Category Archives: Risk Management

Are 45% of Enterprise Leaders Asleep at the Wheel?

According to a short recent article over on Supply Chain Brain, which quoted a GEP and Economist study titled “Next-Gen Supply Chains: The Transformative Role of Supply-Chain Leaders in Today’s Business”, 55% of enterprises anticipate that a major supply chain disruption could strike at any time.

Are 45% of enterprise leaders asleep at the wheel? The chance of a disruption has been getting worse by the day for at least the last decade (if not the last two)! In 2014, Resilinc tracked almost 300 major global supply chain disruptions across natural disasters, factory explosions, labor disputes, power outages, chemical spills and geopolitical upheavals that impacted the supply chains of multiple global companies. That’s almost one major disruption a day, every day!

In 2013, at least 8 out of 10 companies had experienced a major supply chain disruption in the previous two years (Supply Chain XChange). By 2014, one year later, 3 in 4 supply chain professionals admitted they had experienced a chronic supply chain disruption (APICS). Since then, natural disasters (fires, hurricanes, tsunamis, etc.) have increased year over year. Geopolitical conflicts, including wars, are on the rise. So are droughts, and now we have the double shipping whammy of the reduced capacity of the Panama Canal for part of the year and the ongoing Red Sea crisis. We also have sanctions with unintended consequences, power shifting to the BRICS, a world-class pandemic, and a country that the Big X consultancies made us 100% dependent on which was willing to shut down entire cities at a moment’s notice under an impossible zero-tolerance policy. We’re at the point where every company has an almost 100% chance of experiencing a considerable disruption in the next 12 months.

So I ask again, are 45% of enterprise executives asleep at the wheel?

Supply Disruption Has Been The Top Procurement Risk For At Least the Past 15 Years

… and it’s too bad it took the worst global pandemic in 100 years, two wars, exacerbated natural disasters (including one of the worst global wildfire years on record), and Panamanian droughts for Procurement leaders to realize this. (Basically, the fact that a Gartner survey has finally confirmed it should not come as a shock!)

When you go back to basics (i.e. the business 101 that it seems most business leaders have been skipping for the last couple of decades), there are two truths that all businesses are subject to:

  1. Profit = Revenue – Expenses, which makes the CRO and the CPO the two most important people in the business; and if market conditions prevent revenue from increasing, the CPO becomes the most important.
  2. Businesses that sell products need to make or acquire those products. This requires supply and people.

This says that, when you abstract it high enough, your three primary risks are:

  • supply (no supply, no product; no product, no sales; no sales, no capital)
  • talent (the skilled resources to acquire/make the product economically and run the company)
  • capital (you need money for supply, talent, and operations)

And when you dive in, you see that supply disruption is far above any other risk because:

  • today’s supply chains are global and require multiple forms of limited transportation
  • with thousands of suppliers in dozens of countries and regions (across 4, 5, and sometimes even more tiers)
  • which are all exposed to the economic, environmental, geopolitical, and societal risks of the locales in which they operate
  • which means you are exposed to all of the economic, environmental, geopolitical, and societal risks of every locale in which they operate!

Thus, if your extended supply chain spans 30 or 40 countries, then you are exposed to every risk of those 30 or 40 countries at all times!

Add to that the drastic increase in multiple

  • economic,
  • geopolitical,
  • societal, and
  • environmental

risks over the past two decades, as well as the increase in cyberattacks, which make the weakest unknown supplier in your supply chain your weakest link: a compromise of their systems can provide a backdoor into their buyer one tier up the chain, which in turn provides a backdoor into the buyer one tier above that, until the attackers trace their way back to you through a chain of backdoors.

Given that, right now, multiple risks in multiple risk categories are materializing every day on this planet, at a rate that accelerates every year, we are at the point where no company is going to go even a year without a risk event impacting its supply. (This doesn’t mean they won’t get their supply, just that it will be late or cost more, and either could cause substantial loss.)

So if you’re not sourcing and procuring with mitigation strategies in mind at all times, start now. Multi-tier visibility is no longer enough. Advance warning is no longer enough if you are not ready to act on another option.

What SHOULD Procurement Officials Learn from CrowdStrike?

A recent article over on GovTech titled What Can Procurement Officials Learn from CrowdStrike caught my eye because I wondered if it contained the most important lesson.

The article, whose sub-headline presented CrowdStrike as a useful lesson for officials who draw up government IT contracts, pushing them to ask how future contracts can prepare for unplanned outages, hit on five important points about modern SaaS / Cloud-powered technology:

  • additional safeguards are needed in IT contracts
  • even with safeguards, there is still the possibility of a cyberattack (or a bad update), so there must be an immediately actionable disaster response and recovery plan (which vendors must be able to live up to)
  • there should be alternate backup/failover options, even if non-preferred, and that can include paper in the worst case (as far as the doctor is concerned, it’s absurd when a store shuts down in broad daylight because it lost power or internet connectivity to the bank; that’s why we have cash and credit card imprint machines)
  • one should consider specifying liquidated damages up front, to prevent long drawn out lawsuits and delayed response time from the third party (who will want to avoid those damages)
  • consider cyber insurance, either on the vendor side or your side

Which is all good advice, but misses the most important point:

NEVER ALLOW A CRITICAL SYSTEM TO BE AUTOMATICALLY UPDATED (en masse)

Now, there’s a reason the military will configure a single-purpose system exactly and LOCK IT DOWN: so it can’t go down from an unplanned / uncontrolled update when it’s needed most.

For example, no update, no matter how minor, should be pushed out to a core airline operations terminal without an administrator monitoring the update (which could be on the vendor side IF the vendor maintains a [virtual] configuration that is exactly the same as the customer’s) and confirming that everything works after it. Only then should the update be propagated to the rest of the terminals in a staged fashion. (Unless you’re dealing with a critical zero-day exploit that could expose financial or personal information, there’s no need for rapid updates; and even then, there should be techs on standby after the test update is complete in case something goes wrong and a system has to be immediately rolled back or rebooted.) Note that what took down machines in the CrowdStrike incident was a content (detection rule) update, not a new version of the agent itself, so the staging discipline has to cover configuration and signature pushes as well as code.

Modern operating system installations, like Windows 11, can run to 100,000,000 (that’s one hundred million) lines of code, and since you never know where the bugs are, there is no such thing as a low-risk update. Any update has a chance of taking down the OS or any application integrated with it.
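The staged push described above, written out as a ring rollout with a canary gate, as an added example (not code from the original post, from CrowdStrike, or from any vendor). The fleet of terminals, the "update" and the health probe are all constructed in memory for the demonstration; in a real deployment `probe` would be the post-update check (agent heartbeat, service answering, machine rebooted cleanly) and `approve_ring` the administrator's sign-off between waves. The comparison function `mass_rollout` is the en-masse push the post warns against, included only to show the difference in blast radius.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RolloutResult:
    updated: List[str]             # hosts now on the new version and healthy
    rolled_back: List[str]         # hosts reverted after a ring tripped the gate
    failed: List[str]              # hosts the probe declared unhealthy
    halted_at_ring: Optional[int]  # ring index that stopped the rollout, None if complete


def make_rings(hosts: List[str], canary: int = 1, growth: int = 4) -> List[List[str]]:
    """Split a fleet into a canary ring followed by geometrically larger waves.

    With the defaults a 100-host fleet becomes rings of 1, 4, 16, 64 and 15 hosts.
    """
    rings, start, size = [], 0, canary
    while start < len(hosts):
        rings.append(hosts[start:start + size])
        start += size
        size *= growth
    return rings


def staged_rollout(
    hosts: List[str],
    apply_update: Callable[[str], None],
    probe: Callable[[str], bool],
    rollback: Callable[[str], None],
    approve_ring: Callable[[int, List[str]], bool] = lambda i, ring: True,
    max_failure_rate: float = 0.0,
) -> RolloutResult:
    """Push an update ring by ring, probing every host before expanding.

    The canary ring must come back 100% healthy. For later rings the rollout
    halts, and the whole ring is reverted, when the fraction of unhealthy
    hosts exceeds max_failure_rate. approve_ring is the operator gate between
    rings and defaults to automatic approval.
    """
    result = RolloutResult([], [], [], None)
    for idx, ring in enumerate(make_rings(hosts)):
        if idx > 0 and not approve_ring(idx, ring):
            result.halted_at_ring = idx
            break
        unhealthy = []
        for host in ring:
            apply_update(host)
            if not probe(host):
                unhealthy.append(host)
        threshold = 0.0 if idx == 0 else max_failure_rate
        if len(unhealthy) / len(ring) > threshold:
            for host in ring:          # the build is suspect: revert the whole ring
                rollback(host)
            result.failed.extend(unhealthy)
            result.rolled_back.extend(ring)
            result.halted_at_ring = idx
            break
        for host in unhealthy:         # tolerated failures: revert only those hosts
            rollback(host)
        result.failed.extend(unhealthy)
        result.rolled_back.extend(unhealthy)
        result.updated.extend(h for h in ring if h not in unhealthy)
    return result


def mass_rollout(hosts: List[str], apply_update, probe) -> List[str]:
    """The en-masse push: every host at once, no gate. Returns the hosts left unhealthy."""
    for host in hosts:
        apply_update(host)
    return [h for h in hosts if not probe(h)]


# ---- constructed fleet and a deliberately faulty build for the demonstration ----
FLEET = [f"term-{n:02d}" for n in range(100)]


def bad_update_for(state: Dict[str, str]) -> Tuple[Callable, Callable, Callable]:
    """Closures over `state` (host -> version). Constructed fault: the new build
    boots everywhere except on hosts whose number ends in 7 (10 of 100)."""
    def apply(host: str) -> None: state[host] = "v2"
    def probe(host: str) -> bool: return not (state[host] == "v2" and host.endswith("7"))
    def rollback(host: str) -> None: state[host] = "v1"
    return apply, probe, rollback


def demo() -> Tuple[RolloutResult, List[str]]:
    """Same faulty build pushed staged and en masse; returns both outcomes."""
    staged_state = {h: "v1" for h in FLEET}
    staged = staged_rollout(FLEET, *bad_update_for(staged_state))
    mass_state = {h: "v1" for h in FLEET}
    down = mass_rollout(FLEET, *bad_update_for(mass_state)[:2])
    return staged, down


if __name__ == "__main__":
    staged, down = demo()
    print(f"staged: {len(staged.updated)} updated, {len(staged.failed)} failed, halted at ring {staged.halted_at_ring}")
    print(f"en masse: {len(down)} terminals down")
```

With the constructed fault the staged push stops at the third ring after two terminals fail (the rest of that ring is reverted and 95 terminals never see the build), while the en-masse push leaves ten terminals down at once. Setting `max_failure_rate` above zero for the larger rings is a policy decision; the canary ring is always held to zero.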

But this is not the only critical lesson to take away. The next is:

For critical systems, your provider must maintain backup hot-swap redundant systems!

Once a configuration is confirmed to be bug-free, it must be propagated to the backup. That backup must have its own redundant data store with all transactions replicated in real time (so that you never lose more than a minute or two of updates in an unexpected failure) and must be hot-swappable through a simple IP redirection should something catastrophic take down the entire primary system. The backup must have enough capacity to run all critical core operations (but not necessarily optional ones like reporting, or tasks that only need to run every two weeks, like payroll) until the primary system can be brought back online. A catastrophic event like a rolling failure from a security or OS update, or a cyberattack, should then be recoverable in minutes simply by re-routing to the failover instance and rebooting the local machines and/or restarting the browser sessions.
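The hot-standby arrangement above, reduced to the two checks a failover script should make before it repoints traffic, as an added example (not code from the original post or from any vendor). The primary, the standby, the transaction log and the timeline are all constructed in memory; the node names `dc1` / `dc2`, the config labels `cfg-41` … `cfg-43`, and the two-minute RPO are assumptions for the demonstration. The first check enforces the post's "only confirmed configurations reach the backup" rule, which is what stops a bad update that has already taken down the primary from being waiting on the standby too; the second refuses to silently discard more committed work than the agreed RPO.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Txn:
    seq: int
    committed_at: float   # epoch seconds
    payload: str


@dataclass
class Node:
    name: str
    config_version: str   # the build/configuration this node is running
    log: List[Txn] = field(default_factory=list)


class Cluster:
    """Primary plus hot standby with asynchronous log shipping and a gated failover."""

    def __init__(self, primary: Node, standby: Node, confirmed_configs: Iterable[str],
                 max_rpo_seconds: float = 120.0):
        self.primary, self.standby = primary, standby
        self.confirmed = set(confirmed_configs)   # configs validated on the test copy
        self.max_rpo = max_rpo_seconds
        self.endpoint = primary.name              # where the service IP currently points
        self._seq = 0

    def commit(self, payload: str, now: float) -> Txn:
        """Commit on the node the endpoint points at."""
        self._seq += 1
        txn = Txn(self._seq, now, payload)
        self.primary.log.append(txn)
        return txn

    def replicate(self) -> int:
        """Ship every transaction the standby has not applied yet; returns how many."""
        pending = self.primary.log[len(self.standby.log):]
        self.standby.log.extend(pending)
        return len(pending)

    def rpo_seconds(self, now: float) -> float:
        """Seconds of committed work the standby is missing as of `now`."""
        if len(self.standby.log) == len(self.primary.log):
            return 0.0
        last = self.standby.log[-1].committed_at if self.standby.log else self.primary.log[0].committed_at
        return now - last

    def failover(self, now: float, force: bool = False) -> Dict[str, object]:
        """Promote the standby and repoint the endpoint.

        Refuses when the standby runs a configuration that was never confirmed
        good, or (unless force=True) when promotion would lose more than
        max_rpo_seconds of committed work. Both are operator decisions, not
        something a script should decide silently.
        """
        if self.standby.config_version not in self.confirmed:
            raise RuntimeError(f"standby runs unconfirmed config {self.standby.config_version}; refusing")
        lost = self.primary.log[len(self.standby.log):]
        rpo = self.rpo_seconds(now)
        if rpo > self.max_rpo and not force:
            raise RuntimeError(f"failover would lose {len(lost)} txns ({rpo:.0f}s > RPO "
                               f"{self.max_rpo:.0f}s); pass force=True to accept")
        old = self.primary
        self.primary, self.standby = self.standby, old
        self.standby.log = []                      # failed node must resync when it returns
        self._seq = self.primary.log[-1].seq if self.primary.log else 0
        self.endpoint = self.primary.name
        return {"promoted": self.primary.name, "lost_txns": [t.seq for t in lost], "rpo_seconds": rpo}


def demo(fail_at: float = 55.0, standby_config: str = "cfg-42") -> Dict[str, object]:
    """Constructed timeline: six commits ten seconds apart, one replication pass
    after the fourth, then the primary (freshly updated to the unconfirmed
    cfg-43) dies at t0 + fail_at and the clients resubmit their last order."""
    t0 = 1_700_000_000.0
    cluster = Cluster(Node("dc1", "cfg-43"), Node("dc2", standby_config),
                      confirmed_configs={"cfg-41", "cfg-42"})
    for i in range(6):
        cluster.commit(f"order-{i + 1}", t0 + 10 * i)
        if i == 3:
            cluster.replicate()
    report = cluster.failover(now=t0 + fail_at)
    cluster.commit("order-5-resubmitted", t0 + fail_at + 1)
    report["endpoint"] = cluster.endpoint
    report["next_seq"] = cluster.primary.log[-1].seq
    return report


def failover_refusal(**kwargs) -> str:
    """Run demo() and return the refusal message, or '' if failover went ahead."""
    try:
        demo(**kwargs)
        return ""
    except RuntimeError as err:
        return str(err)


if __name__ == "__main__":
    print(demo())
    print(failover_refusal(fail_at=230.0))
    print(failover_refusal(standby_config="cfg-43"))
```

In the default run the standby is 25 seconds behind, two transactions are lost and resubmitted by the clients, and the endpoint now points at `dc2`. A primary that dies 200 seconds after the last replication pass exceeds the two-minute RPO and the script refuses unless forced; a standby that was auto-updated to the same unconfirmed `cfg-43` is refused outright, because failing over to it would just reproduce the outage.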

Those are the lessons. If a system is so critical that you cannot operate at all without it, you must have redundancy and a failover plan that can bring you back online within an hour, max.

The Sourcing Innovation Source-to-Pay+ Mega Map!

Now slightly less useless than every other logo map that clogs your feeds!

1. Every vendor verified to still be operating as of 4 days ago!
Compare that to the maps that often include vendors / solutions that haven’t been in business / operating as a standalone entity for months on the day of release! (Or “best-of” lists that sometimes include vendors that haven’t existed in 4 years! the doctor has seen both, this year!)

2. Every vendor logo is clickable!
the doctor doesn’t know about you, but he finds it incredibly useless when all you get is a strange symbol with no explanation, or a font so small that you would need an electron microscope to read it. So, to fix that, every logo is clickable so you can go to the site and at least figure out who the vendor is.

3. Every vendor is mapped to the closest standard category/categories!
Furthermore, every category has the standard definitions used by Sourcing Innovation and Spend Matters!
the doctor can’t make sense of random categories like “specialists” or “collaborative” or “innovative”, despises it when maps follow the new-age analyst/consultancy award trend and give you labels you just can’t use, and gets red in the face when two very distinct categories (like e-Sourcing and Marketplaces, or Expenses and AP) are merged into one. Now, the doctor will also readily admit that this means not all vendors in a category are necessarily comparable on an apples-to-apples basis, but that was never the case anyway, as most solutions in a category break down into subcategories. In Supplier Management (SXM) alone, for example, you have a CORNED QUIP mash of solutions that could be focused on just a small subset of the (at least) ten different (primary) capabilities. (See the link on the sidebar that takes you to a post that indexes 90+ Supplier Management vendors across 10 key capabilities.)

Secure download of the PDF! (or use HTTP) [HTML]
(5.3M; Note that the Free Adobe Reader might choke on it; Preview on Mac or a Pro PDF application on Windows will work just fine)