As organisations digitise procurement processes, the emphasis is moving from system implementation to embedding security and behavioural change, ensuring procurement acts as a resilient pillar against supply-chain cyber risks.
Procurement transformation is migrating from a finance-led efficiency exercise to a central pillar of cyber resilience. As organisations digitise buying processes, outsource services and stitch together cloud applications, procurement decisions in...
The distinction matters because project management and change management mitigate different dangers. Project management delivers systems; change management ensures people adopt them consistently and correctly. Without the latter, secure procurement workflows are routinely bypassed, often without malice, creating shadow IT, fragmented supplier estates and gaps in contract clauses that attackers can exploit. According to McKinsey, nearly 70% of digital transformations fail to deliver expected results, a shortfall that in cyber terms becomes unmanaged exposure.
Embedding security into procurement requires more than tools. Cross-functional ownership is essential. Procurement sits at the intersection of finance, IT, legal, security and the business, and if responsibility remains siloed, approval paths break down and accountability evaporates. Industry analysis from Capgemini argues procurement is uniquely placed to drive supplier oversight across the lifecycle, but only when it leads a coordinated, enterprise‑wide approach to third‑party risk.
Practical failures are common. A typical scenario sees organisations adopt an e‑procurement platform to eliminate email-driven purchasing and improve third‑party visibility. Where change management is limited to feature training, teams find workarounds and continue ad hoc buying, reintroducing the very risks the platform was meant to solve. Where change leaders combine hands‑on guidance, pilot programmes and clear incentives, showing not just how to use the tool but why approvals and contract clauses matter, visibility, reconciliation and vendor governance improve quickly.
Technology developments create new opportunities but also require governance. According to a KPMG report, generative AI is transforming third‑party risk management by automating diligence tasks such as contract intelligence and supplier compliance checks. The report recommends adopting structured third‑party risk frameworks so automated insights translate into enforceable procurement controls rather than generating more alerts. Emerging technical approaches, such as a blockchain‑based framework proposed in academic research, aim to improve the integrity of vendor assessments by providing an immutable, auditable record of security audits and smart contracts to reduce human error. Those approaches could strengthen traceability and accountability if integrated into procurement change programmes.
The threat landscape underscores urgency. Supply‑chain attacks that target weaker links in vendor ecosystems have yielded high‑impact breaches; the SolarWinds compromise remains the clearest recent example of how attackers weaponise trusted update channels to reach thousands of customers. Government and defence sectors highlight regulatory pressure: Deloitte’s work on the Defence Industrial Base stresses migration towards supply‑chain cyber governance aligned with NIST SP 800‑171, while commentary from industry consultancies notes the Cybersecurity Maturity Model Certification will embed contractual cybersecurity requirements more deeply across defence suppliers once broadly enforced. Procurement change management must therefore translate regulatory requirements into repeatable, auditable workflows.
Three practical priorities emerge for closing the gap between intent and operational reality.
- Make change management core to procurement programmes. Design pilots with business‑led champions, measure adoption and operational outcomes (speed of approvals, reduction in off‑portal purchases, fewer security exceptions) and reinforce behaviours continuously rather than relying on one‑off rollouts.
- Embed risk controls into daily workflows. Operationalise contract security clauses, approval gates and third‑party assessments so they form routine checkpoints in procurement decisions. Where AI or distributed ledger technologies are used, integrate outputs into existing governance processes rather than treating them as point solutions.
- Assign clear, cross‑functional ownership. Create joint accountability across procurement, security, IT, legal and finance for supplier lifecycle management, and align metrics to both cost and cyber‑risk outcomes. Industry guidance from Capgemini and KPMG underscores that procurement must lead with business context while security enforces minimum controls.
Procurement transformation presents a measurable opportunity to reduce exposure to supply‑chain and third‑party cyber risk, but only if organisations treat adoption and behaviour change as the central objective. Technology can accelerate diligence and provide immutable records; regulatory regimes are tightening; and historic supply‑chain breaches show the consequences of leaving weaker links unaddressed. Translating policy into everyday practice, through disciplined change management, cross‑functional governance and continuous reinforcement, turns procurement from a potential vulnerability into an instrument of resilience.
Source: Noah Wire Services