Monthly Archives: November 2012

It’s About Time You Get a Grip on Risk!

Risk management is about more than just the disclosures the auditors make your accountants put in the fine print when you release your financial statements and annual reports. And it’s more than the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. For example, from a supply management point of view, risk management is the modus operandi for supply assurance when there is an average of 250 supply chain disruptions for public companies every month. (Source) And from a profit point of view, it’s value. Less money dealing with the financial and brand fallout from a disruption is more money spent on innovation to meet customer demand.

And, as per this recent Ernst & Young post over on the Harvard Business Review blogs, it’s money in the bank. Their recent research found that companies in the top 20% of risk (management) maturity generated three times the level of EBITDA as those in the bottom 20%. Wow!

So why is this? I think it’s due to the fact that less than 40% of companies are actively managing (supply) risk to the level they should be. In 2008, a Marsh survey found that only 35% of organizations self-reported that supply chain risk management was moderately effective at their companies. In other words, 65% of companies did not have a risk management program that was at least moderately effective. In 2011, researchers at Vlerick Leuven Gent Management School and Ghent University did a supply chain risk management study and found that 64% of the companies have no one responsible for managing supply chain risks! That’s essentially 0 improvement in the last three years! And while the initial introduction of a risk management program will require a significant investment of talent, it’s not that difficult, relatively speaking. As the post says, the critical factors are communication, openness, leadership, framework identification, formal methods, coordinated planning, standardized monitoring, and occasional (stress) testing of the different facets. With the right leadership and training, everyone will be able to do their part. And in the end, just like the Global 50 consumer products company highlighted in the post, the organization will have

developed a governance structure that allows it to think about risk proactively, and has aligned its risk profile and exposures more closely with its strategy. Its governance leadership group and supporting management clarified the company’s risk appetite, defined its risk universe, determined how to measure risk, and identified which technologies could best help the company manage its risks. Aligning risk to strategy, by identifying strategic risks and embedding risk management principles into business unit planning cycles, enabled the company to identify and document 80% of the risks that have an impact on performance. This alignment of risk awareness and management practices, from strategy to business operations, enabled the company to monitor risk developments more effectively. Managers could keep the organization within acceptable tolerance ranges, driving performance to plan.

So just do it. You’ll double your EBITDA in the process!

Demo Tips

the doctor has been asked a few times now by vendor reps on how to give a good demo. He’s been hesitant to address the subject beyond what is already on the FAQ regarding product reviews because this is one subject where good is in the eye of the beholder, but since he doesn’t like his time wasted when getting demos, here are his tips for giving a good demo to SI.

(01) PowerPoint is for Pansies.
Did I mention I was going to be brutally honest? You don’t demo a product with PowerPoint. EVER! PowerPoint is only for

  1. Summarizing key facts about your company.
  2. Summarizing key points about the problem domain.
  3. Summarizing key contributions of your solution.

then you get into the demo ASAP (As Soon As Possible).

(02) Off-the-Cuff is only for experts. Have planned, tested, to-the-point walkthroughs that cover the key features you want to promote.
If you just released a new version of your product that adds new auction formats, constraints or cost modelling capabilities to optimization, real-time market feed integration, etc. and that is what you want to show off – make sure you’ve tested minimal walkthroughs that display those capabilities as accurately as possible. Don’t divert from these unless asked as you don’t want to run out of time and not show off your best capabilities. And definitely don’t dilly-dally.

(03) Focus on features that are unique. Not cookie-cutter features found in a dozen competitor products.
Even if it’s new to you, it isn’t going to do anything to impress someone who’s seen it a dozen times before, no matter how flashy your UI is. And speaking of UI, this is enterprise, not consumer, so flash doesn’t get you bonus points. In fact, if the flash slows down or detracts from the process, it gets you strikes. Enterprise is about ease of use and efficiency. Unless you’ve found a way to simplify the process, avoid anything that’s considered a standard feature of the product you’re promoting.

(04) Don’t jump around the screen.
You might have fast internet, but that doesn’t mean that the person on the other end has fast internet or that the web sharing software you’re using can keep up as you jitter around the screen like a hummingbird. Move smoothly, and slow enough for the software to keep up. If you have a habit of jittering, set up a client machine next to you so you can see what your audience sees.

(05) Have a fleshed-out data-set.
Once you get through the scripted part of the demo designed to show off your product’s key feature, or significant enhancements since the last demo, the doctor is going to want to confirm that it is market ready and real. This means he’s going to want to see some random functionality, on the path of his choosing. And he’s not the only blogger who works this way. Be prepared to cater to your audience’s demand. After all, if you want a good write up, you’re going to have to keep their interest long enough for them to get enough material to write it.

(06) Have a domain expert on the call.
Preferably this person and the person giving the demo are one and the same, but if not, be sure you have someone who can answer intelligent, thoughtful, expert questions, which you are going to get if you do a good job and keep the doctor’s attention because he is, after all, a domain expert.

(07) And, whatever you do, don’t paint an old Fiat 500 black and call it a luxury limo.
Remember that even though you can put lipstick on a pig, in the end, you still have a pig, so do not simply slap a new UI on an old product and try to pass it off as new and improved. If you haven’t improved the process or capability, or it still doesn’t really do what it needs to do to be effectively deployed, you’re not going to be able to hide this from anyone who has one eye open and half a functioning brain when it comes to technology. Trust me on this one.

Hiperos – It’s So Hip To Be Square with 3rd Party Management! Part II

Hiperos provides a SaaS platform that allows an organization to manage the entire 3rd party lifecycle, which consists of registration, data collection, segmentation, control automation, assessment, management, and collaborative issue resolution.

Hiperos includes your standard SIM (Supplier Information Management) functionality that allows for supplier self-service registration and profile maintenance and data integration from third party sources. On top of that it implements a user-configurable rules-based workflow that allows third-parties to be segmented into different buckets that represent the different programs that they need to be subjected to – be it FCPA, REACH, WEEE, HIPAA, or some other type of compliance or monitoring program. Each bucket has its associated monitoring rules that notify the third party when more information is needed and that automatically alert the user when a violation is detected or when information is not provided by the third party in a timely fashion. Assessments are automatically run every time new data becomes available and can be run by a user at any time. The fact that all relevant third party information is available at all times allows users to pro-actively manage third parties, and associated risks, and then either work with third parties to mitigate risks, if the potential infraction can be corrected, or cut them loose if the risk of association is too great (because they showed up on a denied party list or use child labour in their supply chain).

The application, which loads the default user-defined dashboard, allows a user to manage third parties, engagements, relationships, products, and programs and to define programs, vendor communities, reports, and analytics.

The dashboard is multi-tabbed and allows a user to define relevant views on each of the application areas defined above, as well as a default dashboard that allows the user to see the information most relevant to him or her. At the top of the dashboard is a link to current action items that allows a user to quickly see what needs to be done in third party management, engagements, programs, etc. The dashboards can be configured using hundreds of pre-defined (reporting) widgets or the user can define their own widgets by defining appropriate reports in the reporting module. And the user can bring in real-time news and data feeds from sites of interest.

The application can track any compliance, performance, sustainability, or risk data elements of interest and, like any good SIM platform, is preconfigured to track hundreds of relevant data items, depending upon the programs you define as relevant for a given compliance, performance, or risk program (which minimizes the amount of configuration required to track custom fields). And not only is all relevant data available from any view that is program or user defined, but it’s all interlinked so a user can click on a third party included in a program, see the relevant report(s), and then dive into the third party data management screen to examine the raw data elements, and then run a report on just a data subset.

Program definition is flexible and allows for any type of compliance, risk, sustainability, or performance program you can think of. In addition, the fact that Hiperos also supports contract meta-data and third-party data feeds allows financial impact reports to be generated. That way, a user always knows what the impact of a third-party falling out of compliance is to the organization. Knowing that a tier-one supplier might be buying from a tier-two supplier that might be using child labour is one thing, but knowing that the organization is spending 20 Million across 5 categories on that tier-one supplier is something else. In the first case, the supplier is put on the “investigate” list and someone gets around to it when they get around to it. In the second case, the user knows that it is a high priority and an investigation has to be started immediately as the public backlash will be extremely damaging to the organization if it gets out that 20 Million is being spent on products and/or services that were partially produced by child labour.

Hiperos has also included extensive color-coded geo-mapping capabilities so that you can quickly see, for any program, where the highest risk areas are globally and dive in. While Hiperos is not the first company to do this, they have latched on to the fact that the visual representation of risk or non-compliance by region allows one to quickly see what regions have to be monitored. This allows resources to be properly applied, especially since proper monitoring will typically require subscriptions to appropriate data feeds for those regions.

The Market Intelligence capabilities are quite extensive too, and they have pre-configured watch-lists, diversity monitoring, parent-subsidiary monitoring, subcontractor monitoring, REACH/WEEE monitoring, and dozens of other feeds of interest which can be enabled as required by the client.

And the analytics piece supports the full suite of slice-and-dice capabilities found in most sourcing products today, so that you can dive into the data and find out which suppliers, categories, or programs represent the highest risk to your organization.

There’s quite a bit of data, and the application can be quite busy at times, but Hiperos has one thing right: where compliance is concerned, it’s Hip to be Square.

Hiperos – It’s So Hip To Be Square with 3rd Party Management! Part I

When we last checked in with Hiperos, they had evolved from a Risk Management platform to an “Extended Enterprise Management” platform that integrated Contract Management, Compliance Management, Performance Management, and Sustainability Management into a 360° solution platform for an organization that wanted to get these various facets of risk under control.

However, as they have continued to roll out their platform and work with clients in different verticals (beyond finance, which was their initial core strength and where they appear to be dominating the market), they have found that as enterprises get their internal(ly controlled) risks under control, their clients realize that typically the biggest risks they face are from their suppliers and vendors who provide them with all sorts of direct and indirect products and services. As a result, 3rd Party Management (3PM) has become critical to their operational success. How critical?

Consider these statistics. Forty-four percent of data breaches involve third parties, and the most expensive data breach has cost 35.3 Million dollars to resolve. And while this is atypically high, a data breach will cost an organization millions to resolve (as even the cheapest data breach cost $780,000). And if there turn out to be traces of blood money or drug money in your supply chain, it could cost you as much as $160 Million to settle the resulting probe. In short, 3rd Party Risk, if not properly managed, is likely to end up costing your organization millions. The only question is when.

And if you believe that preventative spending to manage risks that might not happen is unwise in this economy, consider this. Organizations that implemented Hiperos 3rd Party Management saw a 75% reduction in customer impact incidents due to sole sourcing. One organization was able to eliminate a seven-figure spend of 4 Million in annual subscription fees that it was paying just to ensure that it wasn’t using blacklisted or banned suppliers (and that it wasn’t working with suppliers who were known to bribe and/or be involved in anti-corruption investigations) as the Hiperos 3rd Party Management solution contained all the functionality they needed. And, overall, Hiperos’ clients saw a 300% increase in the assessment of 3rd parties with a high-breach potential, allowing them to be vetted or eliminated before a costly incident occurred.

And this is just a short list of the costly compliance and reputational risks facing an average organization that operates globally and has to deal with ISO, SAS 70, Anti-Bribery, Anti-Money Laundering, FCPA, SOX, OCC, CFPB, REACH, WEEE, OSHA, HIPAA, and W9 security and reporting obligations, just to name a few. A third party management solution tracks all of this, and more.

So what does Hiperos do to help you with your 3rd Party Management? Stay Tuned for Part II.

Robotistan, I Think Not!

In a recent post over on Horses for Sources, Jim Slaby gives us Greetings from Robotistan, outsourcing’s cheapest new destination, and tells us that software robots are going to replace outsourced labour.

According to Jim, you will soon be able to have your own business process analysts create software robots to do the work instead of outsourced labour because you can get the robots up and running in five months and they will do the work for less than half the cost of Indian FTEs.

His rationale? The existence of a UK startup by the name of Blue Prism that makes a software development toolkit and methodology that lets non-engineers quickly create software robots to automate rules-driven business processes.

Pretty flimsy. For starters, here are the caveats that he finds:

01. The process must be repetitive back-office and not require human judgement or much exception handling.
Which probably limits it to data entry, account review, and creation of initial online access credentials.

02. IT buy in is required.
For starters, the software requires a virtual machine cluster. And the maintenance of such adds to what is probably already an excessive workload.

03. There is a learning curve.
It typically takes two to four months to master the tools to model, automate, test, and optimize the robots, according to Jim.

And this is just the beginning. Yes, a large wireless carrier and a major BPO services provider may have found some limited success, but you can’t overlook the facts that:

04. When you scale up, any unhandled exception has the potential to effectively crash the system.
Let’s say you created a robot for account review, a prime example for the technology as indicated by Jim, and you define an exception as any new account under a year that is overdue more than 10 days. Let’s say you are a wireless carrier, which typically has relatively high customer turnover thanks to the fact that mobile numbers are portable, and you run the robot on a small test set of 1,000 records and only come up with 10 exceptions. You think it’s great and set it loose on the system with millions of subscribers, but fail to realize your sample set was abnormal and the exception rate is actually 5% and not 1% (and that you failed to ensure the less than one year test was properly coded) and all of a sudden you get a queue with 100,000 exceptions that need to be manually processed. Chances are the robot will crash when the manual reviewer tries to load the entire queue!

05. BPM software is currently the be-all, end-all of bloat-ware, especially when you’re trying to create an “AI” application.
As a result, the amount of memory, processing power, and storage required to automate even simple queues is exponentially more than what would be required by an application set up to support a human. And while processing power and storage is still doubling on a regular basis, Moore’s Law is coming to an end as we are close to hitting the point where quantum uncertainty will prevent us from shrinking chips any further. This means that, as you try to build more sophisticated robots, the number of machines you require will double, quadruple, octuple, etc. until the cost to run the hardware will exceed what you could pay a human to do the same task in an emerging market (because machines require energy and energy costs and they are going nowhere but up). And, unlike the machine, the human won’t have to push every tenth transaction to the queue for someone else to process as she’ll know how to deal with the majority of transactions by the virtue of her intelligence, dedication, and desire to keep her job and have a better life.

Software is going to continue to get more powerful, and it is going to continue to automate more data processing, and continue to minimize the amount of data that requires human review, but human review is still going to be required and we’re not going to replace humans in any process that matters any time soon. We might reduce the number of humans we need, but we won’t eliminate the need for them or replace them with robots just yet.

And anyone that disagrees with me can bite my gloomy fleshy ass. 😉