Purchasing programs are the elephant in the room of IT and Infosec, and now that third-party vendor risk and supply chain content is getting the attention it deserves, we should revisit a few points.
First, purchasing as a business risk has been a solved problem for a LONG time. Like back in the 1970s. So nobody has an excuse for not having a good program with solid standards and practices in place. This also makes it quantifiable for KPI and KRI inclusion.
Second, not doing it correctly introduces risk in obvious and subtle ways. Obviously, because we don't want corruption in our purchasing practices, and subtly, because taking what we perceive to be shortcuts to avoid what we claim is an onerous purchasing process means we likely are not getting the best value for our money, and that's a shareholder and competitive-advantage concern.
Third, any claim that the process is onerous and that we can't waste time going through needs analysis and vendor selection is a giant red flag regarding the IT and security program and the people managing it. If they aren't up to the task of managing a simple purchasing effort, can we be sure they are doing a good job with the operational IT and security business aspects? Resistance is expected, but the correct response should be business process optimization, not circumvention.
If the organization isn't following best purchasing practices, there is an unacknowledged risk there, and it should be addressed before it shows up as either a supply chain problem or an audit failure. Or an unexpected operational event.