Procurement is essential to most businesses. Obtaining outsourced goods and services for the organization at the best possible value from vetted vendors drives business success. As risk is pervasive in sourcing and the supply chain, Risk Management and Procurement need to team up to deliver outsourced goods and services with the lowest amount of risk and the highest standard of security.
In fact, Risk Management and Procurement share many of the same objectives. “Procurement plays a vital role in strategically aligning company values while managing the supply chain. Now more than ever, companies are turning to procurement to mitigate supply chain risk and maintain business continuity,” describes Majdi Sleimen, co-founder of Tradogram, in the UK’s Business Reporter.
In the “Reaching Across the Aisle: Partnering with Procurement for Success” webinar Tom Garrubba, Vice President, Shared Assessments, met with Phil Bennett, Manager Information Security Governance, Horizontal Services, Navy Federal Credit Union, to exchange viewpoints on the relationship between TPRM and Procurement within organizations.
Importance of Partnerships
In TPRM, we tend to emphasize successful partnerships with the third parties we are constantly evaluating. But internal partnerships between TPRM and business functions – especially procurement – are just as important to cultivate. A good relationship between TPRM and procurement builds a more robust and meaningful TPRM program and process.
Procurement can make the risk evaluation process more efficient by lending a greater depth of knowledge and extending visibility into vendors. There is a business case for the TPRM and procurement relationship – the relationship itself can reduce risk.
Think about your organization and how it looks in terms of responsibility. You can visualize a RACI chart (a matrix of all the activities or decision-making authorities undertaken in an organization, set against all the people or roles). Who is responsible for an action? Who is accountable? This will help you identify the stakeholders in risk management and inform your narrative approach – what is the story behind what you are trying to accomplish through risk management? The risk management story is that you want to avoid risk and reduce exposure to regulatory action.
TPRM’s Perception of Procurement
TPRM tends to view procurement as a “one-stop shop” for executing Requests for Proposal (RFPs) and Requests for Information (RFIs). TPRM also views procurement as holding the keys to all major contracts and records of vendor relationships – the financial and legal reports necessary for checking vendor health. TPRM sees procurement as the guardian of preferred vendor lists.
The first webinar poll showed that many TPRM practitioners involve procurement in their work only when needed. But some 34% of TPRM practitioners involve procurement in their work weekly.
As for how TPRM is involving procurement in processes, 37% of TPRM practitioners rely on procurement to deliver or help with contracting needs while 13% of TPRM practitioners rely on procurement for vendor inventory.
Establishing a VIC Initiative – Vendor Information Checksheet
It is effective to set up a regular pattern of working together with procurement to establish a Vendor Information Checksheet (VIC) initiative. With a VIC, TPRM and procurement can pre-screen prospective vendors at the RFP or RFI stage, thereby weeding out vendors with inadequate privacy and security controls before any contract is negotiated.
VIC questions should tie back into your full assessment questionnaire so that adverse responses are identified early and the later assessment is expedited. “Showstopper questions” – those where a single adverse answer disqualifies a vendor – should be risk-approved by critical stakeholders such as Business Unit VPs, Chief Procurement Officers, Chief Privacy Officers or CISOs.
Build the Relationship Around a Business Case
As Risk Management and Procurement share many of the same goals – secure and efficient outsourced relationships – a business case is at the heart of the relationship. Building a strategic relationship with procurement can head off downstream risk. Consider your organization’s size and TPRM structure as you reach out to stakeholders. Finally, recall that TPRM exists to support business goals.