Category Archives: Risk Management

Supply Disruption Has Been The Top Procurement Risk For At Least the Past 15 Years

… and it’s too bad it took the worst global pandemic in 100 years, two wars, exacerbated natural disasters (including one of the worst global wildfire years on record), and Panamanian droughts for Procurement leaders to realize this. (Basically, the fact that a Gartner survey finally confirmed this should not come as a shock!)

When you go back to basics (i.e. the business 101 that it seems most business leaders have been skipping for the last couple of decades), there are two truths that all businesses are subject to:

  1. Profit = Revenue – Expenses, which makes the CRO and the CPO the two most important people in the business, and if market conditions prevent revenue from increasing, the CPO becomes the most important
  2. Businesses that sell product need to make or acquire product to sell. This requires supply and people.

This says that, when you abstract it high enough, your three primary risks are:

  • supply (no supply, no product; no product, no sales; no sales, no capital)
  • talent (the skilled resources to acquire/make the product economically and run the company)
  • capital (you need money for supply, talent, and operations)

And when you dive in, you see that supply disruption is far and above any other risk because:

  • today’s supply chains are global and require multiple forms of limited transportation
  • with thousands of suppliers in dozens of countries and regions (across 4, 5, and sometimes even more tiers)
  • which are all exposed to the economic, environmental, geopolitical, and societal risks in the locales in which they operate
  • which means you are exposed to all of the economic, environmental, geopolitical, and societal risks in which they operate!

Thus, if your extended supply chain spans 30 or 40 countries, then you are exposed to every risk of those 30 or 40 countries at all times!

Given the drastic increase in multiple

  • economic,
  • geopolitical,
  • societal, and
  • environmental

risks over the past two decades, as well as the increase in cyberattacks, the weakest unknown supplier in your supply chain is now your weakest link: a hack into their system can provide a backdoor into their buyer one tier up the chain, which then provides a backdoor into the buyer one more tier up, until the hackers trace their way back to you through a chain of backdoors.

Given that, right now, multiple risks in multiple risk categories are materializing every day on this planet, at a rate that accelerates annually, we are at the point where no company is going to go even a year without a risk event impacting its supply. (This doesn’t mean it won’t get the supply, just that the supply will arrive late or cost more, and either could cause substantial loss.)

So if you’re not sourcing and procuring with mitigation strategies in mind at all times, start now. Multi-tier visibility is no longer enough. Advance warning is no longer enough if you are not ready to act with another option.

What SHOULD Procurement Officials Learn from CrowdStrike?

A recent article over on GovTech titled What Can Procurement Officials Learn from CrowdStrike caught my eye because I wondered if it contained the most important lesson.

The article, whose sub-headline presented CrowdStrike as a useful lesson for officials who draw up government IT contracts, pushing them to ask how future contracts can prepare for unplanned outages, hit on five important points about modern SaaS / Cloud-powered technology.

  • additional safeguards are needed in IT contracts
  • even with safeguards, there is still the possibility of a cyberattack (or, as in the CrowdStrike case, a defective update from the vendor itself), so there must be an immediately actionable disaster response and recovery plan (which vendors must be able to live up to)
  • there should be alternate backup/failover options, even if non-preferred, and that can include paper in the worst case (as far as the doctor is concerned, it’s absurd when a store shuts down in broad daylight because they lost power or internet connectivity to the bank — that’s why we have cash and credit card imprint machines)
  • one should consider specifying liquidated damages up front, to prevent long drawn out lawsuits and delayed response time from the third party (who will want to avoid those damages)
  • consider cyber insurance, either on the vendor side or your side

Which is all good advice, but misses the most important point:

NEVER ALLOW A CRITICAL SYSTEM TO BE AUTOMATICALLY UPDATED (en masse)

Now, there’s a reason the military will exactly configure a system designed for single use and LOCK IT DOWN. That’s so it can’t accidentally go down from an unplanned / uncontrolled update when it’s needed most.

For example, there’s no way any update, no matter how minor, should be pushed out to a core airline operations terminal without an administrator monitoring the update (which could be on the vendor side IF the vendor maintains a [virtual] configuration that is exactly the same as the customer’s configuration) and ensuring everything works perfectly after the update. Only then should the update be propagated to the rest of the terminals in a staged fashion. (Unless you’re dealing with a zero-day that is being actively exploited and could expose financial or personal information, there’s no need for rapid updates; and even then, there should be techs on standby after the test update is complete in case something goes wrong and a system has to be immediately rolled back or rebooted.) One caveat the CrowdStrike outage made painfully clear: the staging policy has to cover every kind of update the vendor can push, not just agent or OS version upgrades. The file that took the machines down was a detection content update, which customers’ sensor-version staging settings did not cover at the time, so an “N-1 versions only” policy on paper protected nobody.

Modern operating system installations, like Windows 11, can have up to 100,000,000 (that’s one hundred million) lines of code and, since you never know where the bugs are, there is no such thing as a low-risk update. Any update has the chance of taking down the OS or the application you are updating that is integrated with the OS.
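To make the staged-rollout discipline concrete, here is an added illustration (not code from the original post, and not any vendor’s update mechanism) of a ring-based rollout controller: ring 0 is the vendor-side or customer-side staging twin, ring 1 is a canary ring that contains one host of every configuration variant in the fleet, and later rings only receive the update after every earlier ring passes its post-update health check. Any failure rolls the current ring back and halts the rollout. The fleet, the version numbers, the configuration names and the “health check” (a defect that only bites one configuration variant) are all constructed for the example; the `en_masse_rollout` function is the behaviour the post warns against, included so the blast radius can be compared.

```python
"""Ring-based staged rollout with health checks and automatic rollback.

Added example; hosts, versions, configs and the health check are constructed in-memory
so the whole thing runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Host:
    name: str
    config: str          # platform / configuration variant this host runs
    ring: int            # 0 = staging twin, 1 = canary, 2 = early adopters, 3 = everyone else
    version: str = "2.0.0"
    healthy: bool = True


@dataclass
class RolloutReport:
    updated: List[str] = field(default_factory=list)      # hosts that kept the new version
    rolled_back: List[str] = field(default_factory=list)  # hosts reverted when a ring failed
    halted_at_ring: Optional[int] = None
    reason: str = ""


HealthCheck = Callable[[Host], bool]


def defect_on_config(new_version: str, broken_config: str) -> HealthCheck:
    """Constructed stand-in for the post-update smoke test an admin would run:
    `new_version` boot-loops on hosts running `broken_config`; everything else comes up clean."""
    def check(host: Host) -> bool:
        return not (host.version == new_version and host.config == broken_config)
    return check


def staged_rollout(fleet: List[Host], new_version: str, health_check: HealthCheck,
                   max_failures_per_ring: int = 0) -> RolloutReport:
    """Push `new_version` ring by ring; a ring that exceeds `max_failures_per_ring`
    is rolled back in full and the rollout stops there, leaving later rings untouched."""
    report = RolloutReport()
    for ring in sorted({h.ring for h in fleet}):
        members = [h for h in fleet if h.ring == ring]
        previous = {h.name: h.version for h in members}   # remembered for rollback
        for h in members:
            h.version = new_version
            h.healthy = health_check(h)                    # verify each host after the update
        failed = [h.name for h in members if not h.healthy]
        if len(failed) > max_failures_per_ring:
            for h in members:                              # revert the whole ring, keep earlier rings
                h.version = previous[h.name]
                h.healthy = True
            report.rolled_back = [h.name for h in members]
            report.halted_at_ring = ring
            report.reason = f"ring {ring}: {len(failed)}/{len(members)} failed health check: {failed}"
            return report
        report.updated.extend(h.name for h in members)
    return report


def en_masse_rollout(fleet: List[Host], new_version: str, health_check: HealthCheck) -> List[str]:
    """What the post warns against: push to every host at once. Returns the hosts left broken."""
    for h in fleet:
        h.version = new_version
        h.healthy = health_check(h)
    return [h.name for h in fleet if not h.healthy]


def build_fleet() -> List[Host]:
    """Constructed fleet: a staging twin, a canary ring with one host per config variant,
    a small early ring, and the bulk of production."""
    fleet = [Host("staging-01", "std", 0),
             Host("canary-01", "std", 1), Host("canary-02", "legacy-driver", 1)]
    fleet += [Host(f"prod-{i:02d}", "std", 2) for i in range(1, 4)]
    fleet.append(Host("prod-04", "legacy-driver", 2))
    fleet += [Host(f"prod-{i:02d}", "legacy-driver" if i % 5 == 0 else "std", 3)
              for i in range(5, 15)]
    return fleet


if __name__ == "__main__":
    bad_update = defect_on_config("2.1.0", "legacy-driver")
    print(staged_rollout(build_fleet(), "2.1.0", bad_update))
    print("broken by en-masse push:", en_masse_rollout(build_fleet(), "2.1.0", bad_update))
```

Note what the two runs show: the staging twin passes (it runs the common configuration), the canary ring catches the defect on the one legacy host, and the other fifteen production machines never see the bad version. Pushed en masse, every legacy host in the fleet goes down at once. The canary ring only works if it really does contain every configuration variant that production runs, which is why the staging twin alone is not enough.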

But this is not the only critical lesson to take away. The next is:

For critical systems, your provider must maintain backup hot-swap redundant systems!

Once a configuration is confirmed to be bug-free, it must be propagated to the backup, which must have its own redundant data store with all transactions replicated in real time (so that you’d never lose more than a minute or two of updates in an unexpected failure) and which can be hot-swapped in through a simple IP redirection should something catastrophic take down the entire primary system. This backup system must have enough capacity to run all critical core operations (but not necessarily optional ones like reporting, or tasks that only need to run every two weeks, like payroll) until the primary system can be brought back online. A catastrophic event like a rolling failure from a security or OS update or a cyberattack should then be recoverable in minutes simply by re-routing to the failover instance and rebooting the local machines and/or restarting the browser sessions.
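The two things a practitioner would want to check in that design are how far the standby can lag the primary before a failover would lose more than the acceptable minute or two of transactions, and that the standby really does keep serving the core operations (and only those) after it is promoted. The model below is an added illustration, not the post’s or any vendor’s code: a primary with an asynchronously replicated standby, a replication-lag readiness check, a failover that reports exactly which transactions were lost, and a degraded-mode allowlist. The operation names in `CORE_OPERATIONS` and `DEFERRABLE`, the lag threshold and all transactions are constructed for the example; lag is measured in transactions rather than seconds to keep the model deterministic.

```python
"""Hot-standby failover model with replication lag, loss accounting and core-only degraded mode.

Added example; all stores, transactions and thresholds are constructed in-memory.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional

# Assumed split for the example: what must keep running on the standby, and what can wait.
CORE_OPERATIONS = {"order_entry", "payment", "inventory_lookup"}
DEFERRABLE = {"reporting", "payroll"}


@dataclass
class Txn:
    seq: int
    op: str
    payload: str


class Store:
    """One datastore instance; transactions are applied strictly in sequence with no gaps."""
    def __init__(self) -> None:
        self.last_seq = 0
        self.log: List[Txn] = []

    def apply(self, txn: Txn) -> None:
        if txn.seq != self.last_seq + 1:
            raise ValueError(f"gap in replication stream: expected {self.last_seq + 1}, got {txn.seq}")
        self.log.append(txn)
        self.last_seq = txn.seq


@dataclass
class FailoverResult:
    active: str
    lost_transactions: List[int]   # sequence numbers committed on the primary but never shipped
    lag_at_failure: int


class ReplicatedPair:
    def __init__(self, max_lag: int) -> None:
        self.primary = Store()
        self.standby = Store()
        self.pending: Deque[Txn] = deque()   # committed on primary, not yet shipped to standby
        self.max_lag = max_lag               # largest lag at which a failover is still acceptable
        self.active = "primary"
        self.deferred: List[str] = []        # non-core work parked while running on the standby

    def commit(self, op: str, payload: str) -> int:
        """Client write to the primary; replication to the standby is asynchronous."""
        if self.active != "primary":
            raise RuntimeError("primary is down; route writes through serve()")
        txn = Txn(self.primary.last_seq + 1, op, payload)
        self.primary.apply(txn)
        self.pending.append(txn)
        return txn.seq

    def ship(self, count: Optional[int] = None) -> int:
        """Replication worker: deliver up to `count` pending transactions (all if None)."""
        shipped = 0
        while self.pending and (count is None or shipped < count):
            self.standby.apply(self.pending.popleft())
            shipped += 1
        return shipped

    def replication_lag(self) -> int:
        return self.primary.last_seq - self.standby.last_seq

    def failover_ready(self) -> bool:
        """The monitoring check: alert whenever the standby falls further behind than max_lag."""
        return self.replication_lag() <= self.max_lag

    def failover(self) -> FailoverResult:
        """The primary is gone: anything still pending is lost; promote the standby."""
        lost = [t.seq for t in self.pending]
        lag = self.replication_lag()
        self.pending.clear()
        self.active = "standby"
        return FailoverResult("standby", lost, lag)

    def serve(self, op: str, payload: str) -> str:
        """Route a request to the active instance; the promoted standby runs core operations only.
        Note the standby issues its own sequence numbers from where it stopped, so a lost
        primary sequence number may be reused by a different transaction after failover."""
        if self.active == "primary":
            self.commit(op, payload)
            return "ok"
        if op in CORE_OPERATIONS:
            self.standby.apply(Txn(self.standby.last_seq + 1, op, payload))
            return "ok"
        self.deferred.append(op)
        return "deferred"
```

Run through a scenario: commit five orders, ship three, and the pair is still within its lag budget; commit one more without shipping and `failover_ready()` flips to false, which is the alert the operations team needs before, not after, the primary dies. Let the worker catch up, commit one more order, then fail the primary: exactly that one unshipped transaction is reported lost, payments keep flowing on the standby, and the payroll run is parked until the primary is back.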

Those are the lessons. If a system is so critical you cannot operate at all without it, you must have redundancy and a failover plan that can bring you back online within an hour, max.

The Sourcing Innovation Source-to-Pay+ Mega Map!

Now slightly less useless than every other logo map that clogs your feeds!

1. Every vendor verified to still be operating as of 4 days ago!
Compare that to the maps that often have vendors / solutions that haven’t been in business / operating as a standalone entity in months on the day of release! (Or “best-of” lists that sometimes have vendors that haven’t existed in 4 years! the doctor has seen both — this year!)

2. Every vendor logo is clickable!
the doctor doesn’t know about you, but he finds it incredibly useless when all you get is a strange symbol with no explanation or a font so small that you would need an electron microscope to read it. So, to fix that, every logo is clickable so you can go to the site and at least figure out who the vendor is.

3. Every vendor is mapped to the closest standard category/categories!
Furthermore, every category has the standard definitions used by Sourcing Innovation and Spend Matters!
the doctor can’t make sense of random categories like “specialists” or “collaborative” or “innovative”, despises when maps follow this new-age analyst/consultancy award trend and give you labels you just can’t use, and gets red in the face when two very distinct categories (like e-Sourcing and Marketplaces, or Expenses and AP) are merged into one. Now, the doctor will also readily admit that this means that not all vendors in a category are necessarily comparable on an apples-to-apples basis, but that was never the case anyway, as most solutions in a category break down into subcategories and, for example, in Supplier Management (SXM) alone, you have a CORNED QUIP mash of solutions that could be focused on just a small subset of the (at least) ten different (primary) capabilities. (See the link on the sidebar that takes you to a post that indexes 90+ Supplier Management vendors across 10 key capabilities.)

Secure Download the PDF!  (or, use HTTP) [HTML]
(5.3M; Note that the Free Adobe Reader might choke on it; Preview on Mac or a Pro PDF application on Windows will work just fine)

You Need a Plan to Mitigate Supply Chain Risks. But You Also Need a Platform.

A recent article over on Supply & Demand Chain Executive on Navigating a Supply Chain Management Toolkit noted that with a plan in place, organizations can quickly respond to any changes and help mitigate any supply chain risks.

Which is true, but how much of the risk they can mitigate is the question.

The article, which is very good and definitely worth reading (so check out the link), noted that problems arose as a result of COVID and disruptions since because many organizations use just-in-time inventory management (which we’ve already noted should have ended by now along with seasonality). The article also noted that the problems were often exacerbated by the fact that order processes were often not documented effectively and, in general, most organizations don’t spend the time and resources to really manage their supply chain. All of this is correct, as is the observation that these challenges can be alleviated with wholly embracing the tried-and-true methods for effective supply chain management because effective processes, measurements and accountability are … key to a supply chain that works for an organization.

But, on their own, not the key. Today, you also need a platform that enables the organization to:

  • quickly detect a risk event has occurred
  • quickly analyze the impact
  • quickly initiate any pre-defined mitigation plan
  • quickly implement new decisions and processes where the mitigation plan isn’t sufficient or doesn’t exist
  • monitor the impact of the risk event and the response in near real time

Otherwise, your process could be too slow, your measurements inaccessible and/or unrecorded, and your accountability (under audit) nonexistent.

For example, the article indicates you should start by getting a better grip on inventory management (which is correct, no product, no business for most companies), and that involves a self-assessment, forecast accuracy review, and inventory segmentation. All correct. But that doesn’t help you when all of a sudden there’s a fire in the factory, a strike at the port, or a strait/border closing. What do you do then?

It also tells you that you should focus on better supplier relations, which is also extremely important, and focus on vetting suppliers before you onboard them and then measuring them and computing the total cost of ownership of keeping them, which is also very important, as suppliers should improve over time and costs should not inch up faster than inflation. It also mentions the importance of proper strategic sourcing (matrices) to get the right products from the right suppliers. Another definite must. But it fails to tell you what you do when all of a sudden a key supplier can’t deliver or becomes unavailable.

The answer here is that you use all of your good relationships and data to immediately identify the next best supplier. If you were splitting the award, you try to shift to the other supplier (if they can handle the volume; if you were doing an 80/20 split and the 80% supplier suddenly became unavailable indefinitely, the 20% supplier might not be able to support you, or at least not for very long, and you will have to add a new supplier to the mix). If you were doing proper sourcing, and proper supplier vetting before including them in an event, then you already have potential suppliers: the runners-up from your last event. A good platform will let you immediately identify them and immediately start another sourcing event to onboard a new supplier as fast as possible.

If you have a good logistics (sourcing) platform, and your primary carrier / route becomes unavailable, you may be able to identify another carrier / route that will get you the products on time, or at least be able to accelerate an order from a secondary source of supply while you wait for the first source through a lengthier route.

The point is, while you need great processes, measurements (to indicate if something is taking too long, such as an order acknowledgement or a delivery, which can be a sign of a potential risk event materializing), and accountability (to show you made efforts to detect and mitigate risks in a reasonable time frame), you can’t measure, execute processes, or provide unquestionable audit trails of accountability without a proper platform. Never forget that. (And for help, you can see our Source-to-Pay series which helps you to identify where to start with your acquisitions and what vendors you might need to look at.)

And again, remember to read the article on Navigating a Supply Chain Management Toolkit as it will help you understand the basic processes you need to put in place.