Category Archives: Risk Management

Energy Buying Is Definitely Not For Those Looking for a Quiet — or Easy — Life

A recent article over on the CPO Agenda on how “energy buying is not for those looking for a quiet life” made some great points. As the article notes:

  • there is continuing political unrest in many oil-producing nations (and 20%+ of available oil goes to international shipping alone [Source])
  • the recent Japanese disaster has cause a renewed apprehension to nuclear energy production (and Germany is going to decommission its nuclear plants that supply 25% of the country’s electricity)
  • in most countries, renewable sources still account for less than 5% of electricity production
  • demand for fossil fuels is still rising, and the rapid rise of China and India which, combined, hold over 1/3 of the planet’s population combined, isn’t helping

Plus:

  • significantly increasing energy production from renewable sources, while now a technical feasibility, will cost many (many) Trillions of dollars which have to come from somewhere (as a side note, 2010 saw a record level of investment of over 240 Billion — but we probably need at least 10 times that for a rapid increase in the production of renewable power)
  • deregulated energy markets, which will soon account for a majority of state markets in the US, allow money grubbing financial types to play hedge games (and we know what eventually happens to hedge markets when Wall Street types get involved)

And:

  • energy cost models can be complex: costs of generation, transmission, storage, distribution over third party networks, and taxation, each with their own cost models, need to be taken into account

All-in-all, you are dealing with a very complex, and very volatile, commodity whose price performance can be almost impossible to predict even in the short term. And even if you manage to lock in a mid-term contract at great rates, what happens if prices spike and your provider goes bankrupt because it predicted downward performance and signed too many deals at the start of what was actually an upward trend? Or if you decide to generate your own electricity and your fuel supplier all of a sudden stops delivering? There will be sleepless nights. Unless you thrive on them, beware of energy buying. It’s not for the faint of heart.

Risk Detection Can Not Be Automated

No matter how many impressive white papers, including this recent one on Uncovering Surprising Supplier Behaviours Creating Organizational Risk by Atlantic Software Technologies, Inc. (an IBM Software Value Plus Business Partner). This white-paper recommends automation of inbound data classification to expedite throughput because automation of this function enables the organization to redeploy up to 40 percent of staff while increasing processing throughput as much as threefold. This is important because one cannot assess the true business value of a supplier relationship unless one understands his or her own personal relationship with the supplier. And, in order to really get a handle on the quality of the relationship, an organization has to
be able to collect and analyze data points from the multiple impact points throughout [its] supply chain, both internally and externally, not just the ones that are easily visible and retrievable
.

This is true. And, as the paper points out, if one does not understand the nature and quality of the relationship, one may never know that:

  • a supplier delay, just communicated to one of your employees, will impact multiple customers,
  • new international suppliers are being tapped to avoid single-sourcing risks, which might be causing quality risks, or
  • foreign nationals are handling sensitive information prohibited by export control laws (and this last risk could put an officer of the company behind bars).

But automating the processing and classification of unstructured data is not going to reduce risk. In reality, it’s going to increase risk. In a nutshell, here’s why.

Let’s say that external testing found lead paint on a children’s toy. If you’ve identified “lead paint” as a risk and set up a rule that alerts someone in Quality Control that a review is required, then you might feel you’ve mitigated the risk, as the document will come in, be sent to quality control, see that lead levels are present and well beyond tolerance, and tell Procurement to refuse the shipment. Problem solved. Right? Wrong!

What happens if the test was performed by an individual who speaks English as a second language, who trusts that all misspellings will be handled by Microsoft Word, and who mistypes “lead paint” as “led pant” in the report. Both are legal English words, and if you turn grammar checking off, Microsoft Word will not complain. Is the automated classifier going to catch this? Not likely. While you may remember to program in one or two misspellings, like “led paint”, or an abbreviation, like “ld pnt”, you are not going to come up with every possible misspelling, and you’re not going to want to because, if you include too many, you’ll get a lot of false positives (and misclassifications). If this is a product where tolerance is 0, and the test results are not acted on in time, not only could you be stuck with a multi-million dollar inventory that can’t be sold, but if a product makes it onto shelves, gets bought, and someone gets sick, that’s a lawsuit that could cost more than what it cost to develop and manufacture the first batch of products.

Now, there’s nothing wrong with deploying such technology to scan documents to look for documents of interest that should be reviewed, but it should not be the foundation of any risk management strategy. Good risk management entails identifying relevant risks and having a mechanism for anyone to report when a risk of interest may be materializing. Then someone knowledgeable about the risk reviews the situation and makes the call.

Food Costs are Still Spiking – Are You Ready for the Risks?

As per this recent FAO Food Price Index, food prices have surpassed the 2008 highs, and there is no end in sight.

Right now, the world is on the verge of riots around the globe, and this includes developed countries like Japan (where food riot fears [are] on the rise [wealthwire.com]). The riots in Tunisia and Algeria in January and Mogadishu from earlier this month are just a start. Over half of the world lives on US $2.50 a day or less. The lucky ones can barely afford to eat as it is. If food prices keep rising, they won’t be able to. Talk about political risk. We’ve even seen riots in England and Canada this year … imagine what will happen if a significant number of poor people in the developed world can no longer afford to keep a roof over their head and eat.

Risk Management Is Your Top Priority – But Are You Prepared for the Billion Dollar Threat?

As per this recent article over on Chief Executive that asks [if] your company is vulnerable to cyber-sabotage, if your company gets hacked, like Sony had its PlayStation Game Network hacked, then you too could be looking at about $1 Billion in tangible damages and an incalculable toll in lost customer goodwill, tarnished brand equity and sleepless nights for the corporate brain trust. Especially if you are in the Financial, Retail, Restaurant, or Hospitality sectors.

Cyber-Sabotage is on the rise. According to IBM, more than 8,000 new cyber-sabotage “vulnerabilities” were identified last year, up 27% from 2009.

But what can you do? The article recommends that you:

  • Become the Security Champion
    And put cyber-security at the top of corporate priority lists.
  • Beware of “Social-Engineering”
    Make upper managers aware of their own vulnerabilities to attacks that exploit the behaviour of strategically positioned individuals rather than involve a broad cyber-sabotage campaign.
  • Draw the Difficult Lines
    And set up an early warning system since it’s impossible to prevent every possible attack.
  • Dig to the Roots
    Be aware that unhappy contractors, customers or partners can become cyber-accomplices, and even cyber-criminals, if they are financially desperate enough.
  • Survey the Changing “Threat Landscape”
    The rapidly rising number of smart-phone “apps” is providing cyber-criminals with opportunities to exploit mobile-data networks.
  • Know the Four Common Categories of Cyber-Saboteurs
    • Foreign Government Intelligence Services
    • Transnational Criminal Enterprises
    • Corrupt Competitors
    • Corporate Insiders

It’s not bad advice, but it doesn’t really help. It’s great to fly a flag, but that’s not enough. And even if a manager knows he is vulnerable to social engineering, that doesn’t tell him how to tell when an individual might be trying to socially engineer information out of him. And just what should an early warning system look like? And how do you identify what individuals inside your four walls might turn on you? And how does knowing what types of cyber-saboteurs are out there help you stop them from penetrating your networks?

You need to know A LOT more than you do. And you’re not going to figure it out on your own. So you pretty much have two choices.

  1. Outsource to a “Cloud” Company that are masters of SaaS and Security or
  2. Hire a Security Consultancy with the Expertise to Not Only do a Security Analysis but to Train you on what needs to be done to Minimize Risk from a Technical and Social Perspective.

That, in a nutshell, is what you need to know, because unless IT Security is your business, you won’t master it.

The Control Provided by e-Sourcing is Only an Illusion – YOU HAVE NO CONTROL!

A recent post on one of the lesser known sourcing blogs indicated that, due to the lack of economic upturn in most of the developed world, maybe now is the time to finally try reverse auctions. The rationale, quotes from a CEO and his team that watched their first reverse auction that indicated that it was simple, powerful, easy to follow, effective, and, most importantly, if you read between the lines, gave them an illusion of control over the process and the results.

This, and some of the messaging coming from a few of the smaller e-Sourcing providers, is scaring me. I fear that adopters may believe that adopting this technology may give them some control. Well, as this recent article over on Chief Executive on why you should embrace tomorrow’s strategies clearly points out, you have NO control! You can manage the process, but you have no control over the outcomes. Why? For starters

  • Cartels, cabals, speculators, organized crime, and entire countries are constantly manipulating commodity prices.
    Case in point: China possesses over 90% of many of the rare earth metals used in many technologies (smart phones, batteries, etc.) and when they recently reduced exports, a steep price increase resulted that triggered a costly disruption of delivery of the precious commodities to global business.
  • Disasters are on the rise.
    Industrial, agricultural, and political disasters are increasing in frequency and wiping out production in entire regions. For example, the nuclear meltdown in Japan affected most businesses that rely on a Japanese supplier.
  • Global currency fluctuations, unforeseen credit crises, and economic stagnation are increasingly severe and unpredictably enduring.
    The extreme fluidity in the valuation of imported and exported goods, services, and components is as equally difficult to predict and manage.

No e-RFX or Auction is going to help you regain control over these economic nightmares that you have to deal with on a daily basis. And any provider that’s trying to sell you 1999 e-Sourcing technology to deal with the current economic stagnation doesn’t have a clue. There’s only one way you can even hope to adapt to the constantly changing reality, and that is through the adoption of a supply management platform with advanced data analytics capability. You have to constantly monitor, react, adapt, predict, plan for what-if, monitor, react, and adapt again. This requires extensive data acquisition, mapping, transformation, and analysis that only a real analytics solution, with advanced (spend) analysis, optimization, simulation, and reporting is going to provide. Don’t get fooled. All auction platforms give you in this day in age is a false sense of security. Sometimes an auction is the right way to go, but, most of the time, an auction (on its own), is not the answer.