Monthly Archives: November 2023

Amazon: Resistance May Be Futile — But It’s Growing in the Masses!

Note: This content was originally posted on LinkedIn on November 15, 2023.

On November 15, 2023, Jason “the prophet” Busch of Spend Matters noted on LinkedIn that

Resistance is Futile.

[because] Amazon Business Reshape (in Chicago) is “the new Ariba Live” according to multiple people I’ve spoken to this week.

And stated that what struck him was:

how Amazon seemingly has one obsessive goal: drive usage, volume and value so customers keep coming back.

and that:

If it’s not already, I’m guessing Amazon Business will soon be a Fortune 500 P&L lurking inside a Fortune 5 company (and it’s going to be high on the list itself in the years to come).

among other things.

And while usage, volume, and value will drive companies to try Amazon Business, without good SERVICE levels, will those customers actually return when the contract ends? Or, even worse, if there is no contract, when “Amazon” fails them spectacularly? (Remember that they see Amazon, not the vendor behind Amazon where the spectacular failure may actually occur.)

And, more importantly, if Amazon’s service in the consumer segment, where many of these business leaders will first experience Amazon, is poor, will they trust Amazon Business with their business? (Is it not reasonable to expect service levels to be the same across the board?)

I say this because I personally experienced Amazon customer service levels in Canada go from stellar (and the best of all the online merchants) to what I would consider the exact opposite of stellar in a very short amount of time in 2021/2022. I’m not the only person I know who cancelled Prime, which meant I went from buying, from a quick estimate, 600+ a month (for close to a decade after being a regular customer in North America for over 20 years) and a plan to move more business spend to Amazon to absolute ZERO (0) over a year ago (and my spend has stayed at that level since then).

This was also at roughly the same time complaints in the US skyrocketed to the point that the FTC stated that “Amazon has allegedly used dark patterns to trick millions of users into enrolling in its Prime program and trapping them“. (See this link.)

I know it’s different business units, different programs, different options for legal recourse, and different amounts of money at play, but my point is this.

1) the largest market for Amazon Business by far is the small business market — hundreds of thousands of companies that can’t afford a fancy (and expensive) Procurement solution (and would love a “free one” handed to them on an AWS platter)

2) the small business market is a market where ONE person usually makes the decision, not a team, and the decision is made as much on emotion as it is made on numbers; if that person had a less than stellar experience with Amazon personally, will they trust them for their small business if there is any other option available to them?

(Basically, while the doctor agrees that everything the prophet said might be true in the Mid-Size and Larger Enterprise market, we need to note that there are only thousands of large global enterprises [The Fortune 1000/Global 3000]; only tens of thousands of mid-size enterprises; but millions of small enterprises. Millions. That’s where the volume is!)

In other words, Amazon Business Reshape might have the excitement (after all, what else is new? the answer is, sadly, not much), but will it last? And will the excitement lead not just to an uptick, but sustained momentum and growth for Amazon Business?

9% of Companies Claim To Be Ready to Manage Risks Posed by AI? Bull Crap.

the doctor could not believe the recent headline in Forbes that said Only 9% of surveyed companies are ready to manage risks posed by AI. Because there is no way that 9% of companies are ready to manage the risks posed by AI. There’s no way even 0.9% of companies are ready to manage the risks posed by AI.

Why? Because of the rampant introduction of massive LLMs and DNNs that no one understands, for which I’m sure we’ve yet to see the last of the abysmal failures, hallucinations, and suicide coaxing. There’s simply no way we can even begin to predict all of the potential errors they are going to make, the risks they are putting us under, the repercussions if those errors are made and risks materialize, and how the risks can be minimized, if not mitigated. No way whatsoever.

Not only is it theoretically impossible to be fully prepared, but when you consider that the average organization is not even equipped to handle regular software failures, how can the average organization expect to handle a software-based AI failure it can’t even predict?

The article, which quoted a recent study by RisKonnect (who are obviously able to detect and protect against most types of risk by using RisKonnect, and maybe that’s why they are so confident they can protect and defend against AI risks; but RisKonnect is for traditional enterprise and third-party risk, not cyber risk, and definitely not AI risk, and no one can protect against a risk when they don’t even know what the risk is), did quote some very useful statistics on areas of concern. Specifically, of the companies surveyed:

  • 65% are concerned about data and cyber,
  • 60% are worried about employees making decisions on erroneous information,
  • 55% are worried about employee misuse and ethical risk,
  • 34% are worried about copyright and intellectual property, and
  • 17% are worried about discrimination risk.

The risks are the right risks, and the order of priority is about the right order, but the percentage of companies concerned is much too low.

1. 100% of companies should be concerned about data and cyber. Not only are we in the age of state-sponsored hacking, which makes any company with useful confidential designs and information a target, but with almost all significant commerce being conducted online, all companies are a target for financial fraud.

2. 100% of companies that need to make decisions based on data analysis should be concerned about erroneous information, as all companies have bad data, and the bigger the company, the worse the data.

But none of these match the risks of AI. As per the quote in the article from Caitlin Begg, an over-reliance on AI can risk robotic, insensitive, spammy, or off-topic messaging, and that’s just the beginning. As noted, most companies haven’t simulated their worst-case scenario, and since one can’t even predict what that is with AI, they aren’t even close to ready. AI is not just another application in the organization’s tech stack, even though the article seemed to indicate it is. One can prioritize transparency, accountability, threat and vulnerability monitoring, and risk mitigation, but when most AI applications can’t explain their actions, aren’t accountable the way humans are, have no realistic threat and risk assessments, and there is no way to mitigate the risk except not to use the technology in the first place for any decision that should be made by a HUMAN, it’s just not enough.

The precautionary steps are not to identify where AI can be most effective and incorporate it. The steps should be to:

  1. identify where partners and third parties are using AI and putting your organization at risk
  2. identify where employees might be using unapproved web-based AI applications and put a stop to it
  3. identify where your SaaS providers are not only using, but introducing, AI into their applications after purchase and delivery and ensure that any utilization is bounded, tested, and properly constrained to prevent risk
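
Step 2 is the one a security team can actually start on tomorrow, because the evidence is already in the web proxy or DNS logs. The following is an added example (not code from the original post): it walks a few constructed proxy log lines, matches each destination against a watchlist of generative-AI service domains (subdomains included, so api.openai.com counts as openai.com), skips the one service the organization has approved, and reports who is using what and how much they have pushed out. The log format, the user names, the watchlist and the approved service are all assumptions of this illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic). Assumed format:
# "<ISO timestamp> <user> <method> <host> <bytes_out>"
SAMPLE_LOG = """\
2023-11-20T09:12:03Z alice GET intranet.example.com 512
2023-11-20T09:13:41Z alice POST chat.openai.com 18342
2023-11-20T09:15:09Z bob POST api.openai.com 220911
2023-11-20T09:16:22Z carol GET claude.ai 803
2023-11-20T09:18:57Z bob POST copilot.microsoft.com 4096
2023-11-20T09:21:10Z dave GET example.com 150
2023-11-20T09:22:45Z alice POST gemini.google.com 9001
this line is malformed and should be skipped
"""

# Assumed: an org-maintained watchlist of generative-AI service domains.
# A starting point only; it has to be maintained as new services appear.
AI_DOMAINS = {
    "openai.com", "chatgpt.com", "claude.ai", "anthropic.com",
    "gemini.google.com", "perplexity.ai", "poe.com", "character.ai",
    "copilot.microsoft.com", "huggingface.co",
}

# Assumed: the one AI service the organization has formally approved.
APPROVED = {"copilot.microsoft.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT) (\S+) (\d+)$")


def matching_domain(host, watchlist):
    """Return the watchlist entry that host equals or is a subdomain of, else None.
    Walks label by label, so 'api.openai.com' matches 'openai.com' but
    'notopenai.com' does not (a plain substring test would get that wrong)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def find_unapproved_ai_usage(log_text, watchlist=AI_DOMAINS, approved=APPROVED):
    """Return {user: {domain: (request_count, bytes_out)}} for unapproved AI services."""
    findings = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole report
        _, user, _, host, nbytes = m.groups()
        domain = matching_domain(host, watchlist)
        if domain is None or domain in approved:
            continue
        entry = findings[user][domain]
        entry[0] += 1
        entry[1] += int(nbytes)
    return {u: {d: tuple(v) for d, v in doms.items()} for u, doms in findings.items()}


def top_uploaders(findings, threshold_bytes=100_000):
    """Users who pushed more than threshold_bytes to unapproved AI services, largest first.
    Outbound volume is the thing to chase: it is where documents and source code leave."""
    totals = {u: sum(b for _, b in doms.values()) for u, doms in findings.items()}
    return sorted(((u, b) for u, b in totals.items() if b > threshold_bytes),
                  key=lambda x: -x[1])


if __name__ == "__main__":
    report = find_unapproved_ai_usage(SAMPLE_LOG)
    for user, doms in sorted(report.items()):
        for domain, (count, nbytes) in sorted(doms.items()):
            print(f"{user:6} {domain:22} requests={count} bytes_out={nbytes}")
    print("large uploads:", top_uploaders(report))
```

On the constructed sample this flags alice (openai.com, gemini.google.com), bob (openai.com, with over 200 KB outbound) and carol (claude.ai); bob’s Copilot traffic is ignored because it is approved, and dave does not appear. Two caveats before acting on such a report: a domain watchlist only sees the services you thought to list, so pair it with category-based proxy blocking, and “put a stop to it” works far better when an approved alternative already exists, otherwise usage just moves to personal devices where you have no logs at all.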

Then, instead of unbounded AI, identify appropriate automation technologies that can be properly configured, integrated, and managed as part of an enterprise stack. And reap the rewards while your competitors deal with risks.

Source-to-Pay+ part 3: Corporate Risk

In Part 1 we noted that Risk Management goes much beyond Supplier Risk and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials they use; and with the locales they operate in. These risks come in all shapes and sizes. And any single risk can sink the company.

Today we are going to talk about some of the internal corporate risks and outline the function specific baseline capabilities that such a solution will normally possess.

Reputation/Brand

A significant risk to a company is its reputation/brand, especially if it’s primarily selling to consumers. And the problem with reputation/brand damage is that it can come from anywhere. A quality issue that leads to a defect that causes consumers harm. Raw materials that are harmful to human health and might cause cancer, or worse, if consumed, inhaled, or even touched. An offensive statement (to a group of people) by an executive. A targeted online misinformation campaign by a disgruntled customer. Environmentalists who claim the organization is doing unnecessary environmental damage. Forced and slave labour. The repercussions of continuing to buy cobalt and copper from the Congo while turning a blind eye to rampant sexual violence and rape. (An average of 48 victims are treated per day by Médecins Sans Frontières; that’s 17,520 per year. And this has been going on for over a decade.)

And in these difficult times, you also have to deal with

  • Sourcing from countries engaged in “special military exercises” that have effectively started wars with other countries and
  • Sourcing from countries whose response to terrorist attacks has resulted in 10X the number of casualties caused by the terrorists.

In these two situations, it might be the case that most of your consumer base doesn’t care, but some will praise you while staying the course and helping the side they think is right (or good) while others will go out of their way to aggressively attack your brand for helping the side they think is wrong (or evil). And so on.

As such, the platform needs to be able to monitor news sources and social media. It must look for stories that could blow up, sentiment that could propagate, and events associated with related entities that could propagate. It must tie into multi-tier manufacturing systems to monitor raw materials, and into quality control systems to monitor production quality. It must tie into CSR/ESG systems to make sure the company is being environmentally conscious. And so on.

Sanctioned Entities

An organization that does business with organizations on sanctioned or denied lists can get in serious trouble. It can be prohibited from doing business with government entities, fined, and its executives (criminally) charged. But it’s not just entities, it’s individuals as well. And it’s not just potential employees or contractors, but (potential) investors as well.

It’s critical that the system tie into all sanction and denied party lists of every country it does business in, all lists of organizations that have had lawsuits brought against them (and the results, if the lawsuits have concluded), and lists of individuals who have investments in related corporations.
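
Tying into the lists is the easy half; the hard half is the matching, because the name on your vendor master never looks quite like the name on the list (different legal suffix, transposed first/last name, a typo, an accent dropped). The following is an added example (not code from the original post) of the screening step itself: it normalizes names, drops legal-form suffixes, compares both in the given order and with tokens sorted, and reports any denied entry that scores above a threshold. The denied-party entries are constructed and fictional, and the 0.85 threshold is an assumption; a real system would load the official lists (OFAC SDN, the EU consolidated list, and so on) and refresh them daily.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictional denied-party entries (name plus known aliases). Not a real list.
DENIED_PARTIES = [
    {"id": "DP-001", "name": "Zorvath Trading Limited",
     "aliases": ["Zorvath Trading Ltd", "ZTL"]},
    {"id": "DP-002", "name": "Ivan Petrovich Korolyov",
     "aliases": ["Korolev, Ivan", "I. P. Korolyov"]},
    {"id": "DP-003", "name": "Meridian Gulf Shipping S.A.", "aliases": []},
]

# Legal-form tokens that vary between sources and carry no identity information.
LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "incorporated", "gmbh", "sa",
                  "sarl", "plc", "co", "corp", "corporation"}


def normalize(name):
    """Strip diacritics, casefold, drop punctuation and legal-form suffixes."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9 ]+", " ", s.casefold().replace(".", ""))
    return " ".join(t for t in s.split() if t not in LEGAL_SUFFIXES)


def name_score(a, b):
    """Similarity in [0, 1]. The sorted-token pass makes the comparison order-insensitive,
    so 'Korolev, Ivan' and 'Ivan Korolev' score as identical."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    ordered = SequenceMatcher(None, na, nb).ratio()
    bag = SequenceMatcher(None, " ".join(sorted(na.split())),
                          " ".join(sorted(nb.split()))).ratio()
    return max(ordered, bag)


def screen(party, denied=DENIED_PARTIES, threshold=0.85):
    """Return [(entry_id, score)] for every denied entry whose name or any alias
    scores at or above threshold, best match first. An empty list means no hit."""
    hits = []
    for entry in denied:
        best = max(name_score(party, n) for n in [entry["name"]] + entry["aliases"])
        if best >= threshold:
            hits.append((entry["id"], round(best, 2)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for candidate in ["ZORVATH TRADING LTD.", "Ivan Korolev", "Zorvath Tradng Ltd",
                      "Acme Widgets Inc"]:
        print(f"{candidate:22} -> {screen(candidate)}")
```

Three things a practitioner should take from this: an exact-string comparison would have missed all three positive cases above, a fuzzy hit is a lead for a human reviewer and not a verdict (the score tells you how hard to look, nothing more), and this approach has blind spots that need their own rules, such as very short aliases (“ZTL” will not score against “ZTL Consulting”) and names in non-Latin scripts, which the ASCII fold here simply erases rather than transliterates.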

Fraud

Every organization that makes money is at risk of being defrauded. That fraud can come from employees, including top executives, suppliers, third parties, and cyber criminals.

Such a system should integrate with the Supplier/Vendor Master to ensure that all invoices come from valid entities; with the purchase order system to ensure that invoices match purchase orders and the payment amounts are valid; and with the payment system to make sure that payments go to accounts known to be associated with the vendor that sent the invoice, and that no payment is made without an invoice or an appropriate counter-signed / doubly approved payment approval.

Such a system should also look at connections: connections between the individuals in the organization who cut the PO, claim the services were delivered, and make the payment, and the individuals who sent the invoice, verified the delivery, and accepted the payment.

Such a system should also integrate with the cyber monitoring and internet security systems and look for unusual activity that could indicate potential fraud.
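
The controls in the preceding paragraphs are concrete enough to write down as rules, so here is an added example (not code from the original post) that does exactly that over constructed sample records: an invoice is checked against the vendor master (does the vendor exist, is the remit-to account one we verified?), against its PO (same vendor, amount within tolerance, has anyone actually signed for delivery?), and a payment is checked for an underlying invoice, a matching account, two distinct approvers, and separation of duties (nobody who cut the PO or received the goods may also approve the payment). The record layouts, the 5% tolerance, and every vendor, account and employee name are assumptions of this illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not real data) standing in for the supplier master,
# PO system, AP system and payment system the text says the risk platform must join.
@dataclass
class Vendor:
    vendor_id: str
    bank_accounts: frozenset  # remit-to accounts verified out-of-band at onboarding

@dataclass
class PurchaseOrder:
    po_id: str
    vendor_id: str
    amount: float
    requester: str                     # who cut the PO
    received_by: Optional[str] = None  # who signed for delivery; None if nobody has

@dataclass
class Invoice:
    invoice_id: str
    vendor_id: str
    po_id: str
    amount: float
    bank_account: str  # remit-to account printed on the invoice

@dataclass
class Payment:
    payment_id: str
    invoice_id: Optional[str]  # None models a payment released with no invoice
    amount: float
    bank_account: str
    approvers: tuple           # everyone who approved release of funds

VENDORS = {"V1": Vendor("V1", frozenset({"ACCT-ACME-1"})),
           "V2": Vendor("V2", frozenset({"ACCT-GLOBEX-1"}))}
POS = {p.po_id: p for p in [
    PurchaseOrder("PO-1", "V1", 10000.0, "alice", "bob"),
    PurchaseOrder("PO-2", "V2", 5000.0, "carol", "carol"),
    PurchaseOrder("PO-3", "V1", 2000.0, "dave")]}
INVOICES = {i.invoice_id: i for i in [
    Invoice("INV-1", "V1", "PO-1", 10000.0, "ACCT-ACME-1"),  # clean
    Invoice("INV-2", "V2", "PO-2", 5000.0, "ACCT-NEW-99"),   # remit-to account changed
    Invoice("INV-3", "V9", "PO-1", 3000.0, "ACCT-ACME-1"),   # vendor not in master
    Invoice("INV-4", "V1", "PO-3", 2500.0, "ACCT-ACME-1"),   # over PO, nothing received
    Invoice("INV-5", "V1", "PO-2", 1000.0, "ACCT-ACME-1")]}  # PO belongs to another vendor
PAYMENTS = {p.payment_id: p for p in [
    Payment("PAY-1", "INV-1", 10000.0, "ACCT-ACME-1", ("erin", "frank")),
    Payment("PAY-2", "INV-2", 5000.0, "ACCT-NEW-99", ("carol",)),
    Payment("PAY-3", None, 750.0, "ACCT-GLOBEX-1", ("erin", "frank"))]}

TOLERANCE = 0.05  # assumed: an invoice may exceed its PO by up to 5% (freight, tax rounding)

def check_invoice(inv, vendors, pos):
    """Three-way-match style checks on one invoice; returns (invoice_id, code) findings."""
    out = []
    vendor = vendors.get(inv.vendor_id)
    if vendor is None:
        out.append((inv.invoice_id, "UNKNOWN_VENDOR"))
    elif inv.bank_account not in vendor.bank_accounts:
        out.append((inv.invoice_id, "BANK_ACCOUNT_NOT_ON_FILE"))  # classic BEC signal
    po = pos.get(inv.po_id)
    if po is None:
        return out + [(inv.invoice_id, "PO_NOT_FOUND")]
    if po.vendor_id != inv.vendor_id:
        out.append((inv.invoice_id, "PO_VENDOR_MISMATCH"))
    if inv.amount > po.amount * (1 + TOLERANCE):
        out.append((inv.invoice_id, "AMOUNT_EXCEEDS_PO"))
    if po.received_by is None:
        out.append((inv.invoice_id, "NO_DELIVERY_CONFIRMATION"))
    return out

def check_payment(pay, invoices, pos):
    """Payment-side checks: invoice exists, account agrees, dual approval, separation of duties."""
    out = []
    inv = invoices.get(pay.invoice_id) if pay.invoice_id else None
    if inv is None:
        out.append((pay.payment_id, "PAYMENT_WITHOUT_INVOICE"))
    else:
        if pay.bank_account != inv.bank_account:
            out.append((pay.payment_id, "PAYMENT_ACCOUNT_MISMATCH"))
        po = pos.get(inv.po_id)
        # Nobody who cut the PO or signed for delivery may also approve the payment:
        # the "connections" check the text describes.
        if po is not None and set(pay.approvers) & {po.requester, po.received_by}:
            out.append((pay.payment_id, "SEPARATION_OF_DUTIES"))
    if len(set(pay.approvers)) < 2:
        out.append((pay.payment_id, "INSUFFICIENT_APPROVERS"))
    return out

def audit(vendors=VENDORS, pos=POS, invoices=INVOICES, payments=PAYMENTS):
    """Run every check; returns a list of (record_id, code) findings."""
    findings = []
    for inv in invoices.values():
        findings.extend(check_invoice(inv, vendors, pos))
    for pay in payments.values():
        findings.extend(check_payment(pay, invoices, pos))
    return findings
```

Calling audit() on the sample data flags INV-2 for a remit-to account that is not on file (the pattern behind most business email compromise losses), INV-3 for an unknown vendor invoicing against someone else’s PO, INV-4 for exceeding its PO with no delivery confirmed, INV-5 for a vendor/PO mismatch, PAY-2 for a single approver who also cut the PO and signed for delivery, and PAY-3 for a payment with no invoice at all; INV-1 and PAY-1 pass. The bank account check only means something if the accounts in the vendor master were verified by a call-back to a number you already had, not by the email that asked for the change.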

Employees

Employees are the biggest internal risk. And not just those who are looking to commit fraud, which will, hopefully, be a very small percentage of employees. There are also those who (might) have a conflict of interest, which could sway their decision making. And then there are the rest of the employees, who are human and make mistakes. Small mistakes, like accidentally approving an invoice for 5K from a vendor who didn’t actually deliver the services, and might never deliver the services, because there are no processes in place to verify delivery from approved vendors who have delivered in the past. Big mistakes, like not locking down a port that allows a hacker to get into the local payment systems and alter the bank account for the 500K payment going out tomorrow. And everything in between.

This system should integrate with background check systems, not only for employees who have access to the payment systems, but also for those who have access to restricted/classified IP, sensitive systems that need specialized training, and so on.

It should also integrate with certification and training systems to track an employee’s certifications and training.

GHG/Carbon

In today’s climate, it’s important for a large company to track its internal carbon usage, not just the supply chain’s.

It’s likely that the organization will have its own system for carbon tracking. Such an organization will need to make sure the system is configured to track internal emissions and chain emissions separately, assign internal emissions to the company and the outbound chain as appropriate, and export the summaries to the corporate risk tracking system.

GDPR/Privacy

GDPR is here, it must be respected, and failure to do so can be costly. But it’s not just GDPR an organization needs to be concerned with, as privacy regulations are cropping up all over the world, including in many of the countries in which the organization does business as a buyer, a seller, or both.

An organization must identify the private data it maintains on its employees, contractors, representatives of third parties, and the public. It must ensure such data is secured, encrypted, accessible only by those with explicit authority, and tagged as either data the organization is legally allowed, or required, to keep or data that does not fall under that category. The location of such data must be indexed so that the data, and all backups thereof, can be erased when someone asks to be forgotten (with the exception of any data the organization is legally required to maintain).

Contract

The organization has contractual risk, both in the contracts with its suppliers and in the contracts with its customers, as well as with respect to the contracts it never signed but implied when it made the first order or purchase from a supplier. These risks include the losses from failure to complete its obligations, the risks of suppliers and customers failing to complete theirs, force majeure risks, and the lack of assignment to third parties and/or lack of adequate insurance coverage.

It’s critical that the Corporate Risk System integrate with all of the contract systems used by the organization, track contracts by risk type, identify lack of key clauses, and identify areas where lack of contracts or insurance put the organization at significant risk.

Epidemics/Pandemics

The pandemic was not the last epidemic/pandemic the organization is going to face. More are coming. The organization needs to identify which parts of the operation are most at risk, what can be done to prepare for it, and what is in place when the worst happens.

As to how the system should support the planning, monitoring for, detection, and response to an emerging epidemic/pandemic, that’s probably organization dependent. But any Corporate Risk system that doesn’t at least recognize the need is not addressing the full problem.

A corporate risk system will also contain a host of generic analytics/planning/monitoring capabilities, but since many of these are, or at least should be, common among multiple types of risk systems, and since stand alone risk-focussed analytics applications are also part of the plethora of offerings out there, instead of discussing these generic features in this and every other article describing a particular focus/type of risk application, we will instead discuss these capabilities in an article dedicated to Risk Analytics and Monitoring near the end of this series.

Source-to-Pay+ part 2: End-to-End Risk Management

In Part 1 we noted that Risk Management goes much beyond Supplier Risk, and a primitive Supplier “Risk” Management application (which we prefer to label Supplier Uncertainty Management since it’s not full blown risk management, and there’s uncertainty as to how much it will actually do for you) is only the beginning of what your organization will likely need.

When it comes to risk, there are risks in:

  • your company
  • your suppliers
  • their suppliers
  • third parties you interact with (which may not be [direct] suppliers of goods or services)
  • your carriers
  • your supply chain network (ports, warehouses, [cross]docks, etc.)

These risks can be with

  • your people
  • your board
  • your investors
  • your supplier’s people, board, or investors
  • the materials your suppliers use
  • the locale they operate in
  • the suppliers your suppliers use
  • the locale they operate in
  • the carriers
  • the ports your carriers use
  • the warehouses used for interim storage
  • and any other part of, or player in, the supply chain

And the types of risks are numerous. They include, but are far from limited to:

  • unskilled/uncertified people
  • sanctioned/prohibited individuals and entities
  • restricted / banned materials
  • use of underage / forced / slave labour
  • geo-politics
  • economics / currency fluctuations
  • natural disasters
  • labour unrest / strikes
  • fraud / theft
  • the internet
  • and so on

And you need a very extensive application to identify, analyze, monitor, mitigate, and manage these risks. In fact, you may even need a suite of these applications, especially when you consider that most applications consider risks from the viewpoint of:

  • the company (especially those that offer GRC applications)
  • the supplier / third party (SRM/SUM+ / TPRM)
  • supply chain visibility
  • … w/or in-transport visibility
  • w/or multi-tier (manufacturing chain) visibility
  • cyber monitoring

And such an application will need entity/function specific capabilities as well as generic capabilities. The generic capabilities might include, but not be limited to:

  • data feed/stream integration
  • metric definition
  • trend analysis
  • user defined reports
  • data / trend monitoring
  • (mitigation) plan creation
  • plan management

Risk is broad, and the solution footprint needs to be broad as well. In the next few articles we will tackle some of the major application areas we noted above.

Source-to-Pay+ Part 1: The Beginning.

Once upon a time
not so long ago …

SI ran The 39 Steps … err … The 39 Clues … err … The 39 Part Series to Help You Figure Out Where to Start with Source-to-Pay and helped you understand what each of the six core technologies in Source-to-Pay do, how to evaluate them, and the order of implementation necessary to maximize short-term results (which is the only thing the CFO cutting the check for the systems cares about). Not that it should be hard, given that, as the doctor explained, if your organization is mid-market, the answer to Per Year, How Much Should You Outlay for Source to Pay? 120K! (because Yes Mid-Markets, 120K is More Than Enough for Source-to-Pay!). That’s cheap, and if you can’t get a 10X ROI on that, the doctor would be surprised. (Yes, you’ll need some integrations and some services, and that will double or triple the price and you may only see a 5X or 7X ROI, but still.)

But the reality is, especially in today’s turbulent times (where me and my wine is not enough), even full Source-to-Pay is not enough. Risks abound, and even if your Supplier Management Platform has an Uncertainty (Risk) module, there’s more than supplier risk to worry about. There’s third party, supply chain, logistics, geographic, natural disaster, and many other risks that Supplier Risk Management, which we prefer to call Supplier Uncertainty Management (due to the lack of depth, action management, support for mitigation planning, etc. we prefer NOT to call these Risk modules), applications in Source-to-Pay typically don’t address.

Then we have Corporate Social Responsibility (CSR), Environmental, Social, and Governance (ESG), and Carbon / Scope 1,2,3. Today, a non-responsible company that buys from suppliers who are particularly environmentally unfriendly, don’t treat their workers well, or, even worse, use forced or slave labour is the one that gets the consumer backlash, and possibly the civil AND criminal liability (with certain jurisdictions introducing laws making the last company down the chain responsible). A company that just hoards profit and doesn’t make an effort to give back is frowned upon. And a company that stays on dirty power when there is an alternative, wastefully uses fresh water, or unnecessarily consumes non-recyclable resources in its day to day operations is just being dumb. Moreover, when you consider that Carbon Tracking is Important — But a Calculator or a Credit is Not A Solution! but What You’re Really Concerned About is YOUR e-Liability, that it’s not just about tracking, but reducing where possible, and that there are real baselines given that it’s impossible to mine, process, produce, ship, or consume without emitting carbon, it’s not easy to figure out what you need.

When you are buying direct, you have to consider the supply chain as well as the implications of a change in the supply base. The ink on the contract is when the fun truly begins. The product has to arrive on time, on budget, damage free, at the right location. This requires logistics coordination, and if the contract will change the supply base configuration, this is something that should be considered up front. So logistics/network analysis is creeping into Sourcing.

Then there is the issue of T&E — what happens when it’s put on the card, because it’s too small to bother with a Procurement effort (it never is, although it’s not always worth the time of a Procurement Pro, and that’s why you need an appropriate T&E/Tail Spend system to make sure the end buyer gets it right) or someone is trying to bury something that they know is not truly needed, off contract, or shouldn’t be expensed.

Plus, at the end of the day, you have to pay … and most Source-to-Pay suites end at OK-to-Pay. What do you do when it’s time to pay?

And so it goes.

As such, it’s time to start another multi-part series to help you, dear reader, understand the extended Procurement landscape and what you should be looking for in such systems. We’re not going to attempt to tell you what to implement first, as that will depend upon what your biggest need is, which will usually depend on what the biggest risks are to the organization at the current time — unidentified spend, risk of supply, breaks in the supply network, forthcoming legislation, global payments, and so on. We’re just going to take an area and explore it, for as many articles as it takes. More to come. Much More.