Mon Sep 20 2021

The three way handshake: Procurement, Risk Management and TPRM

Silvana Precup

You might have heard about the friendship between the Procurement and Risk Management (RM) departments. TPRM, or third-party risk management, is the new kid on the block. If you are not yet convinced it deserves a seat at the table, there are a few good reasons to become friends with TPRM:

● It reduces the burden on your Procurement and RM teams and processes

● It has an impact on your credibility in the market as an organization

● It makes a competitive difference in the market when you are a vendor or service provider with a good security rating

● It helps to have an informed discussion at board level about the cybersecurity posture of your organization

In this article the focus is on the first point. On the one hand, we consider the individual viewpoints of the teams responsible for vendor selection, due diligence, onboarding and monitoring. On the other hand, we share a view on how Procurement, RM and TPRM could collaborate to better protect the business from cyber risk.

It is common for the vendor management responsibilities above to be shared and split between the Procurement team or department and the RM team or department. Some organizations manage third parties in a different team altogether. The result can be a siloed approach to managing third parties instead of a coherent end-to-end process.

Procurement teams which manage business partner and vendor relationships are core to the smooth functioning of any business. Inside the organization, procurement plays a key role in aligning the risk appetite of the business with how third-party risk is managed.

The collaboration between these two teams has historically protected the business from risk.

Fast forward to the current context: third-party cybersecurity threats and pandemic-driven supply chain failures. Add to that increasing regulatory scrutiny of third-party risk management and vendor risk management processes that are often flawed. Given this volatile context, we can all understand why the new kid on the block, TPRM, is not easy to befriend. This article shares the view that, in order to mitigate the increasing cyber risk, it is important to develop and integrate TPRM alongside RM and Procurement.

Now, there could be as many approaches to managing risk as there are organizations. What works for one might not work for another. Therefore, here are a few criteria to consider for your organization:

  • Consider the three lines of defence model, or your existing risk framework, as the basis for a coordinated approach to TPRM. IT security, finance, legal and other risks can then be addressed within the set-up you already have.
  • Consider introducing early IT security due diligence, starting from the vendor selection phase, while respecting the as-is organizational set-up and maturity of the Procurement and Risk departments.
  • Perform a risk analysis during the vendor onboarding phase, mapping the different levels of risk and assigning risk ownership.
  • Regularly monitor the high and medium risks to ensure that they are still within the risk appetite of the business.
  • A result of the point above could be a decision on whether a risk needs to be escalated to higher management, or even on terminating the contract with the vendor.

As with any organizational change, it can take a while for organizations to find what works best for their business context. So the sooner TPRM is introduced, the more time the organization has to iterate on and improve how cyber risk is managed.

If you need help getting started, Ceeyu can support you in taking the first steps. Connect with us via [email protected]

Silvana Precup


Cybersecurity professional experienced in cross-functional roles bridging top management, risk functions, IT and security operations teams, with a knack for TPRM and digital footprint analysis.