Third-Party Risk Management: Bridging the Gap between Procurement and Internal Audit

A partnership between the risk management, procurement and internal audit teams can help keep an organization out of the risk hot seat.

By Jennifer Ulrich, 2016

Over the past several years we have seen new risk management trends plaguing organizations as well as some older trends resurfacing. Legal and financial risk are still prevalent in most organizations, in addition to regulatory and information security risk. In analyzing these risks, it is apparent that multiple areas of the business are impacted, either as owners of the risk or through some other direct connection to their line of business. No matter who owns the risk, it is important to identify the roles and responsibilities of the parties that would need to be involved both to prevent risk and to react to exposure.

Two of the most critical parties in the risk management process, aside from the risk management team itself, are procurement and internal audit, which are impacted by all forms of risk rather than by one specific criterion or role-related aspect. Thus, they need to be partners in the management and execution of third-party risk management within the organization, especially in more regulated environments.

Both procurement and internal audit have an associated stereotype they need to overcome to be effective.

Procurement is unfortunately often viewed as a roadblock; internal clients regard them as an impediment to getting their products and services as quickly as possible. In the procurement world we know that “as quickly as possible” often carries multiple risk elements, including lack of due diligence in supplier qualification, improper bid solicitation, rushed and uninformed decision making, and inadequate attention to detail in negotiations and contracting, to name a few. The consequence of these rushed processes can expose the organization to financial, reputational, compliance and operational risks, at a minimum.

Internal audit is viewed as the regulator, and rightfully so, as that is inherent to its role. However, this regulator stereotype creates a sense of unease and discomfort. People can be afraid to say or do things that might be construed as “risky.” Business units understand internal audit is critical to operations, but they tend to avoid it when possible, just as with procurement, to avoid having to follow more processes than absolutely necessary.

When the two functions can break free of these stereotypes and get the businesses not only to trust them but to proactively engage them in related activities, the benefits can be plentiful. One of the best ways to build this trust and engagement is for both internal audit and procurement to demonstrate the value they offer their business counterparts. Simply put, they need to convey their ability to make the business unit’s life easier.

If they are engaged sooner, there is less likelihood of having to handle risk exposure after it has already occurred. Unfortunately, this value positioning is not always so easily adopted by the business stakeholders.

The procurement professional needs to possess risk expertise as part of their core skillset.

The procurement professional in today’s environment must be a generalist and possess a wide range of skills. When we broach the topic of third-party risk management, procurement is a primary player in accomplishing tasks that tie to everything from selecting vendors to ensuring that continual monitoring of contracts is carried out with the proper due diligence. Prior to contracting, procurement must vet the vendor’s risk level against pre-established criteria within the organization.

To effectively assess risk exposure, the procurement professional must have some understanding of what constitutes risk and what triggers to look for when completing the analysis. This goes beyond simply understanding the organization’s risk policies and standards. Procurement needs a supplier-level understanding of risk: an understanding of what might impact the supplier relationship in that specific industry and, in particular, for the types of products or services procured for the business.

When procurement can come to the table and educate stakeholders on what affects them from a risk standpoint, above and beyond the basic classification of risk level, it will demonstrate its value position more effectively.

Internal audit needs to understand the functionality of procurement’s operations.

Internal audit is responsible for ensuring controls are in place where necessary, processes are followed diligently and reporting is effective. Due to the nature of procurement processes and the impact that an unauthorized purchase can have from an audit perspective, internal audit needs to have a thorough understanding of all things procurement. No matter what industry the organization operates in, this will be the case.

Not to mention, internal audit is also likely to be a customer of the procurement organization, needing strategic sourcing and support like any other business unit.

Internal audit is there to ensure that the governance in place complies with industry specific standards, while procurement needs to execute on and maintain the structure.

Since the two business units need to operate so closely in step, they need to find a way to develop a partnership that ensures they act as checks and balances on each other. Internal audit should set the tone of compliance, and procurement must execute the processes that ensure compliance is managed properly within the business units. They will need to work closely together to establish processes that meet the standards of the regulatory bodies governing the organization.

Whether it is procurement’s role in carrying out the processes to source and procure goods and services, internal audit’s role in managing the controls tied to those processes, or the stakeholder’s role in owning the supplier relationships that ultimately carry the associated risk, everyone is responsible for ensuring the organization remains free of risk exposure. All three functions have their own set of responsibilities that tie to third-party risk management. When they work together collaboratively and communicate openly, there is less chance of the organization finding itself in the risk hot seat.