
Darkbeam: Shining a Light on your Supply Base Cyber Risk

In part 9 of our Source-to-Pay+ series, we talked about the need for cyber risk monitoring and prevention because, in today’s hyper-connected SaaS world, nearly half of an organization’s data breaches originate in the cloud. These risks don’t just come from cyber criminals. Some come from less-than-scrupulous employees and others come from suppliers, even well-meaning ones. After all, who cares if the front door is locked when the back door is wide open?

Why do you care about your supplier’s back door? What do cyber-criminals want?

  • money
  • valuable intellectual property
  • exploitable personal data

Where can they get this?

  • account hacking, which is hard, or payment redirection, which is a lot easier
  • your ultra-secure server which is locked down tighter than Fort Knox with everything on it encrypted in 256-bit AES encryption, or the relatively unprotected Google Drive your supplier stores it on (as the file will be open to anyone who can compromise the account)
  • your double-encrypted HR database stored in a secure AWS instance, or the plain-text Microsoft Word documents stored on the laptop of the supplier’s sales rep, with its unencrypted hard drive and an utter lack of virus protection and internet security software

In other words, if your supplier has:

  • a lot of your money coming its way
  • your intellectual property
  • your executives’ personal data

and their cybersecurity is not as good as yours, you can be sure the cybercriminals are going to be going to, and through, them to get to you.

So you need to know which of your suppliers are at risk, so you can reach out to them and work with them to close the holes and eliminate the risks to them, and you. And for suppliers that you do significant business with (and regularly send million-dollar payments to), who hold your patented IP (for custom manufactured electronics, etc.), or who store your employees’ and/or customers’ HR data, you need to not only assess their vulnerabilities but continuously monitor for threats.

You need a supplier vulnerability assessment and monitoring solution that can identify vulnerabilities, help you communicate those to your supplier, detect improvements, and, most importantly, identify new threats as they emerge that could cost you, or your supplier, significantly.

Darkbeam is one of these solutions. The Darkbeam solution offers both of these capabilities: continuous vulnerability monitoring across your entire supply base (at a very affordable price point that starts at a mere £25,000 a year, which is low-end for any cybersecurity solution) and continuous threat monitoring, and assessment, of critical suppliers in your supply base (which you can add for an incremental cost that can be as low as £10,000 a year for your ten most critical suppliers).

The vulnerability assessment solution monitors:

  • Connections: SSL certificates and associated validations (hosts, IP, TLS, etc.)
  • Privacy: e-mail and cloud servers and configurations and breaches (esp. email addresses)
  • HTTPS: web site configuration, cookies, and port security
  • DNS: DNS record completeness, security, and recent changes
  • Blacklist: domain and email blacklist monitoring
  • Exposure: shared host identification, domain permutation monitoring, favicon, exposed subdomain monitoring, etc.

Cyber-weakness in each of these areas is highly relevant because it could allow hackers and cyber-criminals to exploit your supplier, and you, in ways that include, but are not limited to, the following:

  • an expired SSL certificate could allow a cybercriminal to register a fake certificate that validates a fraudulent facsimile of the actual site
  • exposed email accounts could allow a cybercriminal to masquerade as a supplier representative and change banking details for payment
  • an insecure site configuration could provide a backdoor into your entire network
  • incomplete DNS records could be completed by a cybercriminal and redirect traffic to a fraudulent site
  • if a domain shows up on a blacklist it could prevent email/traffic to/from the domain; and if emails show up on a blacklist, it could indicate compromised emails and/or emails not being received by their intended recipients
  • if a supplier’s website is on a shared host that is used by a lot of other sites (that are insecure), a number of (one-character-off) permutations of the supplier’s domain have been registered, favicons are being replicated, etc. then that is a strong sign the supplier is being targeted by cyber criminals (that could be coming for you, or your customers, through them)

Based on their assessment, they will compute a cyber-risk score (out of 999), the lower the better, and the higher the more concerned you should be (and the sooner you should reach out to your [potential] supplier to have a conversation about what they are doing to increase their cybersecurity, especially if they have, or will have, your IP or personnel data).

The threat monitoring and assessment solution is a service-based solution where the Darkbeam cyber-intelligence team continuously monitors the web and dark web for potential threats and investigates those threats when they are detected. If the threats are relevant, they send you a report on which you can take immediate action, which can include, but is not limited to, involving the proper authorities, which they have experience working with in multiple countries.

They literally monitor dozens of legit security and threat-intelligence sites (where general cyber security firms release warnings of cloud or software insecurity along with known breaches) as well as dozens of dark-web sites where shady characters like to sell, or at least indicate the presence of, IT, Trade and Finance secrets they should not have. On many occasions, they have detected breaches and data theft even before the supplier’s IT team knew about it (and definitely well before you did, if you were ever told).

If an incident or threat is detected, the threat report you receive will outline the issue (e.g. data exposure / breach), the root cause (e.g. system breach, ransomware, etc.), when it was detected, how it was confirmed, and what is currently being done / monitored. It will then outline the perceived severity (e.g. medium due to potential IP leakage, high due to personal data likely being stolen) as well as any potential follow on risks (i.e. personal logins that can compromise other systems). It will summarize the currently known information uncovered by the analysts and the current status (which could be ongoing). And it will provide current recommendations, such as reaching out to the supplier, changing logins and/or locking down your systems, reaching out to various agencies, etc.

All in all, Darkbeam is a great Supply Chain Cybersecurity solution and should be on your consideration list if you don’t have such a solution already. Cyber attacks are coming, and it’s best to be ahead of the issue than behind it.

Does Your Procurement Process Take Too Long? Maybe You Need to Zip Through It!

Zip is an interesting player. Started in 2020 to innovate the (lack of) intake in the Procurement world, they managed, through sheer ease of use and organizational friendliness, to embed themselves in a number of large organizations, get major investor attention, and, in less than four years, catapult themselves to a unicorn valuation.

However, as a result of those investments, they’ve been hiring good engineers as fast as they can find them, beefing up the orchestration, extending the product footprint (with baseline source-to-contract as well as some procure-to-pay capability), and launching a new integration platform, which is essential for source-to-pay-plus orchestration. They are making quite rapid progress in a space where many (but not all) larger companies have considerably slowed in their introduction of new innovation.

Marketing itself as procurement orchestration, Zip was founded to address the facts that:

  • purchasing is now distributed across numerous departments, and individuals, in today’s organizations,
  • (significantly) more cross functional approvals are required to control cost and risk, and
  • the ERP is not enough, and the plethora of apps and systems a modern organization needs are disconnected.

Now that they have powerful workflow creation capability, integration capability, and overall orchestration capability that can enable whatever you have (including Workday, Ariba, and Coupa), they now address the core problems they were formed to solve.

With the Zip platform, you can:

  • connect all individuals who need to purchase with all departments that need to be involved and vice-versa,
  • integrate all of the departments that need to review and approve purchasing (related) decisions, and
  • get visibility into each stage of the process across ALL of the organization’s systems (and even complete some tasks in the Zip platform where it has the corresponding Source-to-Pay capability).

On top of this you can:

  • integrate third party data feeds as well as applications to get insights and power analytics you need at any step of the process,
  • run cross-platform reports across performance and timelines as well as all spend, risk, and related data in the system,
  • manage your vendors and their data (which could be spread across a dozen systems) from one central viewpoint, and
  • manage your organizations (and subsidiaries) by department, category, etc.

The two-fold reason that you can do all this is because the Zip platform is really good at:

  • workflow management and
  • platform, and most importantly, data integration.

We’ll start with workflow management.

In the Zip platform, workflows are incredibly customizable. Workflows can:

  • have as many steps as required
  • which can be defined as sequential or parallel … and the workflow will not advance until all parallel steps are completed
  • have as many states as is needed (though most will only need a few states: locked, ready, in progress, approved, rejected (and sent back), rejected [and process terminated], etc.)
  • have as many sub-tasks and/or associated approvers as needed (so if the Legal Review needs two sign offs due to different policies that have to be met or the Finance Review needs two sign offs to ensure transparency, no problem)
  • have as many conditions as necessary for workflow selection / triggering (so you can have different procurement workflows by sub-category by geography if need be)
  • have as many triggers and dynamic data pulls defined as needed to instantiate a step once unlocked (e.g. bring up all vendors associated with a product, all approvers associated with a role, etc.)
  • link to as many external systems as required, with each (sub)task associated with the app/system in which the integrated party may perform his or her task
  • have as many details and associated documents as necessary
  • for Procurement, link to associated products, vendors, and / or contracts
  • etc.

And this is why the Zip Platform is so easy to use by, and attractive to, the average purchaser / requisitioner in an organization.

When an average user wants to buy, all they have to do is

  1. log into Zip via SSO (which can be configured to orchestrate organizational workflows beyond Procurement),
  2. indicate they want to purchase something
  3. select what they want to purchase
  4. make a few category/specification sub-selections to help the platform narrow in to the appropriate workflow (e.g. Facility Services, Janitorial; Computing and Electronics, Laptop;)
  5. select the vendors/products if there are pre-approved vendors and/or products; if not, they can select their own vendors/products
  6. answer a few [sub]-category dependent associated questions on the contract type, corporate or personal data that will be shared, etc.
  7. indicate the budget (amount) they wish to use (if appropriate)
  8. and submit the request …

The process is kicked off, the requisite data / document / survey collection is begun, those involved in the process are notified (and have visibility into the tasks they [potentially] have coming), and the requester has full visibility into where the process is at all times. The system will synch with external systems on predefined intervals between 15 minutes and 24 hours, usually depending on how often the external systems are used and what restrictions there are on access (e.g. some systems don’t have an API and do daily exports, and for systems with real-time APIs, the user can force a synch anytime they want). But, most importantly, events that used to take hours to create and weeks to coordinate can be created in minutes, and the coordination effort is non-existent: the system handles everything for you.

When a user logs in, they can go to their (task) dashboard and see all the projects they are involved in, all the tasks they are assigned in those projects, and drill into all of the open tasks they need to work on now. They can also see how long the task has been open, when it is/was due, the average time taken on a task of that type, and the average time the user takes to do the task (if they drill into the appropriate report).

Moreover, if vendors are involved, vendors are invited and taken to their own portal where they see the event and only see what additional information is required (as anything requested upon onboarding is already available).

It’s also very easy to set up and administer, which is also critical for a modern platform. At any time, a user with appropriate authority can:

  • define, modify, and even inactivate workflows, as appropriate using a very easy to use no-code workflow builder where the users visually define the steps; select the actions; define the rules, actions, and triggers, etc.
  • define or modify (approval) statuses
  • define or modify the organization’s category hierarchy
  • define or modify new or existing survey templates which allow the user to add sections, questions, selection lists, etc.
  • create new system fields and documents and associate them with the appropriate system objects
  • create or modify the lookup types
  • add or modify user access rights, down to geographies, departments, workflows, function access rights
  • define or modify the organizational hierarchy (subsidiaries, departments, queues, locations, GL entities)
  • define roles, users, and permissions
  • define bank accounts and vendor (virtual) cards
  • add (out-of-the-box) or modify integrations, or launch the new low-code Zip Integration Platform that allows customers to build their own connector to any system with an Open (REST) API
  • define the default reports (vendor, spend, performance, etc.)

While we’re not covering them in this post, we should note that Zip has a P2P module (that 42% of its customers use) and a new Sourcing Module, and that Zip is actively working on new capabilities and module(s).

The new capabilities we can discuss now, on the Q1/Q2 roadmap, are:

  • NLP-based intake for even easier usability and up-front integration of Slack, Teams, and other collaboration platforms to allow workflows to be kicked off in those platforms
  • predictive analytics — the analytics module is being upgraded and it will include recommendations for spend management and process improvement using trend analysis, machine learning, and other techniques that can be used to provide the user with additional insight

In other words, Zip, which has well over 300 enterprise customers, is zipping along and intends to keep doing so. The great thing is that you don’t need to replace any of your enterprise systems, including any best-of-breed systems you have for sourcing or procurement, but can instead connect them together to maximize the value you get out of them. Zip is an(other) I2O (intake to orchestrate) system that is certainly worth being aware of and checking out if system, process, or stakeholder orchestration and collaboration is a challenge in your enterprise.

Source-to-Pay+ Part 9: Cyber

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. In Part 3 we moved onto an overview of Corporate Risk, in Part 4 we took on Third Party Risk (in Part 4A and Part 4B), in Part 5 we laid the foundation for Supply Chain Risk (Generic), in Part 6 we addressed the first major supply chain risk: in-transport, followed by the second major supply chain risk: lack of multi-tier visibility in Part 7. In our last article, Part 8, we discussed the baseline Analytics that should be part of all of the different risk systems we covered in Parts 3 through 7, as well as a control centre.

Today, in Part 9, we move onto Cyber Risks. In today’s hyperconnected SaaS world, nearly half of an organization’s data breaches originate in the cloud (see this recent article by Illumio on Cyber Magazine, for example). So cyber security is important, but not just for your organization — for your entire supply chain.

Note that we are not going to dive deep, there are plenty of security firms that will do that for you. We’re just going to highlight key points of risk that must be covered in your cyber security plan.

Internal Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

Risk: Description

E-mail: Plenty of risks come in through e-mail. The biggest one you are likely aware of is fraudulent requests for payment from fraudsters posing as fake suppliers / service providers / consultants or new employees in a remote office asking you to approve an emergency payment. However, since fraudsters blast these far and wide (as it takes less work to create them), the most common fraudulent emails are usually phishing/ransom attempts where you have to click an email and enter your system login information to retain access to your email account (or another system you use). (Then they use those credentials you freely gave them to log in to your systems, lock you out of them, and demand payment to unlock your account.)

Your email system needs to do more than identify an external sender. It, or the security plug-in, needs

  1. to verify the originating domain of the email (since most fraudsters can’t mask the domain they send from),
  2. to identify the domain and location of the first intermediate server the message hits (since that can’t be masked unless they’ve hacked that) as well as if it matches the locale of the domain the email purports to come from, and
  3. to identify the domain of each embedded link and the company it belongs to (as fraudsters are great at registering domains just ONE letter off an actual domain and cloning the contents of the faked domain; e.g. chaEse.com vs chase.com … one is your bank, one will soon be scooped up by a fraudster who will skim account logins for a day during a “maintenance window”, then drain all the accounts dry (or at least to the transfer limits) the next day and wire the money to a foreign account in a jurisdiction with no extradition or banking treaties with the US, then empty the account the day after that, and then disappear never to be seen again …)

Hacking: Hackers will constantly be trying to penetrate your firewalls, the web servers and underlying operating systems of machines in the DMZ, the applications you are running, and the underlying security systems you use for monitoring and detection (but these are likely the most secure, especially if you are having them maintained and monitored by a professional, big name, IT security firm). You need to be monitoring for unusual activity, (D)DoS attacks, repeated login failures or access abandonments at particular ports or in particular application logs, and so on. You also need a few attractive honeypots that emulate the systems the hackers would want to access most, and if you don’t understand this, or why, talk to your security guru.

Ransomware: Hackers want to access your systems for two reasons: to steal money and IP, or to lock you out of them (if they can’t access any IP worth stealing or you don’t use any finance systems capable of [authorizing] payments) so you will pay them to get back into your systems. You need to be very careful to detect not only hacking attempts, but also the installation of new software that is unrecognized / not authorized by security. This is because you could be totally screwed and have no choice but to pay the ransom even if you do complete, incremental, daily backups across all systems. Smart hackers will install the ransomware, let it sit for a few weeks or so, and then activate it when you can’t roll back to a backup because you’d lose weeks or months of data (as you’d have to roll back to just before the ransomware was installed, because the majority of backup systems would not be able to identify the actual file changes, and there’s no way you could do a restore and not restore the ransomware after the ransomware was discreetly installed).

Infected Websites: Your users love to surf, surf, surf the web and go where the hidden links take them. You can’t expect they will all keep their browsers up to date, keep the underlying OS up to date, and, simply put, not be careless. You need to enforce security software on their machine, and check that it is present and up to date before that machine accesses your network, because if they visit the right infected website (from a fraudster’s point of view), it can be an instant hack and/or backdoor for the automatic installation of ransomware on their machine and/or your network.
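
The three e-mail checks listed above (originating domain, the server that handed the message over, and embedded link domains), together with the one-character-off domain permutations mentioned in the Darkbeam post, sketched as an added Python example that is not code from the original posts or from any vendor. The trusted-domain list, the boundary mail host name and the sample message are constructed assumptions; registrable domains are approximated by the last two labels, and geolocation of the relay is left out.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions (not from the article): domains we really deal with, and the
# name our own boundary mail server stamps into Received headers.
TRUSTED_DOMAINS = {"chase.com", "example-supplier.com"}
BOUNDARY_HOSTS = {"mx.corp.example"}

# Constructed sample message, not real traffic.
SAMPLE_EMAIL = """\
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby mail.corp.example; Tue, 02 Jan 2024 10:00:05 +0000
Received: from smtp.bulk-relay.test (smtp.bulk-relay.test [198.51.100.7])
\tby mx.corp.example; Tue, 02 Jan 2024 10:00:01 +0000
From: "Chase Support" <alerts@chase.com>
To: ap@corp.example
Subject: Action required: confirm your login
Content-Type: text/plain

Your access expires today. Sign in at https://secure.chaese.com/login
or read our policy at https://www.chase.com/security
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+([^\s;]+)", re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Simplification: production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, max_distance=1):
    """Return the trusted domain this one imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= max_distance:
            return trusted
    return None


def handoff_domain(msg):
    """Domain of the host that handed the message to our boundary server.
    Headers are scanned top-down, so the first match is the one our own
    server wrote; anything below it came from the sender and can be forged."""
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(header)
        if m and m.group(2).lower() in BOUNDARY_HOSTS:
            return registrable_domain(m.group(1))
    return None


def analyze(raw):
    """Run the three checks and return the findings as a dict."""
    msg = message_from_string(raw)
    address = parseaddr(msg.get("From", ""))[1]
    from_domain = registrable_domain(address.rpartition("@")[2])
    relay = handoff_domain(msg)
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if not p.is_multipart() and isinstance(p.get_payload(), str))
    links = []
    for url in URL_RE.findall(body):
        domain = registrable_domain(urlsplit(url).hostname or "")
        twin = lookalike_of(domain)
        verdict = ("trusted" if domain in TRUSTED_DOMAINS
                   else f"lookalike of {twin}" if twin else "unknown")
        if (domain, verdict) not in links:
            links.append((domain, verdict))
    return {"from_domain": from_domain, "handoff_domain": relay,
            # A mismatch is a signal for review, not proof of fraud: legitimate
            # senders often use third-party mail services.
            "origin_mismatch": relay is not None and relay != from_domain,
            "links": links}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```
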

External Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

Risk: Description

Compromised Supplier Site: If a supplier site or system is compromised, and you engage with that system in any way, then your system could be compromised. You need a system that monitors for supplier system/site/cloud risks as well as (known) supplier breaches.

Compromised Data: All of your systems run off of data. Compromised data is the easiest way to compromise a system. If an email gets intercepted and altered in transit with a man-in-the-middle attack and the hacker changes bank account information, you’re paying a fraudster and not the supplier. If the third party risk metrics are adjusted, your system can be tricked into diverting all business to a single, new, supplier which, while a legal entity, was set up by the founder to take your money and run. And so on.

Compromised Identities: Identity theft is on the rise, and it’s often the easiest way for a fraudster to get funds from a business. You need to track all known cases of identity theft associated with all individuals associated with all businesses associated with your business, as you will need to do extra verifications on requests from those individuals.

Web-Based Vulnerabilities: You need to be aware of where the biggest web-based vulnerabilities are in your suppliers and partners, make sure your suppliers and partners monitor and address those, and make sure you lock down your security to the max when you have to interact with their systems that are classified as high risk for vulnerability.

And more. There’s a lot of risk in cyberspace thanks to the fact that the information and financial worlds have merged, and your organization needs to be on top of it. Identify appropriate providers, or you will need very good luck to not fall victim to a significant cyber-based threat.

SaaS is everywhere. Are you SaaSy?

Back in our 39 Part Series to Help You Figure Out Where to Start with Source-to-Pay in part 13 we gave you some vendors to shop around to the rest of your organization if you thought you can’t touch the sacred cows of Legal, Marketing, and, new-to-the-sacred-cow-list, the SaaS used in other organizational departments.

While the management of SaaS spend was not that important in the early days, and even only moderately important near the end of the last decade, it’s become critical since COVID (when everyone had to go on-line) as software spending has now become the third largest expense for many organizations after employees and office costs (that many organizations, who realized that employees don’t have to be in an office everyday to do office tasks and who don’t feel the need to force people to go back to buff the egos of the micromanagers who have no useful skillset and feel they need to micromanage to add value, are now trying to minimize, even to the tune of paying huge penalties to reduce office space).

A recent article in the FinTech Times really puts this into perspective. Summarizing the EagleEye SaaS Spend Report (2023), recently released by CloudEagle, which analyzed over 400M worth of SaaS transactions, the article noted that companies spend an average of $1,000 to $3,500 per employee on SaaS, with smaller companies, with fewer than 100 employees, spending (up to) 1M annually (on 50 to 70 apps) and mid-size organizations, of up to 5,000 employees, spending up to 100M annually on 300 to 400 apps! OUCH!

The article also noted that the highest departmental spenders were Engineering (45%), Marketing (19%), Sales (17%), Finance (7%), Customer Success (7%), and HR (5%). (Note there is no Procurement in this list, and that any apps are obviously classified as finance or Engineering [which includes cloud providers], which is sad.) Engineering/IT makes sense, it supports the entire organization, but that’s a pretty high percentage for Marketing and Sales. However, it makes more sense when it notes that, in terms of the number of applications used, marketing leads with 76 and sales is third with 42. Why? (The answer: because there is no central management or strategy, there are multiple tools doing almost the same thing, and it’s just total chaos in those departments.)

Obviously, it is becoming vital to scrutinise how their software budgets are allocated and ensure every dollar spent returns a significant value, and the article gets it right when it notes this, and while it should be on the radar of every CFO and CIO to get this spending under control, the article really misses the mark when it doesn’t mention the CPO — who is probably best positioned to help the organization come up with a sound spending strategy, as it not only puts every purchase it makes under the microscope, but gets put under the microscope for every purchase it makes (as most organizations still see it as a cost center despite the enormous value it brings by containing costs under chaotic cadences of the markets it has to buy in).

Furthermore, the first step is to get a true understanding of SaaS spend across the organization, which is likely buried on P-Cards to hide just how much rampant, off-contract, off-protocol spend there is. To this end, we do recommend engaging an expert SaaS Analytics firm which has pricing benchmarks on the most commonly used SaaS applications across the major areas (IT/Engineering, Marketing, Sales, Finance, and HR) to help identify all the SaaS spending and the best opportunities for cost reduction through termination of under/un-utilized licenses, consolidation to one provider for a specific function, and re-negotiation. Most mid-size or larger organizations that do this the first time will identify almost 30% of cost savings opportunity, which can typically be fully materialized within two years (given typical contract lengths and how long it takes to make all the migrations).

And while the doctor can’t say which firm is likely the best for you without a consultation, he can say that many of the firms on that list can do a good job and you should quickly be able to zoom in on the top two or three for you with an RFP and a few phone calls. Basically, you’re looking for a company that’s in your region, has analyzed the SaaS spend of a number of companies in your industry, has good spend analytics technology, and benchmarks on the major player that you feel comfortable working with. (And has really good spend analysis. Yes, we said it twice. Because it is important.) Since you don’t have to enter into a subscription for an initial project, you can easily get started because if the company is not the best for you, you’ll still get value and can redo the project with a different company in a year or two. There’s no reason not to do it and you’re guaranteed to identify savings. So why not Get SaaSy, now, get SaaSy!

“Ooh, the way that you spend it
Makes me go crazy, show me you can end it
You could be saving more
Ooh, the way that you buy
Makes me go crazy, show you I can end it
You could be saving more

Much more
Much more
Much more

Get SaaSy, now, get SaaSy
Get SaaSy, now, get SaaSy
Get SaaSy, now, get SaaSy

Savings
Now (much more) …”

MarketDojo has stepped up its Mid-Market Game!

The last time we covered MarketDojo (which recently had a majority stake in the company acquired by Esker) was in 2016 where we noted that marketdojo opens the dojo to suppliers as well after introducing you to MarketDojo in 2014 back when it was a simple RFX/e-Auction platform with some category intelligence and SIM (in our posts on how you could walk your own way and plan your own path). Since then, they have improved the platform greatly. For details on some of these improvements, we recommend their 2016 Vendor Analysis on Spend Matters by Jason Busch (Part I, Part II, and Part III) and their 2020 Vendor Analysis on Spend Matters by Magnus Bergfors (Part I, Part II, and Part III) [Pro or ContentHub subscription required].

Today, we’re going to quickly overview the primary capabilities of the platform, and then focus in on the new and advanced capabilities added since our last review.

MarketDojo is primarily an e-Sourcing platform with foundational supplier management (information and relationship capabilities) and contract tracking (baseline governance). (They still have their categorydojo solution, where they identify current market opportunities that you may want to pursue, but that isn’t the focus of this piece, so we will refer you back to previous articles for details on that functionality.)

e-Sourcing primarily consists of (multi-round) RFX capability, lot-based e-Auctions, and quick quotes (for quick one-time buys/quotes where full sourcing events are not needed). e-RFX creation is quick and easy — define some basic meta-data under settings, add any necessary documents, create the specific questionnaires and additional supplier data collection forms, define the items (which can be lotted in RFX as well as Auctions), add the collaborators (that can be given full access or limited view access), and even invite new suppliers (which can be onboarded later if the responses to the survey forms look good).

The major improvements and/or differentiators since we last covered them are in:

event instantiation
they now support templates, with a library of out-of-the-box templates (for the categories they track in categorydojo and then some) for RFX and e-Auction as well as custom templates built by the organization
survey creation
(in beta) you can now use Bard to identify common questions / characteristics of a category or product/service and then edit the form accordingly [which is a decent use of NLP, gives you some good ideas you might miss but keeps you, the intelligent human, in full control]
lots
lots now support transformational bids (where bids can be marked up by a percentage or a fixed amount to implement switching costs or penalties for reduced quality/utilization ratios) as well as bids in DPD (Dynamic Parcel Distribution), FOB (Free on Board), and EXW (ExWorks).
bids
bids can be defined as a complex formula over an arbitrary number of bid components and they support a brand new formula builder
collaborators
collaborators weren’t part of the initial solution, and they didn’t have tiered access
bid ranking
easily see the top bid for every item in every lot in a default lowest cost award scenario and easily dive in to see all the bids for every item of every lot in rank order
bid component ranking
see how every bid component ranks against all supplier bids for an item; this helps you identify the cost components that a #2 or #3 supplier (that you want to do business with) is not competitive on (such as freight, overhead, etc.), which might allow you to work with the supplier to get those cost components down to make their bid more competitive
dynamic RFX round creation
you can easily create a new round and control which suppliers and collaborators from the current round get invited to a new round

And, of course, the quick-quote functionality is brand new. These are super simple. All that a requester has to specify is what they want, when they want it by, what requirements must be satisfied, what the payment terms are, and which (approved) suppliers it should go out to, and off the quote request can go. They can also attach spec documents, add special instructions, and request physical copies, but that’s not necessary. And if they want a certain currency or quotes in a certain unit of measure, that can also be specified. When the quotes come back, they’ll see an easy-to-understand quote summary and can choose one for award. Easy-peasy and, most importantly, the spend is captured and can be managed.

The supplier information management primarily covers the onboarding of new suppliers, to ensure that the appropriate information is captured, and then supports ongoing maintenance of the data. Onboarding is quite simple. A buyer defines the basic supplier information (name and corporate e-mail address), adds any mandatory and optional tags (such as DPST Tier, ESG, Minority, specialized category, etc.), selects the questionnaires they want the supplier to answer (of which a default set will be automatically selected upon tag definition), identifies the business users, either by role or by name, that will approve the forms as the supplier returns them, and then specifies the corporate/contact email the onboarding request will be sent to (and the language the request should be sent in; it’s relevant to note that MarketDojo now supports 23 languages in its platform, but if you want the forms in 23 languages, someone will need to translate them, unless you are using MarketDojo out-of-the-box forms where those forms have already been translated).

The relationship management solution is straightforward as well and is primarily designed to track supplier contacts and organizational users, associated sourcing events (that they participated in, not just awards), onboarding status (by requested survey/form) and associated surveys, contracts, identified innovation opportunities, and activities. Activities have a type (such as call, task, objective, audit, review), an assigned organizational user who is responsible for ensuring the supplier completes the activity, associated documents, organizational (and user) notes, and possibly even an (optional) associated hierarchy of sub-tasks.

Reporting has been updated and is currently supported in PowerBI through MarketDojo’s OpenAPI (and it is also supported by MarketDojo’s partner SpendKey). The default built-in reporting suite is pretty decent for a Sourcing platform, with click-through dashboards on contracts, sourcing events, suppliers, overall spend, spend by category, spend by supplier, spend by country, spend distribution, PO (vs non-PO) Analysis, Compliance, and even Supply Chain Geographic Coverage. While not a full-fledged analytics platform by any stretch of the imagination, it’s enough to give buyers some insights as to where they may want to begin their analytics efforts if they are looking to increase savings, increase diversity, increase compliance, or decrease risk.

Contract management is baseline. It’s basically a searchable meta-data index of contracts, which can be associated with suppliers. However, for smaller mid-size organizations, that might be all they need.

MarketDojo is a great mid-market SIM-powered sourcing platform at an affordable mid-market price point.