Procurement Policy

Scroll down

1. Purpose of this Policy

At three rocks, we believe good business means making responsible choices about who we work with and how we spend money.

This policy sets out how we buy goods and services responsibly, fairly, and in a way that reflects our values and ESG commitments. It applies to all procurement and our goal is simple: to make sure every purchase delivers value, protects our people and data, and supports ethical, sustainable business practices.

2. Scope

This policy applies to all three rocks employees and contractors involved in identifying, evaluating, selecting, purchasing, or managing:

  • IT infrastructure, cloud services and other services
  • Software licences and subscriptions
  • HR systems, tools, and outsourced services including contractors
  • Marketing platforms, agencies, and creative support
  • Financial systems, advisors, and services
  • Other products and services

It covers new purchases as well as renewals, extensions, and upgrades.

3. What we mean by Procurement

Procurement is the process of sourcing, evaluating, negotiating, and buying goods or services.

IT Infrastructure: includes hardware, networking equipment, cloud environments, related tools, and outsourced services.

Software Licences: such as subscriptions, renewals, or one-off software purchases.

HR Services: includes recruitment partners, people systems, training providers, wellbeing tools, and contractors.

Marketing Services: includes creative partners, media services, branding support, design tools, and consultants.

Financial Services: includes accounting systems, financial tools, tax advisors, audit support, and outsourced finance partners.

Other suppliers of products or services: such as venues, events, catering, office supplies.

4. Our Commitment

three rocks is committed to a transparent and values-driven approach to procurement. We will:

  • Make purchasing decisions that support our strategic goals
  • Work with reputable, reliable, and cost-effective suppliers
  • Protect data privacy and information security
  • Source goods and services ethically and responsibly
  • Keep accurate records of procurement decisions
  • Seek competitive quotations where appropriate
  • Prioritise suppliers who align with our values and ESG principles

5. How we Procure

5.1 Identifying business needs

Teams must clearly define:

  • Intended purpose and business justification
  • Value and expected outcomes
  • Risks, compliance, or data requirements
  • Alternatives considered

5.2 Supplier evaluation

Suppliers must be assessed against:

  • Cost and commercial value
  • Service quality and reliability
  • Information security controls (especially where personal or financial data is handled)
  • Compliance with data protection laws (e.g. Data Protection Act 2018, Data (Use and Access) Act 2025, UK GDPR etc)
  • Relevant expertise, capability, and support availability
  • Environmental and ethical performance, aligned with our modern slavery and sustainability commitments
  • Brand alignment and reputational integrity

5.3 Approval process

All procurement must follow internal approval processes, including:

  • Budget approval
  • Delegated authority limits
  • Legal or contractual review where required

No one may authorise spend without the correct approval.

5.4 Making a purchase

Purchases must be completed using agreed routes such as:

  • Contracted agreements
  • Supplier evaluation
  • Documented renewals

All agreements must clearly outline deliverables, terms, pricing, and data-handling expectations.

5.5 Record-keeping

We will maintain accurate procurement records, including where applicable:

  • Quotes and proposals
  • Approval and sign-off documentation
  • Contracts and agreements
  • Invoices and receipts
  • Renewal and licence schedules
  • Supplier contacts

Supplier performance will be reviewed periodically across all service areas.

6. What We Expect from Suppliers

Suppliers must:

  • Operate ethically and lawfully
  • Protect confidentiality, data privacy, and information security
  • Be transparent in pricing and service delivery
  • Have no involvement in forced labour, slavery, or unethical practices
  • Deliver reliable, high-quality goods and services
  • Commit to environmental responsibility

Suppliers who cannot meet these standards may be removed from our approved list.

7. Reporting Concerns

Employees must report concerns relating to:

  • Conflicts of interest
  • Unauthorised or inappropriate spend
  • Data protection issues
  • Supplier misconduct or unethical behaviour
  • Financial irregularities or fraud
  • Breaches of legal, ethical, or environmental expectations

Concerns can be raised with:

  • Your Line Manager
  • The Operations Team
  • The CTO or Finance Manager (depending on the nature of the issue)

Reports will be handled sensitively and confidentially.

8. Training and Awareness

three rocks may provide guidance or training to help relevant roles understand:

  • How to identify procurement needs
  • How to evaluate suppliers
  • Internal approval processes
  • How to purchase responsibly
  • Good record-keeping practices

9. Compliance and Consequences

Everyone involved in procurement must follow this policy.

Failure to comply may result in:

  • Removal of procurement responsibility
  • Corrective actions or re-training
  • Disciplinary action
  • Contract termination
  • Legal action, if appropriate

three rocks may audit procurement activity at any time.

10. Review

This policy will be reviewed annually, or sooner if business needs, legislation, or industry standards change.

11. Related Policies

  • Supplier Code of Conduct
  • IT Management Policy
  • Modern Slavery Policy
  • Environmental Policy
  • Privacy Policy
  • Disciplinary Policy

Version: 1.0
December 2025
Policy Owner: Chief Technology Officer