Category Archives: Technology

The Public Sector is Giving Procurement Integrity A Bad Name … Can the Private Sector Fix It?

A recent article over on Global Government Forum on Procurement Integrity: A Big Problem That’s Worse Than Most Organizations Think, pointed out that errors, fraud and abuse in procurement cost governments and organizations millions of dollars every year, and even though recent headlines in the US (TriMark, Booz Allen Hamilton), UK (NHS, Royal Mail), and Canada (ArriveCan) are starting to shine the light on the extent of (public sector) procurement fraud, the problem is still bigger than you think. Much bigger.

Current estimates are that organizations, across the public and private sectors, lose 5% per year due to procurement errors, abuse, and fraud. Given that Global GDP is about 85 Trillion dollars, at 5%, that’s 4 TRILLION dollars estimated to be lost annually to errors, abuse, and fraud. And that’s probably a low-ball estimate, given that we just calculated that Over One TRILLION dollars will be wasted on IT software and services due, primarily, to lack of knowledge and/or outright stupidity (and not malicious intent, but if it’s easy for consultancies and third parties to considerably overbill for legitimate goods and services that you need, imagine how much they are fleecing you for goods and services that you don’t need and may not even receive).

It’s highly likely that the true cost of errors, abuse, and fraud (internal, collusion, and external) is closer to 10% of total GDP, or close to EIGHT TRILLION. That’s at least twice the GDP of every country on the planet except China and the United States. That’s a BIG PROBLEM, which is definitely not being helped by the 100M to Multi Billion Procurement Frauds being reported almost monthly across major western economies — and multi-million dollar fines don’t repair the damage. (They don’t even come close.)

This is damage which Procurement needs to repair — because Procurement is the only department that has any hope of putting proper procedures, processes, and platforms in place to minimize the errors; training the organizational employees on proper procedures and monitoring the implementations to prevent abuse; and putting in place proper detection systems to detect, and prevent, potential fraud and quickly identify and track it when it happens.

Unless all the bucks go through, and stop at, a modern Procurement department run by a CPO who puts in place proper people, processes, and platforms, loss is going to continue to run rampant. Which means that while the public sector is failing us daily, the private sector has to step up and restore the integrity of Procurement. It can start by utilizing some of the techniques in the linked article, and continue by continually learning and implementing the best technology and processes it finds to not only uncover significant savings in inflationary times, but return integrity and trust to big business, and give governments who have lost their way a model to follow.

And for more details on Bad Buying to avoid, and how to achieve Procurement with Purpose, the doctor suggests you start by following the great public procurement defender, Peter Smith.

Strategic Sourcing & Procurement for Technology Cost Optimization

Given that we recently published a piece noting that Roughly Half a Trillion Dollars Will Be Wasted on SaaS Spend This Year and up to One Trillion Dollars on IT Services, it’s obvious that one has to be very careful with technology acquisition as it is very easy to overspend on the license and the implementation for something that doesn’t even solve your problem.

As a result, you need to be very strategic about it. You certainly can’t put the majority of your technology acquisitions (which can be 6, 7, and even 8 figures) up for auction, as products are never truly apples to apples, so you should be running multi-round RFPs and then awarding to the vendor who brings you the best overall value for the term you want to commit to, once all things are considered.

But these have to be well thought out … you need to make sure that you are only inviting providers that are likely to meet 100% of your must haves, 80% of your should haves, and 60% of your nice to haves (and, moreover, that you have really separated out absolute vs highly desired vs wanted but not needed because the more you insist on, especially when it’s not necessary, the shallower the vendor pool, and the more you are going to end up paying*).

To do this, as the article notes, you have to know what processes you need to support, what improvements you are expecting, what measurements you need the platform to take, and what business objectives it needs to support. Then you need to align your go-to-market sourcing/procurement strategy with those objectives and make sure the RFP covers all the core requirements (without asking 100 unnecessary questions about features you’ll never actually use in practice).

You also need to know what quantifiable benefits the platform should deliver, both in terms of tactical work(force) reduction (as the tech you acquire should be good at thunking), and the value that will be obtained from the strategic enablement (in terms of analysis, intelligence gathering, guided events, etc.) the platform should deliver. If it is a P2P platform, how much invoice processing is it going to automate, and, based on that, how much is it going to reduce your average invoice processing cost? If it’s a sourcing platform, how much more spend will you be able to source (without increasing person-power) and what is a reasonable savings percentage to expect on that? Understand the value before you go to market.

Then you need to understand how much support and help you need from the vendor. If you just want a platform that does a function, then you just need to know the vendor can support the platform in supporting that function. But if you need help in process transformation or optimization, customized development or third party tool integration for advanced/custom processes, etc., you need a vendor that can not only provide services, but also be a strategic provider for you as well.

And so on. For more insights, we suggest you check out a recent article by Alix Partners on Strategic Sourcing and Procurement for Technology Cost Optimisation. It has a lot of great advice for those starting their strategic procurement technology journey.

*Just remember, if you’re a mid-market, and you’re flexible (i.e. define what a module needs to accomplish for you vs. a highly specific process) you can get your absolute functionality and most of your desired functionality for 120K in annual SaaS license fees, excluding data feeds and services. If you’re not flexible, or not really strict in really separating out absolute vs strongly desired vs nice-to-have, you can easily be paying four times that.

Also remember, if you’re enterprise, your absolutes and strongly desired are much more extensive, typically require a lot more advanced tech (like optimization, predictive analytics, ML/AI, etc.), and licenses fees alone will cost you in the 500K to 1M range annually at a minimum, not counting the 100K to 1M you will need to spend on the implementation, data cleansing and enrichment, integration, training, and real-time data feed access, so it is absolutely vital you get it right!

Finally! A “Think Tank” Article that Gets It Right!

the doctor has been reading a lot of “think tank” and “thought leader” articles lately that are completely off the mark. Some are so bad that he’s wondering if the publications are paying interns who know nothing about the space to use “chat j’ai pété” (Chat-GPT) to hallucinate content for them. (And, as you’ve seen, some are so bad and/or make him so angry that he just has to rant about them. Our space don’t get no regard at all as it is. The last thing we should be doing is providing anyone who takes the time to read about it with misleading or wrong information).

All that being said, Supply Chain Brain recently published an article on 2024 Predictions: A New Era of Strategic Supply Chain Design by Donald Hicks, the CEO of Optilogic. In it, he makes six predictions for the new era of strategic supply chain design in 2024.

The first five predictions were good.

1. A shift from short-term to strategic thinking.

COVID demonstrated that we’ve reached the end of short-term JIT thinking, and the recent geopolitical turmoil since has only heightened that reality. Any company that wants to survive has to go back to focus on mid-to-long term strategic thinking that will help it mitigate the plethora of risks it is being hit with and assure supply.

2. An end of the age of unlimited cheap suppliers.

Especially since the majority of these were based in China. As the author notes, China-US relations are deteriorating fast and the Chinese economy is underperforming. Moreover, as a result of COVID, logistics are uncertain and considerably more expensive from China (due to less carrier space, as many ships were scrapped during COVID for insurance settlements, and the need to sail around the capes, due to the Red Sea situation and the prolonged Panamanian drought). So, companies need to start looking elsewhere, and since they let their best suppliers in Mexico and South America wither and die, there aren’t many good options at the moment.

3. Demand for vendor transparency.

In addition to customers becoming more discerning, as the author notes, there are more supply chain regulations that need to be adhered to globally, more sustainability regulations, more denied party regulations, and so on. Companies need to know who they’re dealing with; that all supply chain, sustainability, and regulatory requirements are met; and that any desires of its customers can be met.

4. Market turmoil and the rise of new leaders.

This year is projected to witness down rounds, market turmoil, and a reassessment of strategies. Most definitely. VC went too hot and heavy before COVID trying to force unicorns where the foals weren’t even breeding stock, and then lost heavy in the SVB failure; and PE, trying to get a piece of the payments, online collaboration, and/or FinTech market during COVID paid ridiculous multiples for rather basic offerings that weren’t even complete — and that would never demand the price tag the investors expected. As a result, these PE firms are now looking at payback timeframes of a decade or more, if they’re lucky. This means that cash is sparse, investments will be sparser, and some companies (that overspent and can’t get the valuation) will not survive.

5. Digital Twin Skepticism.

Every supply chain technology vendor is clamouring to tell you about their digital twin capability, but the term “digital twin” is a marketing creation that can’t live up to its ambitious name. Companies don’t always have all the data (or quality data) relating to supplier orders and timelines, inventory levels and factory production in separate operational systems, much less a single location.

There’s no digital twin without complete data, and there’s no complete data. Modern manufacturing companies and direct buyers are figuring this out and not falling for outlandish claims anymore.

The sixth prediction was absolutely fantastic!

6. Artificial intelligence exhaustion, and a return to old-school evaluation.

Hear, hear! Smart companies are getting fed up with the ridiculous claims made by new Open/Gen-AI companies and the paltry results that were delivered, if any. They’re also fed up with the high price tags relative to the limited value they’ve received from “AI” so far.

Thus, rather than relying on the mere claim of being AI-enabled, companies should be expected to showcase their capabilities, substantiate their claims with proof, and provide clear reasons for belief, signalling the return to a more traditional approach to purchasing decisions.

Hear, hear!

Another “think tank” article on digitizing procurement that’s off-the-mark!

A recent article in Supply Chain Brain noted that you should be seizing the opportunity for digitizing procurement and the doctor completely agrees. Nothing should be paper based in Procurement today. There’s no excuse for it.

And yes, multiple developments in supply chain are converging to create an unprecedented digital opportunity for procurement professionals. Furthermore, since procurement teams are in a position to reshape how they work and create value across the supply chain, if you master and combine emerging and maturing technologies in strategic ways, you can revolutionize Procurement and business performance.

But digitizing, by definition, means moving processes from scrolls to systems, from the dark basement to the illuminated screens. It DOES NOT mean that:

  • you use Gen-AI or even machine learning
    there may be tasks where you apply point-based ML, but that comes after the digitization of an appropriate process
  • you use cognification to illuminate (concealed) processes
    especially when it could illuminate you should never have digitized the process in the first place
  • you accelerate workflow through automation
    you automate what you can, and while that includes the acceleration of tactical paperwork processing and thunking, sometimes humans have to step back and think about the data received, insights produced, and options available before making a decision … you don’t accelerate whatever amount of time it takes a human to make a good decision (and, instead, focus on automating and accelerating any non-strategic tactical “thunking” tasks that prevent them from focussing their brain power where it’s really needed)
  • you go straight to content personalization
    when the users might not even know how to use the baseline systems (and, in the process, create a nightmare for the support personnel)

Digitizing Procurement starts by:

  • understanding what processes you are using now
  • understanding if they are appropriate or they should be optimized
  • identifying off-the-shelf best-of-breed modules, mini-suites, suites, and/or intake-to-orchestrate platforms and implementing them
  • identifying key points where RPA, ML, or other advanced techs can make the process even more efficient
  • then identifying the right advanced tech to use

Not starting with it. You should never try to run a race before you can walk. The only “impactful opportunity” identified in the article you should start with is

  • adopting ecosystem thinking to enhance data

At the end of the day, nothing works well without good data. So get the data right, and everyone aligned to get the data right, and that will get you further, and help you do better, than any piece of modern tech you can try to throw at the problem.

Darkbeam: Shining a Light on your Supply Base Cyber Risk

In part 9 of our Source-to-Pay+ series, we talked about the need for cyber risk monitoring and prevention because, in today’s hyper-connected SaaS world, nearly half of an organization’s data breaches originate in the cloud. These risks don’t just come from cyber criminals. Some come from less-than-scrupulous employees and others come from suppliers, even well-meaning ones. After all, who cares if the front door is locked when the back door is wide open?

Why do you care about your supplier’s back door? What do cyber-criminals want?

  • money
  • valuable intellectual property
  • exploitable personal data

Where can they get this?

  • account hacking, which is hard, or payment redirection, which is a lot easier
  • your ultra-secure server which is locked down tighter than Fort Knox with everything on it encrypted with 256-bit AES, or the relatively unprotected Google Drive your supplier stores it on (as the file will be open to anyone who can compromise the account)
  • your double-encrypted HR database stored in a secure AWS instance, or the plain-text Microsoft Word documents stored on the supplier’s sales rep’s laptop with its unencrypted hard drive and an utter lack of virus protection and internet security software

In other words, if your supplier has:

  • a lot of your money coming its way
  • your intellectual property
  • your executives’ personal data

and their cybersecurity is not as good as yours, you can be sure the cybercriminals are going to be going to, and through, them to get to you.

So you need to know which of your suppliers are at risk, so you can reach out to them and work with them to close the holes and eliminate the risks to them, and you. And for suppliers that you do significant business with (and regularly send million dollar payments), who hold your patented IP (for custom manufactured electronics, etc.), or store your employees’ and/or customers’ HR data, you need to not only assess their vulnerabilities but continuously monitor for threats.

You need a supplier vulnerability assessment and monitoring solution that can identify vulnerabilities, help you communicate those to your supplier, detect improvements, and, most importantly, identify new threats as they emerge that could cost you, or your supplier, significantly.

Darkbeam is one of these solutions. It offers both capabilities: continuous vulnerability monitoring across your entire supply base (at a very affordable price point that starts at a mere £25,000 a year, which is low-end for any cybersecurity solution) and continuous threat monitoring and assessment of critical suppliers in your supply base (which you can add for an incremental cost that can be as low as £10,000 a year for your ten most critical suppliers).

The vulnerability assessment solution monitors:

  • Connections: SSL certificates and associated validations (hosts, IP, TLS, etc.)
  • Privacy: e-mail and cloud servers and configurations and breaches (esp. email addresses)
  • HTTPS: web site configuration, cookies, and port security
  • DNS: DNS record completeness, security, and recent changes
  • Blacklist: domain and email blacklist monitoring
  • Exposure: shared host identification, domain permutation monitoring, favicon, exposed subdomain monitoring, etc.

Cyber-weakness in each of these areas is highly relevant because it could allow hackers and cyber-criminals to exploit your supplier, and you, in ways that include, but are not limited to, the following:

  • an expired SSL certificate could allow a cybercriminal to register a fake certificate that validates a fraudulent facsimile of the actual site
  • exposed email accounts could allow a cybercriminal to masquerade as a supplier representative and change banking details for payment
  • an insecure site configuration could provide a backdoor into your entire network
  • incomplete DNS records could be completed by a cybercriminal and redirect traffic to a fraudulent site
  • if a domain shows up on a blacklist it could prevent email/traffic to/from the domain; and if emails show up on a blacklist, it could indicate compromised emails and/or emails not being received by their intended recipients
  • if a supplier’s website is on a shared host that is used by a lot of other sites (that are insecure), a number of (one-character-off) permutations of the supplier’s domain have been registered, favicons are being replicated, etc. then that is a strong sign the supplier is being targeted by cyber criminals (that could be coming for you, or your customers, through them)

Based on this assessment, Darkbeam computes a cyber-risk score (out of 999): the lower the better, and the higher the more concerned you should be (and the sooner you should reach out to your [potential] supplier to have a conversation about what they are doing to increase their cybersecurity, especially if they have, or will have, your IP or personnel data).
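As an added illustration of the “domain permutation monitoring” described above (example code written for this page, not Darkbeam’s), the following generates every one-character-off variant of a supplier’s domain and flags which of them appear in a constructed list of observed registrations; a real monitor would feed in zone-file or passive-DNS data instead of the constructed list.

```python
import string

# Characters allowed in a (lower-case) DNS label; used for substitutions and insertions.
CHARSET = string.ascii_lowercase + string.digits + "-"


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'acme-widgets.com' into ('acme-widgets', 'com').

    Only the registrable label is permuted; the suffix is kept as-is.
    Assumes a single-label suffix (no 'co.uk' handling) for brevity.
    """
    label, sep, suffix = domain.lower().rpartition(".")
    if not sep:  # bare label with no suffix
        return suffix, ""
    return label, suffix


def one_edit_permutations(domain: str) -> set[str]:
    """All domains whose registrable label is exactly one edit from the original."""
    label, suffix = split_domain(domain)
    variants: set[str] = set()
    for i in range(len(label)):
        # omission: acme-widgets -> acmewidgets
        variants.add(label[:i] + label[i + 1:])
        # substitution: acme-widgets -> acne-widgets
        for c in CHARSET:
            if c != label[i]:
                variants.add(label[:i] + c + label[i + 1:])
        # transposition of adjacent characters: acme-widgets -> amce-widgets
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label) + 1):
        # insertion: acme-widgets -> acmee-widgets
        for c in CHARSET:
            variants.add(label[:i] + c + label[i:])
    variants.discard(label)  # the supplier's own domain is not a lookalike
    # keep only syntactically valid labels (non-empty, no leading/trailing hyphen)
    return {
        (f"{v}.{suffix}" if suffix else v)
        for v in variants
        if v and not v.startswith("-") and not v.endswith("-")
    }


def find_lookalikes(domain: str, observed: list[str]) -> list[str]:
    """Return the observed registrations that are one edit away from the supplier's domain."""
    candidates = one_edit_permutations(domain)
    return sorted(d.lower() for d in observed if d.lower() in candidates)


# Constructed sample: "newly seen" registrations from a hypothetical feed (not real data).
OBSERVED_REGISTRATIONS = [
    "acmewidgets.com",       # omission of the hyphen
    "acme-widgets.com",      # the supplier's real domain; must not be flagged
    "acme-wldgets.com",      # substitution (i -> l)
    "acme-wigdets.com",      # transposition (d <-> g)
    "acme-widgets-inc.com",  # more than one edit away; not flagged
    "example.org",
]

if __name__ == "__main__":
    hits = find_lookalikes("acme-widgets.com", OBSERVED_REGISTRATIONS)
    print(f"{len(hits)} lookalike(s) registered:", hits)
```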

The threat monitoring and assessment solution is a service: the Darkbeam cyber-intelligence team continuously monitors the web and dark web for potential threats, investigates those it detects, and, if a threat is relevant, sends you a report on which you can take immediate action, up to and including involving the proper authorities (whom they have experience working with in multiple countries).

They literally monitor dozens of legit security and threat-intelligence sites (where general cyber security firms release warnings of cloud or software insecurity along with known breaches) as well as dozens of dark-web sites where shady characters like to sell, or at least indicate the presence of, IT, Trade and Finance secrets they should not have. On many occasions, they have detected breaches and data theft even before the supplier’s IT team knew about it (and definitely well before you did, if you were ever told).

If an incident or threat is detected, the threat report you receive will outline the issue (e.g. data exposure / breach), the root cause (e.g. system breach, ransomware, etc.), when it was detected, how it was confirmed, and what is currently being done / monitored. It will then outline the perceived severity (e.g. medium due to potential IP leakage, high due to personal data likely being stolen) as well as any potential follow-on risks (e.g. personal logins that can compromise other systems). It will summarize the currently known information uncovered by the analysts and the current status (which could be ongoing). And it will provide current recommendations, such as reaching out to the supplier, changing logins and/or locking down your systems, reaching out to various agencies, etc.

All in all, Darkbeam is a great Supply Chain Cybersecurity solution and should be on your consideration list if you don’t have such a solution already. Cyber attacks are coming, and it’s best to be ahead of the issue than behind it.