The Procurement Risk Playbook: 5 Plays to Win the Third-Party Risk Game
From data breaches to contract violations, supply chain disruptions can make or break your company. To prepare, you’ll first need visibility into your vendors’ internal processes and into their external business environments. Then, you’ll need to identify any risks, understand them in the context of your business, and act to reduce their impact on you. Simple, right?
In our experience working on hundreds of third-party risk management programs, we’ve found that the key to “winning” (and making it look simple) is a strong partnership between procurement and IT security. However, we’ve also found that most procurement pros have little visibility into third-party risk – and even less visibility into how to use risk intelligence to their advantage.
If this sounds familiar, you’ll want to check out our latest strategy paper, The Procurement Risk Playbook: How to Win the Third-Party Game.
Most Third-Party Risk Management Programs Discount Procurement Risk …
Third-party risk management (TPRM) solutions have traditionally focused almost exclusively on cyber risk and on controls for protecting sensitive data. That focus is necessary, but it ignores other risks that can be just as damaging to your organization. For example:
- Financial instability can impact a vendor’s ability to deliver goods and services
- Regulatory filings or violations could indicate future distracting legal challenges
- Leadership turnover can signal a change in strategy that impacts products and services
- Insufficient environmental, social and governance (ESG) practices can signal leadership problems
… Resulting in a Short-Sighted View of Vendors
Leaving this kind of data out of your vendor risk assessments leads to limited pre-contract visibility (which can hide material risks until after signature), delays in onboarding, and inconsistent evaluation from one vendor to the next.
Think of Third-Party Risk Management as a Team Sport – Run These 5 Plays
Think of managing vendor risk in terms of a team sport. A team has many roles including a front office, scouts, coaches, and players. Each role has specific responsibilities that can help win a game or contribute to a loss. A team that focuses only on stopping one facet of their opponent’s strategy can be easily defeated by another facet. That’s why it’s essential to have a solid playbook for coordinating your team to reduce risk throughout every stage of the third-party lifecycle – from sourcing and selection to offboarding.
Run these 5 plays to get started:
- When selecting vendors, don’t give up easy points – Screen vendors against a wide range of risks, not just cyber controls.
- Ensure everyone is working from the same playbook – Centralize all of your vendor data and risk analysis so the entire team works from one record.
- You can’t double-team everyone – Use inherent risk scoring and tiering so the depth of each evaluation matches the vendor’s potential impact.
- Adjust strategies throughout the game – Continuously monitor vendors so you have up-to-the-minute data to make the best decisions.
- Keep an eye on the scoreboard – Agree on a set of metrics that defines what success and failure look like, and act on them.
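To make plays 1, 3 and 4 concrete, here is an added illustration of inherent risk scoring and tiering that folds the non-cyber signals listed earlier (financial health, regulatory findings, leadership turnover, ESG) into the score alongside data sensitivity and network access. This is example code written for this page, not Prevalent or Mitratech product logic; the field names, point weights, tier thresholds and assessment cadences are assumptions chosen for the example, and the three vendors are constructed sample records.

```python
"""Inherent-risk scoring and tiering for third-party vendors (illustrative).

Added example, not Prevalent/Mitratech product code. All weights, tier
cut-offs and reassessment cadences below are assumptions for the example.
"""
from dataclasses import dataclass, replace

# Assumed ordinal scale for the most sensitive data the vendor handles.
DATA_CLASS_POINTS = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_class: str             # highest data classification shared with the vendor
    network_access: bool        # vendor connects into our environment (VPN, API, agent)
    annual_spend_usd: float
    financial_health: int       # 1 (distressed) .. 5 (strong); from an assumed external feed
    regulatory_findings: int    # open filings or violations in the last 24 months
    leadership_turnover: bool   # CEO/CFO/CISO change in the last 12 months
    esg_score: int              # 1 (poor) .. 5 (strong)


def inherent_risk_score(v: Vendor) -> int:
    """Combine cyber exposure and non-cyber signals into a single 0..33 score.

    Data sensitivity and network access carry the most weight, but each of the
    procurement-side signals adds points, so a vendor with little data access
    can still be pulled into a higher tier by weak finances or open findings.
    """
    if v.data_class not in DATA_CLASS_POINTS:
        raise ValueError(f"unknown data class {v.data_class!r}")
    score = DATA_CLASS_POINTS[v.data_class] * 2              # 0..10
    score += 5 if v.network_access else 0                    # 0 or 5
    if v.annual_spend_usd >= 1_000_000:                      # spend as a proxy for dependency
        score += 3
    elif v.annual_spend_usd >= 100_000:
        score += 1
    score += (5 - v.financial_health) * 2                    # 0..8, weaker finances -> more points
    score += min(v.regulatory_findings, 3)                   # 0..3, capped so one feed cannot dominate
    score += 2 if v.leadership_turnover else 0               # 0 or 2
    score += (5 - v.esg_score) // 2                          # 0..2
    return score


def tier(score: int) -> int:
    """Tier 1 gets the deepest assessment; thresholds are assumptions."""
    if score >= 16:
        return 1
    if score >= 8:
        return 2
    return 3


# Assumed assessment depth and cadence per tier (play 3: don't double-team everyone).
ASSESSMENT_PLAN = {
    1: {"questionnaire": "full", "evidence_review": True, "reassess_months": 6},
    2: {"questionnaire": "standard", "evidence_review": True, "reassess_months": 12},
    3: {"questionnaire": "lite", "evidence_review": False, "reassess_months": 24},
}


def plan_for(v: Vendor) -> dict:
    """Score a vendor at selection time and return its tier and assessment plan."""
    score = inherent_risk_score(v)
    t = tier(score)
    return {"vendor": v.name, "score": score, "tier": t, **ASSESSMENT_PLAN[t]}


def apply_update(v: Vendor, **changes) -> dict:
    """Re-score after a monitoring feed changes a signal (play 4) and flag tier moves."""
    before = tier(inherent_risk_score(v))
    updated = replace(v, **changes)          # TypeError on an unknown field name
    after = tier(inherent_risk_score(updated))
    return {"vendor": v.name, "old_tier": before, "new_tier": after,
            "changed": before != after, "vendor": updated}


# Constructed sample vendors for the example.
PAYROLL = Vendor("payroll-saas", "restricted", True, 2_000_000, 4, 0, False, 4)
CATERING = Vendor("office-catering", "public", False, 50_000, 3, 0, False, 3)
LOGISTICS = Vendor("regional-logistics", "internal", False, 500_000, 2, 2, True, 2)

if __name__ == "__main__":
    for vendor in (PAYROLL, CATERING, LOGISTICS):
        print(plan_for(vendor))
    # A monitoring feed reports a downgrade and two new filings for the logistics vendor.
    print(apply_update(LOGISTICS, financial_health=1, regulatory_findings=4))
```

Note what the logistics vendor shows: it touches only internal data and has no network access, so a cyber-only screen would wave it through, yet weak finances, open findings and a leadership change land it in tier 2, and a later downgrade from the monitoring feed promotes it to tier 1 with a shorter reassessment cycle.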
Get a complete breakdown of the plays in our 10-page strategy paper, The Procurement Risk Playbook: How to Win the Third-Party Game.
Next Steps
Keeping procurement and IT security teams working from the same playbook is fundamental to winning at third-party risk management. The benefits include better intelligence, faster assessments, stronger contract negotiations with partners, and enforceable vendor accountability.
Ready to take the field? Contact Prevalent to schedule a strategy session on how you can get ahead of third-party risk before the clock runs out!
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired Prevalent, an AI-enabled third-party risk management company. The content has since been updated to reflect our product offerings, regulatory changes, and compliance requirements.