Category Archives: Technology

Roughly Half a Trillion Dollars Will Be Wasted on SaaS Spend This Year and up to One Trillion Dollars on IT Services. How Much Will You Waste?

Before we continue, yes, that is TRILLION, numerically represented as 1,000,000,000,000, repeated twice in the title and yes we mean US (as in United States of America) dollars!

Gartner projects that IT spend will surpass 5 Trillion this year. When you consider that 30% of IT spend is usually for software, and that one third (or more) of software spend is wasted (for unused licenses, which is why we have a whole category of IT and SaaS specialists that analyze your out-of-control SaaS and software spend and typically find 30% to 40% overspend in a few days), that means that roughly half a trillion dollars will be wasted on software this year.

Even worse, Gartner projects that spending on IT Services will reach 1.5 Trillion. And the waste here could be two thirds! Now, we all know that you need IT services to implement, integrate, and maintain those IT systems you buy. But how much do you need? And how much should you pay? If an intermediate software developer should be making 150K a year (or 75/hour), then an intermediate implementation specialist shouldn’t be making any more than that, and shouldn’t be billed at more than 3 times that (or 225/hour). But how much are you being billed for a relatively inexperienced implementation consultant, with maybe a few years of overall experience and maybe six months on the system that you are installing? the doctor knows that rates of $300 to $500 are not uncommon for these resources that are oversold and overcharged for.

But this isn’t the worst of it. As per our upcoming article Fraud And Waste Are Not The Same Thing, many implementation “partners” will try to get all they can get and make sure that when you go in for a penny, you go in for a pound and they will push for:

  • frequent change orders during implementation, usually billed at excessively high day rates as they have to “divert resources” or “work overtime”
  • unnecessary customizations or real-time integrations that are an extensive amount of work (and cost) when out-of-the-box or daily flat-file synchs are more than sufficient
  • extensive “process evaluation” or “process transformation” processes that are well beyond what you need to eat up consulting hours
  • extensive “best practice” education when your practices are good enough for now and/or those best practices are already encoded in the system you just bought and paid a pretty penny for and just following the default process gives you the same education

That will often double to triple the cost. But that’s not the worst of it. As per comments the doctor has made on LinkedIn, he regularly hears stories of niche providers losing 200K deals because customers said their quote was too low, since all the Big X companies had quoted over 1,000K for what should be 100K worth of work in the niche provider’s view (and, right or wrong, if a niche firm comes in lower with a detailed proposal, they should be evaluated — maybe the Big X, working from a very general request, overestimated your requirements and the effort, or maybe the niche firm completely underestimated it — how will you know if you don’t evaluate all the responses?). Literally. This is because, as the doctor has noted in previous posts and comments on LinkedIn:

  • they don’t always have the talent in advanced tech (and even The Prophet has noted their lack of talent in areas of advanced tech in multiple LinkedIn posts, though he has been much more diplomatic than the doctor in discussing their lack thereof; but he did note in a 2024 advice post that consultancies are going to have a hard time attracting talent this year) — for every area, an average firm will have a team leader who’s a superstar, two or three handpicked lieutenants who are above average, and then 20 to 40 benchwarmers who are junior and not always worth the rate they are charging; now, as with every general observation, there are exceptions (with some Big X recently acquiring a number of best-in-class technology, analytics, and AI vendors that give them top-notch world class talent, and others actively recruiting top talent from the best tech firms, but every firm is different, and, most importantly, every need is different — it’s up to you to fully qualify your need, review the proposal carefully, and vet the proposed talent, otherwise, it’s your fault if you overpay, fail miserably, and don’t get value)
  • some of these firms have an incredible overhead — they got big in good times and built posh offices to house the partners making more than top lawyers who have a lifestyle to maintain (or, in some cases, they just acquired expensive real estate in premiere locations)
  • they don’t always have the knowledge of, or experience in, modern tools — some of which are ten times more powerful than last generation tools; this, of course, means that, in these situations, Big X benchwarmers are using last generation tools which take ten times the manual labour to extract value from
  • etc.

Unless you want to pay 1K an hour, at some of these firms, you’re not guaranteed to get that one superstar resource who is trying to be the front end to two dozen projects that his three lieutenants are trying to manage, all of which are staffed by junior to intermediate individuals who can barely follow the three to five year old playbook. (While if you chose a different Big X firm that just acquired a whole consultancy with dozens of top analysts, it’s a different story.)

There’s a reason that The Prophet predicted in his 9th prediction that SaaS Management Solutions [will] Start to Eat Services Procurement Tech and that many companies will go in house if they have tech expertise. Because he realizes that these consultancies will have a hard time not only hiring, but retaining, tech talent when they have hiring freezes, salary freezes, and reduced engagements as more and more companies can’t afford the ridiculous rates they’ve been charging recently. (Companies may not have had a choice during COVID where it was implement on-line collaboration and B2B tech or perish, but now they do.)

But there are still many companies who will, when they encounter a (perceived) tech need, immediately pick up the phone and call their favorite Big X firm and bring them in to help them understand who to bring in for an engagement, instead of widening the net to niche providers who might be 3 to 5 times cheaper, and who will deliver results at least as good, if not better, or, if their proposals won’t cut it, will validate when that multi-million proposal is a great value and will deliver the expected ROI.

Now, again, the doctor would like to stress that, despite how much he insists they are usually not the right solution for specialist advanced tech implementations that aren’t the enterprise systems and suites they usually implement, Big X are not all bad, and sometimes worth many times more than the high fees they charge. [See when should you use Big X?] Most of these companies started off as management/operational/finance/strategy consultants and grew big because they were one of the best, and in certain domains, each of these companies still is. As they grew, they added more areas and became experts in those. But no company can, or should, be expected to be an expert in everything!

And while there will be exceptions to the rule (as every one of these companies has some tech geniuses), the reality is that when you need more bodies than there are talented bodies in an entire industry, you’re not going to get them and, because consultancies are not cool when you want to be a tech superstar (and join a startup that becomes a unicorn), the ratio of superstar to above average to average to below average talent in these organizations is much thinner than in multinational tech companies (like Alphabet, Apple, Meta, Microsoft, etc.). (Because if they were the best of the best, there’s no way they’d lay off 10,000 employees at a time every time the market jitters.)

In short, manage that IT services spend carefully, or you’ll be double paying, triple paying, or worse and providing a big chunk of the roughly ONE TRILLION DOLLARS in IT services overspend that the doctor predicts will happen (again) this year. (Unless, of course, you agree with Doctor Evil who says, why make trillions when we could make … billions. Because that’s exactly what happens when you overpay for software and services. Don’t expect the Big X or Mid-Market to say anything as they get the majority of that overspend, and that’s how they stay so profitable. Plus, they usually need those revenues to deliver what you’re asking for, as ill-defined projects mean they need to make a lot of assumptions and often over engineer to decrease the chance you will be disappointed in the result! In other words, if you overpay due to your lack of research and preparation, it’s on you.)

Technology for Supplier Onboarding is the NOW, not the Future!

In fact, for any company that hasn’t been in a cave for the last TWO (2) decades, it’s the past!

Needless to say, the doctor was shocked to see this recent headline in Supply Chain Digital that purported to answer why technology is the future for supplier onboarding because either you’re using technology for supplier onboarding today, or you’re not going to be around much longer as a company.

Without a good solution, the time it takes to collect and evaluate enough data to even determine if the supplier is legit, in your industry, appropriately certified, not on any banned lists, financially stable, with real customers, etc. is days, sometimes weeks. And then the time to evaluate the supplier to supply even a single product can be weeks, especially in direct, when you have to trace the product components down to the raw material source to make sure there are no conflict diamonds, no Congolese cobalt, and no indentured / kafala / slave labour in the mines your metals come from.

Even though the article headline is, well, wrong, there are some good points in the article.

Having a strategic approach to supplier onboarding is a key component of supply chain risk management. Most definitely. You don’t want to hook up with a supplier that’s just going to increase your risk, stop your production lines, bring regulatory and compliance investigations your way, and possibly get your CFO or CEO in hot water because you had them sign off on a supplier as being safe when, in fact, it was the business equivalent of a landmine.

With a properly configured supplier management solution, you can check that a supplier meets all of the basic regulatory requirements, financial requirements, and baseline operational requirements in a minute. Literally. You plug in the name and ONE governmental ID code and it pulls in every single piece of information in government systems, third party finance / ESG / Risk databases, insurance and compliance databases, and community intelligence gathered in its systems and indicates if the supplier:

  • failed any registration checks
  • failed any denied party checks
  • has any owners, directors, investors, or connected parties that failed a check
  • has filed its financial reports and is not rated as a going concern
  • has reasonable ESG ratings
  • has any reports of, or known connections to, forced/child/slave labour
  • has valid insurance
  • has valid regulatory compliance certificates
  • any other requirement that can be looked up from a public database

And you know if there are any alerts or failures within minutes, not hours, days, or weeks.

Which lets you dive into evaluating whether or not they can supply the product you need at the quality and quantity, and in a manner that is not quixotic to your business environment.

You can then define additional requirements for automatic lookup, ask for tier 2 suppliers, do the same automatic checks on those, specific to the component or raw material they are providing, and if all that passes, which you will know in minutes, then you can begin the real research in minutes, not hours, days, or weeks. And the real research can take days, or weeks (and sometimes more) in real time when you need to look deep into the production capabilities, the labour that is used, the materials that are used, and the quality of the finished good (which you may need to see a sample of). But the last thing you want to do is waste weeks trying to get to this point only to find out three weeks in that the supplier is on a banned list for one of your main marketplaces, the tier 3 uses cobalt from the Congo (and if you don’t know why that is bad, do ONE minute of web research [unless, of course, you are a psychopath or sociopath with no regard for human rights or even welfare]), or is facing multiple lawsuits for unsafe products in multiple countries.

It is imperative that C-suiters “act with urgency around risk”. Nothing could be truer. It seems that risk is doubling every day. You need to be ready, and while you can’t be ready for everything, you can minimize the chances of risk by ensuring that your suppliers are not adding risk and, in fact, as dedicated as you in minimizing their risk profile. Moreover, if you have a good supply base, they can work with you to mitigate the impact of disruptions when those disruptions rear their ugly head.

“This year we expect to see increased ESG regulation”. It’s coming, and the best way to be prepared for it is with systems that can run checks, collect the required data, flag potential issues, and make sure you keep on top of whatever you need to in order to comply with those regulations.

“Invest in your processes, to ensure you can do more with the same, or fewer, resources. This usually means automating your supply chain data, so you’re finding new suppliers or managing existing suppliers.” Definitely.

Technology has a vital role to play in supplier onboarding. Most definitely. Except you should have been using it for the past two decades, not looking for a solution today. Why do you think there are 100+ vendors offering supplier management solutions? Because they’ve worked wonders (relative to not having any solution) since they were first introduced two decades ago. And, most importantly, they’ve gone from simple information management solutions to advanced data collection, validation, and risk assessment solutions where you can quickly validate, analyze, and decide if you want to even consider engaging with a supplier in minutes. You can also collaborate, develop, and implement supplier programs. And you can even orchestrate supply networks with modern solutions.

So if your solution doesn’t solve your CORNED QUIP mash of supplier management problems, maybe it’s time you found a new one. You can’t wait for the future to solve your supplier management problems, you need to solve them today!

Forget Consequence Free. I wanna be Gen-AI Free!

To the tune of Consequence Free by Great Big Sea.

Na na-na, na na na-na na na!
Na na-na, na na na-na na na!

Wouldn’t it be great,
if no one ever was redundant?
Wouldn’t it be great,
if we made all the decisions?

I’ve always said,
All the rules are made for bending.
And if I did the right thing,
What’s wrong with that vision?

I wanna be Gen-AI free!
I wanna be where humans always matter.
I wanna be Gen-AI free!
And say: Na na-na, na na na-na na na!
Oh! Na na-na, na na na-na na na!

I could really use,
To lose my ethical conscience.
Cause I’m getting sick,
Of feeling angry all the time.

I won’t abuse it,
Yeah I’ve got the best intentions.
For a little bit of anarchy,
But not the hurting kind.

I wanna be Gen-AI free!
I wanna be where humans always matter.
I wanna be Gen-AI free!
And say: Na na-na, na na na-na na na!
Oh! Na na-na, na na na-na na na!

Oh! I couldn’t sleep at all last night,
‘Cause I had AI on my mind.
Why can’t we leave it all behind,
You know it could be that easy.

It just takes one person
Wouldn’t it be great,
If the CEO made that call
We could do the work,
And we would never get the slip.

Wouldn’t need to worry about illogic or bad data.
We could slip off the edge,
And never worry about the fall.

I wanna be Gen-AI free!
I wanna be where humans always matter.
I wanna be Gen-AI free!
And say: Na na-na, na na na-na na na!
Oh! Na na-na, na na na-na na na!
Oh! Na na-na, na na na-na na na!

the doctor, while an early adopter of SSDO, rule-based RPA, Machine Learning, and other “AI” technologies, is serious here. Gen-AI is garbage at best, bull crap the majority of the time, and toxic waste when it fails. What other technology produces hallucinations, hate speech, and hot (as in stolen) data on a regular basis? What other technology has literally convinced people to commit suicide?

It’s not ready for prime-time, and may never be. Go back to carefully constructed NLP solutions on carefully designed data sets that actually work. We don’t need Artificial Idiocy where you need more training in prompting to have a chance at solving a problem than developers need training in coding to write a reliable deterministic algorithm that actually solves the problem. Sure it seems to work “okay” 90% of the time with normal usage, but what about that 9% of the time it doesn’t or the 1% it fails so drastically it could cost you millions of dollars in direct and indirect damages? Is it worth it? (The answer is NO!)

Some light reading. More can be found by Googling Gen-AI Fails and similar search terms.

An Introduction to TPCM: Third Party Compliance Management

TPRM: Third Party Risk Management is Big. Really Big. In fact, as evidenced by recent investments over the past year (Spectrum’s 200M investment in RapidRatings in 2022, Vista Partners acquisition of Resilinc, and now the 1.2B acquisition of Exiger by Carlyle and Insight), it’s HUGE. Actually HUGE! (Not Trump huge. In fact, the exact opposite. 😉 )

Why? The pandemic finally caused the space to wake up and realize not only how significant long-term disruptions are, but how much risk has been embedded in over-extended global supply chains over the last thirty-plus years (thanks to the global sourcing craze started by the Big X and Mid-Sized Consultancies that chimed in during the 90s as a method of “cost savings”, which really just resulted in “spend transference” to big consultancy pockets and the buildup of risk, and risk related debts, in the supply chain that, just like technical debt, always comes due someday). Big corporations have finally realized they need to manage that risk, or at least maintain constant visibility into it, if they want to get the supply they need to just stay in business. (At the end of the day, “cost savings” don’t matter if you don’t actually stay in business, which is what happens when you don’t receive any products to sell. So you need to assure supply first, and then avoid unnecessary cost second — especially since there is no real “savings”, just cost avoidance with improved processes, designs, networks, management, etc.)

As a result, these companies, who were mostly clueless about the risks (sometimes by choice), needed solutions now to at least get insight into the risks so they could plan mitigations, or at least take action when something happened. Since their traditional enterprise / manufacturing resource management, supply chain, source-to-pay, or back-office systems didn’t give them the insight they needed, they finally started to turn to TPRM (and in some cases, broader SCRM – Supply Chain Risk Management) systems in a big way.

And that’s great. Until it isn’t. As a result of all of the supply chain failures and the impending disasters they created across supply chains, not just health and defense, governments have started taking action and introducing a lot more regulatory compliance into the mix. This is at the same time they are waking up to the wild west of technology and introducing a lot more regulation into the mix around personal data and use of AI. And with fraud and money laundering seemingly increasing without end, there’s a lot more regulation around partner due diligence. And then there is the reality that the world is heating up (whether you believe in climate change or not), that this heating up is contributing to an extremely substantial increase in natural disasters, that temperature is correlated with carbon and greenhouse gasses (GHG) in the atmosphere, that we are currently producing a lot of carbon and GHG as a species, and while we may not have been entirely responsible for getting here (as there are other factors that cause temperature to naturally rise and fall on a planetary scale — although the changes we’ve seen in the last few decades have historically taken centuries or millennia looking at the geological record), we need to do everything we can to not make it worse (or risk natural disasters on a scale that have not been seen for millennia, and that have sometimes even led to extinction level events in the past). In response to this, countries are making commitments to the Conference of the Parties of the UNFCCC and instituting legislation limiting the carbon you can create (without fines or fees to offset that, presumably fines or fees that will be invested in greener energy options, but we have to admit many governments haven’t thought that far ahead) and the amount of other pollutants you can pump out.

In other words, not only do companies have to worry about more risks than they are aware of, they also have to deal with more regulations than they can easily keep track of (and, when they’re not on the ball, they don’t find out about them until they get a fine) — as well as dedicate way more time than they should gathering the required information for, and filling out, the appropriate reports and filings.

Moreover, and this shouldn’t surprise you, the vast majority of TPRM (and even SCRM-TPRM) systems don’t help with this at all. While they can be configured to detect issues that may represent potential violations, they generally don’t collect the reporting data that is required and typically don’t provide the detailed trickle-down visibility that is needed to verify that key requirements — such as personal data protection, no forced labour, etc. — are truly adhered to throughout the chain.

That’s why many big multi-national organizations, especially those that collect and process personal data, do a lot of global importing or exporting, or deal with extended supply chains and have to comply with extensive privacy regulations AND data protection laws in the finance sector, have to comply with hundreds of sanctions and denied party lists globally (as well as ensure there are no connected beneficial entities on those lists), and/or need visibility down to the source on human rights, need a solution that understands the regulations they are subject to, encodes the data they need to collect and the violations (special types of risk) they need to monitor for, and helps them produce the reports and regulatory filings they need to make.

And the only system that can do this is a Third Party Compliance Management solution, which has some commonality with a Third Party Risk Management solution, but also a lot of differentiation as well. Most organizations won’t know they need such a solution, as they won’t even know that such a solution exists (as there’s not many solutions and not much buzz about them … yet). Hopefully this post will change all that. Even though the solutions are two sides of the same coin, the sides haven’t met yet, and until they do, which could be years (and years and years) away (because no one has really thought about the hard center yet), for many companies, what they really need is a TPCM solution.

10 Great Questions to Pre-Qualify a Vendor Before Onboarding for a Deep Dive, Courtesy of Certa

A recent article in the SCMR by Jag Lamba, the CEO of Certa, a Third Party Risk Management (TPRM) vendor headquartered in California and focussed on compliance, risk, and ESG had some very good questions to ask before engaging with a US vendor, but some of them were very US-centric and others took a platform based approach. (You certainly need a platform, but certain areas, like security, go beyond the platform.)

But if we generalize these questions, they are relevant for everyone, and make it clear why you need a Third Party Risk Management (TPRM) platform that goes beyond just key suppliers/vendors, and beyond product and service needs. (And if you’re wondering why you need a TPRM, check out Part 4A and Part 4B of our new Source-to-Pay+ series where we are currently focussing on Risk Management.) They’re also industry independent and can allow you to short circuit a time-consuming industry (product/service) specific diligence because if the third party fails any of these questions, why would you bother going deeper? Just move on to the next contender!

  1. Does the vendor meet the needs of its customer base?: Any major negative news headlines? Any drops in financial performance? Any grumblings on Glass Door? Any of your counterparts in local groups or associations using them and bad mouthing them?
  2. Does the vendor have the operational capability AND capacity to serve you?: If you need a modern machining process or a vendor who can produce a minimum of a million units, don’t bother with any vendors that don’t have the process or can’t produce a million units.
  3. What financial and sustainability reporting process are they subject to?: The best way to ascertain their ability to stay compliant with financial and other regulatory (like ESG) requirements is to review the government reports. (They may [white] lie in their marketing, and then claim you misinterpreted, but they’re not as likely to lie to the government who could fine them, criminally charge them [in some countries], or shut them down.)
  4. How do they approach security?: Not just cyber security, but facility security, personnel security, and information security. Over half the attacks come from the cloud because it’s easy: when you leave a security hole, hackers don’t have to leave their basement, they can attack you half a world away, and face no repercussions because there are no extradition treaties and the local authorities just don’t give a f*ck if they aren’t doing any criminal activity in their country. But when that fails, their local counterparts try to break into the facilities — if the vendor stores unsecured physical copies of critical IP, local backups of sensitive IP on unsecured USB/Zip/Thumb drives, or a lot of money on site — all someone has to do is walk in with a workman’s uniform, enter the backroom to check the wiring when no one’s in it, stuff something in their workbag or pocket, and, buh-bye. If your personnel are not trained to detect social engineering attempts, then someone’s going to have a little chat with them, something like “Hi, what do you do? Oh, is that your doggie in the picture, what’s your doggie’s name? My doggie’s name was Scooter. You know it’s my birthday tomorrow. I’m a Scorpio. What about you? So you were born in 1979 and you’re a goat like me in the Chinese zodiac? Cool! Hey, you know that I was just reading that most people use their birthday and pet’s name as a password. I thought it was only me. What, you do too? Aww, so cute. Well, nice meeting you.” Network access granted! And then if you’re not ensuring all personal, confidential, or sensitive IP is clearly marked, only stored in locked filing cabinets, always encrypted, and those files only on secure, encrypted, network drives, hackers are going to easily find those files accessible from limited access accounts with weak passwords accessible by brute force.
  5. Do they do business with any entities sanctioned in your country?: If so, they are probably a no-go. You don’t want to be only one degree of separation removed from a sanctioned entity. (And, of course, they shouldn’t be sanctioned — because you shouldn’t be considering them at all if they are!)
  6. Would you have a backup plan if their suppliers or partners they relied on got sanctioned?: i.e. if you need to locate a complete production line in one geography, and there is only one supplier of a key raw material or part in that geography, maybe you’re looking in the wrong geography
  7. What is their viewpoint on diversity?: great suppliers encourage diversity and look for good people that represent the entire cross-section of humanity in the area in which they operate; they don’t have arbitrary goals or the one Token black in the C-suite to check a box; they hire all races, cultures, religions, ages, etc., train them all, and then promote the best (and, over time, they build a diverse management team)
  8. Are their objectives aligned with your objectives?: If your objective is quality and distinction for the wealthy, and their objective is cut costs no matter what, they are probably not the supplier for you.
  9. Do they have a sustainability program, and is it sensible?: In some jurisdictions, they not only have to report down to “Scope 3”, but stay within a limit for overall emissions, or get in (financial) trouble (with fines, etc.). And if you have to report as well for doing business with them, or to satisfy the regulatory requirements of a region you operate in, and they can’t report to you, that’s not good. Not good at all.
  10. What level of risk will they add to your business?: If you’re happy with the answers to the first 9 questions, before you dive deep into certifying their products and services, their production lines and capacities, etc., ask this first. If the risk is too great in general, it might be a no-go before you start. And this is why you need a comprehensive TPRM platform to do a preliminary assessment.
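As an added illustration (written for this page, not Certa’s product or any vendor’s API) of both the automated onboarding screen described in the supplier onboarding post above (plug in a name and one government ID, run registration, denied-party, connected-party, financial, insurance and certificate checks) and the fail-fast idea in this list (if a third party fails any gating question, don’t spend time on the deep dive), the Python below runs a fixed set of gating checks over constructed stand-ins for the registry, denied-party list, ownership graph, filings and insurance feeds. Every supplier ID, company name, person name and date in it is invented; a real implementation would replace the dictionaries with calls to the actual data sources.

```python
from dataclasses import dataclass
from datetime import date

# Constructed stand-ins for the external sources the posts describe: company
# registry, denied-party list, beneficial-ownership graph, financial filings,
# insurance registry and certificate registry. Every record is invented.
REGISTRY = {
    "ID-0001": {"name": "Acme Metals Ltd", "status": "active"},
    "ID-0002": {"name": "Shady Supply Co", "status": "active"},
    "ID-0003": {"name": "Defunct Parts GmbH", "status": "dissolved"},
}
DENIED_PARTIES = {"Redline Holdings"}
CONNECTED_PARTIES = {                      # owners, directors, investors
    "ID-0001": ["J. Doe"],
    "ID-0002": ["Redline Holdings", "K. Roe"],  # an owner is a denied party
    "ID-0003": [],
}
GOING_CONCERN_DOUBT = {"ID-0003"}          # auditor flagged going-concern doubt
INSURANCE_EXPIRY = {"ID-0001": date(2027, 1, 1), "ID-0002": date(2027, 6, 1)}
CERTIFICATES = {"ID-0001": {"ISO9001"}, "ID-0002": {"ISO9001"}, "ID-0003": set()}
REQUIRED_CERTS = frozenset({"ISO9001"})
AS_OF = date(2026, 1, 15)                  # constructed screening date


@dataclass(frozen=True)
class Finding:
    check: str
    passed: bool
    detail: str


# Each check returns (passed, detail). They only consult the fast lookup sources;
# none of them does the slow, product-specific diligence the posts defer.
def check_registration(sid, name, as_of):
    rec = REGISTRY.get(sid)
    if rec is None:
        return False, f"{sid} not found in registry"
    if rec["name"].casefold() != name.casefold():
        return False, f"registry name {rec['name']!r} does not match {name!r}"
    if rec["status"] != "active":
        return False, f"registry status is {rec['status']}"
    return True, "registered and active"


def check_denied_party(sid, name, as_of):
    # Screen the supplier itself AND its connected parties (one degree of separation).
    hits = [p for p in [name, *CONNECTED_PARTIES.get(sid, [])] if p in DENIED_PARTIES]
    if hits:
        return False, "denied-party match: " + ", ".join(hits)
    return True, "no denied-party matches"


def check_financials(sid, name, as_of):
    if sid in GOING_CONCERN_DOUBT:
        return False, "auditor expressed going-concern doubt in latest filing"
    return True, "no going-concern flag on file"


def check_insurance(sid, name, as_of):
    exp = INSURANCE_EXPIRY.get(sid)
    if exp is None:
        return False, "no insurance certificate on file"
    if exp < as_of:
        return False, f"insurance expired {exp.isoformat()}"
    return True, f"insurance valid until {exp.isoformat()}"


def check_certificates(sid, name, as_of):
    missing = REQUIRED_CERTS - CERTIFICATES.get(sid, set())
    if missing:
        return False, "missing certificates: " + ", ".join(sorted(missing))
    return True, "all required certificates present"


# Order matters only for reporting; every check runs so the report is complete.
CHECKS = [
    ("registration", check_registration),
    ("denied_party", check_denied_party),
    ("financials", check_financials),
    ("insurance", check_insurance),
    ("certificates", check_certificates),
]


def screen_supplier(sid, name, as_of=None):
    """Run all gating checks; 'proceed' is False if any single check fails,
    which is the signal to stop before the expensive deep dive."""
    as_of = as_of or date.today()
    findings = [Finding(label, *fn(sid, name, as_of)) for label, fn in CHECKS]
    blocking = [f.check for f in findings if not f.passed]
    return {"supplier_id": sid, "findings": findings,
            "blocking": blocking, "proceed": not blocking}


if __name__ == "__main__":
    for sid, name in [("ID-0001", "Acme Metals Ltd"), ("ID-0002", "Shady Supply Co")]:
        result = screen_supplier(sid, name, AS_OF)
        print(sid, "PROCEED" if result["proceed"] else "STOP", result["blocking"])
        for f in result["findings"]:
            print("   ", "ok  " if f.passed else "FAIL", f.check, "-", f.detail)
```

All checks run even after the first failure so the report tells you everything that is wrong at once, but the single `proceed` flag is what gates the deep dive: a supplier that is active, solvent and insured still stops at the gate when one of its owners is on a denied-party list.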

And yes, Certa is one platform that might be able to help you, and one you should add to your RFP invite list if you don’t have a TPRM. We will note that they’re not the only one (and this could be relevant if you are in the EU and need a local provider), and that we’ll list others in Part 10 of our Source-to-Pay+ series, but close by stating that you should not overlook Certa. They’ve been around for a decade, have raised over 50M, likely integrate into whatever you’re already using in your Source-to-Pay process (with integrations to 100+ platforms and data feeds), have pre-built solutions for Compliance / Risk / ESG, and have a number of Fortune 500 clients.