Category Archives: Risk Management

When a Conflict Starts, It’s Already Too Late For Procurement To Pay Attention!

Supply chains are not only hurting, they are breaking, and they have been since the US and Israel renewed the conflict with Iran and more-or-less closed the Strait of Hormuz to pretty much every western country associated with the US.

A Strait that is critical not only for

  • global energy (as it normally sees 20% to 25% of global oil passing through it daily)

but also for

  • natural gas (up to 25%, at least it will further delay the AI Data Centers)
  • fertilizer (as it saw up to 50% of urea, ammonia, and sulphur supply passing through it daily, the first of which is a key fertilizer component)
  • methanol (but at least bootleggers will have to use real grain alcohol now) and petrochemicals
  • etc.

In other words, the Strait being closed off is not just a logistics nightmare for the shipments you were expecting to pass through it on time, it’s a nightmare across your entire supply chain, because all of your suppliers that depend on the oil, natural gas, chemicals, gasses, etc. that normally pass through the Strait daily are suffering their own nightmares. Delays will compound through the chain for the lucky ones, and the rest will see shipments just stop.

And articles that tell you this is a leadership moment are missing the point.

Where it was critical, you should already have known your exposure, had monitoring in place, and been alerted the day the conflict started that an issue was coming your way.

Where supplier Force Majeure was unacceptable, you should already have had the flexibility in your contract to shift, pause, or end the contract immediately upon supplier failure.

Where supply was critical, you should already have been dual- or tri-sourcing across geographies, with order escalation clauses built into the contracts so you can quickly secure supply when potential shortages are detected.

Where margins are tight or costs can vary widely based upon external events, your cost models should already be taking this into account, should be monitoring for market price changes, and should be updated upon such changes with immediate alerts if prices shift beyond typical market fluctuations.
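As an added worked example (constructed for this page, not code from the original post or from any vendor), here is what “monitoring for market price changes and alerting when prices shift beyond typical market fluctuation” looks like when it is wired into a cost model. The price series, bill of materials, conversion cost and sell price are all hypothetical; the “typical fluctuation” band is a trailing-window z-score, and an alert re-runs the cost model so the alert carries the margin impact, not just the price move.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the article): weekly spot prices per input,
# in assumed USD per tonne. Urea jumps in the last week; natural gas stays flat.
PRICE_HISTORY = {
    "urea":        [400, 405, 398, 410, 402, 396, 408, 401, 399, 404, 406, 403, 560],
    "natural_gas": [ 30,  31,  29,  30,  32,  31,  30,  29,  31,  30,  32,  31,  31],
}

# Hypothetical bill of materials for one unit of product: tonnes of each input.
BOM = {"urea": 0.25, "natural_gas": 0.5}
CONVERSION_COST = 60.0   # labour, plant and freight per unit (assumed)
SELL_PRICE = 250.0       # contracted sell price per unit (assumed)


def baseline(prices, window=8):
    """Mean and std-dev of the `window` observations before the latest one."""
    if len(prices) <= window:
        raise ValueError("need more history than the window")
    hist = prices[-window - 1:-1]
    return mean(hist), max(pstdev(hist), 1e-9)   # floor avoids divide-by-zero on flat series


def price_shift(prices, window=8, k=3.0):
    """z-score of the latest price against its trailing baseline; alert if |z| > k.
    k sigma is the 'typical market fluctuation' band; anything outside it is a shift."""
    mu, sigma = baseline(prices, window)
    z = (prices[-1] - mu) / sigma
    return {"baseline": mu, "latest": prices[-1], "z": z, "alert": abs(z) > k}


def unit_economics(input_prices):
    """Unit cost and gross margin for the BOM at the given input prices."""
    cost = CONVERSION_COST + sum(qty * input_prices[name] for name, qty in BOM.items())
    return {"unit_cost": cost, "margin": (SELL_PRICE - cost) / SELL_PRICE}


def evaluate(history=PRICE_HISTORY, window=8, k=3.0):
    """Run the price checks on every input, then re-run the cost model on the latest
    prices so any alert is reported together with its effect on margin."""
    shifts = {name: price_shift(p, window, k) for name, p in history.items()}
    before = unit_economics({n: s["baseline"] for n, s in shifts.items()})
    after = unit_economics({n: s["latest"] for n, s in shifts.items()})
    return {
        "alerts": sorted(n for n, s in shifts.items() if s["alert"]),
        "shifts": shifts,
        "margin_before": before["margin"],
        "margin_after": after["margin"],
    }


if __name__ == "__main__":
    result = evaluate()
    for name in result["alerts"]:
        s = result["shifts"][name]
        print(f"ALERT {name}: {s['baseline']:.1f} -> {s['latest']:.1f} (z={s['z']:.1f})")
    print(f"margin {result['margin_before']:.1%} -> {result['margin_after']:.1%}")
```

On the constructed data, urea breaches the band (z well above 3) while natural gas does not, and the unit margin drops from roughly 30% to under 14%; that second number is the one that should be in the alert, because it is what tells you whether the shift is noise or a contract conversation.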

And strategic and critical suppliers should already be treated as such. They should be given fair margins, access to buyer expertise that helps them with efficiency and with negotiating their own raw material contracts, and placed in a financial position where they too can dual- or tri-source and explore optionality in their own supply chains.

Because, as Paul Martyn commented on one of the many articles on why the conflict is apparently time to pay attention and step up (even though, as we stated in our opening, it’s already too late):

If you:

  • defer supplier investment –> you pay in disruption
  • squeeze supplier margin –> you pay in resilience loss
  • ignore (supply chain) optionality –> you pay in constrained decisions and lack of supply

The answer, of course, is to be paying attention to any high risk or high impact category from the day you identify it to the day you end the last product line that uses it. And to use the Busch-Lamoureux Exact Purchasing model to properly place your category, determine which cost factors and risks you need to track, how often, when alerts should be triggered, what mitigations can be taken up front, and what actions need to be taken when an issue likely to cause a disruption arises.

Tired of Geopolitical Chaos? You Wouldn’t Be if You Were Prepared!

In a recent article, Koray Köse pointed out that Geopolitics Now Lives in the P&L because it can re-price your inputs, trap working capital, and/or change who you are allowed to buy from or sell to, all with the stroke of a pen by a single individual entrusted with too much power.

And, as Koray points out, most organizations are structurally unprepared. This is partially because fewer than half of companies have visibility beyond tier-one suppliers, but mostly because the majority of organizations have to scramble and allocate resources to figure out whether or not the event has changed cost, liquidity, access, or structural dependency.

And, as Koray points out, organizations that don’t know what the real impact of major events on them is will:

  • panic dual- (or tri-) source and increase cost without reducing real risk (as sometimes they’ll source from another distributor or supplier with the same risk in the same region subject to the same events)
  • knee-jerk re-shore, waste 18 to 36 months, and increase costs without addressing the core issue
  • sign emergency renewals at premiums for risks that never materialize
  • continually react in a manner that achieves nothing

and, simply, burn time and value by not focusing on the events that really matter to them. Because they don’t know what those events are.

That’s because they haven’t

  • identified their key product lines,
  • broken them down into components,
  • identified those that have limited supply items or rely on rare earths or other limited substances,
  • mapped the supply chains for those limited items, rare earths, or other limited substances, and
  • marked the supply chains they (and their current suppliers) are currently using

so that, when their constant 24/7/365 global monitoring solution detects a significant event, they can quickly determine

  • what active supply chains it impacts,
  • what substances, rare earths, or items could be impacted,
  • to what extent they are relying on those substances, rare earths, or items,
  • what components they are in,
  • what product lines are impacted and to what degree, and
  • what alternatives the organization has

This way you instantly know

  • what the impact is,
  • what other options you have, and
  • what the cost of those would be

If the event impacts a supply that is easily obtainable from other, unaffected regions, that is only used in a couple of low-revenue (and lower-profit) product lines, or that can be replaced simply by shifting volume to other suppliers with which you have existing relationships (and contracts), you can simply ignore it. But if the event could cut off a key substance, rare earth, or part that you were sole sourcing, you need to leap into action immediately to contract another source of supply (before your competition does and it’s gone).

The only way you can do this is if you did a proper risk assessment of each major component, raw material, and item, and tracked your current and potential sourcing options. i.e. you did proper risk mitigation planning.
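To make the mapping concrete, here is an added example (constructed for this page, not the author’s code or any vendor’s) of the impact query the paragraphs above describe: product lines mapped to components, components to materials, materials to the active and potential sources you have tracked, and an event expressed as a set of affected regions. All product, component, supplier and region names, and the revenue figures, are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    supplier: str
    region: str
    active: bool       # currently shipping to us
    contracted: bool   # we hold a contract we can shift volume onto


# Constructed, hypothetical mapping (not from the article).
# material -> every sourcing option we have mapped, active and potential.
SOURCES = {
    "neodymium": [Source("RareEarthCo", "region_A", True, True)],
    "urea":      [Source("GulfChem", "region_A", True, True),
                  Source("PrairieAg", "region_B", False, True)],
    "resin":     [Source("PolyOne", "region_C", True, True),
                  Source("PolyTwo", "region_D", False, False)],
    "steel":     [Source("MillCo", "region_B", True, True)],
}
# component -> materials it needs
COMPONENTS = {
    "motor":    ["neodymium", "steel"],
    "housing":  ["resin", "steel"],
    "granules": ["urea"],
}
# product line -> (annual revenue, components it is built from)
PRODUCTS = {
    "drone":      (50_000_000, ["motor", "housing"]),
    "fertilizer": (8_000_000,  ["granules"]),
    "bracket":    (1_000_000,  ["housing"]),
}


def impact(affected_regions, sources=SOURCES, components=COMPONENTS, products=PRODUCTS):
    """For an event hitting `affected_regions`, walk material -> component -> product
    and return, per impacted material, the exposure and the action the mapping supports."""
    affected = set(affected_regions)
    total_revenue = sum(rev for rev, _ in products.values())
    report = {}
    for material, options in sources.items():
        hit = [s for s in options if s.active and s.region in affected]
        if not hit:
            continue   # nothing we actually buy from there; ignore
        unaffected_active = [s for s in options if s.active and s.region not in affected]
        alternatives = [s for s in options if not s.active and s.region not in affected]
        comps = [c for c, mats in components.items() if material in mats]
        lines = {p: rev for p, (rev, cs) in products.items() if any(c in cs for c in comps)}
        exposed = sum(lines.values())
        if unaffected_active:
            action = "ignore: unaffected active source already covers it"
        elif any(a.contracted for a in alternatives):
            action = "shift volume to contracted alternative"
        elif alternatives:
            action = "contract alternative now"
        else:
            action = "escalate: sole sourced, no mapped alternative"
        report[material] = {
            "hit_sources": [s.supplier for s in hit],
            "components": comps,
            "product_lines": lines,
            "exposed_revenue": exposed,
            "exposure_share": exposed / total_revenue,
            "alternatives": [(a.supplier, a.region, a.contracted) for a in alternatives],
            "action": action,
        }
    return report


if __name__ == "__main__":
    for material, r in impact(["region_A"]).items():
        print(f"{material}: {r['exposure_share']:.0%} of revenue exposed "
              f"via {r['product_lines']} -> {r['action']}")
```

Run against an event in region_A, the constructed data returns two hits: urea, which is covered by a contracted but currently inactive supplier in region_B (shift volume), and neodymium, which is sole sourced with nothing mapped behind it (escalate, and that is the one that takes 85% of revenue with it). The exposure share is there so you can apply your own “low revenue, ignore it” threshold; the point is that the answer comes out of a mapping you built in advance, not out of a scramble.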

But if you take the time to do proper category assessment and risk mitigation planning, you’ll be well on your way to Köse’s Sophisticated Simplicity that will allow you to identify the one or two events that really matter, address those, and get on with business while the world burns around you. (Or, you can continue to react blindly and burn with it. Your choice. Either way, follow Koray. You can’t manage supply without being aware of what threatens it.)

You Really Don’t Need to Read Another State of Procurement Report for Five Years!

Just read this short series (three parts plus a bonus) and you can ignore the 10+ surveys / studies / reports that will be collectively released by every major ProcureTech consultancy and analyst firm this year (which will likely include, but not be limited to: Capgemini, Deloitte, Everest Group, EY, Hackett, McKinsey, PwC, and many, many more)! We say this with certainty because we reviewed all of the reports they put out for the last 5 years and the vast majority of the content was the same year-after-year and firm-after-firm. You can practically count on any survey/study that tackles barriers, risks, and concerns to overlap with the following at least 80%, and that these will be the most significant barriers, risks, and concerns. In fact, in five years, only one concern will have changed, and that’s the tech-du-jour, because that’s all that was really different between 2025, 2020, 2015, etc.

You’re welcome!

You Don’t Need To Read Another State of Procurement Study for the Next 5 Years!

  • Top Barriers to Success
  • Breaking Down The Major Procurement Risks with High or Moderate Impact
  • Primary Concerns for Procurement Leaders
  • BONUS

Dangerous Procurement Predictions Part II

As per our first post, if you read my predictions post, you know SI hates predictions posts. It fully despises them because the vast majority of these posts are pure optimistic fantasy and help no one. Why are the posts like this? Because no one wants to hear the sobering reality right off the bat in the new year, and the influencers care more about clicks than actually helping you.

But the predictions are not only bad, they’re dangerous. And to make sure you don’t fall for them and make bad decisions based on them, we’re going to tackle some of the most dangerous predictions, including predictions that look innocuous at first glance (like the last prediction, on how a big legacy suite will go out of business) but hide the dangerous consequences of what will actually happen if a big suite finds itself in big trouble. Today we tackle the next four, and you can be sure this won’t be the last post in our series. Feeds are still being flooded with prediction posts, and I’m done ignoring the insanity.

4. The jobs market will be tough for the first half of the year, but will start to pick up in Q3 and Q4.

The job market is tied to the economy, and everyone predicts the job market will rebound when the economy picks up. But here’s the thing. Even when the economy picks back up, the job market never does quite as well as the last time. And the economy isn’t going to magically improve half-way through the year. This is the exact same thing we’ve been told the last two years, and it hasn’t happened.

First off, most of the first world economies are flat, borderline recession, or in recession. Secondly, the only thing propping up the US economy right now is AI, and the circular money flows that keep it afloat, as the AI, hardware, and software companies keep investing the same money in each other. If the bubble bursts, the US is in trouble, the economy will quickly flush itself down the toilet, and the job market will go with it.

Considering only the big tech giants who have been hoarding cash for the last few years are in good shape, and everyone else is trying to conserve cash to survive not only the current market but a potential recession, the last thing they are going to do is hire unless absolutely necessary to fill a critical role as a result of a departure. Remember, they’ve spent the last two years using AI as an excuse to lay people off and are always looking for the next excuse to lay people off, not hire them!

Jobs will continue to be super scarce, and only the best will have a chance to land one.

5. We’re in the early stages of a broader pushback (against unnecessary upgrades or technology investments).

A few companies smartening up and saying no to forced big provider upgrades, eight (8) figure consultancy projects, and big Gen-AI investments is not pushback. There have always been a few leaders who have broken away from the pack, done the math, and made the right decisions, but the pack is still charging ahead on Gen-AI. Every big software shop except IBM (who hired a CEO who can actually do math) has invested heavily in Gen-AI, which still loses four dollars for every dollar of revenue and carries a 94% failure rate, with no real return in sight.

Let’s face reality. I warned this space about The Vendor In Black nineteen years ago and how he always Comes Back sixteen years ago, no one took heed then, and no one is taking heed now. The business model of the enterprise software space, which has not changed for the two decades I’ve been covering it, is to solve the problem created by the old sh!t by selling the customers the new sh!t that comes with new problems so they can sell even newer sh!t in three years to fix those (and so on). Same old story. Only the vendor names change.

6. We Won’t Buy Things; We’ll Orchestrate Ecosystems.

This prediction likely came straight from the A.S.S.H.O.L.E. and anyone who repeats it should be ashamed of themselves. There are no AI Employees. Claims to the contrary are false and anyone making those demeaning and degrading claims is simply dehumanizing you. And, as we have clearly explained, you definitely don’t want agentic buying because it will happily spend your money not only on stuff you don’t need but on stuff that doesn’t exist and, if you’re super unlucky, stuff that is highly illegal. You need wood, it will buy up all the Minecraft wood because it’s cheap and call your problem solved. And that’s if you’re lucky. If you’re not, it will fulfill your resin need with an illegal purchase of hash (the drug) on the dark web (where it is labelled resin so the poster can claim they never advertised an illegal drug). And so on.

Plus, as we have already noted, most of today’s “orchestration” platforms in Source-to-Pay are really ORCestration platforms and can barely connect a handful of major Source-to-Pay offerings. They’re nothing close to what is needed to orchestrate ecosystems.

7. Boards will Zero in on Supply Chain Security and Supplier Risk shifts from quarterly PowerPoints to continuous “signalops”.

Just like they won’t invest more in cybersecurity, they won’t invest more in supply chain security until they lose a shipment in the tens of millions. After all, they’ve got supply chain insurance, why should they care? Especially since their current security measures have been sufficient up until now.

But here’s the thing. When the economy goes down, jobs go down. And then two things happen. People get desperate and turn to crime. And criminals, when their investments in drugs, alcohol, gambling, prostitution, and other quasi-legal through illegal activities start losing money because unemployed people run out of money to spend on their vices, these criminals get desperate too — and high value theft becomes more attractive. A temporarily unguarded truck here. A container there. An entire warehouse. And so on.

If it’s critical raw materials they can move (like rare earths), in-demand finished electronics they can sell (like iPhones, where a single container will contain at least $20M worth), or military equipment or weapon (component)s that are now in demand globally, they’ll take bigger and bigger chances, especially if there are weaknesses in security. It’s not just cyber attacks that are going to increase, it’s physical attacks, supply chains aren’t ready, and companies won’t even start preparing for them until they lose tens of millions, don’t recover it all through insurance, and risk losing their insurance entirely. No one likes the math of risk prevention because, when it works, you don’t see the return. Even though it’s so much cheaper than insurance! And that’s why, in the majority of organizations, nothing will change.

Dangerous Procurement Predictions Part I

If you read my predictions post, you know SI hates predictions posts. It fully despises them because the vast majority of these posts are pure optimistic fantasy and help no one. Why are the posts like this? Because no one wants to hear the sobering reality right off the bat in the new year, and the influencers care more about clicks than actually helping you.

But given how dangerous and costly the hopeful fantasy has become, not only did SI swallow its disgust and give you a realistic predictions post, but it’s going to collect and lay bare the most dangerous of the predictions that, even if seemingly innocuous, will lead you astray if you believe them. And now some of the influencers and LinkedIn aficionados are taking up the claims, and the charge, but like many other claims, they are overstated.

Today we tackle the first three, but you can expect this to be the first of many posts as dangerous prediction posts flood your feeds for the rest of the month.

1. The “Great Convergence” Accelerates

The claim of the ORChestration providers is that all roads lead to them, the convergence will accelerate, and you won’t have to worry about what you need because, as long as you have orchestration, you’ll have it all!

For example, if you want to use the largest orchestration provider in S2P, you are limited to the platforms they have already integrated. The same goes for the second or third largest. Plus, if the providers you want to integrate aren’t reasonably sized Source-to-Pay providers, good luck expecting the workflow to support them appropriately.

Moreover, they were built to minimally support the existing solutions, not emerging solutions in the Source-to-Pay and extended Supply Chain marketplace. In other words, the convergence will continue at a snail’s pace, but it will never be great!

2. “X” Finally Gets Modern Attention

It doesn’t matter what X is — if X has been needed, but ignored, for the last ten years, it’s NOT going to all of a sudden be addressed this year. For whatever reason, it will continue to be ignored.

Example #1, Cybersecurity.

As per my recent post on breaking down the risks: IP / cyberattacks, the risk of cyberattacks has been high since 2014, a year when 71% of organizations were affected by a successful cyberattack! Ten years later, 70% of small to medium sized businesses are still getting hit by cyberattacks. (Which means that if it was going to get major attention, shouldn’t 2014 have been the year?!?)

Nothing has changed, and the reason is simple: cybersecurity is seen as a cost, not a return. So, when a successful attack results in significant losses, organizations spend on improved cybersecurity, then ignore it until the next significant successful attack hits. That is the only time they will spend on new systems across the board, and that’s it. That’s why cybersecurity, inside and outside the organization, won’t get any more attention this year than last year.

Example #2, Risk Management.

There’s a big reason it’s been the exact same risks in the state of procurement studies and reports for at least the last five, if not the last ten, years. It’s because, despite the fact that risks keep increasing, no one ever does anything about it … there’s no additional investment in risk management software. Why? Again, it’s seen as a cost and not an investment. And when you’re already paying for insurance, why pay for what, at best, seems like more?

Even though the cost of insurance will soon be unaffordable given that natural disaster and fraud losses are going through the roof, if you can even get insurance at all, risk management solutions are still being ignored by every organization that hasn’t suffered a major loss as a result of a risk-related event. (And who knows if insurance will cover AI losses when AI escapes the vending machine? It’s a question you should definitely be asking!)

Example #3, Direct.

That’s supply chain, right? Right?

Wrong! But that’s the view that the vast majority of Source-to-Pay providers have taken since the beginning. Sure a few big suites picked up a few smaller players that specialized in direct sourcing, but that’s about it from the big players. And there are a few startups here and there, but they’re all overlooked, underfunded, and not getting any traction.

Because it’s hard. Damn hard. And the majority of S2P players don’t want hard. They want easy. They built easy. They sell easy. And that’s all they want to do. (And, often, all they can do!)

We could continue, but you get the point.

3. One of the big legacy S2P suites will go out of business.

This is a prediction straight from the genius of Gary Wright. Only a Dream Weaver would predict this! This has happened exactly once since our space began in the late 1990s, and it wasn’t exactly going out of business, it was a big acquirer deciding the space wasn’t profitable enough and shutting the vendor down. Specifically, it was IBM shutting down Emptoris and shunting all the customers to SAP Ariba in 2017.

Every big provider in this space is controlled by PE who have poured tens, hundreds, or thousands of millions (that’s billions) into the firm. If it starts losing money, and if they think they can’t turn it around, rather than shutting it down, they’ll flip it to another firm at a loss (to recover some investment) who will pick up some fire sale acquisitions, integrate them, update the UX, install a whole new management team, fluff it up, rebrand it, and bring it out with a whole new spin. Like ERPs, Suites never die. Even if they’re twenty years behind the times.

So if a new big player hits the scene, check under the covers, do a bit of research, and dig up those skeletons. PE knows how to make everything old new again, but tech is not like fashion, and you don’t want two decades old SaaS, as that’s just the same old sh!t.