Laura Greenwood, Third-party Assurance Consultant at Crossword Cybersecurity PLC, explains how to approach Supplier Assurance and its management, as it becomes increasingly important to procurement professionals.

Businesses are facing continual pressure to improve third-party assurance and risk management from regulators, auditors, risk and compliance functions, and even customers and investors. In fact, it is typically one of the top three enterprise risks for any large company or organisation. Other areas of enterprise risk, such as big changes in global trade policies, cyber security and business continuity, have top-level visibility of the current risk position, a consensus to invest, and often established international standards. Third-party risk, however, is often under-resourced and is simply not visible at board level in the same way.

A fact well understood by all procurement professionals is that whilst supplier relationships allow you to outsource the work, you cannot outsource the risks. As a result, when taking on any third-party supplier, procurement professionals must work to ensure the service provider can provide assurance that it has sufficient controls to manage the financial, operational and regulatory risks that relate to its specialism and the service it will provide. Compliance in areas such as the Modern Slavery Act or the General Data Protection Regulation has become increasingly important, and depending on the industry, any number of specific regulations may apply.

This means that the task of onboarding suppliers, let alone the ongoing task of maintaining their supplier assurance, can be very complex. The complexity is not just in the process itself: procurement specialists will rely on support from other areas of the business, such as finance and IT, to carry out assurance checks for those areas, and this all requires great co-ordination, communication and management skills.

As an example, supplier assurance and procurement teams typically stay well away from the deeply technical and mysterious world of cyber security. Where supplier due diligence requires a cyber security assessment, it is happily handed over to specialists, whether internal or external. Any reports, risk acceptance or remediation activities are left with the cyber specialists while supplier assurance focuses on the core of financial risk, insurance cover, standards, supply continuity and so on.

From the cyber security specialist's perspective, these responsibilities are typically approached as short-term, single-moment-in-time, instant assessments, often required on top of the day job of protecting the organisation's IT assets and systems. It is also common for technical cyber specialists to be asked to assess standards, cyber controls and governance, an area in which they may well have no experience. They will carry out these tasks as best they can, but won't always see them as strategically important.

Whether the controls in question are cyber security, financial or other regulatory controls, organisations need a different approach in order to reduce the risks associated with suppliers, vendors and other third parties: one that combines the supplier assurance and procurement team's approach, based on good practice, controls, evidence of governance and commitments to improvement, with the deeper technical understanding of other teams. Supplier assurance and procurement teams have a far greater role to play in this than they may imagine.

Best of both worlds approach

A good framework starts with the need for supplier assurance and other departments to gain an improved understanding of each other's domains, objectives and responsibilities. A starting point is for them to jointly develop Supplier Impact criteria that systematically assess how much inherent risk every supplier or third party may carry in that department's sphere.

Each supplier can then be measured against these criteria and its supplier impact level established. A different approach for each level of impact should be agreed jointly and completely standardised across the organisation. For example, a supplier with a Very High impact should be expected to demonstrate a high level of internal controls. With cyber security, for example, this should take the shape of obtaining, or working to achieve, recognised standards such as ISO 27001, IASME Governance or NIST. This makes it the supplier's responsibility to show a serious level of control, rather than the hard-pressed cyber security team's responsibility to dive into hundreds of hours of audit work. It also has the benefit that a non-cyber specialist can easily determine whether the standard is present or not.

Where a technical assessment or test is needed, such as a penetration test, or at least a "pen test" report from a credible third party, the supplier assurance team can be responsible for ensuring that this takes place, handing over the technical work to the cyber teams or external testers where needed. This 'management of risk' role cannot be handed over, though, as tempting as it is when the talk gets incomprehensibly technical.

The approach at each level of supplier impact should also define the ongoing levels of compliance required in order to maintain good risk management. Again, the supplier assurance team can timetable these ongoing reviews and focus on the governance of third-party risk, whether cyber, continuity, financial or regulatory.

A strategic approach to supplier risk information

Taking a formalised and strategic approach to supplier assurance creates an environment where the different teams involved in supplier risk start to use shared information systems to record and visualise supplier risks. We have seen users creating really impressive supplier scorecards showing a combined view of financial, cyber, GDPR, Modern Slavery and other risks, all on one simple chart for each supplier. This creates a shared understanding of the totality of risk from each supplier and helps specialist teams, such as IT, and the supplier assurance team understand how their worlds fit together. This is what a truly strategic approach to supplier assurance looks like, and it creates direct benefits for the business and its wider supply chain partners.
