Procurement or Information Security: Who Owns Third-Party Risk Management?

July 2020

There is no single right answer to which team should own Third-Party Risk Management, but an effective program has to support requirements from across the organization, including those of both the Chief Procurement Officer and the Chief Information Security Officer. Both executives and their teams need to understand the risk that vendors and their services introduce in order to manage that risk, meet their goals and make sound decisions.

Chief Procurement Officers and their teams want to streamline vendor onboarding and ensure that the company is building relationships with the best vendors for the job. Chief Information Security Officers need not only to maintain the organization's own security posture, but also to monitor every vendor to make sure it is as well secured as their own company. A successful third-party risk program has to meet both sets of requirements, which is no easy task.

How to Create a Cross-Functional Third-Party Risk Management Program with Procurement and Information Security

No matter where the third-party risk function “lives” within an organization, building a best-of-breed program requires strong leadership and executive sponsorship to create an integrated approach that serves the needs of all critical stakeholders.

Once that sponsorship is secured, third-party risk teams must tie the upfront activities of pre-contract vendor due diligence to the ongoing monitoring activities that follow, creating a mature, cross-functional and efficient Vendor Risk Management program.

The steps below will help third-party risk teams create an effective program that meets the needs of both Procurement and Information Security.

1. Identify the Top Risk Domains

To start, third-party risk teams need to identify the risk domains that matter to each functional group and incorporate them into due diligence activities. Many organizations began by assessing only the Information Security domain during due diligence, but there are several other critical areas to review before signing a contract and bringing a vendor into the fold.

Risk domains to consider include:

  • Financial – The risk of working with a business that is financially failing
  • Reputation – The risk of working with an unethical business
  • Information Security – The risk of exposure if data shared with, or systems connected to, the vendor are compromised or leaked
  • Business Continuity – The risk to the company if a vendor's service is disrupted or the vendor goes out of business
  • Compliance – The risk of a vendor being noncompliant with applicable regulations
  • Geographic – The risk that regional and global regulations (such as GDPR) pose to a business relationship
  • Fourth Party – The risk of a vendor's own third parties (subcontractors and suppliers) being noncompliant
  • Conflict of Interest – The risk of working with businesses where there is a conflict of interest (business, ethics, etc.)

2. Incorporate Lines of Business into Third-Party Risk Processes

Including Line-of-Business (LOB) contacts in third-party risk processes can further reduce vendor onboarding cycle times and allow teams to assess vendor performance more accurately. During pre-contract due diligence, LOBs can work with third-party risk teams to identify the inherent risk of a potential vendor in order to scope the depth of due diligence. This collaboration should continue throughout the vendor lifecycle, with the two groups working together to identify risk and track vendor performance. Procurement is heavily invested in vendor performance, as its goal is to work with top-performing vendors that can meet and exceed goals.

3. Connect Third-Party Risk to RFx

Once a standardized pre-contract vendor due diligence process has been established, third-party risk teams must consider how to mature the program to meet organizational needs. Connecting third-party risk information to RFx activities, contract negotiations, service-level agreement (SLA) tracking and procurement systems gives the organization greater visibility and supports better decision-making to drive ROI.

Take SLAs, for example. Third-party risk teams can build a library of SLAs, track where each is being used and work with LOBs to define acceptable thresholds. An SLA enforcement engine of this kind helps procurement negotiate contracts, drive informed conversations with vendors and, if necessary, collect penalties.

4. Integrate SMEs Into Third-Party Risk Processes

As with Line-of-Business contacts, third-party risk teams must integrate subject-matter experts (SMEs) into third-party risk processes to improve assessment quality and gain an understanding of cross-functional activity. SMEs' deep expertise helps identify and understand the risk domains, and therefore the potential risks, of new vendor relationships. Information security is typically the function that connects SMEs to third-party risk, as cyber experts can review a vendor's security controls and help protect the organization.

5. Map Vendor Risk to Internal Frameworks

Finally, third-party risk teams should treat internal frameworks as a core pillar of a successful cross-functional vendor risk management program. Mapping vendor risk to internal risk and compliance frameworks aligns the risk from vendors and suppliers with the rest of the organization, including the frameworks that support the Chief Information Security Officer's activities (ISO, NIST and others).
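The five steps above describe one procedure: score a vendor's inherent risk across the listed domains with LOB input (steps 1 and 2), scope due diligence to that score, flag the need for SME review (step 4) and report the in-scope domains against the CISO's frameworks (step 5). The following is an added example of that procedure in Python; it is not code from the original article or from ProcessUnity. The intake questions, point weights, tier thresholds, the baseline domains and the domain-to-control mapping are all assumptions chosen for illustration, and the two sample intakes are constructed, not real vendors.

```python
"""Inherent-risk tiering and due-diligence scoping for a vendor intake.

Added example, not code from the original article or from ProcessUnity.
Weights, thresholds and the framework mapping are illustrative assumptions;
a real program sets them jointly with Procurement, the LOBs and InfoSec.
"""
from dataclasses import dataclass

# The eight risk domains listed in the article, in the article's order.
RISK_DOMAINS = (
    "Financial", "Reputation", "Information Security", "Business Continuity",
    "Compliance", "Geographic", "Fourth Party", "Conflict of Interest",
)

# Hypothetical LOB intake questions -> (domain, points) raised when answered True.
INTAKE_WEIGHTS = {
    "handles_pii": (("Information Security", 3), ("Compliance", 2)),
    "network_connectivity": (("Information Security", 3),),
    "critical_to_operations": (("Business Continuity", 3), ("Financial", 2)),
    "annual_spend_over_1m": (("Financial", 2),),
    "operates_outside_home_jurisdiction": (("Geographic", 2), ("Compliance", 1)),
    "subcontracts_core_service": (("Fourth Party", 3),),
    "employee_relationship_disclosed": (("Conflict of Interest", 3),),
    "public_facing_brand_use": (("Reputation", 2),),
}

# Domains assessed for every vendor regardless of score (assumption).
BASELINE_DOMAINS = ("Financial", "Information Security")
DOMAIN_SCOPE_THRESHOLD = 2  # a domain enters scope once it reaches this many points

# Assumed illustrative mapping of domains to CISO-side framework controls.
FRAMEWORK_MAP = {
    "Information Security": ("ISO/IEC 27001:2013 A.15.1", "NIST CSF 1.1 ID.SC-3",
                             "NIST CSF 1.1 ID.SC-4"),
    "Business Continuity": ("ISO/IEC 27001:2013 A.17.1", "NIST CSF 1.1 ID.SC-5"),
    "Fourth Party": ("NIST CSF 1.1 ID.SC-2",),
}


@dataclass(frozen=True)
class DueDiligenceScope:
    tier: str
    domains: tuple            # risk domains to assess, in article order
    sme_review_required: bool  # step 4: pull in Information Security SMEs
    framework_refs: tuple      # step 5: controls the findings roll up to


def score_inherent_risk(intake):
    """Sum per-domain points for every intake question answered True."""
    scores = {domain: 0 for domain in RISK_DOMAINS}
    for question, answer in intake.items():
        if question not in INTAKE_WEIGHTS:
            # Reject unknown questions rather than silently under-scoring the vendor.
            raise ValueError(f"unknown intake question: {question}")
        if answer:
            for domain, points in INTAKE_WEIGHTS[question]:
                scores[domain] += points
    return scores


def tier_for(total):
    """Tier thresholds are assumptions; tune them to the organization's risk appetite."""
    if total >= 10:
        return "high"
    if total >= 5:
        return "medium"
    return "low"


def scope_due_diligence(intake):
    """Turn an LOB intake into a tier, the domains to assess and their framework refs."""
    scores = score_inherent_risk(intake)
    tier = tier_for(sum(scores.values()))
    in_scope = {d for d, s in scores.items() if s >= DOMAIN_SCOPE_THRESHOLD}
    in_scope.update(BASELINE_DOMAINS)
    domains = tuple(d for d in RISK_DOMAINS if d in in_scope)
    refs = tuple(ref for d in domains for ref in FRAMEWORK_MAP.get(d, ()))
    return DueDiligenceScope(tier, domains, tier == "high", refs)


# Constructed sample intakes (not real vendors). Questions not asked count as False.
PAYROLL_SAAS = {
    "handles_pii": True, "network_connectivity": False, "critical_to_operations": True,
    "annual_spend_over_1m": False, "operates_outside_home_jurisdiction": True,
    "subcontracts_core_service": True, "employee_relationship_disclosed": False,
    "public_facing_brand_use": False,
}
SWAG_SUPPLIER = {"public_facing_brand_use": True}

if __name__ == "__main__":
    for name, intake in (("payroll SaaS", PAYROLL_SAAS), ("swag supplier", SWAG_SUPPLIER)):
        s = scope_due_diligence(intake)
        print(f"{name}: tier={s.tier} sme={s.sme_review_required} domains={s.domains}")
```

The payroll vendor scores 16 points and lands in the high tier with six domains in scope and an SME review flagged, while the swag supplier scores 2 points and gets only the baseline domains plus Reputation. Keeping the weights and thresholds in data rather than in code is the point: Procurement and Information Security can each argue over their own domain's weights without rewriting the scoping logic.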

An Integrated Approach for Chief Procurement Officers and Chief Information Security Officers

While the Chief Procurement Officer's and the Chief Information Security Officer's requirements may differ, a high-performing vendor risk management program should bridge the processes of the Procurement Office and the CISO Office so that both sets of executive requirements are met. A successful program supports the upstream processes of sourcing and contract management, and provides CISOs with a complete mapping framework to tie their management of vendor risk into the internal cybersecurity program.

To learn more about cross-functional risk programs, watch the on-demand webinar, Procurement vs. CISO: Balancing Third-Party Risk Program Priorities, featuring John Tondreau, Senior Director of Customer Success at ProcessUnity and Tom Garrubba, Vice President, The Santa Fe Group, Shared Assessments Program.

Watch the on-demand webinar from ProcessUnity and Shared Assessments to learn how to balance Third-Party Risk Management priorities across the organization and develop a successful program to meet the needs of stakeholders.

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit