Category Archives: Supplier Management

Mercanis: Men with a Mission to bring Modern Volkswagen Efficiency with BMW Style to Source-to-Contract! Part 2

As discussed in Part I, Mercanis is a new Source-to-Contract mini-suite provider based in Berlin, Germany that is bringing a powerful, affordable, and easy to use solution to the mid-market that not only has core capabilities in sourcing, supplier management, analytics, and contract management, but also has core capabilities around risk assessment AND intake, which is not something we have traditionally seen in mid-market Source-to-Contract, and even enterprise Source-to-Contract and Source-to-Pay suites.

Logging into Mercanis takes the end user, who could be a buyer, an AP clerk, or an average employee who needs to go out to market for a product or service to do their job, to their customized dashboard (according to their role) where they can see an overview of their events/requests, contracts, suppliers (including individual supplier overviews) they manage or have access to, organizational spend they oversee, and other relevant information depending on the selected widgets.

Yesterday we overviewed Sourcing, Supplier Management, and Risk. Today we are going to overview Contracts, Spend Analysis, and Platform Administration.

CONTRACTS

Contract Management in Mercanis is straightforward contract document management with a sprinkle of contract creation capability. It stores all of the contracts and associated metadata, including the supplier, active term, value, type, and status (which is draft, pending, active, inactive, and archived by default). It’s easy to search, filter, retrieve, and view a contract at any time. Viewing takes the buyer to the summary screen, from which the user can drill into more detailed screens on payment, linked documents and contracts, stakeholders, relevant clauses, and other (custom) information screens as appropriate to the contract type. The system also supports the definition of tags and contracts can be tagged to categories or conditions of interest, such as sensitive of personal data, auto-renewing, special initiatives, and so on.

Uploading a contract in the Mercanis platform is easy. You drag and drop the document and it auto-extracts most of the key meta data elements that are described in the platform using OCR and advanced NLP. It’s not perfect (no system is, no matter how much fancy AI the systems claim), but it’s easy for the user to override any extract data that is not quite what they want, or not found, and index into the relevant part of the contract.

Finally, contract queries can be search and filter on metadata or Natural Language chat, which will learn from repeated use and adapt to the user’s natural language queries over time.

SPEND ANALYSIS

Basic Spend Analysis is integrated into the core and allows the user to select filterable widgets and dashboards that show spend by category, cost center, supplier, and other major identifier in the system (contract, sourcing event, etc.). It is instantiated with AP data on system implementation, which the system auto-maps to your pre-defined category taxonomy using (auto-generated) mapping rules consisting of suppliers and keywords/phrases/abbreviations/tags in the line item descriptions (identified by AI and curated by humans) and provides sourcing professionals insights from the date of go-live.

As with every other modern platform, it’s easy to drill into the categories (and sub-categories), suppliers, cost centers/business units, and contracts and see the associated transactions. Filters will also allow limiting to date ranges or other record values of interest. And it’s very easy to pop-up a supplier profile from a spend analytics widget or screen or a contract as the analytics, while basic compared to best-of-breed spend analysis tools, are fully integrated.

ADMIN

When it comes to platform administration, it is highly configurable by the organizational administrators. This administration includes the ability to configure approval paths, role groups, individual users, and workspaces (which roles can be limited to) as well as the company information your suppliers see about you. (It’s such a simple concept, but even many SRM platforms don’t make it easy for a supplier to access the customer information about you that they need as a supplier.) There can be different approval paths for every workflow including, but not limited to, supplier onboarding, sourcing (intake) request approval, sourcing awards, and contract approvals, including conditional/branching approvals based on arbitrary fields (such as amounts over or under 50K, product/service category, etc.). These flows can be built using a visual approval workflow builder that can support all standard Boolean logic and if/then/case conditionals.

Let’s dive into workspace configuration, as this is one of the most unique capabilities. The platform supports the definition of as many workspaces as you want, where each workspace can have its own dashboard, its own subset of modules, restricted/no admin access, approval workflows, and templates. Most importantly, a role can be associated with a workspace and when a user is associated with role, that is the workspace, and the only workspace, they will see when they log in. If necessary, the platform can support hyper-personalization natively.

In addition to the platform administration capabilities outlined above, the organization can define business units, manage its category tree (for sourcing and the built in spend analysis), define it’s default meta data requirements by contract type, visually manage all platform workflows (across all modules), manage its currency exchange rates, define its (supplier/RFQ) ratings, and define and manage the data collection templates for every module in the system including supplier data collection forms, pricing sheets, RFP questionnaires, and contract/document templates.

When it comes to workflows, just like the platform can support as many workspaces as you like, it can support as many workflows as you like for each process supported by the module. For example, you can not only have a different sourcing workflow for each category, but you can have multiple workflows based on expected spend. You can have different supplier onboarding workflows depending on category, geography, or a combination thereof (for example), different contract / document creation and management workflows (in addition to approval), and so on. And each can be linked to the associated module in the associated workspace. Highly configurable.

Workflow definition is enabled by the rule builder which is very flexible, and just like approval workflows, is completely visual, supports all Boolean logic, and allows rules to be easily defined in a rule chain that defines the category/ies, role group(s), workspace(s), discriminator (such as budget amount), and action (which can itself kick off another workflow).

The pricing sheets are very flexible and essentially act as mini-spreadsheets embedded in the sourcing tool. Allows for detailed cost break downs and calculations in both sourcing events, and analytic comparisons. The templates can have any number of elements and support all standard HTML components.

IMPLEMENTATION

The system can be implemented and configured for go-live in as little as two weeks, as long as the relevant supplier dataset and spend history can be provided day one and is complete enough that their processes can sufficiently classify the AP data on the first pass to the point that they can complete the processing with manual intervention within the timeframe. Note that the buying organization can choose to load all suppliers, all suppliers used within the last x months or years, or just currently active suppliers that will be used in sourcing events.

Mercanis is a great new entry to the mid-market Source-to-Contract space, especially considering all of the acquisitions and roll-ups of the last 5 years or so that took a lot of companies out of the mid-market and into the enterprise suite game. If you’re looking for a new S2C solution, and especially if you are based in Europe, Mercanis will make a great addition to your shortlist. It’s come a long way in a short time and the doctor has no reason to believe that they won’t continue to make significant progress, and add significant value, over the next few years while maintaining a price-point the mid-market can afford.

Mercanis: Men with a Mission to bring Modern Volkswagen Efficiency with BMW Style to Source-to-Contract! Part 1

Mercanis a new Source-to-Contract mini-suite provider based in Berlin, Germany that is bringing a powerful, affordable, and easy to use solution to the mid-market that not only has core capabilities in sourcing, supplier management, analytics, and contract management, but also has core capabilities around risk assessment AND intake, which is not something we have traditionally seen in mid-market Source-to-Contract, and even enterprise Source-to-Contract and Source-to-Pay suites.

Logging into Mercanis takes the end user, who could be a buyer, an AP clerk, or an average employee who needs to go out to market for a product or service to do their job, to their customized dashboard (according to their role) where they can see an overview of their events/requests, contracts, suppliers (including individual supplier overviews) they manage or have access to, organizational spend they oversee, and other relevant information depending on the selected widgets.

Today we’re going to discuss Sourcing, Supplier Management, and Risk.

SOURCING

Creating a sourcing event in Mercanis for new or previously sourced articles can be accomplished in just a few minutes as the platform was designed for high efficiency. With integrated intake, the system will either guide an organizational user to a self-serve sourcing event for articles (products/components/fixed services) in acceptable categories under a certain amount or funnel to the appropriate sourcing team, as appropriate.

When an organizational user wants something, they define their event name, a unique departmental project reference, category, budget, RFX due date, relevant organizational tags, affected business unit[s], preferred NDA (from those associated with the category), and then the system will either notify the requester that this needs to be a (strategic) sourcing event and direct it to the sourcing team or take the buyer to their (selected) workspace where they can set it up on their own.

In either situation, the next step is to select suppliers. Suppliers are auto-suggested by the system and it’s one click to select them (and the user can search for other known suppliers or even invite a new supplier for onboarding if they want to). After that, they select an appropriate pricing sheet (from those associated) which is automatically pulled in, and then they select appropriate RFP surveys that they want filled out (which are also auto-suggested based on the article). They can then launch the event immediately, or specify a later date, and at any time they can (come back and) add stakeholders.

For a single article, since everything is auto-suggested, they can literally select the core suppliers, price sheet, and surveys with a few clicks and launch a small event in a minute. Most events on an article or category can be reasonably defined in five to fifteen minutes (vs. the 15 hours for some first, and even second, generation suites).

In the Sourcing projects can be multi-round if necessary. Once the results come back, the buyer can kick off another event based off of that project and link it to the existing one to create a multi-round event.

Also, once response come in, as many stakeholders as desired can score it, the scores can be weighted, and once an award is decided upon, it can be sent to the contract module. Survey responses for each survey can be compared side-by-side for easy comparison against peers. And when the individual responses are scored, the buyer can see the assessment criteria scores graphically in spider graphs, including a calculated score based on total relative pricing. When it comes to price sheets, which can include embedded formulas, the buyer can select the prices of interest for side-by-side comparison as well. And to make the comparisons pop, the buyer can even shift to dark mode. While not always the best for data entry, it does make certain visual comparisons pop.

The entry point to sourcing is the dashboard which will summarize the requests, events by category, upcoming, and current sourcing events that need to be reviewed, managed, or awarded.

An organizational buyer can also two-click a new sourcing event by going to the article summary screen, locating the article of interest, clicking on it, defining an event name, selecting one of the associated sourcing workflows (defaulted if just one), selecting one of the associated pricing sheets (defaulted if just one), and confirming the event creation.

SUPPLIER MANAGEMENT

The Supplier Management module revolves around the Supplier Repository which organizes all supplier related information in the system with each supplier maintained by the system. It’s easy to search suppliers by name, category, location, associated transaction cost centers, and other information. Upon implementation, Mercanis can import all of your suppliers from your ERP, just a subset you mark as active, or only those suppliers used in the past x years.

On implementation, they will pull in as much information as they have, fill in gaps with any information they have in their system, and augment with a 360-degree profile they auto-generate using their AI tools that scrapes supplier websites and pulls in data from third party sites, Compliance Catalyst, Dun & Bradstreet and/or other third party supplier data providers you have a subscription to. This profile will include a short description, any known (reference) customers, categories the supplier (can) supply in your taxonomy, any known contacts, owners, known business units, primary / head office location, website and Linkedin URLs, and even known similar suppliers in your database. It will also contain direct links to any third party profiles you have access to, and can even pull all of that information into the platform for you.

This is in addition to the basic corporate information (and contacts) maintained by the system (which includes legal identifiers, basic accounting information, and location data), supplier states (which can be buyer organization defined), tiers (as the organization can track tier 2 suppliers or suppliers typically used by your suppliers, third party ratings (from the ERP or a data partner) and data that can be pulled in (which can be visually displayed in spider graphs), specific information collected during onboarding, and appropriate risk data (including cached data from any third party data feeds you have a license too). Note that suppliers can also be evaluated using organizational surveys that can be associated with them, and multiple evaluators can be associated with these surveys.

The SRM system also centralizes and maintains a record of all system activity, including sourcing events, contracts, risk profiles, and associated supplier analytics. It also tracks all associated tasks from across the system in one location, all associated (onboarding/sourcing/contract) requests, and any notes the buying organization wants to add.

New supplier creation is easy. It can be as easy as defining a name and email to kick-off the onboarding process, which will send a request to the buyer to provide the requested information. (Note that if you provide an appropriate legal identifier or URL and the supplier is in the Mercanis database, base information will automatically be populated to simplify the onboarding process for the supplier.)

Search can be customized to work on any given supplier identifier.

RISK

The risk module, primarily used in supplier pre-qualification, tracks country and industry risk across the globe and can instantly associate the relevant country and industry risks with an existing, or new, supplier based on its address and NAICS code. The platform uses over 40 different data sources to analyze country and industry risk in accordance with the German Supply Chain Act and computes a score for every country-industry risk correlation.

In addition, it can integrate with third party data from providers like IntegrityNext and Ecovadis and, for any supplier, pull in all the relevant data if the customer has the data feed licenses and automatically compute advanced risk measures using their data (from public sources) and third party data.

Come back tomorrow for Contracts, Spend Analysis, and Administration.

Need a strong Supplier Management Solution? Maybe you should get one made of Graphite …

Or at least virtual graphite … which was essentially the goal of the founders of GraphiteConnect when they launched the company five years ago in an effort to modernize supplier onboarding with a solution that would stand the test of time and solve many of the problems they encountered leading purchasing in their lost jobs which included:

  • time-consuming supplier onboarding (which just increased with first and second generation supplier management solutions which often extended what used to be a 2-day fax-based process to 2 weeks)
  • difficulty of adding requirements during a process or when a new legislation or initiative comes into effect
  • difficulty of maintaining supplier documents and data that needs to be updated/validated regularly
  • ensuring financial information is valid and has not been changed by an unauthorized party
  • tracking risk and privacy protection requirements from the start of the onboarding process
  • dealing with inaccurate (unverified) supplier data and manual ERP entry
  • etc.

They also realized that the only way for this to happen would be if the suppliers maintained their own data, but the only way a supplier could reasonably do that is if they only had to maintain that data once (as they saw the proliferation of effort on suppliers who had to upload the same information for every client in the big procurement and supplier management systems of the day). So they also wanted a system where the supplier could maintain ONE profile, which could be expanded with new common information requirements over time, and the supplier could grant (potential) customers the right to subscribe (and view) their data, including data that was validated with third party registries by the platform. Thus, they decided to build a neutral network of networks, modelling their solution off of social networks to reach the desired level of capability and functionality.

By adopting a network-of-networks approach, GraphiteConnect could enable quick, many-to-many sharing of key information requirements when a new data requirement came into play as a result of a new legislation (allowing a supplier to just push it out to all its customers on the network vs. responding to its customers one-by-one). This is because the network, unlike most supplier “networks” is designed to optimize information sharing and not procurement transactions. Furthermore, to make it even easier for suppliers to transact with their customers and vice versa, translation is localized in the platform (with 18 languages so far and more coming) so that the burden of translating core data elements (or at least the descriptors thereof) is not on the customers or the suppliers, with each party being able to work in their native language for efficiency.

Supplier and buyer data elements and documents (such as contracts) are fully segregated with data associated with the owning entity (again, buyer’s subscribe to supplier data elements of interest), which means that a buyer can never overwrite supplier data (especially legal entity, banking, or verified data) and vice-versa. This is very important because you can’t trust a “network” where the buyer can change your supplier data.

Onboarding is relatively quick and risk-aware, and is integrated into the search process so that, if the buyer can’t find the supplier in their (tier-1) supply base, and the supplier is already part of the GraphiteConnect network, the user will be able to quickly add the supplier as the platform will bring up all potential entities, making onboarding simply a matter of specifying what information is needed (which asks the supplier to share that data and provide any additional data not in their shareable public profile). And if not, like any other modern system, it’s a contact and an email and a few basic pieces of information (which we’ll discuss later) to invite the supplier, which, upon basic profile completion, will be verified and ready to fully onboard.

Onboarding has a well defined workflow, and both parties see where the process is at all times. Request, initial supplier response, buyer privacy and security reviews, and push to organization master data stores at a minimum, but the request/response can be multi-stage (i.e. you don’t request non-standard data until you do baseline risk/security/privacy assessments), including extra stages for revisions, and the workflow will expand or contract as necessary.

Search is great, and is fully guided. If you’re looking for a supplier for a product or service, you start by indicating what type of supplier you want, and it guides you through a series of questions to limit you down to an appropriate set of suppliers. For example, when you are looking for contract services, it will ask if you want an independent contractor or a company (and the desired company size). It will then ask service type, and drill down (e.g. independent contractor, IT, software engineer, .NET, etc.) until it gives you a tailored list to choose from (and invite for onboarding).

Pivoting to verification, GraphiteConnect integrates with the appropriate registries to verify and validate the vendor data elements in over 130 countries globally including, but not limited to, legal name and identifier, physical addresses, VAT/TAX/Government registration numbers, bank routings, sanctions lists, additional 3rd party sources for modern slavery, forced labour, compliance, ethics, financial viability, safety, sustainability, and cyber (including Darkbeam, and trust the doctor when he says that if you’re not shining a light on your suppliers’ cyber presence, someone else is, and looking for a way to use them as a back door into you).

Of course, a buyer is not limited to existing data, they can request additional data at any time from any supplier in their network. When they do so, the requested fields are added to a supplier’s virtual data room (that houses all of the different aspects of their profile), and when the supplier rep fills out that information, it automatically grants a subscription to the requesting buyer.

And of course, once the supplier is onboarded, it’s really easy to navigate through a supplier profile and find the exact piece of information you’re looking for due to the multi-part profiles, sub-categories in the profile, elements that dynamically expand and contract as needed, and so on. In addition to core data, the platform, like any good supplier management platform, collects contacts, action plans, documents, communications, and contracts related to a supplier (that are part of the buyer’s data room) in one place for the buyer.

The great thing about the platform is that it is a network built for entity connections, which means every entity, including the buyer, which could be a supplier to other buyers in the network, has it’s own profile (in a secure virtual data room that is fully encrypted) so all of it’s data is verified and securely maintained (and editable only by its authorized employees). This means that a buyer can not only share the information with the supplier that the supplier needs to transact with the buyer but to its customers as well — and do so in all cases with ease. More importantly, it means that, when necessary, the platform can create shared secured data rooms for collaborative editing of data fields and documents between a buyer and supplier that can pull in the relevant data from each party’s private data room for document auto-fill. And when the document/new data fields are complete, it can be pulled back into the relevant party’s data room (with an auto-subscription to the other party).

And the other great thing about the platform, is that it was designed with the realization that risk needs to be front and center from before an invite goes out to a potential supplier until the last service has been completed and the last product has left the wild. And the platform enforces risk awareness, and mitigation, from the minute a buyer wants to onboard a supplier until the supplier leaves your connections. When you want to onboard a supplier, the first thing you do is identify the primary product or service you are considering, whether the relationship is expected to be one time or ongoing, the anticipated (annual) spend, and, most importantly, the categories of your data the supplier will have access to as well as any personal data of your employees or customers they may have access to. Based on this, the platform can identify the types and levels of risk your organization will be subject to and automatically request the appropriate risk data in the invite (which could include custom survey/data requests that the supplier hasn’t seen before, and which will get added to their profile when the accept the invitation and fill out that data).

The UX is extremely streamlined for the tasks the average user needs to execute with just six main areas in addition to the home screen (and the settings screen):

  • tasks – which centralizes all of the buyer’s tasks when they login
  • contracts – which is the organization’s electronic filing cabinet with easy meta-data based search
  • connections – which is the entry point to search and onboarding
  • opportunities – which is where the platform centralizes initiatives around supplier diversity, ethics, clearance certifications, etc. where a buyer can setup a portal for interested suppliers who can meet certain goals and objectives to self-register and provide the requested information (for future customer onboarding and RFPs)
  • action plans – which is where ongoing activities are collected and managed (onboarding, reviews, etc.)
  • reports – which centralizes the activity reports

Furthermore, intake in GraphiteConnect is very extensible. It can be configured to meet the needs of your sourcing, contract, diligence, and procurement teams with supplier onboarding and management and it can be configured to push back the appropriate data into each source system that needs to interact // cache supplier data.

And unlike many other platforms that were designed with the expectation that initial customers would be primarily mid-market, as the founders are ex-Intel and Adobe, it was built for massive scale and can handle enterprise scale (which requires tens of thousands of active suppliers) with the same ease as mid-market scale (which requires thousands of active suppliers) and is a solution that any company can grow with (or integrate into their Source-to-Pay-Plus stack.

So if you’re looking for supplier management platform that can auto-validate, rapidly scale, and minimize supplier burden with it’s subscription/reference- based network architecture, maybe you should look at Graphite Connect. With their ability to quickly integrate with (Open) APIs, they can solve a lot of your intake and onboarding problems as well.

Technology for Supplier Onboarding is the NOW, not the Future!

In fact, for any company that hasn’t been in a cave for the last TWO (2) decades, it’s the past!

Needless to say, the doctor was shocked to see this recent headline in Supply Chain Digital that purported to answer why technology is the future for supplier onboarding because either you’re using technology for supplier onboarding today, or you’re not going to be around much longer as a company.

Without a good solution, the time it takes to collect and evaluate enough data to even determine if the supplier is legit, in your industry, appropriately certified, not on any banned lists, financially stable, with real customers, etc. is days, sometimes weeks. And then the time to evaluate the supplier to supply even a single product can be weeks, especially in direct, when you have to trace the product components down to the raw material source to make sure there are no conflict diamonds, no Congolese cobalt, and no indentured / kafala / slave labour in the mines your metals come from.

Even though the article headline is, well, wrong, there are some good points in the article.

Having a strategic approach to supplier onboarding is a key component of supply chain risk management. Most definitely. You don’t want to hook up with a supplier that’s just going to increase your risk, stop your production lines, bring regulatory and compliance investigations your way, and possibly get your CFO or CEO in hot water because you had them sign off on a supplier as being safe when, in fact, it was the business equivalent of a landmine.

With a properly configured supplier management solution, you can check that a supplier meets all of the basic regulatory requirements, financial requirements, and baseline operational requirements in a minute. Literally. You plug in the name and ONE governmental ID code and it pulls in every single piece of information in government systems, third party finance / ESG / Risk databases, insurance and compliance databases, and community intelligence gathered in its systems and indicates if the supplier:

  • failed any registration checks
  • failed any denied party checks
  • has any owners, directors, investors, or connected parties that failed a check
  • has filed its financial reports and is not rated as a going concern
  • has reasonable ESG ratings
  • has any reports of, or known connections to, forced/child/slave labour
  • has valid insurance
  • has valid regulatory compliance certificates
  • any other requirement that can be looked up from a public database

And you know if there are any alerts or failures within minutes, not hours, days, or weeks.

Which lets you dive into evaluating whether or not they can supply the product you need at the quality and quantity, and in a manner that is not quixotic to your business environment.

You can then define additional requirements for automatic lookup, ask for tier 2 suppliers, do the same automatic checks on those, specific to the component or raw material they are providing, and if all that passes, which you will know in minutes, then you can begin the real research in minutes, not hours, days, or weeks. And the real research can take days, or weeks (and sometimes more) in real time when you need to look deep into the production capabilities, the labour that is used, the materials that are used, and the quality of the finished good (which you may need to see a sample of). But the last thing you want to do is waste weeks trying to get to this point only to find out three weeks in that the supplier is on a banned list for one of your main marketplaces, the tier 3 uses cobalt from the Congo (and if you don’t know why that is bad, do ONE minute of web research [unless, of course, you are a psychopath or sociopath with no regard for human rights or even welfare]), or is facing multiple lawsuits for unsafe products in multiple countries.

It is imperative that C-suiters “act with urgency around risk”. Nothing could be truer. It seems that risk is doubling every day. You need to be ready, and while you can’t be ready for everything, you can minimize the chances of risk by ensuring that your suppliers are not adding risk and, in fact, as dedicated as you in minimizing their risk profile. Moreover, if you have a good supply base, they can work with you to mitigate the impact of disruptions when those disruptions rear their ugly head.

“This year we expect to see increased ESG regulation”. It’s coming, and the best way to be prepared for it is with systems that can run checks, collect the required data, flag potential issues, and make sure you keep on top of whatever you need to in order to comply with those regulations.

“Invest in your processes, to ensure you can do more with the same, or fewer, resources. This usually means automating your supply chain data, so you’re finding new suppliers or managing existing suppliers.” Definitely.

Technology has a vital role to play in supplier onboarding. Most definitely. Except you should have been using it for the past two decades, not looking for a solution today. Why do you think there are 100+ vendors offering supplier management solutions? Because they’ve worked wonders (relative to not having any solution) since they were first introduced two decades ago. And, most importantly, they’ve went from simple information management solutions to advanced data collection, validation, and risk assessment solutions where you can quickly validate, analyze, and decide if you want to even consider engaging with a supplier in minutes. You can also collaborate, develop, and implement supplier programs. And you can even orchestrate supply networks with modern solutions.

So if your solution doesn’t solve your CORNED QUIP mash of supplier management problems, maybe it’s time you found a new one. You can’t wait for the future to solve your supplier management problems, you need to solve them today!

10 Great Questions to Pre-Qualify a Vendor Before Onboarding for a Deep Dive, Courtesy of Certa

A recent article in the SCMR by Jag Lamba, the CEO of Certa, a Third Party Risk Management (TPRM) vendor headquartered in California and focussed on compliance, risk, and ESG had some very good questions to ask before engaging with a US vendor, but some of them were very US-centric and others took a platform based approach. (You certainly need a platform, but certain areas, like security, go beyond the platform.)

But if we generalize these questions, they are relevant for everyone, and make it clear why you need a Third Party Risk Management (TPRM) platform that goes just beyond key suppliers/vendors, and beyond product and service needs. (And if you’re wondering what you need a TPRM, check out Part 4A and Part 4B of our new Source-to-Pay+ series where we are currently focussing on Risk Management.) They’re also industry independent and can allow you to short circuit a time-consuming industry (product/service) specific diligence because if the third party fails any of these questions, why would you bother going deeper? Just move on to the next contender!

  1. Does the vendor meet the needs of its customer base?: Any major negative news headlines? Any drops in financial performance? Any grumblings on Glass Door? Any of your counterparts in local groups or associations using them and bad mouthing them?
  2. Does the vendor have the operational capability AND capacity to serve you?: If you need a modern machining process or a vendor who can produce a minimum of a million units, don’t bother with any vendors that don’t have the process or can’t produce a million units.
  3. What financial and sustainability reporting process are they subject to? : The best way to ascertain their ability to stay compliant with financial and other regulatory (like ESG) requirements is to review the government reports. (They may [white] lie in their marketing, and then claim you misinterpreted, but they’re not as likely to lie to the government who could fine them, criminally charge them [in some countries], or shut them down.)
  4. How do they approach security?: Not just cyber security, but facility security, personnel security, and information security. Over half the attacks come from the cloud because it’s easy when you leave a security hole, hackers don’t have to leave their basement, they can attack you half a world away, and face no repercussions because there are no extradition treaties and the local authorities just don’t give a f*ck if they aren’t doing any criminal activity in their country. But when that fails, their local counterparts try to break into the facilities — if the vendor stores unsecured physical copies of critical IP, local backups of sensitive IP on unsecured USB/Zip/Thumb drives, or a lot of money on site — all someone has to do is walk in with a workman’s uniform, enter the backroom to check the wiring when no one’s in it, stuff something in their workbag or pocket, and, buh-bye. If your personnel are not trained to detect social engineering attempts, then someone’s going to have a little chat with them, something like “Hi, what do you do? Oh, is that your doggie in the picture, what’s your doggie’s name? My doggie’s name was Scooter. You know it’s my birthday tomorrow. I’m a Scorpio. What about you? So you were born in 1979 and you’re a goat like me in the Chinese zodiac? Cool! Hey, you know that I was just reading that most people use their birthday and pet’s name as a password. I thought it was only me. What, you do too? Aww, so cute. Well, nice meeting you.” Network access granted! And then if you’re not ensuring all personal, confidential, or sensitive IP is clearly marked, only stored in locked filing cabinets, always encrypted, and those files only on secure, encrypted, network drives, hackers are going to easily find those files accessible from limited access accounts with weak-passwords accessible by brute force.
  5. Do they do business with any entities sanctioned in your country?: If so, they are probably a no-go. You don’t want to be only one degree of separation removed from a sanctioned entity. (And, of course, they shouldn’t be sanctioned — because you shouldn’t be considering them at all if they are!)
  6. Would you have a backup plan if their suppliers or partners they relied on got sanctioned?: i.e. if you need to locate a complete production line in one geography, and there is only supplier of a key raw material or part in that geography, maybe you’re looking in the wrong geography
  7. What is their viewpoint on diversity?: great suppliers encourage diversity and look for good people that represent the entire cross-section of humanity in the area in which they operate; they don’t have arbitrary goals or the one Token black in the C-suite to check a box; they hire all races, cultures, religions, ages, etc., train them all, and then promote the best (and, over time, they build a diverse management team)
  8. Are their objectives aligned with your objectives?: If your objective is quality and distinction for the wealthy, and their objective is cut costs no matter what, they are probably not the supplier for you.
  9. Do they have a sustainability program. And is it sensible?: In some jurisdictions, they not only have to report down to “Scope 3”, but stay within a limit for overall emissions, or get in (financial) trouble (with fines, etc.). And if you have to report as well for doing business with them, or to satisfy the regulatory requirements of a region you operate in, and they can’t report to you, that’s not good. Not good at all.
  10. What level of risk will they add to your business?: If you’re happy with the answers to the first 9 questions, before you dive deep into certifying their products and services, their production lines and capacities, etc., ask this first. If the risk is too great in general, it might be a no-go before you start. And this is why you need a comprehensive TPRM platform to do a preliminary assessment.

And yes, Certa is one platform that might be able to help you, and one you should add to your RFP invite list if you don’t have a TPRM. We will note that they’re not the only one (and this could be relevant if you are in the EU and need a local provider), and that we’ll list others in Part 10 of our Source-to-Pay+ series, but close by stating that you should not overlook Certa. They’ve been around for a decade, have raised over 50M, likely integrate into whatever you’re already using in your Source-to-Pay process (with integrations to 100+ platforms and data feeds), have pre-built solutions for Compliance / Risk / ESG, and have a number of Fortune 500 clients.