Third-Party Risk in Procurement

Third-party risk is broadly defined as the risk of doing business with people outside of your organization. The supply chain and sales channels are two major sources of third-party risk: Because these two business operations involve working with lots of partners, suppliers, vendors and independent sales representatives, the organization takes on a lot of risk in these functions.

Third-Party Risk in Procurement

In Deloitte’s Global Survey on Third Party Governance and Risk Management, 87% of organizations that participated had experienced an incident with a third party that disrupted their operations; 11% experienced a complete failure in their vendor relationship. Third-party risk is an unavoidable part of doing business, particularly in the field of procurement. However, there are ways to reduce your third-party risk through smart procurement practices. Here’s what you need to know. 

What is third-party risk?

Third-party risk is broadly defined as the risk of doing business with people outside of your organization. The supply chain and sales channels are two major sources of third-party risk: Because these two business operations involve working with lots of partners, suppliers, vendors and independent sales representatives, the organization takes on a lot of risk in these functions. 

Third-party risk comes in many forms. Strategic risk, for instance, indicates a type of threat that arises from adverse business decisions or the failure to carry out a business decision that is consistent with your organization’s strategic goals. A partner that acts in their own interests that are contrary to your business strategy is an example of strategic risk. 

Other key third-party risks include 

  • Reputational risk — when the third party puts your brand or business reputation at risk as a result of dissatisfied customers, procurement delays, etc. 
  • Operational risk — when external events impact your business operations and put your business at risk of financial loss.
  • Compliance risk — when the actions of a third-party partner are in violation of  your organization and industry’s governing laws, rules, regulations, policies or ethical standards.
  • IT security risk — when a third party’s cybersecurity is vulnerable and puts your IP, customer data, or other valuable data at risk. 

[Read more: ​​Derisking your supply chain: mitigating risks influenced by external threats

It’s impossible to 100% eliminate third-party risk, especially in procurement. However, there are strategic steps that organizations can take to reduce third-party risk in procurement. 

How to reduce third-party procurement risks

Reducing third-party risk starts with evaluating areas of high-risk exposure, some of which will be independent of the suppliers with which the company chooses to sign agreements. Understanding this baseline risk gives you a measurement against which to assess the risk that your partners bring to the equation. For instance, certain geopolitical risks — trade agreements between the US and China, for instance — are likely to impact your business regardless of which third-party suppliers you choose.  

From there, the procurement team should identify all of the potential risk scenarios, identifying which disabling circumstances are most likely to unfold, and which events are likely to provide the most costly interruptions to the supply chain even if they are highly unlikely to occur. This could include external threats such as: 

  • Geopolitical risks
  • Natural disasters
  • Financial market risks

With a complete picture of your highest areas of risk, you can begin to put into place a third-party risk management strategy. Your risk management strategy should seek to tackle everything from planning to strategic sourcing all the way through to vendor selection, supplier selection, due diligence, contract negotiation, and monitoring. 

Here’s how this process works. Imagine your risk audit determines that one of the biggest threats to your procurement practice is a natural disaster or geopolitical risk that impacts a key input arriving from suppliers in China. This might cause your procurement function to select local suppliers and/or diversify suppliers from different geographies outside of China. 

Managing third-party risk in this way can mean purchasing products and materials with a higher price tag, but it also substantially mitigates the potential disaster of having one event disrupt your entire business. A cost-benefit analysis shows that the risk involved with limiting your supplier base is greater than the cost of working with a local supplier. You may also learn that working with a US-based supplier can decrease your reputational risk, in addition to improving your operational risk. 

How technology can help reduce third-party risk

Organizations that use digital supply chain management platforms can easily analyze data in real-time to prevent slow responses to external threats. Tech-savvy procurement teams can make use of real-time data to understand nearly every conceivable circumstance that could alter the efficiency of the supply chain. This includes changes in regional weather, laws, politics, and even currency fluctuations that impact the profitability of active agreements with suppliers.

Likewise, technology plays a pivotal role in vetting suppliers. With the right platform, you can determine if your suppliers are credible and operating within lawful parameters. This includes vetting a supplier’s credit ratings and uncovering any legal judgments that have been rendered against them. Software can automate these processes, allowing your staff to focus on other high-value risk management tasks.


Inevitably, investing in solutions that provide data on global, third-party risk will benefit you in the long term. To learn more about third-party risk management, check out our blog, The Source.