What Role Does Procurement Play in Supply Chain Risk Management?

Thanks to globalization and rapidly developing technology, enterprises have more connections than ever before, and more connections mean more risk in the supply chain.

Supply chain risk extends past those suppliers with whom you’re doing business directly. Beyond your third-party suppliers are their suppliers, and the supply chain continues branching out from there.

In this increasingly interconnected ecosystem, organizations can’t afford to silo their supply chain risk management responsibilities, and procurement teams should bear some of the burden.

The recent Airbus data breach is a clear example of third-party risk in action. Suppliers Rolls-Royce and Expleo were involved in the incident, despite having been "vetted" by procurement. So what was missing from the vetting process? Given what has been reported about the breach, it is likely that Airbus's procurement team was not focusing on the cyber risk of its suppliers.

In this post, we’ll go over a few ways procurement teams can improve their supply chain risk management strategies.

Ask the right questions

While onboarding new suppliers, procurement teams should consider additional sources of risk alongside factors like price and availability. Here are a few risk areas to consider:

  • Cyber — How much access will the supplier have to your organization’s sensitive systems and data? Is their cybersecurity performance up to your organization’s standards? How likely are they to experience a data breach?
  • Compliance — Is the supplier compliant with relevant industry regulations? Some regulations (like the California Transparency in Supply Chains Act and GDPR) hold businesses responsible for the actions of their suppliers, and non-compliance could spread up and down the chain.
  • Reputational — Does the vendor have a reputation for taking security seriously? Have there been incidents in the past? On what scale, and how did they respond?
  • Geopolitical — Where is the vendor located? Consider the cyber risks associated with the area's geopolitical climate. For example, a vendor based in Ukraine may be a target of Russian cyberwarfare or state-sponsored actors.
  • Environmental — Based on location, what environmental risks does the vendor face? Do they have plans in place for coping with natural disasters and strategies for protecting critical systems?

Answering these questions can be tricky, but improved continuous monitoring technologies are making it faster and easier than ever to track risk in third parties.

Some of the biggest advancements have been made in the realm of cyber risk, and this is also one of the greatest sources of supply chain risk.

Address cyber risk

In addition to maintaining your own organization’s cybersecurity, you also have to worry about your third- and fourth-party suppliers’ cyber risk, as well as other connections up and down the supply chain.

According to Deloitte’s 2018 CEO and Board Risk Management Survey, more than 50% of organizations say they don’t have a plan to establish formal risk-monitoring standards for their third parties. For these organizations, lack of supply chain visibility could set the stage for a devastating data breach.


Data breaches that originate in the systems of third parties are among the most common and costliest, and these attacks don't always come through expected channels. The 2013 Target breach, for example, began after an HVAC vendor's network credentials were stolen and used to reach Target's systems. A 2017 attack on a petrochemical plant targeted the facility's safety controllers, equipment supplied by a third party.

Fourth-party incidents are a risk as well. When DNS provider Dyn went dark under a large DDoS attack in 2016, large swaths of the U.S. internet went down, including websites that had no direct business relationship with Dyn but depended on services that did, costing an estimated $20,000-$100,000 in losses per business per hour.

Strengthening the relationship between procurement and supply chain risk management

In a siloed organization, the procurement team might wait until just before a deal is signed to request a cyber risk assessment. Or worse, they might wait until after the ink is dry on the deal, or never request one at all.

In this model, cybersecurity isn’t prioritized, and supply chain risk increases as a result. To avoid this siloed structure, cybersecurity teams should have more of a role in the procurement process, and procurement teams should have more ability to evaluate a potential supplier’s security.

But how can procurement teams accurately evaluate cyber risk? How can an organization set specific, measurable standards for risk management while onboarding new vendors?

Security ratings offer one solution.

Security ratings are a data-driven, dynamic measurement of an organization's cybersecurity performance. Ratings are derived from objective, verifiable information and produced by independent organizations. With access to a security ratings platform, procurement teams can easily see the relative cyber risk associated with potential suppliers.

Other tools, like BitSight for Fourth-Party Risk Management, can reduce fourth-party risk. By creating a map of digital supply chain connections, this tool can help procurement teams identify where risk concentrates in the extended enterprise and act on it before a deal is signed.
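To make the "map of connections" idea concrete, and to show why a Dyn-style outage reaches organizations that never contracted with the failing provider, here is an added example of the underlying analysis. It is illustrative code written for this page, not BitSight's product or any vendor's tooling, and it runs on a constructed supplier graph with hypothetical names. It walks the graph outward from the buying organization, assigns each node a tier (third party, fourth party, and so on), and then reports which indirect providers sit beneath the largest share of direct suppliers. A provider that many of your suppliers quietly depend on is a single point of failure for the supplier base even though it never appears on a contract.

```python
from collections import deque

# Constructed sample graph (hypothetical names, not real vendor relationships).
# Keys are organizations, values are the suppliers each one depends on.
# "acme" is the organization doing the procurement: its direct suppliers are
# third parties, their suppliers are fourth parties, and so on.
SUPPLY_GRAPH = {
    "acme":            {"hvac-vendor", "payroll-saas", "logistics-api", "design-firm"},
    "hvac-vendor":     {"dns-provider-a", "cloud-host-x"},
    "payroll-saas":    {"dns-provider-a", "cloud-host-y", "email-gateway-q"},
    "logistics-api":   {"dns-provider-a", "cloud-host-x"},
    "design-firm":     {"cloud-host-y"},
    "cloud-host-x":    {"dns-provider-a"},
    "cloud-host-y":    set(),
    "dns-provider-a":  set(),
    "email-gateway-q": {"cloud-host-y"},
}


def tier_map(graph, org):
    """Breadth-first walk from org. Returns {node: tier} where tier 1 is a
    third party, tier 2 a fourth party, etc. A node keeps its shortest
    distance, so a provider that is both a direct supplier and a
    fourth party is reported as a third party."""
    tiers = {org: 0}
    queue = deque([org])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in tiers:
                tiers[dep] = tiers[node] + 1
                queue.append(dep)
    return tiers


def upstream_paths(graph, org, target):
    """Sorted list of org's direct suppliers that reach target, directly or
    through their own suppliers. Cycle-safe via the shared 'seen' set."""
    def reaches(node, seen):
        if node == target:
            return True
        if node in seen:
            return False
        seen.add(node)
        return any(reaches(dep, seen) for dep in graph.get(node, ()))

    return sorted(s for s in graph.get(org, ()) if reaches(s, set()))


def concentration(graph, org, min_tier=2):
    """For every indirect provider (tier >= min_tier), the fraction of org's
    direct suppliers that depend on it, plus the list of those suppliers.
    Sorted by exposure: a high fraction means one incident at that provider
    takes down much of the supplier base at once (the Dyn scenario)."""
    direct = graph.get(org, set())
    if not direct:
        return []
    rows = []
    for node, tier in tier_map(graph, org).items():
        if tier >= min_tier:
            affected = upstream_paths(graph, org, node)
            rows.append((node, tier, len(affected) / len(direct), affected))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for provider, tier, share, via in concentration(SUPPLY_GRAPH, "acme"):
        print(f"{provider:16} tier {tier}  {share:.0%} of direct suppliers  via {via}")
```

On the sample data, `dns-provider-a` is not a contract counterparty of `acme` at all, yet three of the four direct suppliers depend on it, so an outage or compromise there would hit most of the supplier base in one stroke. That is the kind of hidden concentration a connection map is meant to surface during onboarding, when there is still time to ask a supplier about its own resilience or to choose a supplier that does not share the same upstream dependency.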


In order to minimize risk, organizations need to recognize and strengthen the connection between procurement and supply chain risk management. Security ratings and fourth-party risk identification tools give procurement teams the continuous monitoring capabilities they need to decrease overall risk.