Monthly Archives: October 2015

The Six Strategic Sourcing Samurai

In our last post, we made the bold statement that it’s not optimization, it’s strategic sourcing and the even bolder statement that SI believes it has become practically impossible to do true strategic sourcing without optimization.

This is probably scary for those of you that are looking for a strategic sourcing solution and just figured out that, if the doctor is right*, then most of the organizations on your RFX list are not going to make the cut because while there are dozens of Sourcing platforms on the market, there are only six (6) that have true strategic sourcing decision optimization that implement all four (4) pillars defined in the classic wiki-paper that formally defined strategic sourcing decision optimization (SSDO).

So who are these six strategic sourcing samurai? They are the six remaining companies that took the time and effort to not only research and build a solution, but take it to market and wait while the market caught up with the vision that a few pioneers had fifteen years ago — a vision of true best-cost global sourcing from a total cost of ownership (and, more recently, from a total value management) perspective.

They are:

It’s not a long list, but it’s an important list. Furthermore, one can be sure that there will be more companies to add to the list in a couple of years, especially since there are a number of advanced solvers out there — such as CPLEX, Gurobi, XPress, etc. — to build solutions on; a number of 3PLs — such as APL, Schneider, etc. — that have very advanced logistics optimization solutions; and a few companies — such as LLamasoft, Oracle, etc. — that have very advanced Supply Chain (Network) Optimization solutions (which is not the same as SSDO). Optimization is spreading, and as more companies realize its power, it will continue to spread. However, now that the early adopters have proven the power of decision optimization, the question is, are you going to be a leader, and one of the first to capitalize on it, or a laggard, and watch as your competition moves faster, captures more market share, and generates a greater year-over-year profit based on the advanced cost reduction and cost control methodologies that optimization provides?

As for those of you that already have a previous generation sourcing solution and, for one reason or another, are locked in to it, don’t fret. A few of these vendors are quite happy to license their software as a secondary solution because, even though optimization should be used in every event, the reality is that, if the category has been well studied, the cost model is relatively simple, or the product is going out for an all-inclusive bid, the additional savings that optimization is likely to find is small and those categories can continue to go through the current platform. By cherry picking the categories with the largest (un-managed spend) and which appear to have the largest opportunities, and simply conducting those through the secondary optimization platform (and then pushing the bids and awards back into the primary platform to maintain a single database of bid and award data), it’s likely that the organization can easily identify 80%+ of all of the additional savings opportunities identifiable through optimization for a small additional investment. It’s whatever works. If the organization can get by on one platform, great, but if it can’t, or feels it can extract more value from two platforms, that’s fine too. Strategic Sourcing is for everyone, and that’s why the leading optimization vendors are quite happy to work with everyone who’s ready.

* the doctor is right. The real question is, when will your organization be ready to accept it? If your organization has not yet reached a level of sourcing maturity that, at the very least, puts it in the Hackett Group top 8%, it may not be far enough along it’s sourcing journey to truly understand why optimization is a necessary for strategic sourcing in the latter half of this decade.

Technological Damnation 92: Data Loss

It is the information age and data is the life blood of the company and the supply chain. The financial chain is controlled by data. The physical flow of goods is dictated by data. People communicate electronically through data packets. It’s all data. And losing that data is a damnation. Not just because data is lost, but because:

Lost Intellectual Property data is a loss of competitive advantage

Sometimes the only edge a company has is it’s intellectual property that it can use to create a slightly better product, do better in a foreign market, or lower its costs enough to undersell the competition when its products are no better. If that gets stolen, and one or more competitors get their hands on it, the advantage is gone and all of a sudden the product is no better, the edge in the foreign market is lost, and there is no cost advantage to exploit in the end product.

Intrusions that result in lost or stolen data are hard to trace

If your systems or networks get hacked, and your data is stolen, good luck figuring out who got your data, because chances are that not only will you not be able to figure out who hacked you, but you will not even be able to figure out where the hack came from. Right now, there are free hacking toolkits for every major OS on the deep web that can bounce packets off of dozens of anonymous proxy servers, fake TCP/IP headers, and exploit dozens upon dozens of security holes that can be launched successfully against the average system by budding script kiddies — so imagine what real black-hats can do if this is what they give away for free. Do you know how many zero-day exploits are in your systems? They do!

Even if the intrusions are traced, loss is hard to recover

Let’s say you are able to afford, and hire, the best white-hat trackers from the top security firms on the planet and they trace the hack to, let’s say, a rogue hacker in China or Russia. Do you think you’re going to recover anything? Nope. And even if you can trace the hack to your country or a country that you operate in, do you think suing a hacker who got an untraceable payment to a Swiss or Cayman Islands account is going to net you anything? No way!

Data loss prevention requires very powerful, expensive, digital vaults

The only protection your organization has is to install the best systems with the best encryption configured by real security pros. This is not easy to do. Considering that most web sites are full of security holes that are easily uncovered by open source products like PortSwigger’s Burp Scanner, imagine how hard it is to properly secure a database, an ERP, an OS, and the communication lines between them. So not only do you have to buy a top of the line system with embedded security, but then you have to find a real security expert to properly configure and harden the system — who is extremely pricey if you manage to find that person.

And loads of security training, awareness, review, and enforcement.

The majority of data thefts are not the result of hacks, but the result of disgruntled employees with access or social engineering. That’s why you need good policies, training, and enforcement. An admin should not grant carte-blanche access to data in a system to an employee who does not need it just because it’s too hard to set up the roles based security, even if the employee is happy and trust-worthy. Chances are that security will never be reviewed and if, in two years, the employee gets disgruntled or falls on hard times, that’s an exploit waiting to happen.

But the biggest risk is the average employee who writes her password on a post it inside her drawer, a receptionist who does a system test when asked over the phone, or an office admin who grants a workman access to the server room because they look like they should be there. The most common way a hacker gets access to your system is by posing as the janitorial staff who gets to go into every cubicle to empty garbage (and check desks for password post-it notes), as the vendor rep who wants to test the server connection (and has the rep go to a site that looks like the vendor portal admin screen and login for a speed / reliability test when all it does is capture the authentication data before passing through to a real site), or by dressing up as an IT shop employee there to fix the server — because once you’re on the live system, you can suck all the admin codes you want for a remote access later. Poor security practices opens holes bigger than the Vredefort crater.

And the average person does not understand this, even after repeated instructions and explanations as to why writing the password down is dangerous. So this damnation will be with us for quite some time.

It’s Not Optimization. It’s Strategic Sourcing.

Last week in my post on how The Trade Extensions Event Was Different. Their View is Different. It’s Time for Different I noted that the reason the event was different is because, unlike most purveyors of perplexing optimization software, they did not focus on their the capability, uniqueness, and savings potential of their optimization software, choosing to barely acknowledge the concept, and instead took the viewpoint that it’s not optimization, it’s just sourcing.

And as I indicated in that post, said in Monday’s Post on how It’s NOT a Suite, It’s JUST Sourcing Part II, SI has a very similar view. SI is now convinced that it’s not optimization, it’s strategic sourcing as SI believes it has become practically impossible to do true strategic sourcing without optimization.

Why? Because we have not only reached the point where it is impossible to define a sourcing event of any magnitude without hitting at least a few of the nine dimensions of complexity but we have also reached the point where the data collection, manipulation, and analysis requirements are so intensive that only a sourcing solution built on, and backed by, a true optimization engine is going to be able to handle the data, manipulation, and analysis required.

Now, we’re not saying that the right strategy for every event is optimization, but we are saying, as per SI’s already classic paper on Optimization, What Comes Next, that you cannot determine the right strategy without optimization to at least build and solve a baseline cost model given current market prices and expected bidder increases or decreases from the last event. For example, while a 3% savings potential might be enough for a (strategic) sourcing auction or optimization-based multi-round RFX, a 3% drop in expected product cost does not necessarily imply a 3% savings potential. If that drop is from remote suppliers that ship down lanes where costs have risen 10% and shipping is 30% of the overall total cost model, there is no savings potential. The right strategy is a renegotiation with the incumbent for a contract extension or a spot market buy. Similarly a 2% drop in price combined with a 5% drop in logistics costs could equate to a 3.5% savings potential under the right circumstances, which is substantial on a 50M+ category.

Plus, with bundled discounts, volume discounts from suppliers and carriers that take effect at different price points, different import and utilization costs for each supplier, and an ever increasing plethora of capacity constraints, mandatory award splits to minimize risk, secondary goals of minimal environmental impact, and so on, it’s often impossible to determine what the lowest cost solution is and, thus, if the cost increase associated with assigning a (greater percentage of the) award to a preferred supplier seen as being more valuable in the long term is actually worth it.

There’s just no way to do a strategic analysis and justify a strategic decision without a basic level of true mathematical optimization capability. Spreadsheets were breaking under the strain of basic sourcing requirements years ago. Now these sheets are just shards of glass — which will eventually cut you if repeatedly handled.

So if you want to source, use what you want. But if you want to strategically source, use an optimization-backed sourcing solution. You won’t need optimization for every event, but since you won’t know when you’ll need it until you have it, you still need it.

Technological Damnation 78: e-Privacy

Privacy is a good thing, and e-Privacy is a better thing, but that doesn’t mean it’s not an eternal damnation to Procurement. Why?

Customers are always demanding more privacy rights.

Including rights that they do not have in the off-line world. While you definitely should not post online that they shop at your location, they some consumers don’t even want you to keep records that they do. But in the real world, you can keep your security feeds, that show them, your physical credit card receipts for at least seven years, that show they shopped their, and the associated transaction receipts, that shows what they bought. But as soon as you store that data in a system, aggregate it, and use it to build a loyalty program and target appropriate rewards (even if you do so in a private way and don’t share the data with anyone), you’re trying to invade their privacy rights. So you have to be extra careful in Procurement that any systems you source have the highest safeguards and are only going to be used for legal, responsible uses.

Oversight requirements are increasing as regulatory acts are multiplying.

As more and more consumers demand their e-Privacy rights, and as more and more data breaches happen as a result of lax (or nonexistent) security, more and more regulations are being proposed and passed. There are so many provincial and federal acts addressing e-Privacy across finance, health-care, and technology that it’s dizzying. It’s impossible to keep up, and when something is missed, Procurement, who will be made responsible for Procuring the technological systems needed by the organization and the third party services providers to help with proper configuration, will be the organization given the blame.

The technological sophistication required to achieve an acceptable level of security and privacy safeguards is through the roof.

It’s not just buying a new database with built in 256-bit encryption, it’s getting all of the data into the database, making sure the data is encrypted on the way in, making sure it goes through a secure, encrypted channel from the port from the old database to the new database, and making sure the new database is appropriately configured and locked down to only authorized access through only authorized channels. This configuration is not easy, given the complexity of today’s encryption technology, the complexity of the tools that need to be encrypted, the arsenal of freely available hacking tools on the deep web, and the average security and third party systems knowledge of an average system administrator. Procurement has to first identify true security experts with experience security the systems and software that need to be secured, source a firm, vet the experts presented, and ensure that the person who shows up is the person who is actually the person whom they are expecting. A tall order for an organization typically tasked with sourcing products to keep production and operations going.

Consumer fear combined with the a lack of technological understanding of the underlying security requirements makes this a difficult damnation to tackle, but one that is only going to get more relevant and immediate as time goes on.