Analyst Eye on CPO shift in focus towards third-party risk management

08/08/2023


Continuing our series of analyst observations on procurement tech market movements, this week we are considering the shift in CPO priorities towards supply-related risks.

The recent Deloitte Global Chief Procurement Officer Survey tells us, “CPOs have definitively indicated that risk is here to stay, as evidenced by the greater than 70% in our survey who indicated that procurement-related risk/supply chain disruption has increased in the past 12 months on top of an already elevated baseline.” It finds that overall procurement and supply-related risks have continued to increase: the share of CPOs citing overall procurement risk as a top focus shifted significantly, from 20% in the 2021 study to 43% in the 2023 study.

Everyone is well aware of the cause of this attention amplification: scarcely any business escaped the repercussions of the pandemic, but as our research analyst Abigail Ommen puts it:

“Prior to the Covid 19 pandemic, only a small subset of people was acutely aware of risk management. It was the pandemic, and the supply-disruption events that followed, which brought risk management to the fore as it became apparent that entire companies could actually crumble. The idea of having suppliers backed up, diversified and analyzed came with a need to have alternative sources of supply – if one country couldn’t deliver, maybe another could. Having that option has become more important than ever, because we’ve all seen the consequences of not taking risk seriously enough.”

So, in 2022 our analysts pooled their knowledge of solution vendors that address third-party supply chain risk. This resulted in a seven-part series looking at the various types of risk that organizations face and how certain solution vendors can help manage and mitigate them.

Part of that series covered the ability of systems to map the supply chain beyond tier-1 suppliers to identify and monitor risk in the sub-tiers. The series looks at vendors like Resilinc, Sphera (riskmethods), SourceMap and Transparency-One.

But this balanced analysis contains the following caveat:

“In practice, these platforms may sound remarkable, but each is only as good as its model and the breadth of its monitoring. If the supply chain is not completely mapped — locations not kept up-to-date or local news sources in the local language not monitored due to multi-lingual deficiencies — significant events could be missed. Plus, some solutions are dependent on a tier-one supplier identifying tier-two suppliers (and the extent of utilization), and so on down the chain. Hence, if a tier-one supplier says it is using a reputable tier-two supplier, but has actually switched to a more questionable tier-two supplier and does not update its buyers, a potential tier-two shutdown will expose the multi-tier supply risk information black hole that existed before.”

It does acknowledge, however, that “many of the providers covered in the series offer supplemental services that assist in risk management.” These might include:

  • Data cleansing and normalization to remove any duplicate vendors or transactions.
  • Monitoring supplier sites for risks, for example suppliers that have lost their site/IP address and are no longer valid.
  • Fraud prevention (i.e., finding fraudulent expenses before they are paid).
  • Supplier monitoring on behalf of clients that monitors and grades suppliers for risk.
  • Consulting for adjacent areas like contract negotiations to minimize risk in all areas of the S2P cycle.

Vendors mentioned among these providers include: AI-driven expense and AP auditing platform AppZen; contingent workforce and rogue spend control provider Brightfield TDX; worker classification, assessment and vetting platform CXC Comply; supply chain risk compliance network Avetta; and global enterprise risk assessor of suppliers, service providers and contractors GRMS. Each vendor in the series is examined for its data sources and distinct risk-modeling strengths.

“In short, the days of monitoring financial risk alone are over,” says Abby. “Solution providers and buyers must manage all factors, including ESG, cybersecurity, geopolitical issues, legal and regulatory issues, brand/marketing issues and partnerships, mergers and acquisitions. Each factor plays a part in incorporating new suppliers, reducing cost and maintaining a useful digital presence.

“Risk management vendors aggregate information from a variety of data sources to flesh out a view of a client’s risk profile. Risk monitoring services can help businesses make informed decisions and save money in the long run. This can include adjusting supply chain processes to avoid disruptions, updating cybersecurity protocols to prevent breaches or changing marketing strategies to respond to changing consumer sentiment.

“The differentiation in coverage of these vendors is one reason why it’s important to thoroughly research the market before committing to a provider.”

Procurement tech selectors use TechMatch from Spend Matters to discover new vendors, compare the market, read customer testimonials and feel safe in their decision making.

Spend Matters Insider vendor analyses provide independent, honest reviews of solution providers: check out Craft, Prevalent and ProcessUnity by way of examples in this category. And look out for an upcoming series on Supplier Diversity this autumn from our analyst Bertrand Maltaverne, addressing risk, which of course goes hand-in-hand with compliance.