Navigating Third-Party Risk in Procurement Outsourcing
Third-party risk management (TPRM) in procurement outsourcing has become an essential foundation for businesses, shaping resilience, compliance and long-term success. Managing a business is like a captain steering a ship, with each supplier or third-party partner representing a key crew member. Without the right safeguards, one weak link can sink the ship. This harsh reality is why 75% of organisations now prioritise TPRM, according to KPMG’s global TPRM Outlook survey.
KPMG’s findings also reveal that 70% of businesses acknowledge inefficiencies in their TPRM programmes, leaving them exposed to reputational risks. In today’s digital age, almost two-thirds (64%) of TPRM budgets are laser-focused on cyber risk – but TPRM doesn’t stop at cybersecurity. It also enhances supply chain resilience and embeds ESG principles into operations while aligning with investor expectations.
As KPMG’s report makes clear, for those embarking on procurement outsourcing journeys, robust TPRM practices are no longer optional.
The regulatory landscape: Navigating compliance
Regulatory waters are getting choppier, with global expectations reshaping how businesses manage third-party risks. For example, the UK’s Prudential Regulation Authority (PRA) and Germany’s Supply Chain Act serve as blueprints for operational resilience and sustainability.
The PRA’s March 2021 requirements for financial firms demanded rigorous board engagement, senior management accountability and advanced ICT risk management. These mandates included data security controls across 13 specific areas, as well as continuity planning and concentration risk management, with a focus on future-proofing rather than mere compliance.
Now, the EU is rolling out the Digital Operational Resilience Act (DORA). It will come into force this month and is aimed at strengthening the IT security of third-party financial entities including banks, insurance companies and investment firms. This follows the COVID-19 pandemic, which sparked an increased reliance on digital systems and made digital resilience an urgent need.
Beyond compliance: Procuring a sustainable future
The pandemic is not the only catalyst for change in the sector; sustainability has taken centre stage in recent years as more legislation calls for increased scrutiny within procurement and supply chain operations.
Todd Boehler, Chief Strategy Officer (CSO) at ProcessUnity, observes the ripple effect: “There’s pressure on both sides; regulations like the German Supply Chain Act take a detailed approach to sustainability and ESG risk management – and its influence is expanding globally.”
Todd joined ProcessUnity in 2014 and has more than 20 years of experience in product management and strategy, having founded a governance, risk and compliance (GRC) startup which was later purchased by Oracle.
“The second driver,” he explains, “is investor pressure and good practice, emphasising embedding ESG principles not only within organisations but throughout their supply chains. Understanding and managing ESG from third and fourth parties is crucial.”
As global markets evolve and regulators gain influence, the focus is shifting from mere compliance to sustainable procurement. Todd stresses: “Beyond compliance, sustainable procurement offers business benefits: enhancing brand reputation, ethical practices, labour standards and environmental stewardship.”
He emphasises that sustainable practices are no longer a “nice-to-have” but an essential part of business strategy: “These positive impacts resonate globally, prompting management, investors and boards to question how organisations approach, implement and invest in these initiatives.”
By adopting such initiatives, companies not only improve their ethical standing but also position themselves for lasting success, making sustainability a key component of future growth and resilience.
Addressing the third-party risk vulnerability gap
Third-Party Risk Management (TPRM) is more crucial than ever, yet many organisations are struggling to stay on top of it.
Ed Thomas, Senior Vice President at ProcessUnity, highlights some eye-opening stats: “Today, more than 50% of breaches originate from third parties, prompting executive teams and boards to scrutinise TPRM programmes more closely. Alarmingly, 75% of TPRM leaders are dissatisfied with their current processes. This frustration grows as third-party portfolios continue to expand, while resources for vetting risks remain stagnant.”
Ed leads ProcessUnity’s marketing team, overseeing the company’s awareness, demand generation and thought-leadership programmes. With extensive experience in marketing and sales operations at ProcessUnity, Cura Software Solutions and OpenPages (now IBM), he has helped hundreds of organisations streamline their risk and compliance programmes using next-generation automation tools.
The result is what’s known as a ‘third-party risk vulnerability gap’, marked by inefficiencies in onboarding, assessment backlogs and difficulty in tiering risks accurately. To close this gap, organisations need to modernise their TPRM practices and introduce tools that can streamline processes and handle growing complexity.
KPMG’s guidance is a call to action, urging businesses to adapt to the increasingly complex risk environment. With only 22% of firms recognising ‘operational resilience’ as a TPRM driver, there’s a clear need to align these programmes with broader resilience strategies.
Moreover, pre-contract due diligence must go beyond surface-level checks. Businesses need to thoroughly evaluate providers’ business models, finances, capabilities and resources. After all, 74% of companies admit they struggle to assess fourth parties effectively. Now is the time to act before the risks escalate.
The KPMG report goes on to highlight contract management as an often-overlooked, yet crucial element, in TPRM.
Shockingly, only 57% of organisations have enterprise-wide agreements that clearly define which services can or cannot be outsourced. This glaring gap highlights the urgent need to create strong frameworks – not just for external agreements, but also for intragroup arrangements. Internal agreements, though frequently overlooked, demand the same level of attention when it comes to governance and control. Without these solid frameworks, companies are leaving themselves exposed to risks that could have been mitigated with just a little more attention to detail.
Ongoing monitoring is also crucial to TPRM; organisations must actively leverage audit rights, access provisions and outcome-focused evaluations. This means assessing operational and concentration risks through severe yet plausible scenarios, ensuring they’re prepared for the worst-case while staying vigilant in everyday operations. Technology is already making a significant impact here, with 46% of TPRM tasks currently supported by tech. That number is expected to rise to 58% within three years, revolutionising efficiency and accuracy in monitoring, according to KPMG.
Keeping data secure amid technological transformation
Another major area of concern in TPRM is data security. Despite its importance, only 54% of firms are prioritising privacy in their TPRM programmes. KPMG’s guidance emphasises that implementing 13 essential data security controls is non-negotiable to ensure strong protection across the supply chain.
As the complexity of third-party risk grows, so too does the role of AI and automation. The days of relying on spreadsheets and homegrown databases are long gone.
Ed’s thoughts on this topic are unequivocal: “AI and automation are critical as third-party risk becomes increasingly complex. Significant work is required for initial risk assessments, pre-contract due diligence, post-contract monitoring, SLA reviews and offboarding.”
For Ed, this is no longer a manual task; it’s a data problem. Effective TPRM requires a unified system of record, one that centralises information such as profiles, assessments, policies and findings into a single platform.
For instance, he explains that onboarding 200 third parties with 100-question assessments generates 40,000 data points annually, a number which doubles each year as monitoring data accumulates. A central data core can integrate external cybersecurity ratings, ERP systems, contract lifecycle management tools and risk platforms. This consolidated data streamlines the process and simplifies TPRM. Assessment exchanges also play a key role, enabling third parties to complete one standardised questionnaire that can be shared with multiple customers, supporting the "assess once, share many" model. These modern tools are transforming TPRM, ensuring that risk management processes remain scalable, efficient and effective.
It doesn’t stop at AI; cloud arrangements are an increasingly important focus in TPRM. With a significant proportion of TPRM budgets dedicated to cyber risk – much of which is tied to cloud vulnerabilities – organisations must evaluate cloud materiality, risks and resilience with greater precision. Exit strategies and contingency planning are also critical, ensuring businesses are prepared for the unexpected. Scenario testing helps firms stay ready for potential disruptions, allowing them to respond swiftly and effectively when challenges arise.
KPMG’s recommendations highlight the need for proactive, tech-enabled TPRM strategies that integrate resilience, address critical gaps and prepare organisations for an ever-evolving risk environment. Meanwhile, the team at ProcessUnity makes it clear that it’s not just about managing risks, but transforming them into a competitive advantage. By leveraging modern technology and improving risk management processes, companies can stay ahead of the curve.
Procurement Magazine is a BizClik brand