Category Archives: Training

The 10 Worst Innovation Mistakes In A Recession (Update and Repost)

Are we in a recession? No.

Could we be in one real soon? Yes.

Regardless of what “the experts” tell you, two things are true.

  1. Trade Wars are BAD for the economy.
  2. Economic Alliance Breakdown (like Brexit) is BAD for the economy.

Both of these events can spark recessions, and are very statistically likely to at least spark localized recessions in some industries in some geographies. And while it’s hard to say which geographies and industries and to what extent due to the proliferance of alternative facts on even the major media outlets (which is what happens when you let party oriented moguls conglomerate holdings and reduce journalist headcount), it’s still not hard to say the risks are rapidly increasing.

It’s also not hard to say that, based on past behaviour, most organizations are bound to do the wrong thing when it starts. So, to this end, SI is reposting this classic piece from 2008 to remind you of what not to do if things get tight (which is based on a great piece on the 10 Worst Innovation Mistakes in a Recession that appeared in Business Week in January, 2008.

Moreover, making these mistakes creates a self-fulfilling prophecy that spirals you towards hardship.

  1. Fire Talent
    Talent is the single most important variable in innovation. And innovation is the single largest lever you have to increase productivity and decrease costs.
  2. Cut Back on Technology
    The rise of social networking and consumer power means that companies have to be part of a larger conversation with their customers. This requires technology. Furthermore, the best way to insure you are getting the best price is to tackle the right categories, as identified by spend analysis, with strategic sourcing decision optimization to make sure you are making the award with the lowest total cost of ownership. It’s also important to make sure that all of your invoices are submitted in an electronic format that can be automatically matched against contracted rates to make sure you are being overcharged. This requires leading-edge technology.
  3. Reduce Risk
    Innovation requires taking chances and dealing with failure. Although it’s important to control risk, trying to eliminate it entirely will just end up eliminating any chance for innovation at your company.
  4. Stop New Product Development
    This hurts companies when growth returns and they have fewer offerings in the marketplace to attract consumers. And with today’s rapid pace of technological change, you could even lose customers in a recession to a competitor who keeps innovating while you stand still.
  5. Replace a Growth-Oriented CEO with a Cost-Cutting CEO
    Most recessions only last two or three quarters and, these days, are relatively shallow. Penny-pinching CEOs don’t have the skills to grow when growth returns. Plus, a penny-pinching CEO is the most likely individual to fire your top talent.
  6. Retreat from Globalization
    Emerging markets are sources of new revenue, business models, and talent. And, like it or not, emerging economies like India and China are soon going to have more buyers for your product than the countries you’re currently selling to.
  7. Replace Innovation as Key Strategy
    … With Systems Management and Cost-Cutting. Once focus shifts away from innovation, it can be very hard to get the focus shifted back.
  8. Change Performance Metrics
    Shifting employee evaluations away from rewarding riskier new projects toward sustaining safer, older goals. This leads to risk-averse behavior and stifles innovation.
  9. Re-inforce Hierarchy over Collaboration
    A return to command-and-control management. This alienates creative-class employees, young Gen Y and X-ers, and stops the evolution of the corporation. In today’s world, companies that don’t evolve die – and they do it quickly. The average life-span of a Fortune 500 company is shrinking every year.
  10. Retreat into Moated Castles
    Cutting back on outside consultancies is seen as a quick way to save money. Yet, one of the key ways of introducing change into business culture is to bring in outside innovation and design consultants.

Remember that winners always emerge out of recessions and they always win on the basis of something new. If you don’t always have something new in your pocket, you’re not going to win. And if it is a recession, and you don’t have something brand spanking new to pull out of your pocket when the recession is over, you could literally be toast. Furthermore, even a recession provides growth opportunities. People still spend money. They still need to eat, maintain their homes, and their life-styles. The difference is that they don’t spend as much money and look considerably harder for the best deal. This means that they’re much more likely to waver on brand loyalty if you can provide them a better product on a better price – and this means that you can still grow by taking market share away from your competition.

So don’t make the innovation mistakes. If it is a recession, then whether you come out of it a winner or a loser is up to you.

Furthermore, if it is a recession, and your company supplies sourcing and procurement technology and services, then this should be a major growth period for you! After all, how else is your average blind-in-one-eye company going to save money? This means that not only do you have to make sure that you don’t make any of the top 10 innovation mistakes, but that you invest for a growth period because, if you play your cards right, it will be.

GDPR 8 – Security

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

One of the key changes in the GDPR is around the clauses and legal framework that surrounds the processing of personal data.

We will cover this in some detail in the next post (although we did hint at this one!). However, please bear with us as we also have to address cyber security to complete the background for displaying the processing requirements. Security will be a key component of the overall legal framework.

One of the key requirements in processing data is the cyber security that surrounds managing this type of information. The UK Supervisory Authority, the ICO (Information Commissioners Office) issues a wide ranging, practical advice for companies on their website. Given that many procurement analytics providers are now mature IT companies, many will have little to do cyber security wise. Many companies (including high volume email suppliers) have certified to the EU-U.S. Privacy Shield Framework and the Swiss-U.S Privacy Shield Framework. This is an excellent start as we have mentioned previously. The cost of doing this is comparatively small – and we understand that many small US companies have managed to achieve this – around 3000 software enterprises.

On a broader security level, the ICO recommends that companies implement at least the ten steps to Cyber Security model. This can be found on their website. For much smaller UK based data companies, they can achieve Cyber Security Essentials plus certification. This is around $400 USD.

However, it is highly likely that many web analytics provider security arrangements are already in place and exceed the basics. Logically, it may be worth pursuing ISO 27001 accreditation or higher. Like most certification, it can become an expensive and a time-consuming exercise. Many large suppliers may already have CCMv3 (Cloud Controls Matrix), NIST CSF (National Institute of Standards and Technology Cyber Security Framework) or PAS 555.

Is it really worth it? If we had a crystal ball, companies both within and outside of the European arena will come under increasing pressure to prove these controls are in place – and standards are likely to become a key selling point for winning European business. To that end – it is going to be part of the cost of doing business. The alternative is a breach and investigation. Cyber criminals have all the key attack elements in their favour – a confirmed breach could become a costly and damaging PR disaster.

Once vendors combine cyber controls and certification with the extensive legal requirements, it is likely to become a major differentiation point between suppliers. Question is … are vendors ready?

GDPR: What is Required of Processors / Controllers? (Part VII)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

In our last article we noted that a key concept under GDPR (with respect to any data that potentially contains data that could identify an individual person) is the difference between a controller and processor, and what requirements are placed on each. Generally speaking, a spend analytics (service) provider will be a processor and may meet the requirements of a controller (and may not). [It all depends upon whether the customer provides them an ability to determine the purpose and/or means of data processing. In most cases, the provider will have some leeway and will be a controller as well.]

So, what does the regulation require of a processor/controller?

The first fundamental change is around where either the controller or the processor is not established within the Union.

In this case, suppliers will need to designate in writing a representative within the European Union.

“The representative shall be mandated to be addressed by supervisory authorities and data subjects for the purposes of the Regulation. Designation of a representative does not absolve controller or processor from legal liabilities”.

Simply, it means if you are outside of the EU, and you process any personal data that originates from within the EU area, you must have a representative within Europe.

This creates a range of issues as it may well imply that any provider that services data from multiple countries may require multiple representatives. It is likely that multiple representatives may be required as each supervisory authority within each European Country may require a representative.

However, given the volume of suppliers that are involved in managing and processing personal data outside of the European Union for EU clients, how well Supervisory Authorities can manage and track these volumes of suppliers is questionable. However, the fundamental shift in the regulation is that legally, suppliers must now declare that presence. If there are data breach problems later, and an investigation is required, it may well generate a much wide range of breach elements. Like unpicking the thread on a sweater, the Supervisory Authority has wide ranging investigative powers.

For those that opt to process or control personal data from the European-Union, the new Regulations contain a suite of additional procedural requirements. We will start to cover these elements in the next article. However, if you are unsure around the legal elements, as we have said on several occasions, we suggest you consult a Legal firm who specialises in the Regulations.

Thanks, Tony.

GDPR: Are you a Controller or a Processor (Part VI)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

It was Glen Hoddle (English Soccer player) that wrote:

“I have a number of alternatives, and each one gives me something different”.

For many spend analysis providers (or other procurement tools providers) and their clients that manage personal data, the alternative may be simply to change nothing technically – and keep going with the status quo. In effect, implement the requirements of the GDPR regulations.

Like most alternatives there are trade-offs. If eliminating personal data is practicable – then that may be the first viable alternative for suppliers. However, leaving the process as-is and implementing the EU required controls may be the better option longer term.

However, there are several key changes required by 25th May. To be GDPR compliant requires those controls to be in place prior to that date.

The key concept in this article is ensuring that analytics suppliers understand the difference between a controller and processor. For commercial data that contains no personal data, this concept is inapplicable and no further action is required.

Under GDPR, the controller means:

“ … the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

In most cases, the controller will simply be the client.

After all, they will supply the data and direct what they want to happen with those transactions.

The processor is defined as:

“ … a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

To all intents and purposes, most spend analytics providers within (and external) to the EU may be either a controller or provider (or both).

For companies that use serviced systems outside of the EU, providers are therefore processors. Being outside of the EU creates a number of key criteria that need to be met for compliance.

There is also a very clear definition in the Regulation about what constitutes processing:

“ … It means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Therefore, by default, any serviced analytics provider generically meets the definition.

So, what does this mean? Come back tomorrow for out next installment!

Thanks, Tony.

GDPR – still avoiding the problem? (Part V)

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at tony.bridger@data-trainingworx.co.uk.

In our last post we noted that those with extensive risk management experience know that avoidance is a key strategy for risk minimisation.

We also noted that this may well be a very feasible option f-or those analytics suppliers outside of the European Union.

The GDPR actively supports the anonymisation approach:

The principles of data protection should …. not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”

By removing or replacing data elements this satisfies another element of the Regulation – pseudonymisation:

the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” (Article 4).

Credit card or card account numbers can be used to identify a person – many card systems encrypt or hash the card number if expense managers are used. Once again, it pays to do the data homework.

The salvation for many spend analytics providers is to encourage the client to set data extract routines that eliminate these types personal data.

However, that still leaves us with the less easily manageable data component of personal data buried within invoice line descriptions or other ERP free text fields.

Once GDPR becomes recognised as the “new paradigm”, analytics providers are likely to claim that they have all sorts of (chargeable) capability to remove this data or anonymise it. This is more likely to revert to a line by line manual check as opposed to anything technically complex or ground breaking.

There is nothing intrinsically wrong with this approach. It may be time consuming but will follow the usual pattern of spend analytics data management. The first stage of the dataset build is historical data construction. If all historical spend data is checked and anonymised, then monthly refresh data is much lower volume – and patterns where personal data may exist may have already made their presence known – a pattern.

Vendors and clients are therefore taking all reasonable precautions with the data. If the data can have all personal elements removed, then GDPR does not apply. The “shotgun approach” for web providers is to use full access encryption…but this could be prohibitive in cost terms.

So, what is the risk? Spend data with personal data content has to align with the Regulation both within the EU — and transferring data outside of the EU. The use of surgical data techniques can reduce the risk and perhaps even reduce the data to non-personal in nature.

The alternative option is to leave the personal data and adhere to the range of controls that are required to manage that information. We have yet to cover these controls in any detail.

As we will discuss later in a later post, staff, employee data and personal data may also be subject to consents. A considerably more complex issue under GDPR. With new elements like right to be forgotten it may be simpler just to remove the data components.

No one said this was going to be easy.

Thanks, Tony.