Category Archives: Compliance

Keep Your Procurement On PACA with FSMA with Procurant!

We don’t cover specialist Procurement providers much here on SI because many don’t have much in the way of domain specific product functionality (and differ primarily on domain knowledge, terminology customization, and service offerings), but some, like Procurant, go beyond the basics and offer domain specific functionality of relevance that the market needs to take note of. Especially when such functionality can help an organization be compliant with current and, most importantly, incoming regulations they are not ready for.

Procurant, marketing itself as a strategic platform for perishables that does Procurement AND Food Safety, offers the following core functionality:

  • P2P (Procure to Pay) for Perishables
  • Inspections (recording and auditing)
  • Traceability that is mobile-enabled and FSMA 204 compliant
  • Market Intelligence
  • Food Safety (workflow and remote sensor integration) (not covered in this article)

It’s the one-stop solution for retail grocers, especially those with US operations, that need to manage their perishable supply chain in a manner that is both PACA and FSMA compliant. (And if you’re a grocery retailer that does NOT know what those acronyms stand for … Uh-Oh! Better find out and give Procurant a call ASAP — because failure to comply can not only result in fines but [supply chain] shutdowns.)

Procurement/Procure-to-Pay wise there isn’t much that’s unique in core functionality (as the uniqueness is with the integrated support for the perishable space), but it’s all there, and we’ll start with the core so you can be confident the core is on par with other best-of-breed Procurement solutions.

With respect to quote management, the platform contains integrated RFQ / price request that makes it really easy to not only request (updated) quotes from suppliers, but get a commitment on that price (for a certain time or volume; i.e. one week or 100 pallets). When you get a commitment, the system tracks orders against that commitment, and then lets you know when the quote has expired because the commitment has been used up (and if you still need more product, you need a new quote with a new commitment).

With respect to order management, the solution makes it easy to select products for orders from the built-in catalog, from order templates (guides), or from demand forecasts (which can be pulled in from the forecasting/demand management system OR created natively in Procurant using weighted average outbound for the last 12 weeks, with more forecasting algorithms coming in a future release). The platform even supports the definition of automatic (replenishment) orders, should the organization choose that functionality. Once the order is assembled, it’s very easy to send it to the supplier for fulfillment.

Moreover, as Procurant’s P2P also contains integrated support for carriers and logistics (due to the need to monitor the entire produce supply chain and ensure food safety every step of the way), in Procurant, you can also assemble orders by truckload, as you don’t want to be under-shipping if not absolutely necessary (as it takes the same amount of energy to maintain the temperature when refrigeration is necessary whether the truck is almost full or almost empty) and it’s easier to trace when you decide who is shipping what, when, and on which truck. One great feature of the platform is that it’s super easy to assemble an order for a carrier. It’s just a matter of dragging and dropping order line items until the platform notifies you that the last line won’t fit in the truck (as you can encode a max # pallets, weight, and volume by truck and as soon as one limit is reached, the platform lets you know). No complex training on a sophisticated TMS required.

As a result of this deep support for logistics and carriers, purchase orders can be incredibly detailed and include shipping dates, carrier, load reference number(s), and even cross docks.

Also, order management is multi-state and the system will track and notify if there is an:

  • order modification by the buyer
  • order modification by the supplier
  • order cancellation by the supplier
  • order reconciliation by the supplier (on being notified the goods received didn’t match the PO)

and all changes by any party are maintained in a secure, unalterable, audit log.

With regard to order management, the buyers can choose whether or not the supplier can split orders, remove items, or add substitute orders; whether or not they can change prices (or just quantities to match availability); and even when modifications will be accepted. Similarly, the administrator can determine the order creation capability the buyers have access to … whether or not they have (to use) guides, whether they can create cross-dock orders, etc.

With respect to invoice management, it’s super easy for a supplier to flip a PO to an invoice. All they have to do is enter the actual quantity shipped by line item and submit. The invoice then goes into a wait state until a receipt is entered, at which point if there is a discrepancy, the invoice is sent back to the supplier for correction before it goes into the normal processing queue, where it would be held up until the discrepancy was resolved, which could delay payment considerably if the organization has long approval chains for corrections and exception processing.

The platform also tracks supplier fill rates, so you can quickly see which suppliers are fulfilling the POs they accept and living up to your expectations and which suppliers are not. It also has price watch capability, and can alert you whenever PO or quote prices exceed current (or historical) prices by a certain percentage.

And, of course, there’s a dashboard which summarizes current tasks and open orders and great search and filter functionality to find just the orders, invoices, or quotes you are looking for.

The platform also integrates the inspection reports from their inspection app and, for any fulfilled order, you can quickly bring up the full report that summarizes the inspection (packaging, appearance, condition, flavor, and quality) on each item delivered as well as the number of items rejected. Also integrated with the Procurement platform is the Inspection Module that contains the overall inspection summary dashboard, drill downs by supplier, scorecards by supplier, and other key reports and data points on inspections. The inspect application is a mobile app that workers can use at the warehouse or on the dock to inspect the quality of goods as they come in and, if necessary, reject them on the spot.

What’s really cool is the Track and Trace capability where, for any item, you can see the entire journey from the source lot to the warehouse or the store shelf, as appropriate. You just need a GTIN, lot number, order number, SKU, or product description and, optionally, a date range and you see the store shipments, receivings at your warehouses, vendor shipments, and base lots. And you can click into each store shipment, receiving, vendor shipment, or lot and see complete details (such as the ship to, date, and receiver for a store shipment; order #, sales order, Lot, shipper, shipment date, and cases for a vendor shipment; etc.). And with their next release, the (default) output report formats will be usable for FSMA compliance. (Again, if you do grocery retail and you don’t know why this is critical, you better find out soon!)

Finally, their Market Intelligence Capability in Procurant Connect provides Commodity Pricing, Weather, and Transportation analytics and tracking. The commodity pricing tracks price movements across all commodities by region; the weather pane integrates forecasts down to the county level; and the transportation analytics tracks average load fees by lane (defined by city pairings), as well as price changes and shipper / transportation availability (surplus, slight surplus, adequate, slight shortage, or shortage).

Procurant can integrate with your ERP and AP (payment) system, your TMS (or onboard carriers natively, which is something not many P2P systems can do as carrier management is critical in perishable supply chain management), and your supplier master (for supplier onboarding) if it’s not your ERP.

All in all, Procurant is a fantastic solution for perishable supply chain procurement and one that absolutely has to be on the short list of any grocery retailer that needs to get a handle on their perishable supply chain in a manner that will allow them to be fully PACA and FSMA compliant.

SmartCube: Putting a Nice Box Around Industrial MRO for Commissioning and SPIR Procurement for Projects

There are dozens (and dozens) of Procurement Solutions out there, especially for indirect procurement, as that’s where it all started. There are also a dozen or so good solutions for BoM (Bill of Material) direct procurement for manufacturers who need to source to build the products they are selling. However, when it comes to acquiring MRO assets, and spare parts to maintain them, there are very few solutions — and even fewer for managing procurement and inventory from a (commissioning) project perspective.

Most Procurement Professionals assume that this is handled by the ERP/MRP or the asset management platform but the reality is that the ERP/MRP will only track product specifications for approved products and materials, the asset management will only track assets that are actually delivered, and most of the sourcing is done old school — email and Excel spreadsheets, which is not a great solution. First of all, it is very time consuming for both parties to fill out all the information manually and send documents back and forth. Secondly, it is very error prone as the technical specifications will require detailed part numbers, identifiers, standards, etc. where one miskey can totally invalidate an entire record that might have taken days to put together. Thirdly, as the sheet is not in a version control system, it’s hard to control who can access it when and ensure updates are properly maintained and not missed or overwritten. Fourth, given that an average asset will require 10 or 15 associated spare parts, and multiple assets will need to be acquired at a time, an average sourcing process will take a minimum of two weeks (if not much [much] longer).

SmartCube has developed two tools to handle 1) the pre-commissioning Procurement of components and systems for major projects (such as new plant creation or plant renovation, utility construction, ship construction, etc.), as well as the commissioning process and 2) the material/part master, and the procurement projects needed for the ongoing support (as plants will require production line maintenance and upgrades, utilities will constantly require new regulation and control systems, ships always need upgrades, etc.) along with the procurement and management of the spares required to keep the components and systems running when something breaks.

This is done through their two primary offerings: I-SPIR, which they bill as an interaction and collaboration platform to allow multiple project partners and collaborators to input, collect and share spare parts information (SPIR) between all stakeholders in real time for asset-intensive industries, and I-MAT, which they bill as an autonomous warehouse management & material master cleansing & coding platform for any asset heavy industry.

SmartCube I-SPIR

First, some background. SPIR stands for Spare Parts Interchangeability Record, which is basically a list of equipment and spare parts that a manufacturer or supplier recommends that a project owner or asset manager should purchase in order to develop and maintain their industrial plant or process. Once the purchase suggestions, or modifications thereto, are accepted, the project owner then matches the purchases to the material master data in the ERP, if there are appropriate product records, or pushes the appropriate records to the material master.

SPIR is a lot more than just a slight modification to the direct procurement process, because it’s not purchasing materials and parts to build products for sale, but components and systems to keep a process running or a plant (utility, or vehicle) operating. It’s also a well-established systematic supply chain process used for tracking and recording information on various replacement parts used in industrial operations. The process involves:

  • Inventory Management: inventory must be established and properly maintained, and it must include what (parts), where (storage facility, room, and shelf), who (is responsible for), how many (quantity) and why (associated components or systems)
  • Identification: every component needs a unique identifier (and any manufacturing identifiers it’s associated with)
  • Documentation: specifications, function(al requirements), compatibility, and any standards met
  • Interchangeability Assessment: a thorough assessment that takes into account design, materials, operating requirements, and other relevant factors
  • Recording: that identifies parts that a given part can be substituted for, which includes a link to the assessment as well as information on the manufacturer, supplier(s), and lead times (for restock)
  • Maintenance: the record must continually be reviewed, updated as needed, and deactivated when the part is no longer needed or approved

When it comes to identifying components and associated spare parts, and executing SPIR projects, the process is similar to a traditional sourcing process:

  • Identify the need
  • Determine the specifications
  • Research potential substitutes
  • Evaluate compatibility
  • Select the replacement and make the award
  • Update records

It’s Procurement, but Procurement with needs not typically addressed. That’s why a specialized system is needed that takes into account all of the specialized aspects not addressed in traditional direct Procurement systems. That’s the system that SmartCube has created for Industrial MRO with its I-SPIR solution. The module has the following primary components.

Projects & Packages

In the I-SPIR platform, projects correspond to systems and packages to related sets of one or more modules (and each module will require one or more spares to maintain it).

SPIR Processes

Once a project has been defined, the system makes it super quick and easy to request spare parts for one or more components or systems. Setting up a SPIR project is simply a matter of:

  • selecting the master project
  • selecting the responsible individuals (for QA, Evaluation, Assessment, DCC, PRE, Coordination)
  • selecting the supplier
  • providing the basic SPIR info (Doc ReF, PO, Due Date, System & Area of intended use)
  • uploading any necessary documentation
  • sending it to the supplier

Once the supplier receives the SPIR, they can select the part they are willing to provide simply by specifying their ID, the original manufacturer name and OEM part number (if they are acting as a distributor) if they already have the SPIR in their system or it’s in EQHub, a third party SPIR database that contains pre-vetted products with validated information which, when imported, is tagged as already validated information (which can allow an organization to accept the part without having to go through a full evaluation). If the part does not already exist in the system or EQHub, a popup will allow the supplier to enter all of the required information, which will then have to go through a full evaluation process on the buyer’s end.

When the SPIR is returned, the system walks the individuals on the buying team through the process, which consists of:

  • Quality Assurance: is the data valid and are the specifications appropriate
  • Evaluation: classify the Spare against key asset tracking attributes of redundancy, repair/discard, consequence, and criticality and define/override the auto-suggested quantities
  • Assessment: assess the overall purchase against the inventory and finance requirements
  • DCC: verify the DCC data
  • Final Approval and Order: final approval and place the order

Tag Management

The platform makes it easy to manage asset tags and provides downloadable templates for quick upload. This simplifies integration with ERP/MRP/Asset Management systems and material masters.


The main entry point summarizes the projects the user has ongoing and their current states for easy project location, access, and management:

  • To Do: tracks the SPIR requests that need to be opened, re-submitted, evaluated for quality, concluded, etc.
  • New: new Projects & SPIRs recently opened and awaiting supplier submission
  • Open: Projects that are open where team members need to assess submitted SPIRs
  • Overdue: Projects that are overdue
  • Rejected: SPIRs that have been rejected (and need to be returned or recast to new suppliers)
  • Submitted: tracks the supplier submissions (that need to go through the SPIR process)
  • Concluded: SPIRs that have been concluded

SmartCube I-MAT

SmartCube’s other major offering is their materials “master” management and inventory platform that was specifically designed for supporting material and inventory requirements during (new) plant/site/rig construction and commissioning, plant/site/rig retrofit/upgrade and commissioning, cross-platform / site based material and inventory management (where the organization doesn’t have ERP/MRP integrations that support that), and other temporary or permanent material and inventory management scenarios not adequately handled by the ERP.

The platform is designed to serve as a part and material master as well as an inventory master for the locations and projects not managed by the ERP/MRP (which, for organizations running on the BIG ERPs like SAP or Oracle, or older ERPs, are any temporary/construction/retrofit/commissioning project where inventory needs to be managed separately and off-site in a yard, on a rig, etc. until the project is done). It’s very easy to load products and materials into the SmartCube I-MAT platform as it allows for easy CSV upload (in addition to direct ERP integration if you so desire, both for initial load and final push when you are done with the project).

In addition, as part of their latest release, they have automatic (potential) duplicate detection and simplify the process of merging duplicates and cleansing the material / product master. They also make it one click to deactivate products (and make it clear when a certain product should not be ordered).

Upon implementation, it’s really easy to define (and upload):

  • Vendors: that are providing the products and materials
  • Tag Numbers: standard (asset) tag numbers (for system integration)
  • Projects: the projects currently being managed through the system
  • Product States: Evaluating / Accepted / Offsite / InTransit / Not Found / Destroy / etc.
  • Locations: Onshore / Offshore / Yard / Europe Warehouse / USA Warehouse / etc.
  • Imports: upload a file and track the imports
  • Deactivated Products: for easy identification and management
  • Users: and their associated permissions

Once the data is loaded, it’s really easy to search for any product using a free-text search on all key fields, or an in-depth filter-driven search on each supported product field. In other words, filters aren’t just limited to material/part name, number, tag, project, vendor, etc. It’s also easy, once a search and drill down is performed, to select all or a subset for batch editing where all products are missing the same data or need the same field updated.

Once a product is selected, it’s easy to bring up, and if necessary, edit all of the associated data, which includes all of the standard part/material fields, as well as perform standard inventory operations. The system understands the standard actions of:

  • Add Stock: increase the stock at the selected location
  • Move/Transfer Stock: move the stock from its current location to the selected location
  • Withdraw Stock: mark the stock as withdrawn and used

In addition, you can (re-)set the status of any product at any time for any reason (which you can capture) if you have the appropriate authority. Plus, when you move or transfer stock, you can indicate the type of transfer and withdrawal (if you define multiple types of transfer and withdrawals, such as consumption, returned, trashed, queued for destruction, etc.).

Plus, coming soon, if you are doing a transfer from one location to another that requires shipping (such as from a rig to onshore or from one country to another), the platform will automatically export data for manifest creation in third party shipping systems (either through an API integration or through a flat file CSV export for loading in the third party system).

The entire system has been designed to be incredibly easy to use and support the primary requirements of a temporary project not supported by a traditional ERP/MRP material master or inventory management system:

  • easy off-site management
  • collaboration
  • high quality data

… and eliminate the need for error-prone spreadsheets and shadow processes that were created to get around the limitations of systems that were set up for managing acquisitions and inventory for traditional production line utilization, which is not the case in facility/plant construction and/or upgrade.

Both solutions are delivered as SaaS and no integration with ERPs is required. Last but not least, the amount of training needed is very limited as the design focuses on ease of use. Once a decision is made to use one or the other solution (or both) you can be up and running in a matter of days if integrations are not required. Integration with ERPs and other systems is typically only a matter of a few weeks.

As explained in detail, if you need to do a lot of sourcing for pre-commissioning, commissioning, and asset-maintenance, SmartCube is a system you should add to your (very) short list as traditional indirect (and even direct) Sourcing/Procurement systems just weren’t set up for the type of sourcing and (temporary) inventory management you need to do (while SmartCube checks all the necessary boxes and then some).

The Prophet’s 2024 Procurement Prediction Number 10

A “CFA-like” Credential Emerges in Procurement and Supply Chain B+.

The Prophet says that the procurement and supply chain industries, similar to most others, excluding finance, are lacking any certifications/credentials regarded, by those “in the know,” as a superior qualification for a job than even a top degree from a world-class or specialized university, which is totally true.

The Prophet also says that organizations such as CIPS, ISM, SIG, etc., might disagree with this viewpoint, which is also totally true. The Prophet does note that he supports all of these organizations, which the doctor does as well, and that he believes their training materials are highly valuable, which the doctor doesn’t across the board. (the doctor has seen some of their training materials. While some of their training materials provide a very good foundation, some of their training materials are not so good. Most of these organizations are very weak when it comes to analysis, tech-backed processes and practices, government/industry specific compliance requirements, risk management in today’s increasingly fragile global supply chains, etc. But when so many Procurement departments are struggling with the basics, understanding what their role is, and how ethics should enter the equation, we do need these organizations and that is why the doctor supports them while reminding you to do your homework when it comes to training. Use them for their strengths, not their weaknesses.)

The Prophet then suggests that in 2024, credentials will take on new meaning, and the best ones, particularly those challenging to obtain and requiring rigorous exams (which many fail), similar to the CFA in finance, will begin to take on a new significance in Procurement.

the doctor agrees with the principle, but does not agree it will happen this year, or even next year. Why? This will only happen with industry regulation, and that only happens in two situations.

  1. when an industry-led body gains enough support from the majority of professionals in an industry to make it a de-facto requirement in any employer of any size to get a high-level procurement job; no organization yet has that weight, and we’re not going to see the NLPA, SIG, APS, etc. all fold into the ISM, and definitely not into CIPS, which is pseudo-global (as it has made progress in some of the Commonwealth); this means that we’d need to see a new industry initiative that gave all parties representation and allowed them all to contribute to the standard and exam — for this to form, a certification to be adopted, and a test accepted will take years
  2. when a government forces a requirement that can only be met by a certification (and either creates their own or adopts one); governments move slowly, and when we have the situation in the US where
    1. the republican focus is on ripping democrats apart for what they didn’t do, rolling back human rights to the fifties, and installing a wannabe dictator as President-for-Life
    2. the democrat focus is on shaming the republicans, selectively protecting the human rights they want, and taking up the former republican war mantle (since Trump just wants to be a dictator, which doesn’t profit the military complex) and doing everything they can to back Ukraine and Israel (including risking World War III with their Middle East bombing of Yemen vs. just destroying every Houthi vessel launched into the water)

    and the situation in the UK where

    1. the conservatives are too busy trying to keep Dishy Rishy from making them the laughing stock of the political world (as he’s so far disconnected from the common person he has no clue)
    2. the liberal (democrats) are too busy trying to counter the conservative support for the global wars and lack of focus on the situation at home by being extra woke (and we know how that fared in America) …
    3. when we look at the NHS mess and postal service mess and their apparent unwillingness to do anything meaningful about it (for longer than should be humanly possible to ignore a crisis), it seems that good procurement is the last thing on their mind

which are the two countries that would need to lead such an effort (as the EU is very focussed on climate change and AI and struggling to hold itself together now with active protests in about a third of its member states on any given day; heck, it’s too focussed on attacking the farmers, already forgetting what happened when Stalin called the farmers the enemy of the state). (See this article, for example.)

Thus, while such regulation is sorely needed, it’s not likely to happen, if it happens at all, until the later part of the decade (unless, of course, The Prophet and The Public Defender want to once again band together and take up the charge and lead the effort to bring all the necessary parties together).

The Prophet was dead on with three of the primary reasons we need it.

  • GPAs are no longer a measure of academic performance in many universities.
    The Prophet notes that, according to the Yale Daily News, “Yale College’s mean GPA was 3.70 for the 2022-23 academic year, and 78.97 percent of grades given to students were A’s or A-’s,” including the hard sciences and engineering! He also notes that the Michigan State Broad Business School (which includes the Supply Chain and Procurement degree programs) also experiences significant grade inflation, with 80% of students in 3 out of 5 undergraduate classes earning a 4.0. (Source)
    The situation is even worse in China where you don’t even get accepted to some Universities unless you are an A- or better student, and where you are under intense pressure to maintain that A, to the point where a student will drop out (or commit suicide) rather than risk being thrown out for not maintaining it. Now, this would be great except for the fact that As are often contingent on rote memorization and learning to do the work the “state way”, not always with any free thinking whatsoever. (And then graduating ONLY if they think you’ll agree to share what you learn when they allow you to go outside China for that Post-Doc/Professor position).
    The situation is better in Canada [except Quebec], but there are some Universities / Departments that are under great pressure to remain competitive to maintain grant and industry funding, and others where the professors are so overworked that they don’t even bother to confirm that a Master’s student in Engineering can manually calibrate an oscilloscope or a Master’s student in Computer Science can appropriately identify and test for all boundary cases in a simple procedure. (Remember, the doctor has been a Professor, and maintains regular contact with Professors and knows this to be truth.) How could you trust either to validate your equipment or your code? (He couldn’t!) (Regarding Quebec, the current premier is taking Quebec’s status as a nation within a nation and essentially discriminating against anyone who is not French and willing to speak French as a first, and only, language. [See this article, for example.])
  • DEI/affirmative action preferences, which still exist (despite the supreme court ruling and their illegality if they enforce admitting or hiring a less qualified candidate), have removed objective academic criteria in both degree-based programs and industrial training programs. This has resulted in candidates who might only be a D being admitted to programs because of their minority status while non-minority candidates with Bs were excluded.
  • The best talent may no longer be pursuing traditional college or graduate programs. There needs to be an objective means of evaluating hard and learned skills for those who cannot afford or do not wish to invest time in university studies, especially those who have taken industry training programs or annex courses specific to what they need as well as obtained relevant real world experience under a mentor. (There’s a reason there used to be apprenticeships; some learning only happened under the guidance of a mentor.)

The only other reason that needs to be mentioned in the doctor‘s view is

  • without a certification, how can you know that any candidate, no matter how experienced and skilled they appear, knows all of the foundations you need them to know? With so many different definitions of sourcing, procurement, and purchasing; so many different thoughts on what an individual should know about analytics, supplier identification, supplier vetting/onboarding/management/development, negotiation, contracting, global trade, logistics, risk identification and management, compliance, finance / finance support, etc., how can we have a solid baseline without a (multi-level) certification program?

It would be great if 2024 is the year that we saw this certification, but while we desperately need it, the doctor believes that, unfortunately, it’s still years away. (But he will challenge The Prophet to step up and make it happen!)

Brooklyn Solutions: An Answer to Your Third Party Compliance Management Challenges!

In our last article, we introduced you to the oft-overlooked area of Third Party Compliance Management which is not adequately addressed in the majority of Third Party Risk Management solutions, despite beliefs to the contrary. And those of you who pay attention probably realized that in addition to telling you about the challenge, we were also going to tell you about one potential solution (and give you a starting point in your research).

One starting point is Brooklyn Solutions, founded in 2018 to automate and scale vendor management from a compliance standpoint across the enterprise. In order to ensure compliance, they offer not one, but four core modules to address all the relevant areas — third party risk management, third party relationship management, and third party contract management in addition to third party compliance management (as they all feed into the compliance pie) — as well as two auxiliary modules for ESG (which is an area all its own) and Digital Assessment Frameworks (for automated digital assessments in the supply chain tail). They already have global customers with over 1,000 users across multiple industry sectors which they support with offices in the US, UK, and South America.

Note that their holistic approach to compliance management (by tracking the vendors the organization interacts with, the contracts that govern key relationships, and risks they are subject to in order to collect the necessary information to ensure compliance) is not just because of the criticality of compliance (as lack thereof can result in massive fines and even criminal charges to executives in some countries), but because a lack of compliance with organizational policies and contracts can lead to an average overspend of 9% to 15% in contract value in an average organization as per Gartner, Deloitte, PWC, McKinsey & Company, Bain & Company, CIPS, and the WorldCC. In this economic climate, that’s not something any company can afford!

Considering how many CLM solutions are on the market, you’re probably wondering how so much value leaks, especially since the classic cause of lavish leakage was due to lack of good e-Procurement systems that could m-way match the invoice to the PO, the pricing to the contract pricing, the line items to the goods (and services marked) received, and so on to make sure what was paid was what was agreed to. That’s because most CLM systems that claim to “govern” a contract are actually just glorified electronic filing cabinets that track the metadata and alert you when it’s expiring. And even if they allow you to break out obligations, most don’t track the extent to which they are mapped, monitor the risks that can lead to disruptions that can lead to a significant loss, assess the downstream parties that can put you in non-compliance, ensure performance is at agreed upon levels, and so on. Furthermore, even though the more advanced systems will support negotiation, all that does is allow you to identify value (not capture it), or perform (process) analytics, and that’s just helping you get efficient in the partial process the system supports, not efficient in capturing the value. That’s why Brooklyn Solutions focuses on ongoing contract and risk management from a compliance viewpoint AFTER the contract is signed rather than focussing on all of the pre-contract-signing and onboarding activities that the majority of traditional S2P, CLM, and TPRM vendors are focussed on.

It does this by allowing the organization to define as many workflows and actions as it needs to define in order to ensure all processes necessary for compliance are met. The workflows can be tailored to precisely what the organization needs. We’re not going to go too deep into workflow construction, as you’re probably familiar with how it will work if you have a supplier / third party onboarding platform that also allows you to configure the process, but we will point out one key difference between workflow construction in Brooklyn Solutions and many other platforms: the logic is not only conditional and fine grained but can trigger other processes based upon the responses, which can themselves trigger other processes and allow for as much branching as needed to get the information an organization needs to manage the risk, maintain the relationship, fulfill the contract, and ensure compliance — and these (sub) workflows can even branch back into the right point of the main process when the time is right.

These workflows can also punch out to third-party systems and automatically pull in risk and compliance data into the platform, data which can trigger new risk and compliance workflows if the data that comes back is too risky or potentially non-compliant. The configuration capability is extremely flexible. Essentially, Brooklyn Solutions is an orchestration platform built for managing third parties, contracts, risks, and compliance in a cohesive whole.

Contract Management Overview

Since the contract management solution is focussed on obligations, SLAs & KPIs, issues and workflows and was designed to help the organization ensure that the negotiated terms are adhered to, and value achieved, it’s functionally a meta-data driven application and the entry point is an analytics dashboard that gives you deep contract analytics on obligations, reviews, documents, SLAs, (open) risks, and (current) actions. It’s easy to dive into any aspect and see detailed status; this includes diving into obligations and getting an overview of how many are pending, overdue, and non-compliant; into (open) risks and seeing those where there are actions and the status of associated actions; into documents and how they break down by active vs inactive contracts, addendums, etc.; and so on.

The obligation tracking is exceptional. You can fully define what the obligation is, who is involved, what workflow is required to complete it, whether or not it’s a critical path obligation for a contractual, risk, or compliance requirement, the relevant financials, and the frameworks being used as well as track activities and associated action items, associated documents, and status. The obligations can also be linked to related parties in the supply chain and easily tracked down to the source supplier or suppliers that need to adhere to them using Sankey Diagrams.

Relationship Management Overview

Relationship management in Brooklyn Solutions isn’t the touchy-feely relationship building that Procurement sells as a way to become a “customer of choice” and “reduce costs”, nor is it the activity definition and tracking capability of a traditional old-school SRM application (where the “R” stands for Relationship, and not Risk). It’s a data and metric tracking application focussed on SLAs and KPIs, performance scorecards and monitoring, and regular policy and governance reviews to ensure everything stays on the up and up.

It’s also one of the perfect solutions to plug into the Customer-Supplier-Management gap left by P2P/S2P systems between the PO and the Invoice as it allows you to

  • onboard suppliers and ensure core data requirements are collected and fulfilled
  • quickly get complete, 360-degree, supplier profiles
  • define and assign actions and issues and track the status
  • collaborate with the third party at any time
  • kick off governance reviews as needed

Supplier profiles not only consist of basic organization and contact information, but all associated contracts and documents, obligations, risk profiles and data, performance data and scorecards, associated actions (in all states), and interactions including meeting minutes and upcoming meetings. They also allow you to drill into the relationship hierarchy UP and DOWN the chain.

Risk Management Overview

The risk management application is all about tracking organizational risk ratings (as well as what a supplier can do to reduce their risk rating) and risk indicators, monitoring risk levels, and allowing the organization to quickly find out, for any supplier contract, obligation, or compliance requirement, what the currently assessed risk is. They are colour coded in a matrix that allows a buyer to quickly identify the high or moderately high risks that could pose a critical compliance risk, dive in, and address them.

It’s also very easy to get an overview of the entire portfolio of risks tracked in the system, the risks with the worst scores or least/no controls, the suppliers with the most concentration of risk, the individuals who own the most risk (either through suppliers, contracts, relationships, etc.), and so on. You can quickly identify the high risks, which ones can be reduced, what can be done, and how the effort can be initiated, and kick it off.

All risks are scored on a 1 to 25 scale that is meant to gauge the impact vs. probability which is mapped against the organization’s typical risk tolerance to quickly identify those risks that are too high with respect to organizational tolerance (red), slightly higher than tolerance (yellow), and well below (green), with orange between yellow and red and dark green between yellow and light green.

Compliance Management Overview

The fourth, and most important of the four primary modules, is compliance management which, unlike prior generation compliance and GRC (Governance, Risk, and Compliance) solutions that were built to help you collect compliance data for reporting, was designed to ensure the organization was digitally fit for audit. And yes, there’s a difference. When a platform collects data simply for the purpose of completing a report, it’s a static piece of data in one place that can be queried individually or spit out as part of a pre-coded data dump for report creation. It technically solves the reporting problem, but it doesn’t solve for audit.

When your organization undergoes an audit, it’s more about the data that goes in an annual report. Where did it come from? When? Who verified it? Why was it deemed acceptable? Did you explore all of the necessary elements in making the determination?

For example, if you’re undergoing a GDPR compliance audit because someone complained that you don’t protect personal data and you hand over a report that says all the personal data you have is encrypted, and that you have annually tested processes in place to verify that all personal data you aren’t legally required to keep by law on an individual can be quickly deleted, it still doesn’t satisfy a compliance audit if you use third-party data services (“processors”) to store and process some of that data.
If you haven’t a) fully verified they are fully compliant with the regulations and can do the same purges in your tests and b) fully verified any third parties they use can do the same, you can’t claim to be fully compliant. For example, a cloud service might use a third party for managing its database and another cloud service to identify personal data that might not be appropriately tagged. If those third parties used by your cloud service aren’t fully compliant, then your cloud service isn’t fully compliant and you aren’t fully compliant. And that’s trouble that you would not identify in a compliance solution built for reporting and not for audit.

Since Brooklyn Solutions was built for audit, you can drill into the supplier profile, see their connected parties, and, in particular, the third parties that manage their systems and data and whether they have completed their audits, have the appropriate certifications, and run (and report) the proper tests annually. If not, you can reach out to them directly, send them the surveys, collect the reports, and do your own compliance analysis if you need to. And then, when the auditor comes in and asks you to prove you did the necessary exercises to ensure compliance, you can go into the system, show them all the parties you directly deal with that may have access to your customers’ personal data, drill into them, show that you know all their suppliers, show that you ensured that each of them was compliant, and so on down to the last service provider in the chain that may, even indirectly, have access to your customers’ personal data. Since it can handle the GDPR example above, which is one of the toughest audits you could get, you know it can handle any other supply chain audit as well.
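The chain-of-processors check described above, sketched as an added example (not Brooklyn Solutions' code or data model). The `Party` fields, the party names, and the registry are constructed for illustration; the three checks mirror the audit, certification, and annual-test evidence the text mentions.

```python
"""Walk a personal-data processor chain and list every party that blocks a compliance claim."""
from dataclasses import dataclass, field

# Evidence the text says must exist for every party in the chain (field names are hypothetical).
CHECKS = ("audit_completed", "certified", "annual_purge_test")


@dataclass
class Party:
    name: str
    audit_completed: bool = False
    certified: bool = False
    annual_purge_test: bool = False
    processors: list[str] = field(default_factory=list)  # parties it hands data to

    def gaps(self) -> list[str]:
        """Names of the checks this party has no evidence for."""
        return [c for c in CHECKS if not getattr(self, c)]


def audit_chain(registry: dict[str, Party], controller: str) -> list[dict]:
    """Return one finding per unverified party, with the path that reaches it."""
    findings = []
    seen = {controller}
    stack = [(p, [controller, p]) for p in reversed(registry[controller].processors)]
    while stack:
        name, path = stack.pop()
        if name in seen:  # shared or circular dependency: evaluate once
            continue
        seen.add(name)
        party = registry.get(name)
        if party is None:
            # A processor someone names but you hold no evidence for is itself a finding.
            findings.append({"party": name, "path": path, "gaps": ["no_record_on_file"]})
            continue
        if party.gaps():
            findings.append({"party": name, "path": path, "gaps": party.gaps()})
        for sub in reversed(party.processors):
            stack.append((sub, path + [sub]))
    return findings


def can_claim_compliance(registry: dict[str, Party], controller: str) -> bool:
    """True only if every party reachable from the controller is fully verified."""
    return not audit_chain(registry, controller)


# Constructed sample data: the direct vendor is clean, two downstream parties are not.
REGISTRY = {
    "retailer": Party("retailer", True, True, True, ["cloud-service"]),
    "cloud-service": Party("cloud-service", True, True, True, ["db-manager", "pii-tagger"]),
    "db-manager": Party("db-manager", True, True, True, ["backup-vendor", "cloud-service"]),
    "pii-tagger": Party("pii-tagger", True, True, False),
    # "backup-vendor" is deliberately absent: named by db-manager, never assessed.
}

if __name__ == "__main__":
    for f in audit_chain(REGISTRY, "retailer"):
        print(" -> ".join(f["path"]), "| gaps:", ", ".join(f["gaps"]))
    print("can claim compliance:", can_claim_compliance(REGISTRY, "retailer"))
```

A report that only looks at the directly contracted `cloud-service` would show no gaps; the walk surfaces the untested tagging service and the unassessed backup vendor two levels down.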

No matter what question the auditor asks about a report you submit, with a few pieces of information and a few clicks, you can drill in to not only show exactly what was answered, but where the data came from, why, what processes you used in collecting it, and how confident you were. You can also show all of the historical actions, reviews, in-platform conversations, documents, etc. It’s a full fact-based history, not a partial viewpoint based on the memory of the best organizational expert.

Also, the holistic TreeMap overviews of compliance areas or risk areas (based on financial risk impact or some other indicator) make it quite clear to an organization just how well they are doing, or not doing (and let them quickly dive into the areas where the compliance is the least or the risk the highest).

The only real shortcoming is that, while it can be configured to ensure compliance for any global regulation you can think of, as of now, only four compliance requirements are fully supported out of the box: the German Supply Chain Act, the EU EBA/EIOPA guidelines, the UK PRA Outsourcing regulations, and GDPR. This is because they’ve spent the last five years building all of the core capabilities required for holistic third-party compliance management (and started in the Financial Services sector, coding for those regulations first).

However, now that they’ve built and fleshed out all the core capabilities, and natively integrated it all into one consistent view (for every module you purchase), which is backed up by powerful AWS QuickSight dashboards that can be drilled, filtered, and searched on any data dimension, they plan to start adding more out-of-the-box support for global regulations over the next few years. Whether it will be by area (of ESG, CSR, etc.) or industry has yet to be determined, but with all of the necessary capability built into the platform, it won’t be hard for them to add more acts in a relatively short time frame. It’s just regulatory expertise, obligation data element identification, and workflow coding at this point.


With respect to Brooklyn Solutions’ near-term roadmap, they will soon be releasing a number of “Gen AI” capabilities built on appropriately trained next-generation large language models (LLMs) for natural language processing (NLP) that use human curated data sets relevant to the problem at hand. These new capabilities, which are designed to increase user efficiency, could make some users three times as efficient (or more) in their jobs as they are now. (Right now, power users in the platform have been measured to be 200% more efficient in their responsibilities than before when they were working without the help of Brooklyn Solutions.) The new “Gen AI” capabilities are being deployed to power the following new capabilities:

  • Meeting Agenda Generation: Identify the supplier or action team, and the platform will scan all associated actions, flows, contracts, risks, and compliance requirements and create an agenda based on open / incomplete items and changes since the last meeting (which can be quickly edited or adjusted based on the desires of the meeting organizer)
  • Executive Meeting Summary: Attach a transcript of the meeting (which can be auto generated using the transcription capability of most modern video conferencing platforms) and any supporting documents and it will generate an executive summary
  • Report Generator: Similarly, select a supplier or contract and time-period, and items of interest (events, contracts, risks, compliance requirements, etc.) and the solution will generate a written summary of the items of interest, highlighting those that are (scored) high or low, fully formatted and exportable to docX, xlsX, and pptX
  • Automated Survey Creation: Identify the risk, capability, and/or compliance requirement you are concerned with, where you are concerned with it, how concerned you are with it, and how intrusive / work intensive you want it to be for your suppliers (by way of a max question count) and the platform will use its built-in knowledge of the risk, capability, and/or compliance requirements and its library of surveys/templates to auto-generate a survey and send it to all suppliers in, or dependent on, the region in question
  • Contract Clause Explainer: Highlight any clause in the contract and the solution will translate that clause into everyday layperson English (or for those clients in the UK, the King’s English on special request, as that requires a special configuration), and provide one or more examples of where that clause would come into effect and/or how it may be used
  • Contract Search by Topic: For example, if you want to identify all clauses in a contract that might relate to or satisfy GDPR, the solution will automatically identify the key requirements of GDPR, determine the most likely terminology that would appear in the contract, search for that, contextually analyze the clauses, and return those most likely to relate to GDPR with an everyday language definition of each. The same can be applied to any “contract clause” you can define, such as termination, audit right, price increase, and sub-contractor to name but a few.


In a nutshell, Brooklyn Solutions is one of the most complete Third Party Compliance Management solutions the doctor has ever seen. If compliance is an issue for your organization, be sure to add them to your shortlist.

An Introduction to TPCM: Third Party Compliance Management

TPRM: Third Party Risk Management is Big. Really Big. In fact, as evidenced by recent investments over the past year (Spectrum’s 200M investment in RapidRatings in 2022, Vista Partners acquisition of Resilinc, and now the 1.2B acquisition of Exiger by Carlyle and Insight), it’s HUGE. Actually HUGE! (Not Trump huge. In fact, the exact opposite. 😉 )

Why? The pandemic finally caused the space to wake up and realize not only how significant long-term disruptions are, but how much risk has been embedded in over-extended global supply chains over the last thirty-plus years (thanks to the global sourcing craze started by McKinsey and their ilk in the 90s as a method of “cost savings”, which really just resulted in “spend transference” to big consultancy pockets and the buildup of risk, and risk related debts, in the supply chain that, just like technical debt, always comes due someday). Big corporations have finally realized they need to manage that risk, or at least maintain constant visibility into it, if they want to get the supply they need to just stay in business. (At the end of the day, “cost savings” don’t matter if you don’t actually stay in business, which is what happens when you don’t receive any products to sell. So you need to assure supply first, and then avoid unnecessary cost second — especially since there is no real “savings”, just cost avoidance with improved processes, designs, networks, management, etc.)

As a result, these companies, who were mostly clueless about the risks (sometimes by choice), needed solutions now to at least get insight into the risks so they could plan mitigations, or at least take action when something happened. Since their traditional enterprise / manufacturing resource management, supply chain, source-to-pay, or back-office systems didn’t give them the insight they needed, they finally started to turn to TPRM (and in some cases, broader SCRM – Supply Chain Risk Management) systems in a big way.

And that’s great. Until it isn’t. As a result of all of the supply chain failures and the impending disasters they created across supply chains, not just health and defense, governments have started taking action and introducing a lot more regulatory compliance into the mix. This is at the same time they are waking up to the wild west of technology and introducing a lot more regulation into the mix around personal data and use of AI. And with fraud and money laundering seemingly increasing without end, there’s a lot more regulation around partner due diligence. And then there is the reality that the world is heating up (whether you believe in climate change or not), that this heating up is contributing to an extremely substantial increase in natural disasters, that temperature is correlated with carbon and greenhouse gasses (GHG) in the atmosphere, that we are currently producing a lot of carbon and GHG as a species, and while we may not have been entirely responsible for getting here (as there are other factors that cause temperature to naturally rise and fall on a planetary scale — although the changes we’ve seen in the last few decades have historically taken centuries or millennia looking at the geological record), we need to do everything we can to not make it worse (or risk natural disasters on a scale that have not been seen for millennia, and that have sometimes even led to extinction level events in the past). In response to this, countries are making commitments to the Conference of the Parties of the UNFCCC and instituting legislation limiting the carbon you can create (without fines or fees to offset that, presumably fines or fees that will be invested in greener energy options, but we have to admit many governments haven’t thought that far ahead) and the amount of other pollutants you can pump out.

In other words, not only do companies have to worry about more risks than they are aware of, they also have to deal with more regulations than they can easily keep track of (and, when they’re not on the ball, they don’t find out about them until they get a fine) — as well as dedicate way more time than they should gathering the required information for, and filling out, the appropriate reports and filings.

Moreover, and this shouldn’t surprise you, the vast majority of TPRM (and even SCRM-TPRM) systems don’t help with this at all. While they can be configured to detect issues that may represent potential violations, they generally don’t collect the reporting data that is required and typically don’t provide the detailed trickle-down visibility that is needed to verify that key requirements — such as personal data protection, no forced labour, etc. — are truly adhered to throughout the chain.

That’s why many big multi-national organizations, especially those that collect and process personal data, do a lot of global importing or exporting, or deal with extended supply chains and have to comply with extensive privacy regulations AND data protection laws in the finance sector, have to comply with hundreds of sanctions and denied party lists globally (as well as ensure there are no connected beneficial entities on those lists), and/or need visibility down to the source on human rights, need a solution that understands the regulations they are subject to, encodes the data they need to collect and the violations (special types of risk) they need to monitor for, and helps them produce the reports and regulatory filings they need to make.

And the only system that can do this is a Third Party Compliance Management solution, which has some commonality with a Third Party Risk Management solution, but also a lot of differentiation as well. Most organizations won’t know they need such a solution, as they won’t even know that such a solution exists (as there aren’t many solutions and not much buzz about them … yet). Hopefully this post will change all that. Even though the solutions are two sides of the same coin, the sides haven’t met yet, and until they do, which could be years (and years and years) away (because no one has really thought about the hard center yet), for many companies, what they really need is a TPCM solution.