A founder who runs a professional services firm described her approach to software buying recently. Three SaaS tools signed in the past year, each handled differently. One went through the ops director, one the office manager cleared on a company card, and she’d approved the third herself after a vendor demo. The pricing was fine on all three. The contracts were another matter.
Two had automatic renewals she hadn’t noticed. One was storing client data on a US-based server with no data processing agreement in place. None had been evaluated against alternatives before the decision was made.
That’s a common pattern in owner-managed businesses: everything treated as purchasing, which works for low-stakes buys and creates real problems for everything else. Knowing the difference between purchasing, procurement and strategic sourcing, and when to apply each, is how you avoid that pattern.
What choice are you actually facing?
The three terms are used interchangeably in owner-managed businesses, and that habit has a cost. Purchasing is the transactional layer: raising an order, receiving a service, processing the invoice. Procurement is the governance above that, from identifying what you need through to managing the supplier over time. Sourcing, often called strategic sourcing, is the upstream decision about who you buy from and on what terms.
A practical way to hold all three in mind: sourcing decides who you buy from and on what basis. Procurement governs how you manage that relationship over time. Purchasing executes each individual transaction within that framework.
In many owner-managed businesses, all three get collapsed into purchasing by default. That’s fine for commodity spend. It becomes a problem the moment a buy is significant, the supplier has the upper hand, or personal data is involved.
When is purchasing alone good enough?
For low-value, commodity spend that is easy to switch, purchasing alone is usually proportionate. Standard office supplies, basic peripherals, couriers, monthly SaaS subscriptions with no data obligations. The test: are there many interchangeable suppliers, low disruption if one fails, and no personal data involved? If yes, a simple approval threshold and a three-quote rule for larger one-off buys will cover the risk proportionately.
Spend-management tools can automate much of this: approval routing, policy checks, invoice matching. For categories that genuinely belong in purchasing, the investment is in the tooling, not a procurement process.
The risk is treating every buy as if it belongs here. A tool that handles client information, a contractor who is now central to delivery, a platform you’ve built your workflows around: none of those are commodity purchases, even if the first invoice felt like one. The National Cyber Security Centre makes clear that assessing supply chain security is an expectation for technology suppliers, not optional due diligence.
When do you need procurement or strategic sourcing?
Any buy that is material to your operations, involves personal data, or locks you in for more than twelve months needs a procurement lens, not just an approval. For bigger decisions (technology platforms, specialist contractors, services that are hard to replace), strategic sourcing matters too. You are choosing not just what to buy, but who to depend on and for how long, and that deserves its own evaluation.
Procurement, applied properly, means a few specific things. You define requirements in writing before you see a demo. You run at least a basic competitive process rather than buying the first tool you hear about. You assess security and data handling before signing. And you negotiate the contract terms: renewal notice periods, exit rights, data portability, and liability.
For regulated or data-sensitive services, the expectations are defined. The FCA expects regulated firms to identify third-party dependencies that could affect important business services and to ensure contracts include access, audit, and information rights. The ICO requires written contracts with any supplier processing personal data on your behalf, covering precisely what the supplier can and cannot do with that data.
Strategic sourcing applies when you are choosing a supplier for something central to how your business works: a core practice management system, an AI document-processing platform, a payroll or payments provider. The question here is not only price. You’re looking at the supplier’s financial resilience, how concentrated the market is, what switching would cost in two years, and whether the contract gives you genuine exit options.
For AI tools specifically, a sourcing-led evaluation should also cover model hosting arrangements, where data is processed and stored, the supplier’s data retention and training policies, and their roadmap stability. Building your operations around a platform that changes fundamentally or disappears in eighteen months is a transition cost that careful selection would have avoided.
What does it actually cost to treat everything as just buying?
The financial cost shows up first. Research from procurement platforms and practitioners consistently finds that unmanaged, fragmented spend can add 20 to 50 per cent to total cost of ownership, once you account for emergency buys, duplicate subscriptions, missed renewal terms, and service failures. On a £500k annual third-party spend, structured procurement could plausibly return £25k to £75k a year, without changing what you buy.
The regulatory cost is more pointed. The ICO fined British Airways £20m in 2020 for a data breach that included inadequate supplier-side security controls. Marriott International received an £18.4m fine the same year, partly because the company had not carried out adequate due diligence on systems inherited through an acquisition. In both cases, treating third-party and supplier risk as a purchasing matter, rather than a procurement responsibility, contributed directly to the outcome.
The Carillion collapse in January 2018 illustrated a different category of risk. The National Audit Office estimated at least £148m in associated costs to the public sector alone. Owner-managed businesses in Carillion’s supply chain faced months of disruption from a single-supplier dependency that proper procurement would have identified and planned for.
For AI tools specifically, there is a newer exposure. UK-based businesses offering AI systems or services to EU customers face obligations under the EU AI Act (Regulation (EU) 2024/1689). For high-risk AI applications, fines run to €35m or 7% of global annual turnover, whichever is higher. Procurement that does not account for data governance, model transparency, and human oversight requirements is procurement that has already missed the point.
What should you ask before any significant supplier decision?
Five questions cut through much of the uncertainty. Running through them before committing to any supplier that is not low-value and easy to exit tells you whether you are looking at a purchasing decision, a procurement project, or a sourcing choice that needs its own evaluation. They also produce a written record showing you approached this responsibly, which matters if a regulator ever asks.
First, what is the total contract value, and how long is the term? Anything material to your cost base, or with a term over twelve months, generally warrants a procurement process rather than just an approval.
Second, what data will the supplier hold, process or access? If the answer includes personal data or commercially sensitive information, you need a written data processing agreement and, in some cases, a Data Protection Impact Assessment before you go live.
Third, is this supplier critical to your ability to deliver? If their failure would meaningfully affect your clients or your business continuity, treat them as a critical dependency, with corresponding contract controls, exit planning, and contingency.
Fourth, how concentrated is the supplier market? If there are only two or three credible providers, or you are entering a long-term ecosystem where switching costs will rise over time, that is a sourcing decision requiring its own deliberate strategy.
Fifth, do the contract terms give you adequate protection on renewal, exit, and data portability? Many SaaS contracts include steep renewal uplifts, short exit windows, and limited data-export rights. These terms are negotiable before you sign. Once you reach renewal, the balance of power has shifted and the window has typically closed.
Running through these five questions takes minutes. What it produces is a supplier decision made at the right level, with the right information, and with genuine consideration of the alternatives. That is the practical difference between purchasing and procurement, and it is worth being deliberate about which one you are doing before you sign anything.
If you want support thinking through how procurement fits into your AI tool selection and supplier strategy, book a conversation to get started.