Source-to-Pay+ Part 4B: Third Party Risk, Part 2

In Part 1 of this series we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites (which is really more of a Supplier “Uncertainty” Management module). Then, in Part 2 of this series, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. Then in Part 3 of this series we discussed inwardly focussed Corporate Risk Management, which some companies offer partial solutions to in the form of GRC (Governance, Risk, and Compliance) solutions.

Then, yesterday in Part 4A, we began our discussion of third party risks and outlined some of the specific baseline capabilities that such a solution should possess. Today we complete our discussion of third party risk and outline the remainder of baseline capabilities that we believe such a solution should possess.

Sustainability
An organization needs to be sustainable, which it can only be if the suppliers it uses are sustainable as well. As such, a TPRM solution needs to monitor the sustainability of its suppliers: their carbon footprint, or at least the footprint of the products/services they provide, the associated GHG emissions, and (fresh)water utilization, especially where these are significant or beyond the norm (and reducible).

This part of the application should integrate with third party data feeds and assessments on sustainability as well as the integrated assessment module.

Commodity Markets
Sudden, unexpected price increases represent a great risk to the organization, no matter where they occur in the chain. Since it’s usually the supplier (or the supplier’s supplier) who buys the raw materials on the commodity markets, the organization often doesn’t know about the price increase until it’s too late. Thus, it’s critical that an organization monitor the commodity markets for any raw materials it needs in considerable quantity that could have a significant impact on its financials.

Thus, a good TPRM system will integrate with commodity market feeds and track the raw materials used in the relevant Bill of Materials of the organization. As such, the system should also integrate with the ERP and be able to pull in the raw materials the organization’s suppliers need to acquire in large quantities on a regular basis.

Location Considerations
There’s a lot of risk associated with a location: geopolitical, economic, natural disaster, and so on. The system should track all of the locations associated with each third party, the risks associated with each location, their likelihood, and, if possible, the potential impact.

This part of the solution should tie into the event monitoring, sentiment monitoring, third party feeds, and any other indicators that could indicate a location-based risk. When one is detected, all of the (potentially) impacted suppliers should be identified, and the potential severity of the event also identified.

Certificates
The solution must track all appropriate certificates / certifications for third parties that the organization needs in order to verify that those third parties are compliant with regulations, have the appropriate insurance, and so on.

A good solution will also integrate with third parties that can verify the existence/issuance of the certificate, the dates of validity, and other key meta-data.

Industrial Accidents
It’s important to keep track of any industrial accidents at the third parties you do business with, whether they have been cleaned up, what the impacts were, and whether or not the third parties have taken steps to prevent similar accidents from happening again. A supplier that could be shut down at any time due to an accident with more than a negligible chance of occurring is not a reliable supplier. Plus, this can also impact reputation / brand.

Thus, the application needs to tap into organizational filings and disclosures to identify past accidents, event monitoring to identify accidents as they happen, assessments to get updates from suppliers as they clean up / recover, action plans that capture what the supplier/third party plans to do, and monitoring.

Recalls
Just like it’s important to keep track of industrial accidents, it’s also important to keep track of recalls: for what, how often, and how severe. A supplier that has to regularly do recalls has quality (management) issues and is not a supplier you want to be relying on.

It’s important that the application track recalls, track any updates on those recalls, and track any news stories that led to those recalls. You also want to know how often a supplier has had to do a recall in the past.

Related Parties
We’ve more-or-less stated this in many of the sections above, but it’s critical that you track the parties related to a supplier/third party of interest. Those that supply, service, or invest in the third parties you rely on should also be tracked. In addition to tracking these parties, it’s critical to maintain the relevant relationships between them and keep this information up to date.

The system should integrate with third party corporate registries that track ownership and relationship information and update the relationships in the TPRM as necessary.

Action Plans / Development Goals
As we hinted at in our discussion of Industrial Accidents, it’s not enough to just track the risks, their likelihood, and the indicators that they are materializing / have materialized; an organization has to work with suppliers to minimize the likelihood and, should the risks materialize, minimize the recovery time and the impact on the organization.

The application must support the definition of a multi-stage plan, with multiple tasks per stage, collaborative development of the plan, approval workflows, and when the plan is instantiated, execution and tracking of the progress made by the third party. Basically, it’s customizable development program management for a third party.

Maturity Model
The platform should support the definition of maturity models by third party (supplier) organization type, the mapping of third parties to these models, default action plans that can be instantiated to help a third party progress up the maturity model, and associated metrics to measure the aptitude of a third party at each level.

In other words, it’s not just point-based program management for the development of select capabilities in a third party, it’s integrated multi-faceted organizational management of a third party with monitoring, management, and reporting over time.

Moreover, a Third Party Risk Management (TPRM) solution will also contain a host of generic analytics/planning/monitoring capabilities. But since many of these are common, and since stand-alone risk-focussed analytics applications are also part of the plethora of offerings out there, instead of discussing these generic features in this and every other article, as we noted in our coverage of Corporate Risk, we will discuss these capabilities in an article dedicated to Risk Analytics and Monitoring.

Source-to-Pay+ Part 4A: Third Party Risk, Part 1

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application (that we prefer to call Supplier “Uncertainty” Management) that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. Then, in Part 3, we discussed inwardly focussed Corporate Risk Management, which some companies offer partial solutions to in the form of GRC (Governance, Risk, and Compliance) solutions.

Today we are going to talk about some of the third party risks and outline the function-specific baseline capabilities that such a solution should possess. Before we get started on the risks, we should note that a third party risk management (TPRM) solution can also be used for Supplier Management: a supplier, in addition to being a second party, could also be one of the many “third parties” an organization has to worry about if it is a sub-tier provider contracted by another primary, first-tier supplier of the organization. And a good TPRM solution will contain all of the functionality in an average Supplier Risk/Uncertainty Management module in a Source-to-Pay solution and much, much more.

We’ll continue in yesterday’s format, outlining some of the key capabilities and what that may mean solution-wise. There are quite a few key capabilities. So many, in fact, that, as you may have noticed, we’re actually breaking this article up into 2 parts.

Customizable Assessments
No matter how many capabilities come out of the box, every organization is going to need to do a customized assessment of a third party at some point. Thus, any TPRM system must support the creation of customized assessments with arbitrary questions, multiple forms of answers (multi-select, numeric, free-form, etc.), customizable weighting systems (that also support group-based weightings using averages, medians, or weightings based on role), and customizable reporting on the results.

In addition, the system should come with a slew of starting, customizable assessments out-of-the-box on every area covered in the application, whether or not there are third party data feeds and assessments that can be sucked into the application for use by the client. (This is because most third party feeds and assessments come with a cost, which may not be worth it to the organization if that aspect is only relevant to a few suppliers or doesn’t cover all of the aspects an organization needs.)

Reputation/Brand
As we noted in our last article, a significant risk to the company is its reputation/brand, and that includes reputation/brand risks that come from being associated with third parties with reputation/brand risks. As a result, an organization needs to keep on top of the reputation/brand of its suppliers and partners.

Thus, it needs a platform that can monitor news sources and social media and look for stories about all of its suppliers and partners that could blow up, sentiment that could propagate, and events that could cause repercussions through the supply chain.

Regulatory Compliance
An organization needs to be compliant with regulations in every geography in which it does business, which means that it needs its core suppliers and key partners to also be compliant with those regulations. As a result, it needs to monitor all of its suppliers and their suppliers/partners for compliance with the regulations that are relevant to those suppliers/partners.

This may mean tracking certifications, tracking raw material inputs, tracking human resources assigned to projects, tracking carbon/GHG reports from the third party, and other key pieces of information. It may mean asking suppliers for additional (self) assessments, getting (temporary) access to third party data feeds, and having third parties do compliance audits for you.

Ownership/Financials
Just like your company cannot be associated with sanctioned entities, you need to be careful not to do business with suppliers who are (partially) owned or controlled by sanctioned entities, or who are doing business with sanctioned entities to support your organization. In addition, you don’t want to be doing business with suppliers or third parties who are financially unstable, as their bankruptcy could negatively impact your business.

Thus, this system must tie into all sanctioned and denied party lists of every country it operates in, cross-reference the ownership and partners of all suppliers/third parties the company does business with against the sanction list, and monitor ownership changes as they occur. In addition, it should tie into systems that monitor financials of public companies as well as systems that judge the financial stability of private companies.
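As an added illustration of the Related Parties and Ownership/Financials capabilities (example code written for this page, not from the article or any TPRM vendor): a small ownership graph is walked to compute each denied party’s effective stake in a supplier, whether held directly or through holding companies, and the supplier is flagged when that stake meets a policy threshold. The entities, percentages, and the 25% flagging threshold are all constructed assumptions.

```python
"""Screen supplier ownership chains against a denied-party list (added example)."""
from collections import defaultdict

# Constructed ownership edges: (owner, owned entity, fraction of equity held).
OWNERSHIP = [
    ("HoldCo Alpha", "Supplier One", 0.60),
    ("Investor Beta", "Supplier One", 0.40),
    ("Sanctioned Corp Gamma", "HoldCo Alpha", 0.50),
    ("Family Trust Delta", "HoldCo Alpha", 0.50),
    ("Sanctioned Corp Gamma", "Supplier Two", 0.10),
    ("Investor Beta", "Supplier Two", 0.90),
]

# Constructed denied-party list, lower-cased for case-insensitive matching.
DENIED_PARTIES = {"sanctioned corp gamma"}

# Assumed policy threshold: flag an effective stake of 25% or more.
THRESHOLD = 0.25


def build_graph(edges):
    """Map each owned entity to the list of (owner, fraction) holding it."""
    owners = defaultdict(list)
    for owner, owned, frac in edges:
        owners[owned].append((owner, frac))
    return owners


def effective_ownership(owners, entity, _path=frozenset()):
    """Return {ultimate owner: effective fraction} for `entity`.

    Stakes are multiplied along every ownership path; an entity with no
    recorded owners is treated as an ultimate owner, and cross-holding
    cycles are cut so the recursion terminates.
    """
    if entity in _path:          # ownership cycle: drop this path
        return {}
    if entity not in owners:     # leaf: nobody recorded as owning it
        return {entity: 1.0}
    result = defaultdict(float)
    for owner, frac in owners[entity]:
        for ultimate, share in effective_ownership(owners, owner, _path | {entity}).items():
            result[ultimate] += frac * share
    return dict(result)


def screen_supplier(owners, supplier, denied=DENIED_PARTIES, threshold=THRESHOLD):
    """Return sorted (denied party, effective stake) pairs at or above the threshold."""
    hits = []
    for ultimate, share in effective_ownership(owners, supplier).items():
        if ultimate.lower() in denied and share >= threshold:
            hits.append((ultimate, round(share, 4)))
    return sorted(hits)


if __name__ == "__main__":
    graph = build_graph(OWNERSHIP)
    for name in ("Supplier One", "Supplier Two"):
        print(name, screen_supplier(graph, name))
```

Supplier One is flagged only because of the indirect 60% × 50% stake through HoldCo Alpha, which a direct-owner check would miss; Supplier Two’s 10% direct stake stays below the assumed threshold.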

Human/Labour Rights
Legislation has been introduced and/or is being considered in many jurisdictions around the world that makes your organization responsible for any abuses of human or labour rights in the supply chain. It’s important to have systems that can monitor for human/labour rights in the supply chain, even if this is only through integrations with third parties that do (independent) on-site assessments.

This should also make use of the brand/reputation monitoring module that monitors news sources, events, and related data feeds to scan for anything that could indicate a human/labour rights violation.

Come back tomorrow for Part 4B as we continue our discussion of Third Party Risk.

The first jobs lost to OpenAI were at OpenAI? I LOVE IT!

In honour of the first five jobs that were lost to OpenAI, at OpenAI (where it was announced that the CEO, president, and 3 senior staff were stepping down and/or let go this week).

To the tune of I Love It by Icona Pop (feat. Charli XCX)!

I got this feeling on the winter day when you were gone
You crashed your car into the bridge
I watched, you let it burn
You threw our shit into a bag and pushed it down the stairs
You crashed your car into the bridge

I don’t care, I love it
I don’t care

I got this feeling on the winter day when you were gone
You crashed your car into the bridge
I watched, you let it burn
You threw our shit into a bag and pushed it down the stairs
You crashed your car into the bridge

I don’t care, I love it
I don’t care

I’m on an Earthern road, you’re in the Milky Way
You want me down on earth, but you’re up in space
You’re so damn hard to find, that AI took over
You said it’d take our jobs, but it f*ck3d you over!

I love it
I love it

Amazon: Resistance May Be Futile — But It’s Growing in the Masses!

Note: This content was originally posted on LinkedIn on November 15, 2023.

On November 15, 2023, Jason “the prophet” Busch of Spend Matters noted on LinkedIn that

Resistance is Futile.

[because] Amazon Business Reshape (in Chicago) is “the new Ariba Live” according to multiple people I’ve spoken to this week.

And stated that what struck him was:

how Amazon seemingly has one obsessive goal: drive usage, volume and value so customers keep coming back.

and that:

If it’s not already, I’m guessing Amazon Business will soon be a Fortune 500 P&L lurking inside a Fortune 5 company (and it’s going to be high on the list itself in the years to come).

among other things.

And while Usage, Volume, and Value will drive companies to try Amazon Business; without good SERVICE levels, when the contract ends, or even worse, if there’s no contract, when “Amazon” fails them spectacularly, will those customers actually return? (Remember that they see Amazon, not the vendor behind Amazon where the spectacular failure may actually occur.)

And, more importantly, if their service in their consumer segment, where many of these business leaders will first experience Amazon, is poor, will they trust Amazon Business for their business? (Is it not reasonable to expect service levels to be the same across the board?)

I say this because I personally experienced Amazon customer service levels in Canada go from stellar (and the best of all the online merchants) to what I would consider the exact opposite of stellar in a very short amount of time in 2021/2022. I’m not the only person I know who cancelled Prime, which meant I went from buying, from a quick estimate, 600+ a month (for close to a decade after being a regular customer in North America for over 20 years) and a plan to move more business spend to Amazon to absolute ZERO (0) over a year ago (and my spend has stayed at that level since then).

This was also at roughly the same time complaints in the US skyrocketed to the point that the FTC stated that “Amazon has allegedly used dark patterns to trick millions of users into enrolling in its Prime program and trapping them“. (See this link.)

I know it’s different business units, different programs, different options for legal recourse, and different amounts of money at play, but my point is this.

1) the largest market for Amazon Business by far is the small business market — hundreds of thousands of companies that can’t afford a fancy (and expensive) Procurement solution (and would love a “free one” handed to them on an AWS platter)

2) the small business market is a market where ONE person usually makes the decision, not a team, and the decision is made as much on emotion as it is made on numbers; if that person had a less than stellar experience with Amazon personally, will they trust them for their small business if there is any other option available to them?

(Basically, while the doctor agrees that everything the prophet said might be true in the Mid-Size and Larger Enterprise market, we need to note that there are only thousands of large global enterprises [The Fortune 1000/Global 3000]; only tens of thousands of mid-size enterprises; but millions of small enterprises. Millions. That’s where the volume is!)

In other words, Amazon Business Reshape might have the excitement (after all, what else is new? the answer is, sadly, not much), but will it last? And will the excitement lead not just to an uptick, but sustained momentum and growth for Amazon Business?

9% of Companies Claim To Be Ready to Manage Risks Posed by AI? Bull Crap.

the doctor could not believe the recent headline in Forbes that said that only 9% of surveyed companies are ready to manage risks posed by AI. Because there is no way that 9% of companies are ready to manage the risks posed by AI. There’s no way even 0.9% of companies are ready to manage the risks posed by AI.

Why? Because of the rampant introduction of massive LLMs and DNNs that no one understands, for which I’m sure we’ve yet to see the last of the abysmal failures, hallucinations, and suicide coaxing. There’s simply no way we can even begin to predict all of the potential errors they are going to make, the risks they are putting us under, the repercussions if those errors are made and risks materialize, and how the risks can be minimized, if not mitigated. No way whatsoever.

Not only is it theoretically impossible to be fully prepared, but when you consider that the average organization is not even equipped to handle regular software failures, how can the average organization expect to handle a software-based AI failure it can’t even predict?

The article quoted a recent study by RisKonnect. (RisKonnect is obviously able to detect and protect against most types of risk by using RisKonnect, and maybe that’s why they are so confident they can protect and defend against AI risks. But RisKonnect is for traditional enterprise and third-party risk, not cyber risk, and definitely not AI risk: no one can protect against a risk when they don’t even know what the risk is.) That said, the article did quote some very useful statistics on areas of concern. Specifically, of the companies surveyed

  • 65% are concerned about data and cyber,
  • 60% are worried about employees making decisions on erroneous information,
  • 55% are worried about employee misuse and ethical risk,
  • 34% are worried about copyright and intellectual property, and
  • 17% are worried about discrimination risk.

The risks are the right risks, and the order of priority is about the right order, but the percentage of companies concerned is much too low.

1. 100% of companies should be concerned about data and cyber. Not only are we in the age of state-sponsored hacking, which makes any company with useful confidential designs and information a target, but with almost all significant commerce being conducted online, all companies are a target for financial fraud.

2. 100% of companies that need to make decisions based on data analysis should be concerned about erroneous information, as all companies have bad data, and the bigger the company, the worse the data.

But none of these match the risks of AI. As per the quote in the article from Caitlin Begg, an over-reliance on AI can risk robotic, insensitive, spammy, or off-topic messaging, and that’s just the beginning. As noted, most companies haven’t simulated their worst case scenario, and since one can’t even predict what that is with AI, they aren’t even close to ready. It’s not just another application in the organization’s tech stack, even though the article seemed to indicate it is. One can prioritize transparency, accountability, threat and vulnerability monitoring, and risk mitigation, but when most AI applications can’t explain their actions, are not accountable humans, have no realistic threat and risk assessments, and there is no way to mitigate the risk except not to use the technology in the first place for any decision that should be made by a HUMAN, it’s just not enough.

The precautionary steps are not to identify where AI can be most effective and incorporate it, the steps should be to

  1. identify where partners and third parties are using AI and putting your organization at risk
  2. identify where employees might be using unapproved web-based AI applications and put a stop to it
  3. identify where your SaaS providers are not only using, but introducing, AI into their applications after purchase and delivery and ensure that any utilization is bounded, tested, and properly constrained to prevent risk
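An added example (written for this page, not from the article) of how a security team could approach step 2 above: scan web-proxy logs for requests to AI SaaS domains that are not on the approved list and total the bytes each user uploaded to them, since uploads are where confidential data leaves. The log lines, the domain catalogue, the approved list, and the log layout are all constructed assumptions.

```python
"""Flag unapproved web-based AI services in web-proxy logs (added example)."""
import re
from collections import defaultdict

# Constructed catalogue of generative-AI service hostnames (illustrative names only).
AI_SERVICE_DOMAINS = {
    "chat.example-ai.com": "Example Chat Assistant",
    "api.example-ai.com": "Example Chat Assistant (API)",
    "upload.other-llm.net": "Other LLM Workspace",
    "app.draft-writer.io": "Draft Writer",
}

# Assumed policy: only services that went through procurement and security review.
APPROVED = {"Example Chat Assistant", "Example Chat Assistant (API)"}

# Constructed proxy access log; assumed layout:
# epoch_timestamp user client_ip method host bytes_sent
SAMPLE_LOG = """\
1700000000.101 alice 10.1.2.3 POST chat.example-ai.com 1842
1700000001.220 bob 10.1.2.9 POST upload.other-llm.net 524288
1700000002.330 carol 10.1.2.7 GET www.example.com 312
1700000003.440 bob 10.1.2.9 POST upload.other-llm.net 1048576
1700000004.550 dave 10.1.2.4 POST app.draft-writer.io 2048
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<user>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<host>\S+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def find_unapproved_ai_use(text, catalogue=AI_SERVICE_DOMAINS, approved=APPROVED):
    """Return {user: {service: (request_count, bytes_uploaded)}} for unapproved AI services.

    Only POST/PUT bytes are counted as uploads; page views are not the leakage concern.
    """
    findings = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for rec in parse_log(text):
        service = catalogue.get(rec["host"].lower())
        if service is None or service in approved:
            continue  # not an AI service, or one that passed review
        entry = findings[rec["user"]][service]
        entry[0] += 1
        if rec["method"] in ("POST", "PUT"):
            entry[1] += rec["bytes"]
    return {u: {s: tuple(v) for s, v in svcs.items()} for u, svcs in findings.items()}


if __name__ == "__main__":
    for user, services in find_unapproved_ai_use(SAMPLE_LOG).items():
        for svc, (count, sent) in services.items():
            print(f"{user}: {svc}: {count} requests, {sent} bytes uploaded")
```

The output lists bob’s 1.5 MB of uploads to an unreviewed workspace and dave’s single request, while alice’s use of the approved assistant is not reported.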

Then, instead of unbounded AI, identify appropriate automation technologies that can be properly configured, integrated, and managed as part of an enterprise stack. And reap the rewards while your competitors deal with risks.