Category Archives: Risk Management

Dangerous Procurement Predictions Part II

As per our first post, if you read my predictions post, you know SI hates predictions posts. It fully despises them because the vast majority of these posts are pure optimistic fantasy and help no one. Why are the posts like this? Because no one wants to hear the sobering reality off of the bat in the new year and the influencers care more about clicks than actually helping you.

But the predictions are not only bad, they’re dangerous. And to make sure you don’t fall for them and make bad decision based on them, we’re going to tackle some of the most dangerous predictions, which include predictions that look innocuous at first glance (like the last prediction on how a big legacy suite will go out of business) but hide the dangerous consequences of what will actually happen if a big suite finds itself in big trouble. Today we tackle the next four, and you can be sure this won’t be the last post in our series. Feeds are still being flooded with prediction posts, and I’m done ignoring the insanity.

4. The jobs market will be tough for the first half of the year, but will start to pick up in Q3 and Q4.

The job market is tied to the economy, and everyone predicts the job market will rebound when the economy picks up. But here’s the thing. Even when the economy picks back up, the job market never does quite as well as the last time. And the economy isn’t going to magically improve half-way through the year. This is the exact same thing we’ve been told the last two years, and it hasn’t happened.

First off, most of the first world economies around the world are flat, borderline recession, or in recession. Secondly, the only thing propping the US economy up right now is AI, and the money circles keeping it afloat as all the AI, Hardware, and Software companies keep moving the same money around investing in each other to keep each other afloat. If the bubble bursts, the US is in trouble, and the economy will quickly flush itself down the toilet. And the job market will go with it.

Considering only the big tech giants who have been hoarding cash for the last few years are in good shape, and everyone else is trying to conserve cash to survive not only the current market but a potential recession, the last thing they are going to do is hire unless absolutely necessary to fill a critical role as a result of a departure. Remember, they’ve spent the last two years using AI as an excuse to lay people off and are always looking for the next excuse to lay people off, not hire them!

Jobs will continue to be super scarce, and only the best will have a chance to land one.

5. We’re in the early stages of a broader pushback (against unnecessary upgrades or technology investments).

A few companies smartening up and saying no to forced big provider upgrades, eight (8) figure consultancy projects, and big Gen-AI investments is not pushback. There have always been a few leaders who have broken away from the pack, did the math, and made the right decisions, but the pack is still charging ahead on Gen-AI. Every big software shop except IBM (who hired a CEO who can actually do math) has invested heavily in Gen-AI, which still loses four dollars for every dollar of revenue, despite any hopes of a real return in the near future and a 94% failure rate.

Let’s face reality. I warned this space about The Vendor In Black nineteen years ago and how he always Comes Back sixteen years ago, no one took heed then, and no one is taking heed now. The business model of the enterprise software space, which has not changed for the two decades I’ve been covering it, is to solve the problem created by the old sh!t by selling the customers the new sh!t that comes with new problems so they can sell even newer sh!t in three years to fix those (and so on). Same old story. Only the vendor names change.

6. We Won’t Buy Things; We’ll Orchestrate Ecosystems.

This prediction likely came straight from the A.S.S.H.O.L.E. and anyone who repeats it should be ashamed of themselves. There are no AI Employees. Claims to the contrary are false and anyone making those demeaning and degrading claims is simply dehumanizing you. And, as we have clearly explained, you definitely don’t want agentic buying because it will happily spend your money not only on stuff you don’t need but stuff that doesn’t exist and, if you’re super unlikely, stuff that is highly illegal. You need wood, it will buy up all the Minecraft wood because it’s cheap and call your problem solved. And that’s if you’re lucky. If you’re not, it will fulfill your resin need with an illegal purchase of hash (the drug) on the dark web (which is labelled resin so the poster can claim they never advertised an illegal drug). And so on.

Plus, as we have already noted, most of today’s “orchestration” platforms in Source-to-Pay are really ORCestration platforms and can barely connect a handful of major Source-to-Pay offerings. They’re nothing close to what is needed to orchestrate ecosystems.

7. Boards will Zero in on Supply Chain Security and Supplier Risk shifts from quarterly PowerPoints to continuous “signalops”.

Just like they won’t invest more in cybersecurity, they won’t invest more in supply chain security until they lose a shipment in the tens of millions. After all, they’ve got supply chain insurance, why should they care? Especially since their current security measures have been sufficient up until now.

But here’s the thing. When the economy goes down, jobs go down. And then two things happen. People get desperate and turn to crime. And criminals, when their investments in drugs, alcohol, gambling, prostitution, and other quasi-legal through illegal activities start losing money because unemployed people run out of money to spend on their vices, these criminals get desperate too — and high value theft becomes more attractive. A temporarily unguarded truck here. A container there. An entire warehouse. And so on.

If it’s critical raw materials they can move (like rare earths), in-demand finished electronics they can sell (like iPhones, where a single container will contain at least 20M worth), military equipment or weapon (component)s that are now in demand globally, they’ll take bigger and bigger chances, especially if there are weaknesses in security. It’s not just cyber attacks that are going to increase, it’s physical attacks, supply chains aren’t ready, and companies won’t even stop preparing them until they lose tens of millions, don’t recover it all through insurance, and risk losing their insurance entirely. No one likes the math of risk prevention because, when it works, you don’t see the return. Even though it’s so much cheaper than insurance! And that’s why, in the majority of organizations, nothing will change.

Dangerous Procurement Predictions Part I

If you read my predictions post, you know SI hates predictions posts. It fully despises them because the vast majority of these posts are pure optimistic fantasy and help no one. Why are the posts like this? Because no one wants to hear the sobering reality off of the bat in the new year and the influencers care more about clicks than actually helping you.

But given how dangerous and costly the hopeful fantasy has become, not only did SI swallow its disgust and give you a realistic predictions post, but it’s going to collect and lay bare the most dangerous of the predictions that, even if seemingly innocuous, will lead you astray if you believe them. And now some of the influencers and LinkedIn aficionados are taking up the claims, and the charge, but like many other claims, they are overstated.

Today we tackle the first three, but you can expect this to be the first of many posts as dangerous prediction posts flood your feeds for the rest of the month.

1. The “Great Convergence” Accelerates

The claims of of the ORChestration providers is that all roads lead to them, the convergence will accelerate, and you won’t have to worry about what you need because, as long as you have orchestration, you’ll have it all!

For example, if you want to use the largest orchestration provider in S2P, your are limited to the platforms they have already integrated. The same goes for the second or third largest. Plus, if the providers you want to integrate aren’t reasonably sized Source to Pay providers, good luck expecting the workflow to support them appropriately.

Moreover, they were built to minimally support the existing solutions, not emerging solutions in the Source to Pay and extended Supply Chain Marketplace. In other words, the convergence will continue at a snails pace, but it will never be great!

2. “X” Finally Gets Modern Attention

It doesn’t matter what X is — if X has been needed, but ignored, for the last ten years, it’s NOT going to all of a sudden be addressed this year. For whatever reason, it will continue to be ignored.

Example #1, Cybersecurity.

As per my recent post on breaking down the risks: IP / cyberattacks, the risk of cyberattacks has been high since 2014, a year when 71% of organizations were affected by a successful cyberattack! Ten years later, 70% of small to medium sized businesses are still getting hit by cyberattacks. (Which means that if it was going to get major attention, shouldn’t 2014 have been the year?!?)

Nothing has changed — the reason? Cybersecurity is seen as a cost, not a return. So, when a successful attack results in significant losses, organizations spend on improved cybersecurity, and ignore it until the next significant successful attack hits, and that is the only time they will spend for new systems across the board, and that’s it. That’s why cybersecurity, inside and outside the organization, won’t get any more attention this year than last year.

Example #2, Risk Management.

There’s a big reason it’s been the exact same risks in the state of procurement studies and reports for at least the last five, if not the last ten, years. It’s because, despite the fact that risks keep increasing, no one ever does anything about it … there’s no additional investment in risk management software. Why? Again, it’s seen as a cost and not an investment. And when you’re already paying for insurance, why pay for what, at best, seems like more?

Even though the cost of insurance will soon be unaffordable given that natural disaster and fraud losses are going through the roof, if you can even get insurance at all, risk management solutions are still being ignored by every organization that hasn’t suffered a major loss as a result of a risk-related event. (And who knows if insurance will cover AI losses when AI escapes the vending machine? It’s a question you should definitely be asking!)

Example #3, Direct.

That’s supply chain, right? Right?

Wrong! But that’s the view that the vast majority of Source-to-Pay providers have taken since the beginning. Sure a few big suites picked up a few smaller players that specialized in direct sourcing, but that’s about it from the big players. And there are a few startups here and there, but they’re all overlooked, underfunded, and not getting any traction.

Because it’s hard. Damn hard. And the majority of S2P players don’t want hard. They want easy. They built easy. They sell easy. And that’s all they want to do. (And, often, all they can do!)

We could continue, but you get the point.

3. One of the big legacy S2P suites will go out of business.

This is a prediction straight from the genius of Gary Wright. Only a Dream Weaver would predict this! This has happened exactly once since our space began in the late 1990s, and it wasn’t exactly going out of business, it was a big acquirer deciding the space wasn’t profitable enough and shutting the vendor down. Specifically, it was IBM shutting down Emptoris and shunting all the customers to SAP Ariba in 2017.

Every big provider in this space is controlled by PE who have poured tens, hundreds, or thousands of millions (that’s billions) into the firm. If it starts losing money, and if they think they can’t turn it around, rather than shutting it down, they’ll flip it to another firm at a loss (to recover some investment) who will pick up some fire sale acquisitions, integrate them, update the UX, install a whole new management team, fluff it up, rebrand it, and bring it out with a whole new spin. Like ERPs, Suites never die. Even if they’re twenty years behind the times.

So if a new big player hits the scene, check under the covers, do a bit of research, and dig up those skeletons. PE knows how to make everything old new again, but tech is not like fashion, and you don’t want two decades old SaaS, as that’s just the same old sh!t.

Breaking Down the Risks: Corruption/Fraud

Since we have had corporations, we have had corruption. This is another risk that’s not going away. Plus, fraud is rising rapidly!

Expounding the Pounding

There’s a huge amount of potential corruption and fraud that you need to worry about. It’s not something that anyone wants to talk about but it is something that needs to be talked about a lot more than it is considering that global corporate losses to fraud were estimated at 5 Trillion in 2024, or about 5% of global revenue! Fraud, for now, is the only risk more costly than natural and climate disasters.

When it comes to corruption and fraud, there are three places it can come from: inside (corruption), outside (fraud), and, the hardest to detect, internal and external partnerships (collusion).

Internally, you need to worry about situations like the following:

  • disguised procurements to bypass processes (such as split purchases)
  • false evaluations / awards
  • false expense claims

Externally, you need to worry about situations like:

  • supplier impersonation / false supplier
  • partial delivery (but full invoice)
  • bid rigging and collusion

And when you have parties on the inside and outside collaborating, you might get:

  • conflicts of interest
  • credit card / p-card fraud
  • kickbacks and bribery

And, we’re sad to say, this is just scratching the surface. The reality is that there are at least 15 major types of fraud you need to worry about in Procurement, and some are pretty hard to catch. Properly documenting these and the proper steps you can take to minimize your chances of falling victim isn’t an article, it’s a white paper. I know, I wrote an unpublished one a year ago. But we will give you a few tidbits to get you thinking in the right directions.

Reducing the Risk

In order to truly minimize the risks and reduce your fraud losses to minimal, vs the more-or-less industry average of 5% of revenue, you need to take a lot of precautions. Some of the most important ones are:

TP(C/R)M:Third Party Compliance/Relationship Management and Vetting
You need to ensure that all suppliers, carriers, and other third parties you plan to do business with are real, legitimate, vetted entities and that you have also vetted their owners/directors and vetted with the owners/directors the people you are signing the contracts with and accepting payment instructions from are employees.

CyberSecurity & CyberTracking
You need to install and maintain state of the art cybersecurity and cybetracking and make sure the source of every electronic communication is traced back to its source and the originating domain ALWAYS confirmed. Very smart cybercriminals can not only mask from and reply to fields on emails requesting a change in payment details, but they will register / hack and steal domains that are extremely similar to the company being impersonated. If the company is McDonalds.com, then, guess what, they will acquire (control of) MacDonalds.com and a quick scan of the email headers might be enough to convince even a moderately astute individual the request is genuine.

e-Procurement/Invoice-to-Pay/Accounts Payable
With mandatory minimum 3-way match before ANY payment is approved – NO EXCEPTIONS. The purchase order must match the goods receipt which must match the invoice.

There’s more that must be done, but this is where you start. It will prevent a lot of the common and easily prevented fraud.

Breaking Down the Risks: Regulatory compliance issues

There will always be a need to comply with local laws and regulations. Always. So let’s get to it.

Expounding the Pounding

Regulations abound (especially in Europe), and the products/services you sell and buy need to conform to all of them. These regulations relate to the materials, production methods, human resources, carbon and waste production, storage and transport, packaging, and even labelling.

And the severity of non-compliance can be severe. For each violation, your punishment for violations can range from fines to seizure to criminal charges! Even for the most innocuous aspect of product management: labelling. If the labels are incomplete, you can be fined. If the labels are not in the required language, your products can be seized and held indefinitely or destroyed. And if the labels are intentionally inaccurate, because you are trying to skirt regulatory requirements by not reformulating your production to exclude banned materials or meet the maximums for potentially dangerous materials, you can be criminally charged.

Moreover, regulations and requirements can be different in every single country you source from, ship through, and ship to and your organization needs to be aware of all of them so a “gotcha” doesn’t put your organization in a difficult situation without supply but with regulators breathing down your neck and threatening large fines, product destruction, and/or criminal charges.

Reducing the Risk

There’s no easy, or even, complete answer here, but what you need to build is:

Compliance 360.

You need a solution that

  1. tracks all of the relevant human resources, health & safety, production/(hazardous) material utilization, carbon/GHG production, packaging, labelling, and transport regulations for each country you build in, ship through, and sell in that can also
  2. match that regulation to each product/component/material you buy so that you can ensure that your supplier, carrier, or risk management department is aware of, and conforms to, the regulations as appropriate

This is much easier said than done. This requires

  1. providers who track the appropriate regulations in each country and how they translate into specific requirements that companies need to meet
  2. the capability to merge all of this regulatory insight into a common framework
    (often through a specialized platform)
  3. the capability to match these regulatory requirements to specific products … and this requires a system that maintains complete harmonized product (and product related) information from design and manufacturing through packaging and labelling to transport and storage along with countries of production/transport/sales to match to the regulations. Guess what? Unless you’ve harmonized all of this data into a common, integrated data model for multi-level planning (as you would if you integrated direct sourcing with supply chain and logistics, as per the series the doctor and Bob Ferrari did on why Direct Sourcing needs to be integrated with Supply Chain, summarized in Part 7), your chances of matching requirements to products are quite low. Not good!

This is one of the most extensive, and most involved risks, because there can be dozens to hundreds of requirements you need to adhere to in each region in which you do business, depending on the product (line) in question, but it is one you need to get a good grip on or supply assurance is going to become significantly harder as time goes on.

Breaking Down the Risks: Supply shortages/constraints / Competitive alternatives

Supply will never be assured. You have to be ready for that! Let’s again begin by expounding the pounding and then give a few tips on reducing the risks.

Expounding the Pounding

In some ways, this is one of the key risks contributing to the rising cost/spend pressure risk that we discussed in our last article, because even if an organization doesn’t see it, their tier 1 (and tier 2) suppliers will!

However, it is definitely its own category as there might be a surplus of supply, but current constraints make it inaccessible. For example, in the rare earths category in particular, the majority of global supply might be from one or two countries. If those countries become inaccessible due to a sanction, border closing due to a war or geopolitical unrest, or a logistics (cost) nightmare, then you effectively have a shortage even if there are theoretically stockpiles in a warehouse waiting for someone.

Plus, you don’t just have constraints around production, you have them around logistics (how many pallets can fit in the truck, how many pallets in the container, how many containers you can have on the ship, etc.), intermediate storage, export and import (as there are quotas and limits and passing those can be costly), and so on. All of these constraints can impact your supply and cause chaos.

Reducing the Risk

The two generic answer(s) here are the same as two of the answers to the risk of rising costs in our last post. You need to ensure that you always have

  1. Alternate Supply Sources Always Active
  2. Alternative Product/Component/Material Pre-Defined

That’s it. If supply is not available from supplier A, you need to have a supplier B on retainer (low minimum contract) ready to go. If there is all of a sudden no significant source for a material (due to a disaster, border closing, or trade route interruption), then you need to have an alternate design that can use an alternate material and switch production.