.

July 08, 2022

Learn more

Webinar

Ethics & Compliance

Effective policy governance and distribution

Join this roundtable to discuss how to create effective policies, run effective campaigns and report on each policy’s performance and influence. 

July 08, 2022

Learn more

Webinar

Ethics & Compliance

GDPR and the EU Whistleblower Protection Directive webinar

Join this webinar to learn how to review your whistleblowing processes to comply with the EU Whistleblower Protection Directive, the GDPR and others.

July 06, 2022

Learn more

Webinar

Ethics & Compliance

Hotline reporting under the EU Whistleblower Protection Directive: Unseen consequences, issues & practicalities

While there have been many articles and discussions around the EU Whistleblower Protection Directive, several significant issues have largely gone unnoticed. 

July 06, 2022

Learn more

Webinar

Ethics & Compliance

A hotline innovation masterclass: communications, awareness & confidentiality

Learn how to effectively train and raise awareness on your hotline and how to share information on the Directive so that your company remains compliant.

July 06, 2022

Learn more

Webinar

Ethics & Compliance

Evaluating hotline vendor compliance with the EU Whistleblower Protection Directive

Join us to learn how to choose a hotline vendor, and we also cover the onboarding and implementation process so that you can meet the Directive's deadline.

July 06, 2022

Learn more

Interactive Tool

Ethics & Compliance

Compliance KPIs worksheet interactive tool

Use this worksheet to understand what data you currently have, what you're lacking that may be important, and what certain data points may indicate.

July 05, 2022

Learn more

Webinar

Ethics & Compliance

Whistleblower retaliation under the EU Whistleblower Protection Directive: the reverse burden of proof

Learn how to implement anti-retaliation measures, and how to detect retaliation throughout the whistleblowing process using some new and novel techniques.

July 05, 2022

Learn more

eBook

Ethics & Compliance

14 key requirements to effective conflicts of interest management

Read this eBook to learn the key requirements that are fundamental to building a successful conflict of interest management program.

June 30, 2022

Learn more

Checklist

Ethics & Compliance

Annual compliance program checklist

Download our annual review compliance checklist to evaluate your E&C compliance program, identify key gaps, and prepare for the future.

June 30, 2022

Learn more

Webinar

Trust Intelligence

Become a trusted brand: 7 ways to promote your security, privacy, ethics and ESG programs

We discuss key points, such as choosing which certifications count the most to your business and how to save time when answering questionnaires.

June 20, 2022

Learn more

Checklist

Ethics & Compliance

Anti-retaliation checklist for compliance programs

Use these 19 questions to take a holistic look at how your program can improve training, investigations, policies, & more to prevent retaliation before it occurs.

June 17, 2022

Learn more

Checklist

Ethics & Compliance

EU Whistleblower Directive checklist

Assess your company's EU Whistleblower Directive compliance with this interactive checklist. 

June 16, 2022

Learn more

eBook

Ethics & Compliance

Ultimate guide to the EU Whistleblower Protection Directive

Download our free eBook on the EU Whistleblower Protection Directive learn its key requirements, who's protected, and answers to common questions. 

June 07, 2022

Learn more

Webinar

Privacy & Data Governance

7 ways trusted brands promote their security, privacy, ethics, and ESG programs

Watch this free webinar and learn 7 ways trusted brands promote their security, privacy, ethics, and ESG programs.

May 17, 2022

Learn more

eBook

Ethics & Compliance

The secret to effective policy management

Download this eBook and discover how a centralized policy management system helps drive compliance and ethics policy effectiveness. 

May 11, 2022

Learn more

eBook

Ethics & Compliance

How to build a speak-up culture

Download this step-by-step guide on building a speak-up culture and improve reporting rates. 

April 25, 2022

Learn more

eBook

Ethics & Compliance

Quick guide to the EU Whistleblower Directive

Use this guide to learn how the new EU Whistleblower Directive will be enforced, who is subject to it, and how to comply with it.

April 20, 2022

Learn more

Infographic

Ethics & Compliance

Infographic: The impact of an effective helpline on speak-up culture

Download this infographic and learn how an effective helpline is key to building a speak-up culture. 

April 08, 2022

Learn more

Interactive Tool

Ethics & Compliance

A simple conflict of interest disclosure form template

Download and customize this conflict of interest disclosure template to begin collecting voluntary disclosures at your organization.

April 05, 2022

Learn more

Webinar

Third-Party Due Diligence

7 best practices for conducting third-party due diligence for ethics & compliance

Watch this webinar and learn the seven best practices for third-party due diligence. 

January 03, 2022

Learn more

Webinar

Privacy & Data Governance

Data breach vs. ethics breach: How to prepare for both

In this webinar, we review case studies and tips from recent breaches and analyze which situations qualify as an "ethics breach."

July 07, 2021

Learn more

eBook

Ethics & Compliance

Creating an effective code of conduct

In this eBook, learn how to create an effective code of conduct with six key steps. 

June 01, 2002

Learn more