Category Archives: Compliance

Primary ProcureTech Concern: Compliance

Compliance is not something that any organization can shake.

Why?

As per our risk entry on compliance, compliance is a major risk. In any given country there are dozens (and dozens) of regulations that have to be adhered to. They cover all aspects of operations from workforce to production to distribution and all of the environmental and operational and labelling requirements that go with it.

Impact Potential

  • fines that can be serious as a result of violating any regulatory requirement
  • seizure and destruction if a product contains banned substances
  • criminal charges in some jurisdictions, where gross negligence that leads to people being hurt or killed by your product or service is sometimes enough to prosecute

Major Challenges/Risks

  • international organizations are subject to hundreds of regulations and even itemizing what they are can be a near impossible task
  • reporting requirements can be quite onerous and exacting, especially when there are language laws, minimum disclosure laws, precise submission requirements, etc.
  • track and trace requirements that may require every raw material to be tracked and traced back to the source

Final Words

The topic of compliance, the risks resulting from non-compliance, and the barriers that compliance imposes could fill volumes, and has. That’s why compliance will always be a top concern, and why you need experts in the various areas and jurisdictions you need to be compliant in to make sure that you are.

Governance IS the Agent No One is Talking About

Joel is right — The Procurement AI Agent That No One is Talking About is Governance, it’s the agent that is needed the most, and, moreover, it’s one of the few agents, especially among the AI Agents (that include the felon roster), that can actually be implemented predictably and reliably, if you define their role properly.

In Joel’s post, he asks:

What happens AFTER you go live?

  • Users start tweaking workflows without documentation
  • Agents get duplicated as teams grow
  • Logic gets lost when staff turnover happens
  • Nobody remembers why decisions were made

And then tells you the answer:

It’s the same mess we created with ERP and S2P systems!

And then he goes on to say

That’s what we need:

  • Automated workflow documentation
  • Change tracking with rationale capture
  • Duplicate detection and consolidation
  • Impact analysis before modifications
  • Knowledge retention across team changes

And he’s very close here, except what we really, really need (and really, really want) is

  • Impact assessment before initial implementation (as well as modifications),
  • Workflow documentation up-front and not just on changes, and
  • Documentation of every decision made, whether or not it changes the workflow, as well as who made it, and who approved.

In other words, knowledge capture and retention is ongoing, change tracking is also decision tracking, and analysis is continual.

However, when it comes to duplicate detection and consolidation, good luck with that!

While it would be nice to automatically detect (and quash) duplicate agents — if they are acting on API pulls through third party systems, how do you know they exist? When users in multiple departments go rogue, and do their own thing (especially if they are unaware there’s already an agent-based app for that), how do you know? You don’t!

So, instead, what you should really be focused on, especially from a GRC viewpoint, is

  • access tracking and access control: only authorized, validated requests get through to systems and agents, because while you can’t track every agent on your system, approved or felonious, you can ensure access control to data by putting an agent in front of the (open) APIs that have no access control or access tracking, one that intercepts all requests and does both
  • risk assessment: continuously monitor data sources, internal and external, for KRIs and alert the right person when a potential risk situation is detected
  • compliance enforcement: ensure that any company, industry, or government protocols are followed in access control, data collection, decision making, and reporting

Considering that all of this can be accomplished via well-defined workflows, you could build very reliable agents and solve the un-cool problem that everyone needs a solution to. And I think that would be cool. Don’t you want to be someone who’s cool?
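As an added example (not code from Joel’s post or from this blog), here is a Python sketch of the intercepting governance agent described above, combined with the decision-record requirements from the earlier list: every request passes through one gateway that applies an approved rule, records who asked, which rule applied, who approved that rule and why, and raises a KRI alert on repeated denials. The policy table, actor names, system names and alert threshold are constructed assumptions.

```python
"""Governance gateway sketch (constructed example, not a product's code).

One interception point in front of the data APIs: default deny, an
append-only decision log, and a simple KRI (denials per actor) alert.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Request:
    actor: str    # user or agent identity presenting the request
    system: str   # target system, e.g. "erp" or "s2p" (assumed names)
    action: str   # "read" or "write"
    dataset: str  # e.g. "supplier_master" (assumed name)


@dataclass
class Decision:
    timestamp: str
    request: Request
    allowed: bool
    rule_id: Optional[str]      # policy rule that decided it; None = default deny
    approved_by: Optional[str]  # who approved that rule, captured up front
    rationale: str              # why the rule exists, or why it was denied


# Constructed policy table. Approval and rationale are recorded when the
# rule is created, not reconstructed after the fact.
POLICY = {
    ("sourcing-agent", "s2p", "read", "supplier_master"):
        {"rule_id": "R-001", "approved_by": "cpo", "rationale": "supplier discovery workflow"},
    ("ap-bot", "erp", "write", "payment_terms"):
        {"rule_id": "R-002", "approved_by": "cfo", "rationale": "approved AP automation"},
}


class GovernanceGateway:
    def __init__(self, kri_denials_threshold: int = 3):
        self.audit_log = []            # every decision, allowed or not
        self.denials = Counter()       # KRI: denied requests per actor
        self.threshold = kri_denials_threshold
        self.alerts = []               # messages for the risk owner

    def handle(self, req: Request) -> Decision:
        """Intercept one request: look up an approved rule, log the decision."""
        rule = POLICY.get((req.actor, req.system, req.action, req.dataset))
        ts = datetime.now(timezone.utc).isoformat()
        if rule is None:
            decision = Decision(ts, req, False, None, None, "default deny: no approved rule")
            self.denials[req.actor] += 1
            if self.denials[req.actor] >= self.threshold:
                self.alerts.append(
                    f"KRI: {req.actor} denied {self.denials[req.actor]} times")
        else:
            decision = Decision(ts, req, True, rule["rule_id"],
                                rule["approved_by"], rule["rationale"])
        self.audit_log.append(decision)
        return decision

    def unknown_actors(self) -> set:
        """Actors that reached the gateway but have no approved rule at all.
        A rogue or duplicate agent shows up here even if nobody registered it,
        because it still has to come through the interception point."""
        known = {key[0] for key in POLICY}
        return {d.request.actor for d in self.audit_log} - known


if __name__ == "__main__":
    gw = GovernanceGateway()
    gw.handle(Request("sourcing-agent", "s2p", "read", "supplier_master"))
    gw.handle(Request("shadow-agent", "erp", "read", "payment_terms"))
    for d in gw.audit_log:
        print(d.request.actor, d.allowed, d.rule_id, d.approved_by, d.rationale)
    print("unregistered actors seen:", gw.unknown_actors())
```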

Myth-busting 2025 2015 Procurement Predictions and Trends! Part 7

Introduction

In our first instalment, we noted that the ambitious started pumping out 2025 prediction and trend articles in late November / early December, wanting to be ahead of the pack, even though there is rarely much value in these articles. First of all, and we say this with 25 years of experience in this space, the more they proclaim things will change … Secondly, the predictions all revolve around the same topics we’ve been talking about for almost two decades. In fact, if you dug up a Procurement predictions article for 2015, there’s a good chance 9 of the top 10 topic areas would be the same. (And see the links in our first article for two “future” series with about 3 dozen trends that are more or less as relevant now as they were then.)

In our last instalment, we continued our review of the 10 core predictions (and variants) that came out of our initial review of 71 “predictions” and “trends” across the first eight articles we found, in an effort to demonstrate that most of these aren’t ground-shattering, new, or, if they actually are, not going to happen because the more they proclaim things will change …

In this instalment, we’re again continuing to work our way up the list from the bottom to the top and continuing with “Risk & Compliance”.

Risk and Compliance

There were 10 predictions across the eight articles which basically revolved around “risk management strategies” with some sideline focus on the need for “resilience”, “cybersecurity”, and “compliance”. As with almost every “prediction” and “trend” in this series, this is yet another prediction that makes headlines every year, no more important this year than the last, and no more likely to get any more attention until a major event happens that significantly disrupts the organization, a disruption that could have been prevented with better risk management systems and processes. Before we discuss further, as is our custom, we will list the ten predictions.

  • Blockchain
  • Cybersecurity and Data Privacy
  • Cybersecurity in Procurement
  • Compliance
  • Enhanced Risk Management Strategies
  • Expansion of Risk Management Strategies
  • Geopolitical Instability Shapes Risk Management
  • Resilient Supply Chains
  • Risk Management and Resilience will continue to be a Priority
  • Risk Management

Risk has been increasing year over year for over two decades. It should be front and center in every organization, especially given the facts that very few organizations that have been around for any length of time haven’t been impacted to some degree by a disruption event and the chance of an organization of any size not experiencing a disruption in the next year is close to zero. And it does make the top of the charts in the board room, but, unfortunately, it’s still not making the top of the charts in the priorities when it comes to new solution acquisition and new process introduction. In most organizations, it’s just being pushed down to the tactical personnel who execute daily tasks, personnel who may not have enough of a big picture understanding to manage risk properly in their decisions.

However, given the need for resilience in the age of constant supply chain uncertainty and disruption (due to epidemics and pandemics; border closings and sanctions; strikes and port shutdowns; reduced cargo capacity from perfectly good transport ships being junked during COVID; Houthis in the Red Sea and Panamanian droughts; trade wars; reduced or cut-off rare-earth and raw material supply; etc.), risk should be even more prominent and more actively addressed. Leading organizations will double down on resilience and supply assurance strategy and survive the disruptions relatively unscathed, and those who don’t double down on resilience and supply assurance won’t. It’s that simple.

Given that almost 3/4 of organizations were hit with a cyberattack in 2023, which was an all-time high and which was only projected to increase in 2024, cybersecurity concerns should also be at an all-time high, but given that most organizations relegate that to IT, we know it’s not going to get much better in Procurement. It needs to, considering how much organizational finance flows through Procurement, but it won’t change much.

Finally, organizations know they need to comply with regulation, so compliance is always at the edge of the Procurement mindset, but beyond minimal requirements, it never gets much attention, regardless of how much a few analyst firms or vendors try to push it.

What Should Happen? (But Won’t!)

Organizations need to prioritize the acquisition of a Risk360 solution, or the closest thing they can find, implement it, and monitor it regularly to make sure they detect risks that can impact their supply chain or operation as soon as such a risk occurs. Not after the supply has been cut, not after the organization has been locked out of all their organizational systems, not after key customers have failed and orders evaporated, not after signing a contract with a sanctioned party, and so on. Today, every decision made has to be made risk aware. And without a centralized risk management system, that will not happen.

Six down, four to go!

The Prophet’s 2024 Procurement Prediction Number 10

A “CFA-like” Credential Emerges in Procurement and Supply Chain B+.

The Prophet says that the procurement and supply chain industries, similar to most others, excluding finance, are lacking any certification or credential that those “in the know” regard as a superior qualification for a job than even a top degree from a world-class or specialized university, which is totally true.

The Prophet also says that organizations such as CIPS, ISM, SIG, etc., might disagree with this viewpoint, which is also totally true. The Prophet does note that he supports all of these organizations, which the doctor does as well, and that he believes their training materials are highly valuable, which the doctor doesn’t across the board. (the doctor has seen some of their training materials. While some of their training materials provide a very good foundation, some of their training materials are not so good. Most of these organizations are very weak when it comes to analysis, tech-backed processes and practices, government/industry specific compliance requirements, risk management in today’s increasingly fragile global supply chains, etc. But when so many Procurement departments are struggling with the basics, understanding what their role is, and how ethics should enter the equation, we do need these organizations and that is why the doctor supports them while reminding you to do your homework when it comes to training. Use them for their strengths, not their weaknesses.)

The Prophet then suggests that in 2024, credentials will take on new meaning, and the best ones, particularly those challenging to obtain and requiring rigorous exams (which many fail), similar to the CFA in finance, will begin to take on a new significance in Procurement.

the doctor agrees with the principle, but does not agree it will happen this year, or even next year. Why? This will only happen with industry regulation, and that only happens in two situations.

  1. when an industry-led body gains enough support from the majority of professionals in an industry to make it a de-facto requirement in any employer of any size to get a high-level procurement job; no organization yet has that weight, and we’re not going to see the NLPA, SIG, APS, etc. all fold into the ISM, and definitely not into CIPS, which is pseudo-global (as it has made progress in some of the Commonwealth); this means that we’d need to see a new industry initiative that gave all parties representation and allowed them all to contribute to the standard and exam — for this to form, a certification to be adopted, and a test accepted will take years
  2. when a government forces a requirement that can only be met by a certification (and either creates their own or adopts one); governments move slowly, and when we have the situation in the US where
    1. the republican focus is on ripping democrats apart for what they didn’t do, rolling back human rights to the fifties, and installing a wannabe dictator as President-for-Life
    2. the democrat focus is on shaming the republicans, selectively protecting the human rights they want, and taking up the former republican war mantle (since Trump just wants to be a dictator, which doesn’t profit the military complex) and doing everything they can to back Ukraine and Israel (including risking World War III with their Middle East bombing of Yemen vs. just destroying every Houthi vessel launched into the water)

    and the situation in the UK where

    1. the conservatives are too busy trying to keep Dishy Rishy from making them the laughing stock of the political world (as he’s so far disconnected from the common person he has no clue)
    2. the liberal democrats are too busy trying to counter the conservative support for the global wars and lack of focus on the situation at home by being extra woke (and we know how that fared in America) …
    3. when we look at the NHS mess and postal service mess and their apparent unwillingness to do anything meaningful about it (for longer than should be humanly possible to ignore a crisis), it seems that good procurement is the last thing on their mind

which are the two countries that would need to lead such an effort (as the EU is very focussed on climate change and AI and struggling to hold itself together now with active protests in about a third of its member states on any given day; heck, it’s too focussed on attacking the farmers, already forgetting what happened when Stalin called the farmers the enemy of the state. See this article, for example).

Thus, while such regulation is sorely needed, it’s not likely to happen, if it happens at all, until the later part of the decade (unless, of course, The Prophet and The Public Defender want to once again band together and take up the charge and lead the effort to bring all the necessary parties together).

The Prophet was dead on with three of the primary reasons we need it.

  • GPAs are no longer a measure of academic performance in many universities.
    The Prophet notes that, according to the Yale Daily News, “Yale College’s mean GPA was 3.70 for the 2022-23 academic year, and 78.97 percent of grades given to students were A’s or A-’s,” including the hard sciences and engineering! He also notes that the Michigan State Broad Business School (which includes the Supply Chain and Procurement degree programs) also experiences significant grade inflation, with 80% of students in 3 out of 5 undergraduate classes earning a 4.0. (Source)
    The situation is even worse in China where you don’t even get accepted to some Universities unless you are an A- or better student, and where you are under intense pressure to maintain that A, to the point where a student will drop out (or commit suicide) rather than risk being thrown out for not maintaining it. Now, this would be great except for the fact that As are often contingent on rote memorization and learning to do the work the “state way”, not always with any free thinking whatsoever. (And then graduating ONLY if they think you’ll agree to share what you learn when they allow you to go outside China for that Post-Doc/Professor position).
    The situation is better in Canada [except Quebec], but there are some Universities / Departments that are under great pressure to remain competitive to maintain grant and industry funding, and others where the professors are so overworked that they don’t even bother to confirm that a Master’s student in Engineering can manually calibrate an oscilloscope or a Master’s student in Computer Science can appropriately identify and test for all boundary cases in a simple procedure. (Remember, the doctor has been a Professor, and maintains regular contact with Professors and knows this to be truth.) How could you trust either to validate your equipment or your code? (He couldn’t!) (Regarding Quebec, the current premier is taking Quebec’s status as a nation within a nation and essentially discriminating against anyone who is not French and willing to speak French as a first, and only, language. [See this article, for example.])
  • DEI/affirmative action preferences, which still exist (despite the supreme court ruling and their illegality if they enforce admitting or hiring a less qualified candidate), have removed objective academic criteria in both degree-based programs and industrial training programs. This has resulted in candidates who might only be a D being admitted to programs because of their minority status while non-minority candidates with Bs were excluded.
  • The best talent may no longer be pursuing traditional college or graduate programs. There needs to be an objective means of evaluating hard and learned skills for those who cannot afford or do not wish to invest time in university studies, especially those who have taken industry training programs or annex courses specific to what they need as well as obtained relevant real world experience under a mentor. (There’s a reason there used to be apprenticeships; some learning only happened under the guidance of a mentor.)

The only other reason that needs to be mentioned in the doctor’s view is

  • without a certification, how can you know that any candidate, no matter how experienced and skilled they appear, knows all of the foundations you need them to know? With so many different definitions of sourcing, procurement, and purchasing; so many different thoughts on what an individual should know about analytics, supplier identification, supplier vetting/onboarding/management/development, negotiation, contracting, global trade, logistics, risk identification and management, compliance, finance / finance support, etc., how can we have a solid baseline without a (multi-level) certification program?

It would be great if 2024 is the year that we saw this certification, but while we desperately need it, the doctor believes that, unfortunately, it’s still years away. (But he will challenge The Prophet to step up and make it happen!)

An Introduction to TPCM: Third Party Compliance Management

TPRM: Third Party Risk Management is Big. Really Big. In fact, as evidenced by recent investments over the past year (Spectrum’s 200M investment in RapidRatings in 2022, Vista Partners acquisition of Resilinc, and now the 1.2B acquisition of Exiger by Carlyle and Insight), it’s HUGE. Actually HUGE! (Not Trump huge. In fact, the exact opposite. 😉 )

Why? The pandemic finally caused the space to wake up and realize not only how significant long-term disruptions are, but how much risk has been embedded in over-extended global supply chains over the last thirty-plus years (thanks to the global sourcing craze started by the Big X and Mid-Sized Consultancies that chimed in during the 90s as a method of “cost savings”, which really just resulted in “spend transference” to big consultancy pockets and the buildup of risk, and risk related debts, in the supply chain that, just like technical debt, always comes due someday). Big corporations have finally realized they need to manage that risk, or at least maintain constant visibility into it, if they want to get the supply they need to just stay in business. (At the end of the day, “cost savings” don’t matter if you don’t actually stay in business, which is what happens when you don’t receive any products to sell. So you need to assure supply first, and then avoid unnecessary cost second — especially since there is no real “savings”, just cost avoidance with improved processes, designs, networks, management, etc.)

As a result, these companies, who were mostly clueless about the risks (sometimes by choice), needed solutions now to at least get insight into the risks so they could plan mitigations, or at least take action when something happened. Since their traditional enterprise / manufacturing resource management, supply chain, source-to-pay, or back-office systems didn’t give them the insight they needed, they finally started to turn to TPRM (and in some cases, broader SCRM – Supply Chain Risk Management) systems in a big way.

And that’s great. Until it isn’t. As a result of all of the supply chain failures and the impending disasters they created across supply chains, not just health and defense, governments have started taking action and introducing a lot more regulatory compliance into the mix. This is at the same time they are waking up to the wild west of technology and introducing a lot more regulation into the mix around personal data and use of AI. And with fraud and money laundering seemingly increasing without end, there’s a lot more regulation around partner due diligence. And then there is the reality that the world is heating up (whether you believe in climate change or not), that this heating up is contributing to an extremely substantial increase in natural disasters, that temperature is correlated with carbon and greenhouse gasses (GHG) in the atmosphere, that we are currently producing a lot of carbon and GHG as a species, and while we may not have been entirely responsible for getting here (as there are other factors that cause temperature to naturally rise and fall on a planetary scale — although the changes we’ve seen in the last few decades have historically taken centuries or millennia looking at the geological record), we need to do everything we can to not make it worse (or risk natural disasters on a scale that have not been seen for millennia, and that have sometimes even led to extinction level events in the past). In response to this, countries are making commitments to the Conference of the Parties of the UNFCCC and instituting legislation limiting the carbon you can create (without fines or fees to offset that, presumably fines or fees that will be invested in greener energy options, but we have to admit many governments haven’t thought that far ahead) and the amount of other pollutants you can pump out.

In other words, not only do companies have to worry about more risks than they are aware of, they also have to deal with more regulations than they can easily keep track of (and, when they’re not on the ball, they don’t find out about them until they get a fine) — as well as dedicate way more time than they should gathering the required information for, and filling out, the appropriate reports and filings.

Moreover, and this shouldn’t surprise you, the vast majority of TPRM (and even SCRM-TPRM) systems don’t help with this at all. While they can be configured to detect issues that may represent potential violations, they generally don’t collect the reporting data that is required and typically don’t provide the detailed trickle-down visibility that is needed to verify that key requirements — such as personal data protection, no forced labour, etc. — are truly adhered to throughout the chain.

That’s why many big multi-national organizations, especially those that collect and process personal data, do a lot of global importing or exporting, or deal with extended supply chains and have to comply with extensive privacy regulations AND data protection laws in the finance sector, have to comply with hundreds of sanctions and denied party lists globally (as well as ensure there are no connected beneficial entities on those lists), and/or need visibility down to the source on human rights, need a solution that understands the regulations they are subject to, encodes the data they need to collect and the violations (special types of risk) they need to monitor for, and helps them produce the reports and regulatory filings they need to make.

And the only system that can do this is a Third Party Compliance Management solution, which has some commonality with a Third Party Risk Management solution, but also a lot of differentiation as well. Most organizations won’t know they need such a solution, as they won’t even know that such a solution exists (as there’s not many solutions and not much buzz about them … yet). Hopefully this post will change all that. Even though the solutions are two sides of the same coin, the sides haven’t met yet, and until they do, which could be years (and years and years) away (because no one has really thought about the hard center yet), for many companies, what they really need is a TPCM solution.