Monthly Archives: January 2024

An Introduction to TPCM: Third Party Compliance Management

TPRM: Third Party Risk Management is Big. Really Big. In fact, as evidenced by recent investments over the past year (Spectrum’s 200M investment in RapidRatings in 2022, Vista Partners’ acquisition of Resilinc, and now the 1.2B acquisition of Exiger by Carlyle and Insight), it’s HUGE. Actually HUGE! (Not Trump huge. In fact, the exact opposite. 😉 )

Why? The pandemic finally caused the space to wake up and realize not only how significant long-term disruptions are, but how much risk has been embedded in over-extended global supply chains over the last thirty-plus years (thanks to the global sourcing craze started by the Big X and Mid-Sized Consultancies that chimed in during the 90s as a method of “cost savings”, which really just resulted in “spend transference” to big consultancy pockets and the buildup of risk, and risk-related debts, in the supply chain that, just like technical debt, always comes due someday). Big corporations have finally realized they need to manage that risk, or at least maintain constant visibility into it, if they want to get the supply they need to just stay in business. (At the end of the day, “cost savings” don’t matter if you don’t actually stay in business, which is what happens when you don’t receive any products to sell. So you need to assure supply first, and then avoid unnecessary cost second — especially since there is no real “savings”, just cost avoidance with improved processes, designs, networks, management, etc.)

As a result, these companies, who were mostly clueless about the risks (sometimes by choice), needed solutions now to at least get insight into the risks so they could plan mitigations, or at least take action when something happened. Since their traditional enterprise / manufacturing resource management, supply chain, source-to-pay, or back-office systems didn’t give them the insight they needed, they finally started to turn to TPRM (and in some cases, broader SCRM – Supply Chain Risk Management) systems in a big way.

And that’s great. Until it isn’t. As a result of all of the supply chain failures and the impending disasters they created across supply chains, not just health and defense, governments have started taking action and introducing a lot more regulatory compliance into the mix. This is at the same time they are waking up to the wild west of technology and introducing a lot more regulation into the mix around personal data and use of AI. And with fraud and money laundering seemingly increasing without end, there’s a lot more regulation around partner due diligence. And then there is the reality that the world is heating up (whether you believe in climate change or not), that this heating up is contributing to an extremely substantial increase in natural disasters, that temperature is correlated with carbon and greenhouse gases (GHG) in the atmosphere, that we are currently producing a lot of carbon and GHG as a species, and while we may not have been entirely responsible for getting here (as there are other factors that cause temperature to naturally rise and fall on a planetary scale — although the changes we’ve seen in the last few decades have historically taken centuries or millennia looking at the geological record), we need to do everything we can to not make it worse (or risk natural disasters on a scale that have not been seen for millennia, and that have sometimes even led to extinction level events in the past). In response to this, countries are making commitments to the Conference of the Parties of the UNFCCC and instituting legislation limiting the carbon you can create (without fines or fees to offset that, presumably fines or fees that will be invested in greener energy options, but we have to admit many governments haven’t thought that far ahead) and the amount of other pollutants you can pump out.

In other words, not only do companies have to worry about more risks than they are aware of, they also have to deal with more regulations than they can easily keep track of (and, when they’re not on the ball, they don’t find out about them until they get a fine) — as well as dedicate way more time than they should gathering the required information for, and filling out, the appropriate reports and filings.

Moreover, and this shouldn’t surprise you, the vast majority of TPRM (and even SCRM-TPRM) systems don’t help with this at all. While they can be configured to detect issues that may represent potential violations, they generally don’t collect the reporting data that is required and typically don’t provide the detailed trickle-down visibility that is needed to verify that key requirements — such as personal data protection, no forced labour, etc. — are truly adhered to throughout the chain.

That’s why many big multi-national organizations — especially those that collect and process personal data, do a lot of global importing or exporting, or deal with extended supply chains and have to comply with extensive privacy regulations AND data protection laws in the finance sector, have to comply with hundreds of sanctions and denied party lists globally (as well as ensure there are no connected beneficial entities on those lists), and/or need visibility down to the source on human rights — need a solution that understands the regulations they are subject to, encodes the data they need to collect and the violations (special types of risk) they need to monitor for, and helps them produce the reports and regulatory filings they need to make.

And the only system that can do this is a Third Party Compliance Management solution, which has some commonality with a Third Party Risk Management solution, but also a lot of differentiation as well. Most organizations won’t know they need such a solution, as they won’t even know that such a solution exists (as there aren’t many solutions and not much buzz about them … yet). Hopefully this post will change all that. Even though the solutions are two sides of the same coin, the sides haven’t met yet, and until they do, which could be years (and years and years) away (because no one has really thought about the hard center yet), for many companies, what they really need is a TPCM solution.

10 Great Questions to Pre-Qualify a Vendor Before Onboarding for a Deep Dive, Courtesy of Certa

A recent article in the SCMR by Jag Lamba, the CEO of Certa, a Third Party Risk Management (TPRM) vendor headquartered in California and focussed on compliance, risk, and ESG, had some very good questions to ask before engaging with a US vendor, but some of them were very US-centric and others took a platform-based approach. (You certainly need a platform, but certain areas, like security, go beyond the platform.)

But if we generalize these questions, they are relevant for everyone, and make it clear why you need a Third Party Risk Management (TPRM) platform that goes beyond just key suppliers/vendors, and beyond product and service needs. (And if you’re wondering why you need a TPRM, check out Part 4A and Part 4B of our new Source-to-Pay+ series where we are currently focussing on Risk Management.) They’re also industry independent and can allow you to short circuit a time-consuming industry (product/service) specific diligence because if the third party fails any of these questions, why would you bother going deeper? Just move on to the next contender!

  1. Does the vendor meet the needs of its customer base?: Any major negative news headlines? Any drops in financial performance? Any grumblings on Glassdoor? Any of your counterparts in local groups or associations using them and bad-mouthing them?
  2. Does the vendor have the operational capability AND capacity to serve you?: If you need a modern machining process or a vendor who can produce a minimum of a million units, don’t bother with any vendors that don’t have the process or can’t produce a million units.
  3. What financial and sustainability reporting processes are they subject to?: The best way to ascertain their ability to stay compliant with financial and other regulatory (like ESG) requirements is to review the government reports. (They may [white] lie in their marketing, and then claim you misinterpreted, but they’re not as likely to lie to the government, who could fine them, criminally charge them [in some countries], or shut them down.)
  4. How do they approach security?: Not just cyber security, but facility security, personnel security, and information security. Over half the attacks come from the cloud because it’s easy: when you leave a security hole, hackers don’t have to leave their basement, they can attack you half a world away, and face no repercussions because there are no extradition treaties and the local authorities just don’t give a f*ck if they aren’t doing any criminal activity in their country. But when that fails, their local counterparts try to break into the facilities — if the vendor stores unsecured physical copies of critical IP, local backups of sensitive IP on unsecured USB/Zip/Thumb drives, or a lot of money on site — all someone has to do is walk in with a workman’s uniform, enter the backroom to check the wiring when no one’s in it, stuff something in their workbag or pocket, and, buh-bye. If your personnel are not trained to detect social engineering attempts, then someone’s going to have a little chat with them, something like “Hi, what do you do? Oh, is that your doggie in the picture, what’s your doggie’s name? My doggie’s name was Scooter. You know it’s my birthday tomorrow. I’m a Scorpio. What about you? So you were born in 1979 and you’re a goat like me in the Chinese zodiac? Cool! Hey, you know that I was just reading that most people use their birthday and pet’s name as a password. I thought it was only me. What, you do too? Aww, so cute. Well, nice meeting you.” Network access granted! And then if you’re not ensuring all personal, confidential, or sensitive IP is clearly marked, only stored in locked filing cabinets, always encrypted, and those files only on secure, encrypted, network drives, hackers are going to easily find those files accessible from limited-access accounts with weak passwords that can be cracked by brute force.
  5. Do they do business with any entities sanctioned in your country?: If so, they are probably a no-go. You don’t want to be only one degree of separation removed from a sanctioned entity. (And, of course, they shouldn’t be sanctioned — because you shouldn’t be considering them at all if they are!)
  6. Would you have a backup plan if the suppliers or partners they relied on got sanctioned?: I.e., if you need to locate a complete production line in one geography, and there is only one supplier of a key raw material or part in that geography, maybe you’re looking in the wrong geography.
  7. What is their viewpoint on diversity?: Great suppliers encourage diversity and look for good people that represent the entire cross-section of humanity in the area in which they operate; they don’t have arbitrary goals or the one token Black executive in the C-suite to check a box; they hire all races, cultures, religions, ages, etc., train them all, and then promote the best (and, over time, they build a diverse management team).
  8. Are their objectives aligned with your objectives?: If your objective is quality and distinction for the wealthy, and their objective is cut costs no matter what, they are probably not the supplier for you.
  9. Do they have a sustainability program, and is it sensible?: In some jurisdictions, they not only have to report down to “Scope 3”, but stay within a limit for overall emissions, or get in (financial) trouble (with fines, etc.). And if you have to report as well for doing business with them, or to satisfy the regulatory requirements of a region you operate in, and they can’t report to you, that’s not good. Not good at all.
  10. What level of risk will they add to your business?: If you’re happy with the answers to the first 9 questions, before you dive deep into certifying their products and services, their production lines and capacities, etc., ask this first. If the risk is too great in general, it might be a no-go before you start. And this is why you need a comprehensive TPRM platform to do a preliminary assessment.

And yes, Certa is one platform that might be able to help you, and one you should add to your RFP invite list if you don’t have a TPRM. We will note that they’re not the only one (and this could be relevant if you are in the EU and need a local provider), and that we’ll list others in Part 10 of our Source-to-Pay+ series, but close by stating that you should not overlook Certa. They’ve been around for a decade, have raised over 50M, likely integrate into whatever you’re already using in your Source-to-Pay process (with integrations to 100+ platforms and data feeds), have pre-built solutions for Compliance / Risk / ESG, and have a number of Fortune 500 clients.

Grading The Prophet on His Supply Chain Predictions …

Hopefully you’ve been paying attention over on LinkedIn as The Prophet has been sharing his predictions for the Procurement and Supply Chain space for the coming year as the vast majority are right on the money.

When the series is done, the doctor will discuss each prediction in more detail, but for now, he’ll just direct you to the articles so you can catch up before The Prophet completes the series and you miss possibly the best intelligence on what is coming your way in 2024 (and what you need to consider if you are going to be anywhere near prepared for it):

Current Grade: A!

It Was Nice to See Procurement Get a USA Today Headline, But …

… it would be nicer still if the article made any sense!

Last month, USA Today ran an article on How to Optimize the Procurement Lifecycle of Your Business that gave the doctor hope that maybe Procurement would get a sliver of the just deserts it deserves. But, alas, the article was yet another example of how the big publications don’t care, don’t actually verify the content, and allow whatever big company gets their attention to push their agenda.

Because SEO has no place in any article on “How to Optimize the Procurement Lifecycle of Your Business”. Sales cycle, maybe. But Procurement cycle? Not a chance!

Let’s back up.

The article starts off by noting that understanding the procurement process is vital to improving cost efficiency, ensuring quality procurement solutions, and staying compliant with regulations, which is all true, and all critical to any business (among other things, but you can’t overwhelm the average reader who’s likely not a Procurement expert). It also notes that the procurement process is fraught with complexities and challenges which is also true, and also critically important for a non-Procurement person to understand.

Then it says that optimizing the procurement process entails the use of modern technologies, insights, and strategies, which gave the doctor hope that maybe it would help an average user understand what kind of technologies the organization needed, what insights the technologies should provide, and what types of procurement strategies the organization might want to consider.

But instead of actually providing these key insights it goes on to say that inefficiencies in procurement management can lead to increased costs, delayed deliveries, and compromised quality, which, while also true, is not that helpful at this point (and should have been listed as examples of the complexities and challenges highlighted above). It used this as a lead-in to how modern point-of-sale (POS) systems are instrumental in dealing with inefficiencies, WHAT THE HELL?, which is used as a lead-in to a whole section on digital transformation: incorporating SEO for Procurement Optimization, WHAT THE FUCK?

A POS solution is NOT a Procurement solution, and it’s certainly NOT instrumental in dealing with inefficiencies in Procurement management. Procurement is about acquiring the product an organization needs when — and where — it needs it. While a modern POS system can push roll-up data into the inventory management system which, in turn, can generate forecasts to feed Procurement, a modern POS system is not necessary because all Procurement needs is sales projections, and if the delivery timeline from the source in Bangladesh or Shanghai is 45 to 60 days, it only needs 60 days of granularity, not sales data by the hour! Logistics will need that granularity to do finer forecasts to push stock where it is needed before it is needed, but NOT Procurement.

But the cardinal sin of this article is claiming that incorporating SEO techniques into the digital transformation strategy of the business can add another dimension to procurement optimization. No NO NO NO NO! The article claims that with SEO techniques, businesses can reach out to a wider pool of global suppliers, which is completely false because THAT’S NOT HOW SEO WORKS! SEO helps people doing searches find sites that match certain keyword searches, and, thus, would only work if the potential supplier has a sales person who is actively using the internet looking for new customers, who is using the keywords that the site has been SEO’d for, and who is searching in the organization’s language and in the organization’s geography (as most search engines prioritize same-language results in the region). In other words, the chances of a supplier you might actually consider finding your SEO-optimized site and reaching out to the right person at your organization is only slightly better than you winning the grand prize in a Mega Millions lottery.

The proper solution for finding new suppliers is a supplier discovery / network solution like Apex Analytix, Graphite Connect, MFG, Onventis, Promena, ScoutBee, Supplhi, supplier.io, and Tealbook.

NOT SEO!!!

So, even though Procurement is the life blood of the business, when it comes to mainstream coverage, Procurement Don’t Get No Regard, No Regard At All!

There is a Price of Relocating to “Friendly Countries”, but There Are also Corresponding Cost Reductions

A recent article in El Pais on the price of relocating factories to ‘friendly countries’ noted that according to the European Central Bank (ECB), 42% of the large companies in the Old Continent that it has recently surveyed have resolved to produce in allied countries as a means of reducing risks. However, this relocation carries economic consequences, and international institutions — such as the IMF and the ECB — warn of its impact on growth and soaring prices.

The article is right. Some prices will go up as companies move out of countries in, or likely to engage in, conflict, both of the physical (war) and the economic (closed borders, significant tariff increases, rolling lockdowns, etc.) variety, and move to more “friendly” countries. (As far as SI is concerned, it shouldn’t just be “friendly” countries, it should be “friendly countries close to home”. At least companies are realizing that China and/or the lowest cost country is not always the answer when that answer comes with risks that, when they materialize, could lead to skyrocketing costs and losses that dwarf five years of “savings”.)

Furthermore, even though 60% of those contacted said that changes in the location of production and/or cross-border sourcing of supplies had pushed up their average prices over the past five years, this hasn’t been true across the board, it doesn’t have to be true, and some of those could still see savings as they optimize their new processes, methodologies, and supply chain network. (Changes don’t reach full efficiency overnight, and sometimes it is two or three years before you can optimize a supply chain network due to existing contracts, infrastructure, etc.)

Why are costs (initially) going up for many companies?

  • wages: many of the “friendly” countries are more economically mature, or advantaged, with a higher standard of living buffered up by higher wages / better social systems
  • utility charges: “friendly” countries that are using newer, cleaner sources of energy or limiting energy production from burning (coal, oil, natural gas) often have higher energy costs, as the initial infrastructure investment has not been amortized; water costs could be higher if more processing inbound or outbound is required; and so on
  • production overhead: chances are that the factories are newer, required a large investment that isn’t anywhere close to being paid off yet by the owner, and you’re paying a portion of the large interest payment to the investors/banks as part of the overhead

However, it’s important to note that:

  • productivity: will go up when you move to a locale where the workforce is more educated and skilled and is better able to employ automation and modern practices, and thus gets more efficient over time, countering the initial wage increase
  • energy costs: will reduce over time as a solar farm or wind farm can produce renewable energy for decades, with the initial investment often being paid back within one third to one quarter of that time; as a result, energy prices should remain flat(ter) over time than in the locales where they are still burning dwindling fossil fuels (which rise every year in cost) and have not yet invested in renewables
  • overhead: will decrease once the investments are paid back (and the interest payments are gone), which means it can stay flat as other production related costs rise (compared to older plants which will eventually reach a point where the revitalization investment becomes significant on a regular basis)

In addition to:

  • logistics costs: will reduce when you choose a friendly country closer to your target markets (since most freight is ocean freight on fossil fuel burning cargo ships)
  • disruption costs: will reduce as less risk translates into fewer (costly) disruptions over time

So while costs may go up a bit at first, at least relatively speaking, they will go down over time, especially as network and process optimizations are introduced and obtained from experience with the new network, suppliers, and technologies.