Category Archives: Risk Management

What SHOULD Procurement Officials Learn from CrowdStrike?

A recent article over on on GovTech titled What Can Procurement Officials Learn from CrowdStrike caught my eye because I wondered if it contained the most important lesson.

The article, which sub-headlined on how CrowdStrike is a useful lesson for officials who draw up government IT contracts, pushing them to ask the question of how future contracts can prepare for any unplanned outages, hit on five important point(s) of modern SaaS / Cloud-powered technology.

  • additional safeguards are needed in IT contracts
  • even with safeguards, there is still the possibility of a cyberattack, so there must be an immediately actionable disaster response and recovery plan (which vendors must be able to live up to)
  • there should be alternate backup/failover options, even if non-preferred, and that can include paper in the worst case (as far as the doctor is concerned, it’s absurd when a store shuts down in broad daylight because they lost power or internet connectivity to the bank — that’s why we have cash and credit card imprint machines)
  • one should consider specifying liquidated damages up front, to prevent long drawn out lawsuits and delayed response time from the third party (who will want to avoid those damages)
  • consider cyber insurance, either on the vendor side or your side

Which is all good advice, but misses the most important point:

NEVER ALLOW A CRITICAL SYSTEM TO BE AUTOMATICALLY UPDATED (en masse)

Now, there’s a reason the military will exactly configure a system designed for single use and LOCK IT DOWN. That’s so it can’t accidentally go down from an unplanned / uncontrolled update when it’s needed most.

For example, there’s no way any update, no matter how minor, should be pushed out to a core airline operations terminal without an administrator monitoring the update (which could be on the vendor side IF the vendor maintains a [virtual] configuration that is the exact same as the customer’s configuration) and ensuring everything works perfectly after the update. And then the updates should be propogated to the rest of the terminals in a staged fashion. (Unless you’re dealing with a critical zero-day exploit that could expose financial or personal information, there’s no need for rapid updates; and even then, there should be techs on standby after that test update is complete just in case something goes wrong and a system has to be immediately rolled back or rebooted.)

Modern operating system installations, like Windows 11, can have up to 100,000,000 (that’s one hundreds million) lines of code and since you never know where the bugs are, there is no such thing as a low-risk update. Any update has the chance of taking down the OS or the application you are updating that is integrated with the OS.

But this is not the only critical lesson to takeaway. The next is:

For critical systems, your provider must maintain backup hot-swap redundant systems!

Once a configuration is confirmed to be bug-fee, it must be propagated to the backup, which must have a backup redundant data store with all transactions replicated in real-time (so that you’d never lose more than a minute or two of updates with an unexpected failure) that can be hot-swapped through a simple IP redirection should something catastrophic happen that takes down the entire primary system. This backup redundant system must have enough power to run all critical core operations (but not necessarily optional ones like reporting, or tasks that only need to be run every two weeks, like payroll, etc.) until the primary system can be brought back online. A catastrophic event like a rolling failure from a security or OS update or cyberattack should be recoverable in minutes simply by re-routing to the failover instance and rebooting all the local machines and/or restarting all the browser sessions.

Those are the lessons. If a system is so critical you cannot operate at all without it, you must have redundancy and a failover plan that can bring you back online with an hour, max.

PaymentWorks: Vendor Onboarding for Payment Assurance!

Founded over a decade ago in 2013, PaymentWorks is still a relatively unknown player in the Source-to-Pay space and the Supplier Management (and more exactly, Supplier Assurance) space in particular. Founded to solve a particular problem in the financial services industry (namely, ensuring the supplier is who they say they are; is not sanctioned, debarred, uninsured, or non-compliant; and the accounts they give you do belong to them), they have found their niche in the mid-market in any services or indirect industry where supplier assurance is key to supplier selection, onboarding, award, and payment.

In the average mid-sized organization, the average Procurement team spends too much time finding vendors, verifying their validity, verifying they aren’t on a prohibited list, onboarding them, maintaining their information, and constantly answering questions from the employee that wants the vendor onboarded, the vendor, and managers on both sides as to where Procurement is in the process. All of this takes time, a lot of time, and, sometimes, so much time that shortcuts need to be taken to meet deadlines and key information is missed, verifications are not done, and, sometimes, fraudulent invoices and payment instructions slip through.

And this doesn’t even consider the data management issues when supplier-related data is stored in the ERP, the procurement platform, the accounts payable platform, the compliance platform, and nothing is ever synched. The data nightmares compound problems, compound risk, and compound loss. Much of it is preventable, with the right data, processes, and verifications.

PaymentWorks was founded to be the digital supplier platform for organizational vendor master data management in a manner that ensured that supplier data was always complete, accurate, and verified before any supplier selection, award, order, or payment was made. And that’s what they’ve built, for the mid-market. And while there are a number of modern onboarding solutions that solve the data management nightmare, there are few that do critical verifications still, fewer still that do bank verifications, and almost none that do indemnifications against ACH fraud risk. (In fact, among the 100+ Supplier Information Management players, the only real competitive technology capability in this aspect is Apex Analytix, but their focus is entirely on the Large Enterprise [and not the mid-market].) And we haven’t even mentioned the fact that they actually understand the vendor side. But we’ll get to that.

The Buying Organization

The PaymentWorks platform sits in front of the ERP (or another back-office system that serves as the back-office system of record if it’s not the ERP), and works by intercepting all data requests (pulls) and data updates (pushes) and ensuring that the data retrieved is authorized and up to date and the data pushes are always verified. It also handles the synchronizations between the ERP and all of the systems that handle supplier data. And, of course, it has a fully fleshed out portal that enables the administrators, the buyers, and the organizational employees who need to interact with the vendor and/or purchase their products or services.

The platform has five main components:

  • Vendor Master
  • Supplier Portal Management
  • Messaging
  • Reporting
  • Payment Process Management

Vendor Master

The platform collects four main categories of information:

  1. Business and Tax Information: contains business name, tax and registry identifiers, and related information — the baseline is common to all client organizations and clients can add additional configurable fields
  2. Addresses and Contact Information: HQ office and primary contacts, common to all client installations, and additional address and contacts as desired by the client
  3. Banking and Payment Information: bank account information, which can be tokenized for security, preferred payment method, and any additional (security) fields the client wants
  4. Additional Compliance Information: any insurance, compliance, diversity, and related information desired by the client, configured on a client by client basis

When a supplier enters this area of the application, they see a dashboard which displays the status of all vendors (along with a visual progress bar) that can be quick filtered on key fields in the side bar. They can select any visual display to drill into a vendor, or search for a vendor to drill into. They can also upload supplier files from the ERP, and this data is used to alert the buyer if the information on a form conflicts with any data in their ERP. The buyer can then choose to reject the form/supplier (if they determine it is a fraudulent submission), override the information in the ERP (if the ERP info is wrong), amend the information (if the ERP information is partially right), add a parent/child relationship (if the supplier is a child organization), or add a new record (and possibly archive or delete the old one). (They can also configure the invoice file processing rules for invoice status files they will be pushing to the platform from the AP system.)

From here, the client can also access, review, pause (for more information), accept, or reject any and all registrations and updates to all vendor information. (Rejection can be final rejection or temporary, returning the registration to the vendor for updated information.) For each vendor, they can access the organizational status of the vendor (onboarding, approved, banned, etc.) at all times as well as the status of all information. They can also quickly jump to associated invoice and payment information tracked by the system (from P2P / AP pushes).

The key aspect of the vendor profile management is the automatic validation of business and banking information and the automatic search against all relevant sanction/debarment lists. In addition, the platform can collect compliance and diversity certificates, appropriate metadata, and configure rules for notification upon impending expiry. Not only are all of these validations automatic, but the platform will immediately inform you if key information is missing or in an invalid format, and if it’s verified or unverifiable (and likely invalid) if in an incorrect format.

A powerful feature of the platform for US clients is that it can auto-generate W-X forms for vendors required by the client organization, and save the vendor a lot of manual effort.

Supplier Portal Management

This is where the administrator can control the optional information collected during the supplier onboarding (core information common to all vendors is always collected and cannot be changed), and buyers can invite new vendors for onboarding, that get their own custom invite link and custom sub-portal. (Yes, sub-portal — each vendor on the PaymentWorks platform has a single portal where they provide the information common to all buyers they interact with, and sub-portals where they specify the custom information requested by each client and interact with that client — more in the vendor section.)

Messaging

This is where the buying organization can communicate with a vendor securely and all messages are logged, secure, searchable, and auditable as they are unalterable once logged.

Reporting

The platform comes with about two dozen built-in reports that can be selected from the reporting screen. These reports include, among others:

  • Uploaded Suppliers Report (which suppliers uploaded from the ERP were found in the existing network)
  • (Vendor) Invitation Approval Audit Report (all invitations and associated status info)
  • Returned Registrations Report (all vendors who have had their submission returned, for what reason, and how many times)
  • Registration Approval Audit Report (all decisions and by who)
  • Vendor Onboarding Report (all records and status)
  • Custom Field Report (custom information collection)
  • Payer User Role (for all users)
  • Delivered Payment Reports (all data from P[ayment]I[nstruction]F[ile]s sent to the bank)
  • etc.

And all can be fully filtered on every reporting dimension. These reports are in addition to (custom) dashboards that can overview information of interest (for the specific client organization) at a glance.

Payment Process Management

The platform, which accepts invoice status and payment record pushes from ERP systems, tracks all invoice and payment statuses, pushes those to the relevant vendors, and allows a buyer to quickly determine the status of an invoice or payment. Once verified, it will also push PIFs to the bank.

The platform supports virtual cards, ACH, accelerated ACH (early payment discounts), and checks and can verify domestic bank accounts accordingly. In addition, as mentioned before, they can tokenize/mask the bank account information and make it so that all the buyers see are the tokens while the actual bank account information is securely stored only on their systems (and capable of being unmasked only by an authorized administrator) to heighten payment security and help the organization prevent internal / collusion fraud. Finally, if the client uses their system with the appropriate security protocols in place (such as tokenization), they will indemnify the client against domestic ACH fraud as they stand behind their verifications and security.

The Vendor Portal

As mentioned above, a really cool feature about the PaymentWorks platform is they get it right and a supplier only has to register on the platform once, only ever has to remember the login for, and access, one portal, and onboarding for a new client is limited to additional non-common information required by that client. But let’s step back a bit.

The first time a brand new supplier is invited by any client of the PaymentWorks platform, they ware walked through the onboarding process in a guided step-by-step manner that asks them questions about their business type, locations, banking, insurance, and diversity information in a manner that ensures they are only asked to provide the appropriate, relevant, information to their business type. (For example, businesses need different information for corporations and for individual / sole proprietorships.) Mandatory and optional fields are clearly delineated, formats clarified, and key identifying information confirmed.

Once they are onboarded by at least one client, they gain full access to their vendor portal where they can see all of their customers, and click into each to see information specific to that customer or complete a registration process or update. They can also see all of the invoice status information provided to them by their customers, all of the remittances made by the customer along with correlation of those remittances to their individual invoices, any messages from their customers, their core profile business & banking information (which they can submit updates to, which will be verified by PaymentWorks before they will be allowed), and any relevant PaymentsWorks news or updates.

Validations

As indicated above, a key capability of the platform is all of the automatic validations designed to ensure all relevant supplier business, compliance, and payment data is valid at all times. These include, but are not limited to:

  • IRS TinCheck (provided tax id matches provided legal name)
  • StreetySmarts USPS address validation (real address that can accept mail)
  • Early Warning System + Proprietary PaymentWorks banking verifications combined (account is owned by the tax id you intend to pay via EWS); for those bank accounts not covered by EWS, the PaymentWorks platform assesses risk and will verify (or not) based on our data.
  • Choice of more than 800 federal and state sanctions lists to continuously monitor, including OFAC, Sam.gov, debarment, etc.

If you want to know whether a specific list is monitored, or can be integrated, or want more details on the integrated lists and verifications, PaymentWorks will be happy to provide this information to you. Simply reach out directly.

Summary

PaymentWorks is a relatively unique Supplier Management offering in the compliance and payment verification space whose only competitor you would have heard of is Apex Analytix (a heavyweight with the price tag to match), and the only platform of its kind designed with a focus on the vastly underserved mid-market in entity verification, banking verification, and vendor compliance. And while we’ve covered a few good providers as of late for vendor diversity / compliance in general in the mid-market, if your organization’s greatest need is verification and compliance around business legitimacy and payments, then PaymentWorks is a vendor that should definitely be on your shortlist. This also holds true if you are a large enterprise with a good supplier management solution in place as part of your Source-to-Pay suite that doesn’t do these compliance verifications, as it can be easily plugged in (since it sits on top of the ERP and can intercept all the relevant traffic) to allow Finance and Risk to do compliant on-boardings and key profile maintenance, and then all of the day to day supplier performance/[other] compliance/risk/development management can be done in your existing solutions.

MeRLIN Sourcing, A Platform With a Twist …

INTRODUCTION

When their founders were young men
they paced the fact’ry floors
from Vellore down to Chennai
they must have walked ’em all
cause they learned all of the problems
that plagued the Procurement side.
Those listen, look, and learn guys
sure made a lean platform.

The founders of MeRLIN, who started Rheinbrucke Consulting in 2013, started developing a stand-alone application for direct source-to-contract (and, for those who need it, source-to-pay) in 2018 using their decades of experience supporting direct manufacturing clients. MeRLIN was then frst released it to the market in 2022, after ensuring it actually solved the problems they were seeing and met the needs of the companies they were working with.

(While some companies might take it as a badge of honour to get a “minimally viable product” to market in a year, the reality is that when it comes to manufacturing enterprises, nothing you can develop in a year will actually solve more than a fraction of their problems, and unless what you deliver can integrate tightly into their existing enterprise software landscape, it won’t be adopted, or even bought. That’s why there are so many offerings in indirect [many of whom will succumb to the marketplace madness] and so few that offer true direct sourcing solutions, and fewer still that offer fully integrated source-to-contract / source-to-pay suites.)

PLATFORM SUMMARY

MeRLIN, which bills itself as a Source-to-Contract platform for Direct Material (primarily Discrete Manufacturing) Sourcing, is actually a Source-to-Pay platform where the Procure-to-Pay platform capabilities are baseline (and wouldn’t go head-to-head with best-in-class) and designed for the mid-market (and large enterprise) clients that don’t have a Procurement solution in place already (either through the ERP, AP, or a third party system). Since most larger enterprises have some form of decent P2P, MeRLIN decided to focus primarily on the critically underserved strategic sourcing marketplace in discrete manufacturing and direct sourcing and the capabilities all of the companies the founders worked with in manufacturing were universally missing.

MeRLIN was designed as a modular solution where

  • a client could license just the modules they wanted/needed,
  • common modules, and capabilities, were broken out into their own modules so their was no duplication of functionality, and
  • key modules could be augmented with additional value-added functionality not typically found in average products.

MeRLIN has all the standard modules you’d expect in a Source-to-Contract:

  • (Program &) BoM Management (Requirement for any Direct Solution)
  • Requisition Management (Intake)
  • Sourcing (Event) Management (Sourcing)
  • Supplier Management (SXM)
  • Contract Management & Contract Authoring (CLM)
  • Reports & Dashboard (Reporting & Analytics)

As well as basics for Procure-to-Pay:

  • Purchase Order Management
  • Invoice & Payment Management

But also has modules for:

  • Demand Management (Consolidation of Requirements from Requisitions, Manufacturing Programs, and MRPs)
  • Category Management (Part/BoM grouping & management)
  • Supply Chain Compliance (GSCA / LkSG)
  • Supply Management (Document & Shipment Management)

and the standard suite foundational modules of:

  • Master Data Management
  • Business Administration
  • Security Management
  • System Management

And even modules for:

  • Strategic Project Management (Project Management/Orchestration)
  • Finance Management (Budgets, Prices)

We’re not going to discuss all the modules and instead focus in on just the core Source-to-Contract modules, as they are the modules that are critical to direct sourcing and the modules that will allow you to understand the value, and potential, MeRLIN has for you.

Supplier Management

Supplier Management is designed to onboard, evaluate, approve, and manage suppliers, including their contacts, surveys, ratings, and documents. Qualification starts with a simple request based on supplier name, country, email, and unique (DUNS) identifier. Based on the supplier category, the next step will be to send the suppliers the qualification surveys and pull in the external risk information, send it to technical and risk reviewers, and if that passes, it will go off to compliance to ensure the supplier can comply with all necessary regulations the company is subject to and then, if that passes, the supplier will get a registration invite to provide all of the additional information necessary to do business with the company as well as details on additional products and services.

Supplier Management captures all of the core company information, locations, accounts, questionnaires, risk information and scores, compliance reviews, scorecards, and approvals. For each of these there are standard fields, and as many additional fields can be added by the customer organization as needed.

Compliance Management

Collects and manages the organizational policies, supplier policy statements, compliance surveys, audits, risks, scorecards, and complaints. It can accept all documents, support custom surveys, import third party data from financial and environmental (and other) risk providers, provide you with compliance scorecards, and automatically extract and centralize all “risks” from the surveys based on scores and/or responses in a risk management view.

Moreover, in full compliance with the German Supply Chain Act (GSCA, known as the LkSG within Germany), MeRLIN provides the buying organization, each of their suppliers, and their entire employee base, a unique portal where they can register complaints. They have upgraded their platform to fully support the GSCA and can also support other supply chain acts as well (and future releases will encode more out-of-the-box support, even though it can already be custom figured on a client-by-client basis to support the majority of acts out there).

Requisition

Requisitions can be used as traditional requisitions for purchase orders against existing contracts for goods and services normally used by the company or as intake requests for sourcing. When they are used as intake requests, they go to a central management screen where the buyer can group them by material, bill of material, and/or category to identify sourcing event requirements and then create a sourcing event off of a bundle of them.

Sourcing

Sourcing is primarily RFX based, but auctions are supported as well off of base RFQs. A sourcing event can be kicked off from one or more requisitions, a category, a BoM, or an event template, which can consist of one or more RFIs, questionnaires, and line-items with custom price breakdowns in the RFQ. Associated with the RFQ can be the suppliers, addendums, budgets, stakeholders, terms and conditions, contract template, event schedule, and ongoing Q&A.

In addition to being able to review bids by total cost per unit and evaluation score (by the relevant stakeholders), the application also supports automatic award recommendation by criteria which can include target award by supplier, range of suppliers to split the award between, minimum and maximum shares, and preferred supplier status.

Contract “Authoring” & Management

The platform is primarily “signature” and “execution” management, as authoring is simply the packing up of contract templates, terms and conditions, specifications, and associated addendums for agreement by electronic signature. The electronic signature capability is compliant with USA regulations and most European regulations for private enterprise contracts. Once the contract is signed, the platform can manage the project timeline, stakeholders, documents, events, milestones, and obligations. In addition, the user can define alerts against any event, milestone, document, obligation or other entity on status change or due date.

Reporting & Dashboards

Reporting and Analysis in MeRLIN is through widget-based dashboards that summarize any data of interest in the system. Right now there are hundreds to select from in the reporting library, with more being added as needed. For each of the built in reports and dashboards (on suppliers, spend, process, etc.), the user can apply multiple filter options and save the configuration to their liking. There is no Do-It-Yourself (DiY) widget report builder yet, but more DiY analytics enhancement is on the roadmap.

Strategic Project Management

This is MeRLIN‘s built in project management capability where a user can define and instantiate RFX templates, supplier onboarding workflows, contracting processes from award specifications, procurement processes, and even entire Source-to-Procure projects which collect all of the necessary templates and workflows together. In addition, leadership is provided with a high level overview of sourcing projects.

Master Data Management

All of the system master data templates can be altered by the user including, but not limited to, currencies and conversions, items, locations, plants, prices, suppliers, contract metadata and milestones, and other key items. The customer can control it’s master data and master data identifiers.

Business Administration

All of the templates in the system can be managed and customized in the business administration section including, but not limited to supplier onboarding, qualification, evaluation, and audit questionnaires, product and item templates, requisitions, RFQs, purchase orders, contract terms, contracts, statements of work, email, and workflow templates.

Bill of Materials Manager

A key aspect of Direct Sourcing is managing the Bill of Materials. In the Merlin platform, that can be done through the BOM Manager, which unlike basic direct sourcing platforms, can maintain as many versions of a Bill Of Materials as the organization wants to maintain (for correlation with historical sourcing and procurement and cost estimates during new product design and/or product modification).

These versions can be uploaded from the ERP (or your PLM of choice with custom integration) or created in the BOM Manager, and this creation can be from scratch or from a previous BoM version which can be copied and modified as needed.

The best part of MeRLIN‘s BOM manager is its built-in ability to allow for easy should-cost analysis during NPD and BOM (re)design. Once a BOM has been uploaded or created, the user can click a button to “cost” and it will automatically find prices for every component in the BOM for which it has a price from a contract (first), catalog/commitment (second), or quote (third). Then, the user can push the remaining items to the Demand Management module for quick quote (or import into the internal catalog from a connected source) or simply create a place holder item (with an estimated cost). They can then return to the BOM Manager and re”cost” the BOM to get a complete cost estimate, which can be compared against the cost of all prior BoM versions (that were costed). This allows the organization to understand the costs associated with BOM changes over time (independent of supplier or distributor pricing changes). Gone are the days where you have to use a completely separate application to do BOM cost estimation.

Finally, the next update to the BOM Manager will allow for the user to enter a cost estimate directly in the BOM manager for materials/parts not yet quoted for even quicker price estimates, and those estimates will be clearly marked as internal estimates only.

Other Capabilities

We’re not going to discuss the procurement modules as they are not MeRLIN‘s focus (but we will assure you that they cover the foundations if you don’t have P2P and need it), demand management as you know what forecasting should do, category management (and category strategy management) as that is rather self explanatory, or finance management, as budget and price management is also straight forward.

The Full Picture

The platform is quite deep in all core areas and one could write pages about each module and its deep capabilities, but hopefully this is enough to convey the facts that

  • the MeRLIN platform was designed from the ground up to support direct and discrete sourcing,
  • has the capability to support these projects from inception to contract signing through the very last order against the award, and
  • goes beyond just raw sourcing capability to related capabilities of supplier risk, compliance, and execution (tracking the order to the delivery and qualification)

CONCLUSION

Given the relative lack of true direct and discrete sourcing platforms in the mid-market, MeRLIN is a platform you should definitely be aware of. If you’re in direct manufacturing, automotive, aerospace, and related industries, you might want to check them out today.


It’s for discrete wizards,
it’s a platform with a twist.
A discrete wizard
needs a tech assist …

The Sourcing Innovation Source-to-Pay+ Mega Map!

Now slightly less useless than every other logo map that clogs your feeds!

1. Every vendor verified to still be operating as of 4 days ago!
Compare that to the maps that often have vendors / solutions that haven’t been in business / operating as a standalone entity in months on the day of release! (Or “best-of” lists that sometimes have vendors that haven’t existed in 4 years! the doctor has seen both — this year!)

2. Every vendor logo is clickable!
the doctor doesn’t know about you, but he finds it incredibly useless when all you get is a strange symbol with no explanation or a font so small that you would need an electron microscope to read it. So, to fix that, every logo is clickable so you can go to the site and at least figure out who the vendor is.

3. Every vendor is mapped to the closest standard category/categories!
Furthermore, every category has the standard definitions used by Sourcing Innovation and Spend Matters!
the doctor can’t make sense of random categories like “specialists” or “collaborative” or “innovative“, despises when maps follow this new age analyst/consultancy award trend and give you labels you just can’t use, and gets red in the face when two very distinct categories (like e-Sourcing and Marketplaces or Expenses and AP are merged into one). Now, the doctor will also readily admit that this means that not all vendors in a category are necessarily comparable on an apples-to-apples basis, but that was never the case anyway as most solutions in a category break down into subcategories and, for example, in Supplier Management (SXM) alone, you have a CORNED QUIP mash of solutions that could be focused on just a small subset of the (at least) ten different (primary) capabilities. (See the link on the sidebar that takes you to a post that indexes 90+ Supplier Management vendors across 10 key capabilities.)

Secure Download the PDF!  (or, use HTTP) [HTML]
(5.3M; Note that the Free Adobe Reader might choke on it; Preview on Mac or a Pro PDF application on Windows will work just fine)