Monthly Archives: December 2023

Data-Driven Workforce Planning — WTF?

Data is good. And you should make use of it all the time. And while data might help you identify gaps in your workforce capability, it can’t help you plan your future workforce. Why? A couple of reasons. First of all, you don’t know what’s coming down the pipe in future Procurement and Supply Chain needs and issues. Secondly, existing skill sets may not be enough to address those future needs and issues (which could require evolved versions of current skill sets or even entirely new skill sets). So while the doctor would agree that the 14% of Procurement Leaders who believe they have adequate talent to meet future needs are idiots that never look at the data, he would also argue that looking at the data alone will not allow one to adequately define their workforce needs.

Planning implies you are building a workforce for the future. Data can only identify gaps in your workforce today. And while you need to fill those gaps to conquer today’s challenges, put out the fires, and get to the point where you can start seriously thinking about the future, analyzing historical data is not going to get you there. You need to look at how new technologies will change production, how new technology will change logistics (not just green vehicles, but better planning technologies, more efficient cross-docking techniques, etc.), how regulations will impact trade, and so on. There’s no data on that yet (other than patent documents, vendor spec sheets, draft legislation, and so on). So how can you analyze data you don’t have?

So, why do we need to talk about this? Well, Info-Tech Research group is flooding the PR and Business News Wires with an article on how data-driven workforce planning is key to future-proofing organizations. And while data-driven workforce planning is key to getting your workforce right today, as we just explained above, it can’t future proof your workforce because you don’t know what skills your future workforce will need.

Yes, there are serious talent shortages in IT and Procurement. Yes, it reinforces the reality that a proactive approach to workforce management is something that most organizations should have been doing a decade ago. Yes, data-driven insights are often the fastest way to see where you don’t have enough people or enough people with the right skills to tackle the job. And yes, tools that can help you are highly valuable. But don’t confuse solving today’s challenges with people you will hire tomorrow with solving the problem of future workforce planning.

Now, if you hire the right people with the right education and the right skill sets in analytics and the ability to learn on their own, they will be more prepared than those employed by your peers. This may put you in a better place, as they may even have the skills to identify the gaps when the world changes, but there are no guarantees. So find top talent with the education, drive, and ability to learn, continually train them, give them time to look ahead once in a while, and you’ll be better off than those who just hire the cheapest resource they can to put out the latest fire.

Consumer Dynamics are shifting like never before. But how does that affect Procurement?

Beyond the obvious, of course. But let’s backtrack.

A recent article over on Fortune noted that consumer dynamics are shifting like never before while purporting to give us some insights from Executives from Instacart, Atlassian, Nordstrom, and Black & Decker [who] share their strategies. However, the insights it shared related to the challenging technology environment the companies, and teams, face daily and not to the consumer market in general. That is a very important topic, and one not covered much by most of the publications and analysts, who focus on how great the technology (especially AI-backed technology that may or may not work at all) is, but not on how it helps you address the consumers that your organization is in business to serve.

Now, it’s easy to track change in demand if you have a good POS system, a good inventory system, at least weekly (if not daily) syncs, and a good DiY (Do-it-Yourself) Analytics system with baseline trend analysis capabilities that can signal changes in demand, the need for rapid reorders to prevent stock-outs, and increasing changes in demand as a result.

It’s not always as easy to track why. Sometimes there’s a strong correlation between the sales and a particular campaign, between the sales and a sustainability initiative, between the sales and recent price decreases in the product line or price increases in a competitor’s product line, or between the uptick in sales and competitor stock-outs, and in this case it can seem obvious, even if it’s not. For example, the campaign may have had nothing to do with it; it could have been the result of a single influencer promoting the product. The sustainability initiative may have had nothing to do with it, as customers may have known it would only impact the next generation of the product. The price decreases may have had little to do with it because it may have already been one of the lowest priced products available at the time as well as the one with the best brand reputation. The competitor stock-outs may not have had anything to do with it because those might have been the higher priced products that were only stocked in low quantities anyway.

Moreover, even if you can determine the why with some statistical confidence, that still does not identify the underlying root cause as to why customers reacted to the campaign, the sustainability initiative, the price decreases, or the stock-outs. Are customers shifting towards your brand, adopting a preference for certain products, responding to certain messaging, or just veering away from certain competitors (or at least certain competitor products)?

More importantly, how can you predict these trends early, when they are just starting, so that you can make the appropriate Procurement decisions in time to meet the shift in demand better than your competition? Certainly predictive trend analysis (using traditional machine learning fine-tuned to your problem domain) will help, but only if you can identify the right data sets and indicators, which will also mean being able to detect shifts in sentiment early. So sentiment analysis (not overblown generalized error-prone Gen-AI) will also help.

But that’s just the beginning. Technology indicates possibilities, maybe even probabilities, but not guarantees. For that, you will need a human-based assessment of the situation. And possibly an anthropological one. If you want to get ahead, you will need to think ahead of the crowd.

Why Should Small Businesses Invest in Procurement Software?

Plenty of reasons, but the doctor was surprised to see that one of the best articles for a small business layperson that listed some of these reasons was an article on Intelligent Living on 7 Reasons Why Small Businesses Should Invest in Purchasing Software. While e-Procurement vendors are usually targeting mid-size, or larger, organizations (as they want 6-digit deals, and small businesses can’t afford more than 5-digit deals, and micro businesses not more than 4-digit deals), e-Procurement software, especially turn-key self-serve software, is beneficial for small (and micro) businesses as well because it helps organizations of all sizes.

All organizations spend money, and as a result, all organizations can overspend, get defrauded, spend too much time on tactical (thunking) tasks, etc. Low-end baseline 80% e-Procurement solutions can help them immensely, even those that cost as little as 500 to 1500 a month. (Yes, they exist. After all, why did the doctor say that 120K is enough for full Source-to-Pay?)

The article points out the following seven (7) benefits of e-Procurement solutions in everyday layman terms which an average small business person should be able to understand.

Automated Purchase Orders
Quickly generate accurate purchase orders from catalog items or repeat buys and push the orders into your Accounts Payable (AP) and/or inventory systems.
Vendor Management
Unified view, complete order and contract history, and automated alerts.
Budget Control
Set budgets, monitor spending against budgets in real time, and set alerts when budgets are (close to being) exceeded.
Real-time Analytics
Real-time spending reports against up-to-date data with simple trend analysis.
Enhanced Security
SaaS providers that have industry standard security certifications need to stay on top of cyber security, something the average small business would really struggle with.
Integration with Other Systems
Most small businesses are not very tech-savvy and a platform that integrates with the other systems they use is very useful to them.
Scalability
Most of this software can scale up to support more users, more catalogs, more POs, more transactions, etc.

In fact, as a small business, the only other things you would care about starting off are:

Invoice Matching
to make sure the invoice matches the PO (or is from a known vendor if it’s for a one-time off-catalog product or service you wouldn’t normally do a PO for)
Contract Tracking
basic governance with document storage with searchable, indexable, metadata for quick location for price and term verification

Again, e-Procurement is great for small businesses (and some of the providers in Part 37 of our Source-to-Pay+ Series are priced right for smaller businesses). It’s even greater to see plain language explanations of the benefits that small business owners can understand.

Top 10 words or phrases to ban from an RFP response, Part 2

In this two-part article we are giving you the top 10 words or phrases you should ban from RFP responses if you want a meaningful response to your technology / technology-backed / technology assisted RFP that’s not full of meaningless buzzwords, ambiguity, misdirection, or some combination thereof. The simple fact of the matter is that if you allow any of these phrases, you are not getting an answer, or at least not an answer you need.

5. Best Practices

This one might drive you even crazier than some of the buzzwords coming up. It would drive the doctor crazier than the next two buzzwords except for the fact that vendors/service providers are a bit more honest here — they are delivering “their” best practices. However, their “best practices” are not necessarily “best practices” appropriate for you or your organization, not necessarily better than their peers, not necessarily new, not necessarily old, and so on. It’s vague. Too damn vague. You want them to describe explicitly what process / service improvements they will bring to you, how those improvements will help you, and what results the vendor/service provider expects that you will see. Not just “best practices”. As the doctor recently read somewhere, “best practices” are the learnings based on what a service provider was doing three years ago. Some will still be relevant, but with markets and technology always evolving, some won’t. Again, you need solutions, not “best practices”.

4. Sustainable Practices

Yes, you want sustainable practices. Sustainability is key, and not just because it’s becoming a regulatory compliance issue, or necessary to maintain a good brand image, but because it’s necessary to maintain a source of supply and a reliable supply chain. However, at the end of the day, “sustainable practices” is just as vague as “best practices” or “sustainable procurement” and even more impossible to gauge without deep details. You absolutely, positively, without a doubt need your vendors to describe their practices and processes in detail so that you can judge how sustainable they are and if they are sufficiently sustainable for you.

3. Innovation

This one should drive you crazy. How many times have you read “we are a very innovative” or “our innovative solution” or “innovation is our number one goal”? Great. WTF does that mean? What have they done that is ACTUALLY innovative? And how did that innovation create a better product/service/solution than you could get from their three closest competitors? What is their latest improvement, what does it actually do, how is it better than the last version, how does it compare to the closest competitor, and is it good enough to actually warrant a cost increase? Every vendor and their mascot claims to be innovative, but most aren’t, and most of those that are, aren’t that much more innovative than their closest competitor, and it rarely justifies a significant quote increase.

2. Automation

Yes, you want automation, but only if the automation is appropriate for the solution you need, the business processes you use, and the business practices you want to adopt. Plus, you want controllable automation, not an automated product/service that is not controllable. If you allow a provider to say they have automation, they are going to assume that’s enough of an answer and you won’t actually know what kind of automation they have, to what extent it can be customized, how hard it is to configure, how often it needs to be checked/monitored, etc. You need the vendor to specify how the solution works.

1. AI

Especially Gen-AI. As we have explained repeatedly, there is no true AI, most marketing is bull crap, and when companies try to do too much or go too broad with AI, what they deliver is Artificial Idiocy.

Besides, as a buyer of technology for a technology, technology-backed or technology-assisted solution, you don’t care about AI vs. no AI, you care about whether the solution will do what you need it to do, do it efficiently, do it effectively, and do it in a way that can be supported for the lifetime of the solution. The best products in our space have never needed AI, or even had access to AI, and they worked just fine using traditional analytical algorithms, optimization, classical machine learning trained and tweaked to a specific problem, and so on.

Let’s be clear that the promises of “AI” are not new, and that these promises have NOT delivered for the last 60 years. Let’s repeat that. AI has NOT delivered for the past SIXTY years. In the 1970s, shortly after the founders of AI started researching early systems, it was hailed as the future of computing. Nope. Then in the 1980s we were told AI would give us expert systems that would replace specialists. Nope. Then in the 1990s we were told 4GLs and 5GLs would enable the emergence of true AI. Nope. Then in the 2000s with the emergence of the internet and early distributed (cloud) computing models and the ability to create deep neural networks, we were told we’d finally get true AI. Nope. Then in the 2010s with the emergence of turn-key cloud platforms, map-reduce, multi-core processors supporting more parallel computation, and neural network optimization, we were again told we’d have true AI. Nope. And now, with ChatGPT and Gen-AI, we’re told we’re finally there. H3ll NO! AI is BS. Don’t look for AI. Look for solutions that work.

So ban the buzzwords. Maybe then you’ll get some real insight into real solutions.

Source-to-Pay+ Part 9: Cyber

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. In Part 3 we moved onto an overview of Corporate Risk, in Part 4 we took on Third Party Risk (in Part 4A and Part 4B), in Part 5 we laid the foundation for Supply Chain Risk (Generic), in Part 6 we addressed the first major supply chain risk: in-transport, followed by the second major supply chain risk: lack of multi-tier visibility in Part 7. In our last article, Part 8, we discussed the baseline Analytics that should be part of all of the different risk systems we covered in Parts 3 through 7, as well as a control centre.

Today, in Part 9, we move onto Cyber Risks. In today’s hyperconnected SaaS world, nearly half of an organization’s data breaches originate in the cloud (see this recent article by Illumio on Cyber Magazine, for example). So cyber security is important, but not just for your organization — for your entire supply chain.

Note that we are not going to dive deep; there are plenty of security firms that will do that for you. We’re just going to highlight key points of risk that must be covered in your cyber security plan.

Internal Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

Risk: Description

E-mail: Plenty of risks come in through e-mail. The biggest one you are likely aware of is fraudulent requests for payment from fraudsters posing as fake suppliers / service providers / consultants or new employees in a remote office asking you to approve an emergency payment. However, since fraudsters blast these far and wide (as it takes less work to create them), the most common fraudulent emails are usually phishing/ransom attempts where you have to click an email and enter your system login information to retain access to your email account (or another system you use). (Then they use those credentials you freely gave them to log in to your systems, lock you out of them, and demand payment to unlock your account.)

Your email system needs to do more than identify an external sender. It, or the security plug-in, needs

  1. to verify the originating domain of the email (since most fraudsters can’t mask the domain they send from),
  2. to identify the domain and location of the first intermediate server the message hits (since that can’t be masked unless they’ve hacked that) as well as if it matches the locale of the domain the email purports to come from, and
  3. to identify the domain of each embedded link and the company it belongs to (as fraudsters are great at registering domains just ONE letter off an actual domain and cloning the contents of the domain being faked; e.g. chaEse.com vs chase.com … one is your bank, one will soon be scooped up by a fraudster who will skim account logins for a day during a “maintenance window”, then drain all the accounts dry (or at least to the transfer limits) the next day and wire the money to a foreign account in a jurisdiction with no extradition or banking treaties with the US, then empty the account the day after that, and then disappear never to be seen again …).

Hacking: Hackers will constantly be trying to penetrate your firewalls, the web servers and underlying operating systems of machines in the DMZ, the applications you are running, and the underlying security systems you use for monitoring and detection (but these are likely the most secure, especially if you are having them maintained and monitored by a professional, big name, IT security firm). You need to be monitoring for unusual activity, (D)DoS attacks, repeated login failures or access abandonments at particular ports or in particular application logs, and so on. You also need a few attractive honeypots that emulate the systems the hackers would want to access most, and if you don’t understand this, or why, talk to your security guru.

Ransomware: Hackers want to access your systems for two reasons: to steal money and IP, or to lock you out of them (if they can’t access any IP worth stealing or you don’t use any finance systems capable of [authorizing] payments) so you will pay them to get back into your systems. You need to be very careful to detect not only hacking attempts, but also the installation of new software that is unrecognized / not authorized by security. This is because you could be totally screwed and have no choice but to pay the ransom even if you do complete, incremental, daily backups across all systems. Smart hackers will install the ransomware, let it sit for a few weeks or so, and then activate it when you can’t roll back to a backup because you’d lose weeks or months of data. (You’d have to roll back to just before the ransomware was installed, because the majority of backup systems would not be able to identify the actual file changes, and there’s no way you could do a restore and not restore the ransomware after the ransomware was discreetly installed.)

Infected Websites: Your users love to surf, surf, surf the web and go where the hidden links take them. You can’t expect they will all keep their browsers up to date, keep the underlying OS up to date, and, simply put, not be careless. You need to enforce security software on their machine, and check that it is present and up to date before that machine accesses your network, because if they visit the right infected website (from a fraudster’s point of view), it can be an instant hack and/or backdoor for the automatic installation of ransomware on their machine and/or your network.
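
The three e-mail checks listed above (sender domain, first server hop, link domains), as an added Python example that is not part of the original article. The trusted-domain list, the `mx.corp.example` boundary server name and the sample message are constructed assumptions; the locale comparison is left out because it needs an external IP geolocation database.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"chase.com"}      # assumption: domains you really do business with
OUR_MTA = "mx.corp.example"  # assumption: your own boundary mail server

# Constructed sample message, not real traffic.
SAMPLE = (
    "Received: from mx.corp.example by mail.corp.example; Mon, 4 Dec 2023 10:00:02 +0000\n"
    "Received: from smtp.bulkhost.example by mx.corp.example; Mon, 4 Dec 2023 10:00:01 +0000\n"
    "Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=chase.com;"
    " dmarc=fail header.from=chase.com\n"
    "From: Account Services <alerts@chase.com>\n"
    "Subject: Maintenance window\n"
    "\n"
    "Log in at https://secure.chaEse.com/login to keep access.\n"
    "Statements: https://www.chase.com/statements\n"
)


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one letter off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_domain(host):
    """Naive registrable domain (last two labels); real code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    # Check 1: only trust the Authentication-Results header stamped by our own
    # server; a sender can insert a forged one claiming "dmarc=pass".
    ours = [h for h in msg.get_all("Authentication-Results", [])
            if h.split(";")[0].strip().lower() == OUR_MTA]
    verdict = re.search(r"dmarc=(\w+)", ours[0]) if ours else None
    authenticated = bool(verdict) and verdict.group(1).lower() == "pass"

    # Check 2: Received headers are prepended, so the last one is the earliest hop.
    received = msg.get_all("Received", [])
    hop = re.search(r"from\s+([\w.-]+)", received[-1]) if received else None
    first_hop = hop.group(1).lower() if hop else ""
    hop_matches = bool(first_hop) and base_domain(first_hop) == base_domain(from_domain)

    # Check 3: flag link domains within one edit of a trusted domain but not equal to it.
    lookalikes = []
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        dom = base_domain(urlparse(url).hostname or "")
        lookalikes += [(dom, t) for t in sorted(TRUSTED)
                       if dom != t and edit_distance(dom, t) <= 1]

    return {"from_domain": from_domain, "authenticated": authenticated,
            "first_hop": first_hop, "hop_matches": hop_matches,
            "lookalike_links": lookalikes}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The hostname in a Received line is whatever the connecting peer announced, so a production check should rely on the connecting IP address recorded by your own server rather than the name alone.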

External Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

Risk: Description

Compromised Supplier Site: If a supplier site or system is compromised, and you engage with that system in any way, then your system could be compromised. You need a system that monitors for supplier system/site/cloud risks as well as (known) supplier breaches.

Compromised Data: All of your systems run off of data. Compromised data is the easiest way to compromise a system. If an email gets intercepted and altered in transit with a man-in-the-middle attack and the hacker changes bank account information, you’re paying a fraudster and not the supplier. If the third party risk metrics are adjusted, your system can be tricked into diverting all business to a single, new, supplier which, while a legal entity, was set up by the founder to take your money and run. And so on.

Compromised Identities: Identity theft is on the rise, and it’s often the easiest way for a fraudster to get funds from a business. You need to track all known cases of identity theft associated with all individuals associated with all businesses associated with your business as you will need to do extra verifications on requests from those individuals.

Web-Based Vulnerabilities: You need to be aware of where the biggest web-based vulnerabilities are in your suppliers and partners, make sure your suppliers and partners monitor and address those, and make sure you lock down your security to the max when you have to interact with their systems that are classified as high risk for vulnerability.

And more. There’s a lot of risk in cyberspace thanks to the fact that the information and financial worlds have merged, and your organization needs to be on top of it. Identify appropriate providers, or you will need very good luck to not fall victim to a significant cyber-based threat.