If your board asked for a clear view of third-party risk tomorrow, could you produce it without spreadsheets? For many Chief Procurement Officers, the honest answer is uncomfortable.
Not because supplier risk is being ignored. In most large organisations, there is no shortage of data, reports, or checks. The problem is that supplier information often lives in too many places, owned by too many teams, maintained in too many different ways. And spreadsheets become the glue holding it all together.
How spreadsheets become the default
Spreadsheets are familiar, flexible, and easy to deploy. When procurement teams are under pressure to move quickly, especially across regions, service lines, or acquisitions, spreadsheets feel like a practical solution to tasks like:
- Tracking onboarding status
- Capturing insurance certificates
- Recording ESG assessments
- Monitoring compliance checks
Over time, more columns appear. New versions are created. Local teams adapt them to their needs. Files are emailed, copied, renamed, and stored in different folders. What began as a stopgap becomes infrastructure.
Where things start to break down
The challenge is not that spreadsheets are “bad”. It’s that they were never designed to support the realities CPOs now face. Global supplier ecosystems are complex. They include contractors, service providers, and long-tail vendors, often operating across multiple jurisdictions with different regulatory, safety, and compliance requirements. In this environment, spreadsheets introduce three key risks.
Visibility fragmentation. When data is spread across regions and functions, no single view is truly complete. Reporting requires many hours, if not days, of reconciliation rather than high-value analysis and insight.
Confidence erosion. When supplier data relies on manual updates, version control becomes uncertain. Leaders, rightly, are hesitant to rely on information they cannot fully trust, especially in front of the board.
Slower response. When questions arise about insurance coverage, compliance gaps, or high-risk suppliers, teams spend time chasing down and checking data instead of making decisions.
None of this is dramatic, but over time, it creates exposure.
Why boards are asking different questions
Boards are no longer satisfied with point-in-time assurances. They want to know:
- How current is our view of third-party risk?
- Where are our biggest exposures today, not last quarter?
- Can we demonstrate consistent oversight across regions?
- Are we confident in our supplier data if regulators ask?
These questions are difficult to answer when supplier risk lives in spreadsheets designed for local tracking, not global governance.
From tools to operating model
Most CPOs already know that spreadsheets will not scale forever. The harder questions are what replaces them and how to make the time to manage the change. The organisations that move on successfully tend to make a specific shift in mindset. They stop trying to standardise every local process. Instead, they standardise how supplier risk is governed.
That means:
- A single framework for supplier qualification and risk
- Consistent data requirements across regions
- Central visibility without removing local ownership
- Ongoing oversight rather than periodic data collection
Spreadsheets struggle in this role because they were never built to act as a shared operating model.
Maintaining local excellence while gaining global control
The irony is that spreadsheets often persist longest in well-run organisations. Strong local teams build processes that work for their context. Over time, those processes become entrenched. Changing them feels disruptive, even risky. But when supplier risk needs to be understood at board level, across geographies and categories, it is usually time to make the switch. What worked locally usually stops working globally.
Moving beyond spreadsheets without slowing the business
Replacing spreadsheets is not about adding complexity, additional processes or bureaucracy. In fact, it’s usually about removing those things. When supplier risk is managed through a single, consistent model:
- Data stops being re-entered and reconciled
- Assurance becomes continuous rather than episodic
- Reporting becomes faster and more reliable
- Conversations shift from “is this data right?” to “what should we do next?”
This change enables procurement to take a more strategic position by moving from reporting risk to managing it.
If the board asked for a clear view of third-party risk tomorrow, the real question is not whether the data exists. It’s whether it exists in a form you would be comfortable standing behind. For many organisations, that moment is when spreadsheets finally show their limits.