Monthly Archives: February 2024

Close the Supplier Loop with LUPR

Suppliers are key to sourcing and procurement success because you depend on your suppliers for the products you sell, the services you provide, and the materials you need for your daily operations. Thus, Supplier Management is key to sourcing and procurement success, but most companies don’t even have up-to-date information on their suppliers.

In order to achieve the value you expect from your suppliers, you need to

  • properly onboard and vet them
  • manage their information
  • monitor their performance
  • record related issues
  • manage the relationship
  • store contracts
  • track the savings goals
  • track the realized savings
  • and so on

And, more importantly, your supplier account managers need to work with the supplier representatives in each of these tasks, which need to be streamlined for both parties.

The founders of LUPR, each with two decades (plus) of Procurement project experience, realized this and created a supplier management platform that could tackle these issues, and it did so on top of Salesforce, which makes it an easy buy for any organization already using Salesforce as the platform has already been vetted by IT, Risk, Sales, and Finance. It also makes it easy for staff to learn the platform, as they are already used to the basics of Salesforce, and they have staff who can help out.

Before we get into the specifics (modules) of the solution, one thing to note is that because it’s built on Salesforce, it has:

  • high levels of configurability
  • security down to the field level in an object (record)
  • automation
  • familiar reporting and analytics capability
  • easy integration with other Salesforce AppExchange apps

The platform has the following primary modules:

  • supplier registration portal (for self-serve onboarding)
  • supplier information management module
  • risk assessment module
  • issue reporting and performance tracking
  • supplier corrective action resolution (SCAR) control
  • savings tracking and pipeline management
  • reporting and analytics

Supplier Registration Portal
The supplier portal is a very user-friendly web-based portal where a supplier can go and register itself as wanting to do business with the buying organization as well as provide all of the information requested by the buying organization. When it comes to onboarding, it should be noted that the only available out-of-the-box integrations (subscriptions required) for supplier validation are Experian, CreditSafe, Equifax and RapidRatings for business identifiers, financial information, and/or credit scores. Additional, custom, integrations are possible, but if you have other validation data being pulled into your ERP (such as SAP and Oracle which they integrate with), you can pull the validated data in from your ERP rather than collecting it from a supplier (and having to validate it manually).

Supplier Information Management
Upon login, the user is taken to their dashboard, which can be custom configured, and usually overviews their approved supplier list (by product and service), their top supplier spend (by supplier), outstanding tasks (including approvals for onboarding, information updates, etc.), suppliers by relationship tiers (as it supports multiple tiers, which can be custom configured, but are defaulted to critical, strategic, transactional, and leverage, which matches many consulting 2*2 breakdowns), today’s events, NCRs by type, NCR and KPI trends, etc.

Supplier profiles are typical of what you would expect and you can define and track all standard corporate data (including registration numbers), contacts, banking information, risk scores (through an API or collected from surveys), ESG data (from AppExchange partners, including Ecovadis and CSRHub, or pulled in from surveys), and spend (with an ERP or P2P integration). You can also store certificates and track associated metadata, see the supplier’s Z-score, its KPI scores (and drill into scorecards), see any associated nonconformance occurrences, open activities, surveys, and create supplier level initiatives (around overall savings targets, organizational alignment, performance measurements, etc.).

Products and Services
One unique capability of the LUPR platform is that they support extensive product and service definitions, which are associated with the corresponding suppliers, as well as the corresponding organizational standard product or service, and you can drill into each individual supplier product/service from both the supplier profile and the standard product/service, which can be organized by category (or category hierarchy with additional system hierarchy). It’s also easy to search for products and services by keywords (and then filter into particular categories or suppliers if desired).

The built-in out-of-the-box support is very extensive, and allows buyers to analyze total spend, define organizational needs, analyze markets, engage stakeholders, create strategies, and manage performance by product as well as manage performance by suppliers (discussed below). The assessments can be quite deep and look at the business aspect, supply market flexibility, savings estimation, and ease & speed of implementation. Furthermore, any relevant stakeholders can be engaged in the analysis as needed.

Issue Reporting and Performance Tracking / KPI Scorecards
Performance tracking in the platform revolves around KPI scorecards which can be very extensive, depending on how much data the organization tracks and integrates into the platform. The platform comes with a number of scorecard templates (and a large number of pre-defined measures in the KPI library), but LUPR can build custom scorecards to evaluate a supplier on any dimensions that are relevant to your business. (Also, all of the templates can be updated as you see fit, measures added and removed and weights updated to suit organizational preferences.) (They’ve done quite a few over the years and can implement extensive, custom scorecards relatively quickly.) Contract compliance, (On Time) Delivery, Quality, ESG, realized savings, etc. can all be tracked (by default) at the supplier level if the data is available, and you can get KPI scorecards by supplier, category, supplier-category, or a subset of the supply base (restricted to a region).

Nonconformance / Supplier Corrective Action Resolution
The system comes with built in templates to capture nonconformances (related to contracts, delivery, quality, invoices, etc.) that can be filled out by any system user and then turned into a supplier corrective action workflow by a supplier (account) manager that will accept and complete the information, share the nonconformance report with the supplier through the supplier community, get additional information back, propose a corrective action, capture supplier acceptance (or rejection, and then restart the process), track progress, and when the issue is resolved, close it out. LUPR has a detailed dashboard to help the Procurement team track nonconformances for fast resolution.

Savings Tracking and Initiative/Pipeline Management
The entry point is the initiative dashboard which is a Kanban type project management dashboard that summarizes projects in each stage (idea, evaluation, validation, execution, finalization, and realization) as well as the total dollar value of all projects in each stage. If the user prefers, she can flip to a tabular view that can be filtered by stage, owner, spend category, SOP category, and other relevant dimensions. Upon drilling into an active initiative, the user can see all of the associated data as well as what has been realized to date in the realization phase.

A new initiative can be created by simply defining a small amount of project data (name, owner, bracketing dates, business unit, etc.), the spend category, and one or more actions that will need to be performed. Actions just need a name, type, associated category, and one or more suppliers or products you are tracking the action against, each of which is associated with a start date, end date, tracking frequency (one time, monthly, quarterly, etc.), and accounting categorization (capex, opex, etc.).

Reporting and Analytics
Most reporting in the system is summarized in dashboards (from which you can drill into the individual reports behind the widget).

Provided the system is integrated with your ERP or spend analysis system, or someone enters the monthly spend or (data necessary to calculate the) savings realized against each initiative, one of the key reports is the savings dashboard that summarizes the initiatives, total anticipated savings, savings targets for the year, target run rate savings by month, targets by owner, targets by status, targets vs actioned, and so on to allow a supplier and/or category manager to get a firm grip on how initiatives are going, where they may not be going as well as projected, and where supplier management may be needed.

Another key report is the category dashboard which tracks on-time delivery, NCRs not resolved within 30 days (or the number of days defined by the organization), average NCR resolution time (by supplier), invoicing errors, spend, identified savings by quarter, and other key metrics filterable by category.

LUPR comes with out-of-the-box reports and dashboards which can be further configured for you upon implementation, or you can build your own.

The system also maintains complete, unalterable, audit trails on every data element in the system which can be queried and reported upon at any time in the reporting module.

Global Search & Chatter
It’s worth pointing out that the platform also supports global search, and will show all results by type (supplier, product/service, projects, reports, dashboards, events, etc.).

It also has built-in, Slack-like communication where the user can communicate with other users, supplier users, or custom groups of users.

Administration
As the platform is built on Salesforce, everything can be customized, and, most importantly, users can be given access rights down to an individual data element if needed. Most of the administration takes place in the object-manager, which allows the user to select any LUPR system object for customization, as appropriate. Within an object, the user can edit the data elements, the allowed value ranges, the display criteria and layout, the access rights, etc.

So if you’re on the market for a Supplier Relationship Management (SRM) solution, and especially if you are a mid-size organization looking for an SRM solution, that’s quick to buy, quicker still to implement (if you already have Salesforce), and a great complement to a modern Sourcing and Procurement solution (as their API can be used to build integrations that pull data in from your ERP/AP [and they already have integrations with SAP and Oracle] and push up-to-date supplier data to your sourcing platform), LUPR is a platform you should check out. As with the new generation of solutions aimed primarily at SME organizations, it starts at a very affordable price point and as it was designed by Procurement consultants with over two decades of experience, you know they will help you configure it to support the supplier management projects and reporting your organization needs.

The Prophet’s 2024 Procurement Prediction Number 10

A “CFA-like” Credential Emerges in Procurement and Supply Chain B+.

The Prophet says that the procurement and supply chain industries, similar to most others, excluding finance, are lacking any certifications/credentials regarded, by those “in the know,” as a superior qualification for a job than even a top degree from a world-class or specialized university, which is totally true.

The Prophet also says that organizations such as CIPS, ISM, SIG, etc., might disagree with this viewpoint, which is also totally true. The Prophet does note that he supports all of these organizations, which the doctor does as well, and that he believes their training materials are highly valuable, which the doctor doesn’t across the board. (the doctor has seen some of their training materials. While some of their training materials provide a very good foundation, some of their training materials are not so good. Most of these organizations are very weak when it comes to analysis, tech-backed processes and practices, government/industry specific compliance requirements, risk management in today’s increasingly fragile global supply chains, etc. But when so many Procurement departments are struggling with the basics, understanding what their role is, and how ethics should enter the equation, we do need these organizations and that is why the doctor supports them while reminding you to do your homework when it comes to training. Use them for their strengths, not their weaknesses.)

The Prophet then suggests that in 2024, credentials will take on new meaning, and the best ones, particularly those challenging to obtain and requiring rigorous exams (which many fail), similar to the CFA in finance, will begin to take on a new significance in Procurement.

the doctor agrees with the principle, but does not agree it will happen this year, or even next year. Why? This will only happen with industry regulation, and that only happens in two situations.

  1. when an industry-led body gains enough support from the majority of professionals in an industry to make it a de-facto requirement in any employer of any size to get a high-level procurement job; no organization yet has that weight, and we’re not going to see the NLPA, SIG, APS, etc. all fold into the ISM, and definitely not into CIPS, which is pseudo-global (as it has made progress in some of the Commonwealth); this means that we’d need to see a new industry initiative that gave all parties representation and allowed them all to contribute to the standard and exam — for this to form, a certification to be adopted, and a test accepted will take years
  2. when a government forces a requirement that can only be met by a certification (and either creates their own or adopts one); governments move slow, and when we have the situation in the US where
    1. the republican focus is on ripping democrats apart for what they didn’t do, rolling back human rights to the fifties, and installing a wannabe dictator as President-for-Life
    2. the democrat focus is on shaming the republicans, selectively protecting the human rights they want, and taking up the former republican war mantle (since Trump just wants to be a dictator, which doesn’t profit the military complex) and doing everything they can to back Ukraine and Israel (including risking World War III with their Middle East bombing of Yemen vs. just destroying every Houthi vessel launched into the water)

    and the situation in the UK where

    1. the conservatives are too busy trying to keep Dishy Rishy from making them the laughing stock of the political world (as he’s so far disconnected from the common person he has no clue)
    2. the liberal (democrats) are too busy trying to counter the conservative support for the global wars and lack of focus on the situation at home by being extra woke (and we know how that fared in America) …
    3. when we look at the NHS mess and postal service mess and their apparent unwillingness to do anything meaningful about it (for longer than should be humanly possible to ignore a crisis), it seems that good procurement is the last thing on their mind

which are the two countries that would need to lead such an effort (as the EU is very focussed on climate change and AI and struggling to hold itself together now with active protests in about a third of its member states on any given day; heck, it’s too focussed on attacking the farmers, already forgetting what happened when Stalin called the Farmers the enemy of the state). (See this article, for example.)

Thus, while such regulation is sorely needed, it’s not likely to happen, if it happens at all, until the later part of the decade (unless, of course, The Prophet and The Public Defender want to once again band together and take up the charge and lead the effort to bring all the necessary parties together).

The Prophet was dead on with three of the primary reasons we need it.

  • GPAs are no longer a measure of academic performance in many universities.
    The Prophet notes that, according to the Yale Daily News, “Yale College’s mean GPA was 3.70 for the 2022-23 academic year, and 78.97 percent of grades given to students were A’s or A-’s,” including the hard sciences and engineering! He also notes that the Michigan State Broad Business School (which includes the Supply Chain and Procurement degree programs) also experiences significant grade inflation, with 80% of students in 3 out of 5 undergraduate classes earning a 4.0. (Source)
    The situation is even worse in China where you don’t even get accepted to some Universities unless you are an A- or better student, and where you are under intense pressure to maintain that A, to the point where a student will drop out (or commit suicide) rather than risk being thrown out for not maintaining it. Now, this would be great except for the fact that As are often contingent on rote memorization and learning to do the work the “state way”, not always with any free thinking whatsoever. (And then graduating ONLY if they think you’ll agree to share what you learn when they allow you to go outside China for that Post-Doc/Professor position).
    The situation is better in Canada [except Quebec], but there are some Universities / Departments that are under great pressure to remain competitive to maintain grant and industry funding, and others where the professors are so overworked that they don’t even bother to confirm that a Master’s student in Engineering can manually calibrate an oscilloscope or a Master’s student in Computer Science can appropriately identify and test for all boundary cases in a simple procedure. (Remember, the doctor has been a Professor, and maintains regular contact with Professors and knows this to be truth.) How could you trust either to validate your equipment or your code? (He couldn’t!) (Regarding Quebec, the current premier is taking Quebec’s status as a nation within a nation and essentially discriminating against anyone who is not French and willing to speak French as a first, and only, language. [See this article, for example.])
  • DEI/affirmative action preferences, which still exist (despite the supreme court ruling and their illegality if they enforce admitting or hiring a less qualified candidate), have removed objective academic criteria in both degree-based programs and industrial training programs. This has resulted in candidates who might only be a D being admitted to programs because of their minority status while non-minority candidates with Bs were excluded.
  • The best talent may no longer be pursuing traditional college or graduate programs. There needs to be an objective means of evaluating hard and learned skills for those who cannot afford or do not wish to invest time in university studies, especially those who have taken industry training programs or annex courses specific to what they need as well as obtained relevant real world experience under a mentor. (There’s a reason there used to be apprenticeships; some learning only happened under the guidance of a mentor.)

The only other reason that needs to be mentioned in the doctor’s view is

  • without a certification, how can you know that any candidate, no matter how experienced and skilled they appear, knows all of the foundations you need them to know? With so many different definitions of sourcing, procurement, and purchasing; so many different thoughts on what an individual should know about analytics, supplier identification, supplier vetting/onboarding/management/development, negotiation, contracting, global trade, logistics, risk identification and management, compliance, finance / finance support, etc., how can we have a solid baseline without a (multi-level) certification program?

It would be great if 2024 is the year that we saw this certification, but while we desperately need it, the doctor believes that, unfortunately, it’s still years away. (But he will challenge The Prophet to step up and make it happen!)

The Prophet’s 2024 Procurement Prediction Number 9

SaaS Management Solutions Start to Eat Services Procurement Tech A+

More specifically “vendor management systems” (VMS) that are all about the billable hour.

As The Prophet asks, what happens when that billable hour becomes an SOW (either to skirt worker classification requirements or because it really is a complex SOW), especially when consultants, managed services or outsourcing providers need to blend and leverage AI, tech, data and other capabilities to deliver an outcome? You get joint SaaS/[IT] Category (management) solutions that become the new new norm of solutions for taking on certain business functions. And they won’t look anything like today’s VMS or SOW solutions, and will, as The Prophet notes, likely be a new generation of today’s SaaS/IT Category solutions which will either blend in more services or merge with / be acquired by new-age MSPs that build the offering around the new tech, and not the old tech.

But what will these solutions look like? Good question (that The Prophet did not answer).

More importantly, as The Prophet notes, this convergence will raise a ton of questions.

  • What metrics do you use to set up ideal outcomes in a blended services/tech/AI/data world?
  • “What” is negotiated (hint: it’s as far from the billable hour or a weekly “team” rate as can be)?
  • How do you capture and validate demand?
  • How do you reduce contract risk (including indemnifying (or not) for IP considerations, given recent AI lawsuits)?
  • How do you benchmark (drumroll please) an outcome?
  • What happens when an outcome becomes continuous, a metered service (like telecom) so to speak?

These answers may or may not dictate what the blended deliverable looks like, as the developments are just as likely, or more likely, to take into account whatever regulations currently exist or get introduced around the services, data, technology, and/or AI utilized. Plus, the smaller players will likely try to build off of whatever is getting traction from the big players but in a more innovative, effective, and cost effective fashion. (Remember, the big players like to charge you way more than a service can be profitably delivered for. Case in point: spend analysis. Large engagements, which usually start with a massive data cleansing effort, require a lot of analysis and reports, and modern solutions will usually get quotes starting in the 7-figure range when there are a number of mid-sized, niche consultancies that can usually do the same work, faster and better, for 250K or less. [Remember, analytics is one of the doctor’s areas of expertise, he knows the vast majority of vendors, and talks with the best regularly. Solutions 10X better than anything a Billion Dollar Suite or ERP will throw your way cost 1/10 of what they did a decade ago — but we’ll save this rant for another day.] The point is, they’ll let the big players create a market around a new offering, and then swoop in with a better, more cost effective, alternative.)

the doctor has to admit this is one area where the answer has not yet revealed itself, one of the few areas where he’s not sure what the first solutions will look like (beyond a blend of current SaaS tools pre-integrated with third-party data feeds, semi-dedicated personnel performing regular tasks, account managers monitoring progress, and consultants doing quarterly checkups and advisory), and how long it will be before new workforce regulations get passed that change how such services can be offered (or how workers must be paid).

It will be an area to watch, and the doctor bets that Andrew Karpie will be watching it closely, so be sure to read anything he writes about it. It will be the first shakeup the VMS industry has had in decades.

Darkbeam: Shining a Light on your Supply Base Cyber Risk

In part 9 of our Source-to-Pay+ series, we talked about the need for cyber risk monitoring and prevention because, in today’s hyper-connected SaaS world, nearly half of an organization’s data breaches originate in the cloud. These risks don’t just come from cyber criminals. Some come from less-than-scrupulous employees and others come from suppliers, even well meaning ones. After all, who cares if the front door is locked when the back door is wide open?

Why do you care about your supplier’s back door? What do cyber-criminals want?

  • money
  • valuable intellectual property
  • exploitable personal data

Where can they get this?

  • account hacking, which is hard, or payment redirection, which is a lot easier
  • your ultra-secure server which is locked down tighter than Fort Knox with everything on it encrypted with 256-bit AES, or the relatively unprotected Google Drive your supplier stores it on (as the file will be open to anyone who can compromise the account)
  • your double encrypted HR database stored in a secure AWS instance or the plain-text Microsoft Word documents stored on the supplier’s sales rep laptop with its unencrypted hard drive and an utter lack of virus protection and internet security software

In other words, if your supplier has:

  • a lot of your money coming its way
  • your intellectual property
  • your executives’ personal data

and their cybersecurity is not as good as yours, you can be sure the cybercriminals are going to be going to, and through, them to get to you.

So you need to know which of your suppliers are at risk, so you can reach out to them and work with them to close the holes and eliminate the risks to them, and you. And for suppliers that you do significant business with (and regularly send million dollar payments), who hold your patented IP (for custom manufactured electronics, etc.), or store your employees’ and/or customers’ HR data, you need to not only assess their vulnerabilities but continuously monitor for threats.

You need a supplier vulnerability assessment and monitoring solution that can identify vulnerabilities, help you communicate those to your supplier, detect improvements, and, most importantly, identify new threats as they emerge that could cost you, or your supplier, significantly.

Darkbeam is one of these solutions. The Darkbeam solution offers both of these capabilities, continuous vulnerability monitoring across your entire supply base (at a very affordable price point that starts at a mere £25,000 a year, which is low-end for any cybersecurity solution) and continuous threat monitoring, and assessment, of critical suppliers in your supply base (which you can add for an incremental cost that can be as low as £10,000 a year for your ten most critical suppliers).

The vulnerability assessment solution monitors:

  • Connections: SSL certificates and associated validations (hosts, IP, TLS, etc.)
  • Privacy: e-mail and cloud servers and configurations and breaches (esp. email addresses)
  • HTTPS: web site configuration, cookies, and port security
  • DNS: DNS record completeness, security, and recent changes
  • Blacklist: domain and email blacklist monitoring
  • Exposure: shared host identification, domain permutation monitoring, favicon, exposed subdomain monitoring, etc.

Cyber-weakness in each of these areas is highly relevant because it could allow hackers and cyber-criminals to exploit your supplier, and you, in ways that include, but are not limited to, the following:

  • an expired SSL certificate could allow a cybercriminal to register a fake certificate that validates a fraudulent facsimile of the actual site
  • exposed email accounts could allow a cybercriminal to masquerade as a supplier representative and change banking details for payment
  • an insecure site configuration could provide a backdoor into your entire network
  • incomplete DNS records could be completed by a cybercriminal and redirect traffic to a fraudulent site
  • if a domain shows up on a blacklist it could prevent email/traffic to/from the domain; and if emails show up on a blacklist, it could indicate compromised emails and/or emails not being received by their intended recipients
  • if a supplier’s website is on a shared host that is used by a lot of other sites (that are insecure), a number of (one-character-off) permutations of the supplier’s domain have been registered, favicons are being replicated, etc. then that is a strong sign the supplier is being targeted by cyber criminals (that could be coming for you, or your customers, through them)
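A sketch of how three of these checks (certificate expiry, DNS records, one-character-off domain permutations) can be run over already-collected supplier facts. This is an added example, not Darkbeam's code or scoring: the supplier domains, dates, TXT records and observed-domain list are constructed, all function names are hypothetical, and "DNS record completeness" is assumed here to mean the presence of SPF and DMARC TXT records.

```python
from datetime import date

# Constructed sample data (not real suppliers): facts a collector has already gathered.
SAMPLE_TODAY = date(2024, 2, 10)
SUPPLIERS = {
    "acme-parts.example": {
        "cert_not_after": date(2024, 3, 1),
        "txt": {
            "acme-parts.example": ["v=spf1 include:_spf.mail.example -all"],
            "_dmarc.acme-parts.example": ["v=DMARC1; p=reject"],
        },
    },
    "boltworks.example": {
        "cert_not_after": date(2024, 1, 15),
        "txt": {"boltworks.example": ["site-verification=constructed"]},
    },
}
# Constructed list of recently observed domain registrations.
OBSERVED_DOMAINS = [
    "acme-part.example", "acme-parts.example",
    "boltw0rks.example", "unrelated.example",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(domain: str, observed: list[str]) -> list[str]:
    """Observed domains exactly one edit away from the supplier's own domain."""
    own = domain.lower().rstrip(".")
    seen = {o.lower().rstrip(".") for o in observed}
    return sorted(o for o in seen if edit_distance(own, o) == 1)


def cert_findings(not_after: date, today: date, warn_days: int = 30) -> list[str]:
    """Flag a certificate that has expired or expires within warn_days."""
    days_left = (not_after - today).days
    if days_left < 0:
        return [f"certificate expired {-days_left} days ago"]
    if days_left <= warn_days:
        return [f"certificate expires in {days_left} days"]
    return []


def dns_findings(domain: str, txt: dict[str, list[str]]) -> list[str]:
    """Assumed completeness check: SPF at the apex, DMARC at _dmarc.<domain>."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in txt.get("_dmarc." + domain, [])
             if r.lower().startswith("v=dmarc1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records")
    if not dmarc:
        findings.append("no DMARC record")
    else:
        tags = {k.strip().lower(): v.strip().lower()
                for k, v in (t.split("=", 1) for t in dmarc[0].split(";") if "=" in t)}
        if tags.get("p") == "none":
            findings.append("DMARC policy is p=none (monitor only)")
    return findings


def assess(suppliers: dict, observed: list[str], today: date) -> dict[str, list[str]]:
    """Per-supplier list of findings to raise in a conversation with that supplier."""
    report = {}
    for domain, facts in suppliers.items():
        findings = cert_findings(facts["cert_not_after"], today)
        findings += dns_findings(domain, facts["txt"])
        findings += [f"lookalike domain observed: {d}"
                     for d in lookalikes(domain, observed)]
        report[domain] = findings
    return report


if __name__ == "__main__":
    for supplier, items in assess(SUPPLIERS, OBSERVED_DOMAINS, SAMPLE_TODAY).items():
        print(supplier, "->", items or ["no findings"])
```

A distance of exactly one misses two-edit lookalikes such as "rn" standing in for "m", so a production monitor would widen the comparison.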

Based on their assessment, they will compute a cyber-risk score (out of 999), the lower the better, and the higher the more concerned you should be (and the sooner you should reach out to your [potential] supplier to have a conversation about what they are doing to increase their cybersecurity, especially if they have, or will have, your IP or personnel data).

The threat monitoring and assessment solution is a service-based solution where the Darkbeam cyber-intelligence team continuously monitors the web and dark web for potential threats, investigates those threats when they are detected, and, if the threats are relevant, sends you a report on which you can take immediate action. That action can include, but is not limited to, involving the proper authorities, which they have experience working with in multiple countries.

They literally monitor dozens of legit security and threat-intelligence sites (where general cyber security firms release warnings of cloud or software insecurity along with known breaches) as well as dozens of dark-web sites where shady characters like to sell, or at least indicate the presence of, IT, Trade and Finance secrets they should not have. On many occasions, they have detected breaches and data theft even before the supplier’s IT team knew about it (and definitely well before you did, if you were ever told).

If an incident or threat is detected, the threat report you receive will outline the issue (e.g. data exposure / breach), the root cause (e.g. system breach, ransomware, etc.), when it was detected, how it was confirmed, and what is currently being done / monitored. It will then outline the perceived severity (e.g. medium due to potential IP leakage, high due to personal data likely being stolen) as well as any potential follow on risks (i.e. personal logins that can compromise other systems). It will summarize the currently known information uncovered by the analysts and the current status (which could be ongoing). And it will provide current recommendations, such as reaching out to the supplier, changing logins and/or locking down your systems, reaching out to various agencies, etc.

All in all, Darkbeam is a great Supply Chain Cybersecurity solution and should be on your consideration list if you don’t have such a solution already. Cyber attacks are coming, and it’s best to be ahead of the issue, rather than behind it.

It Was the Most Wonderful Time of the Year. Could it Be Again?

A couple of months ago we published an article on how ‘Tis the season … to bring an end to seasonality! (And JIT!) because, while consumer shopping may be seasonal, supply chains no longer support seasonality. The pandemic finally broke globally over-stretched supply chains and with the continued issues (lack of ships, due to scrapping; lack of containers, due to trade imbalances; lack of capacity, due to extended shipping times now that the two major canals are not available and ships have to sail around both capes), the situation is not going to be fixed anytime soon.

In the article we noted that if you didn’t want to seasonally stock out, you needed to stop trying to stock seasonally and start planning for sustained stock up over time. Stock at the rate products are normally produced and able to be shipped. And stock to what you forecast.

But don’t stop there. If, even spacing out the orders and shipments, you can’t reasonably stock to demand, or, if the demand may not be high enough to minimize your logistics costs (via full container shipments), then you need to work on demand shaping as well as demand forecasting. Don’t over market / promote / sell a product you’ll have trouble delivering, and don’t maintain a product that isn’t going to optimize your economic order quantity.

Not everyone needs the newest product, or the top of the line product, some just need a product that works, which can be last year’s product, or the mid-line product. If you shape demand properly, through targeted marketing, targeted selling, or proper account management, you can make sure that you can meet all of your demand and keep each product line you should be maintaining profitable. And while we admit demand shaping can be harder than forecasting, sometimes it needs to be done. But it needs a lot of advance planning, so it’s critical that Procurement work hand in hand with Marketing and Sales to help identify the demands it can safely meet, when, and what demand levels are optimal for each product line. But if you integrate your planning, marketing, forecasting, sales, and supply chain planning, then maybe the holiday season will, in 2024, be the most wonderful time of the year.