Category Archives: SaaS

The Best Way Procurement Chiefs Can Create a Solid Foundation to Capitalize on AI

As per our recent post on how I want to be Gen AI Free, the best way to capitalize on Gen-AI is to avoid it entirely. That being said, the last thing you should avoid is the acquisition of modern technology, including traditional ML-AI that has been tried and tested and proven to work extremely well in the right situation.

That being said, if you ignore the reference to Gen-AI, a recent article on Acceleration Economy on 5 Ways Procurement Chiefs Can Create a Solid Foundation had some good tips on how to go about adopting ML-AI with success.

The five foundations were quite appropriate.

1. Organize

A plan for

  1. exactly where the solution will be deployed,
  2. what use cases it will be deployed for,
  3. how valid use cases will be identified, and
  4. how the solution is expected to perform on them.

There’s no solution, even AI, that can do everything. Even limited to a domain, no AI will work for all situations that may arise. As a result, you need a methodology to identify the valid use cases and the invalid use cases and ensure that only the valid use cases are processed. You also need to ensure you know the expected ranges of the answers that will be provided. Then you need to implement checks to ensure that not only are only valid situations processed but that only output in an expected range is accepted in any automated process, and that if anything is outside the expected norms anywhere, a human with appropriate education and training is brought into the loop.

2. Create a Policy

No technology should be deployed in critical situations without a policy dictating valid, and invalid, use. Moreover, any technology definitely shouldn’t be used by people who aren’t trained in both the job they need to do and proper use of the tool. Even though most AI is not as dangerous as Gen-AI, any AI, if improperly used, can be dangerous. It’s critical to remember that computers cannot think, and only thunk on the data they are given (performing millions of calculations in the time it takes an average person to perform two). As such, the quality of output is limited both to the quality of data input and the knowledge built into the model used. Neither will be complete or perfect, and there will always be external factors not considered, which, even if normally not relevant, could be relevant — and only an educated and experienced human will know that. (Moreover, that human needs to be involved in the policy creation to ensure the technology is only used where, when, and how appropriate.)

3. Understand Your Platform(s) of Choice

Just like there are a plethora of Gen-AI applications, a lot of different vendors offer AI applications, and even if most are similar, not all are created equal. It’s important to understand the similarities and differences between them and select the one that is right for your business. (Consider the algorithms and models used, the extent of human validated training available, typical accuracy / results, and the vendor’s experience in your use case in particular when evaluating an AI solution.)

4. Practice

Introducing new tools requires process changes. Before introducing the tool, make sure you can execute the associated process changes, first by executing training exercises on the different types of output you might get and then, possibly by way of a third party who uses a tool on your behalf, using real inputs and associated outputs. While the AI may automate more of the process, it’s even more critical that you respond appropriately to parts of the process that cannot be automated or where the application throws an exception because the situation is not appropriate to either the use of AI or the use of the AI output. (And if you don’t get any exceptions, question the AI … it’s likely not working right! And if you get too many exceptions, it’s not the right AI for you.)

5. ALWAYS Ask Yourself: “Does that Make Sense?”

Just like Gen-AI hallucinates, traditional AI, even tried-and-true AI that is highly predictable, will sometimes give wrong results. This will usually happen if bad data slips in, if the use case is on the boundary of expected use cases, or the external situation has changed considerably since the last time the use case arose. Thus, it’s always important to ask yourself if the output makes sense. For tried-and-true AI where the confidence is high, it will make sense the vast majority of the time, but there will still be the occasional exception. Human confirmation is, thus, always required!

With proper use, AI, unlike Gen-AI (which fails regularly and sometimes hallucinates so convincingly that even an expert has a hard time identifying false results), will give great results the majority of the time — so you should seek it out and implement it. Just also implement checks and balances to catch those rare situations it doesn’t and put a human in the loop when that happens. Because traditional use-cases are more constrained, and predictable, it’s a lot easier to identify and implement these checks and balances. So do it … and see great success!

Strategic Sourcing & Procurement for Technology Cost Optimization

Given that we recently published a piece noting that Roughly Half a Trillion Dollars Will Be Wasted on SaaS Spend This Year and up to One Trillion Dollars on IT Services, it’s obvious that one has to be very careful with technology acquisition as it is very easy to overspend on the license and the implementation for something that doesn’t even solve your problem.

As a result, you need to be very strategic about it. While you certainly can’t put the majority of your technology acquisitions (which can be 6, 7, and even 8 figures) up for auction (as products are never truly apples to apples to apples), you definitely have to be strategic about it. As a result, you should be doing multi-round RFPs and then awarding to the vendor who brings you the best overall value for the term you want to commit to, once all things are considered.

But these have to be well thought out … you need to make sure that you are only inviting providers that are likely to meet 100% of your must haves, 80% of your should haves, and 60% of your nice to haves (and, moreover, that you have really separated out absolute vs highly desired vs wanted but not needed because the more you insist on, especially when it’s not necessary, the shallower the vendor pool, and the more you are going to end up paying*).

To do this, as the article notes, you have to know what processes you need to support, what improvements you are expecting, what measurements you need the platform to take, and what business objectives it needs to support. Then you need to align your go-to-market sourcing/procurement strategy with those objectives and make sure the RFP covers all the core requirements (without asking 100 unnecessary questions about features you’ll never actually use in practice).

You also need to know what quantifiable benefits the platform should deliver, both in terms of tactical work(force) reduction (as the tech you acquire should be good at thunking), and the value that will be obtained from the strategic enablement (in terms of analysis, intelligence gathering, guided events, etc.) the platform should deliver. If it is a P2P platform, how much invoice processing is it going to automate, and, based on that, how much is it going to reduce your average invoice processing cost? If it’s a sourcing platform, how much more spend will you be able to source (without increasing person-power) and what is a reasonable savings percentage to expect on that? Understand the value before you go to market.

Then you need to understand how much support and help you need from the vendor. If you just want a platform that does a function, then you just need to know the vendor can support the platform in supporting that function. But if you need help in process transformation or optimization, customized development or third party tool integration for advanced/custom processes, etc., you need a vendor that can not only provide services, but also be a strategic provider for you as well.

And so on. For more insights, we suggest you check out a recent article by Alix Partners on Strategic Sourcing and Procurement for Technology Cost Optimisation. It has a lot of great advice for those starting their strategic procurement technology journey.

*Just remember, if you’re a mid-market, and you’re flexible (i.e. define what a module needs to accomplish for you vs. a highly specific process) you can get your absolute functionality and most of your desired functionality for 120K in annual SaaS license fees, excluding data feeds and services. If you’re not flexible, or not really strict in really separating out absolute vs strongly desired vs nice-to-have, you can easily be paying four times that.

Also remember, if you’re enterprise, your absolutes and strongly desired are much more extensive, typically require a lot more advanced tech (like optimization, predictive analytics, ML/AI, etc.), and license fees alone will cost you in the 500K to 1M range annually at a minimum, not counting the 100K to 1M you will need to spend on the implementation, data cleansing and enrichment, integration, training, and real-time data feed access, so it is absolutely vital you get it right!

Source-to-Pay+ Part 9: Cyber

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. In Part 3 we moved onto an overview of Corporate Risk, in Part 4 we took on Third Party Risk (in Part 4A and Part 4B), in Part 5 we laid the foundation for Supply Chain Risk (Generic), in Part 6 we addressed the first major supply chain risk: in-transport, followed by the second major supply chain risk: lack of multi-tier visibility in Part 7. In our last article, Part 8, we discussed the baseline Analytics that should be part of all of the different risk systems we covered in Parts 3 through 7, as well as a control centre.

Today, in Part 9, we move onto Cyber Risks. In today’s hyperconnected SaaS world, nearly half of an organization’s data breaches originate in the cloud (see this recent article by Illumio on Cyber Magazine, for example). So cyber security is important, but not just for your organization — for your entire supply chain.

Note that we are not going to dive deep; there are plenty of security firms that will do that for you. We’re just going to highlight key points of risk that must be covered in your cyber security plan.

Internal Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

Risk | Description
E-mail | Plenty of risks come in through e-mail. The biggest one you are likely aware of is fraudulent requests for payment from fraudsters posing as fake suppliers / service providers / consultants or new employees in a remote office asking you to approve an emergency payment. However, since fraudsters blast these far and wide (as it takes less work to create them), the most common fraudulent emails are usually phishing/ransom attempts where you have to click an email and enter your system login information to retain access to your email account (or another system you use). (Then they use those credentials you freely gave them to log in to your systems, lock you out of them, and demand payment to unlock your account.)

Your email system needs to do more than identify an external sender. It, or the security plug-in, needs

  1. to verify the originating domain of the email (since most fraudsters can’t mask the domain they send from),
  2. to identify the domain and location of the first intermediate server the message hits (since that can’t be masked unless they’ve hacked that) as well as if it matches the locale of the domain the email purports to come from, and
  3. to identify the domain of each embedded link and the company it belongs to (as fraudsters are great at registering domains just ONE letter off of an actual domain and cloning the contents of the faked domain; e.g. chaEse.com vs chase.com … one is your bank, one will soon be scooped up by a fraudster who will skim account logins for a day during a “maintenance window”, then drain all the accounts dry (or at least to the transfer limits) the next day and wire the money to a foreign account in a jurisdiction with no extradition or banking treaties with the US, then empty the account the day after that, and then disappear never to be seen again …).
Hacking | Hackers will constantly be trying to penetrate your firewalls, the web servers and underlying operating systems of machines in the DMZ, the applications you are running, and the underlying security systems you use for monitoring and detection (but these are likely the most secure, especially if you are having them maintained and monitored by a professional, big name, IT security firm). You need to be monitoring for unusual activity, (D)DoS attacks, repeated login failures or access abandonments at particular ports or in particular application logs, and so on. You also need a few attractive honeypots that emulate the systems the hackers would want to access most, and if you don’t understand this, or why, talk to your security guru.
Ransomware | Hackers want to access your systems for two reasons: to steal money and IP, or to lock you out of them (if they can’t access any IP worth stealing or you don’t use any finance systems capable of [authorizing] payments) so you will pay them to get back into your systems. You need to be very careful to detect not only hacking attempts, but also the installation of new software that is unrecognized / not authorized by security. This is because you could be totally screwed and have no choice but to pay the ransom even if you do complete, incremental, daily backups across all systems, because smart hackers will install the ransomware, let it sit for a few weeks or so, and then activate it when you can’t roll back to a backup because you’d lose weeks or months of data (as you’d have to roll back to just before the ransomware was installed, because the majority of backup systems would not be able to identify the actual file changes and there’s no way you could do a restore and not restore the ransomware after the ransomware was discreetly installed).
Infected Websites | Your users love to surf, surf, surf the web and go where the hidden links take them. You can’t expect they will all keep their browsers up to date, keep the underlying OS up to date, and, simply put, not be careless. You need to enforce security software on their machine, and check that it is installed and up to date before that machine accesses your network, because if they visit the right infected website (from a fraudster’s point of view), it can be an instant hack and/or backdoor for the automatic installation of ransomware on their machine and/or your network.
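
The three e-mail checks listed in the E-mail row above can be sketched as follows. This is an added example, not code from the original post; the trusted-domain list, the `mx.example.org` server name and both sample messages are constructed assumptions. Check 1 reads the DMARC verdict your own mail server records, and check 2 compares the first hop's domain with the sender's domain as a stand-in for the locale comparison, since geolocation needs an external database.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"chase.com"}     # assumption: domains you really deal with
OUR_AUTHSERV_ID = "mx.example.org"  # assumption: your own border mail server

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels only; real code should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain):
    """Return the trusted domain that `domain` is one edit away from, if any."""
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain != trusted and edit_distance(domain, trusted) == 1:
            return trusted
    return None

def analyse(raw):
    """Run the three checks on one raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw)
    from_dom = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])

    # Check 1: DMARC verdict, but only from the header our own server stamped;
    # an Authentication-Results header carrying any other server id is ignored.
    ours = [h for h in msg.get_all("Authentication-Results", [])
            if h.split(";")[0].strip() == OUR_AUTHSERV_ID]
    authenticated = any(re.search(r"\bdmarc=pass\b", h) for h in ours)

    # Check 2: each hop prepends a Received header, so the last one in the
    # message is the first server the mail hit. Hops recorded before your own
    # server are supplied by the sending side, so treat this as a signal only.
    received = msg.get_all("Received", [])
    m = re.search(r"\bby\s+([\w.-]+)", received[-1]) if received else None
    first_hop = registrable(m.group(1)) if m else None

    # Check 3: the sender domain and every link domain, tested for being one
    # letter off a trusted domain (the chaEse.com vs chase.com case).
    domains = {from_dom}
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", text):
            domains.add(registrable(urlsplit(url).hostname or ""))
    lookalikes = sorted((d, lookalike_of(d)) for d in domains if lookalike_of(d))

    return {"from_domain": from_dom, "authenticated": authenticated,
            "first_hop": first_hop, "first_hop_matches": first_hop == from_dom,
            "lookalikes": lookalikes}

# Constructed sample messages (not real traffic).
PHISH = """\
Received: from relay.bulkhost.example (relay.bulkhost.example [203.0.113.7])
 by mx.example.org with ESMTPS; Mon, 1 Jan 2024 10:00:05 +0000
Authentication-Results: mx.example.org; dmarc=fail header.from=chaese.com
Received: from localhost by relay.bulkhost.example with ESMTP;
 Mon, 1 Jan 2024 10:00:00 +0000
From: "Chase Support" <alerts@chaEse.com>
To: ap@example.org
Subject: Account maintenance window

Log in to keep access: https://secure.chaese.com/login
"""

LEGIT = """\
Authentication-Results: mx.example.org; dmarc=pass header.from=chase.com
Received: from app1.chase.com by mta7.chase.com with ESMTP;
 Mon, 1 Jan 2024 09:00:00 +0000
From: Chase <alerts@chase.com>
To: ap@example.org
Subject: Statement ready

Your statement: https://www.chase.com/statements
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyse(raw))
```

A message failing any one check is a candidate for quarantine or human review rather than proof of fraud, since legitimate senders that use third-party mail services will also fail the first-hop comparison.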

External Cyber Risk Monitoring and Prevention System
Risks that must be addressed.

Risk | Description
Compromised Supplier Site | If a supplier site or system is compromised, and you engage with that system in any way, then your system could be compromised. You need a system that monitors for supplier system/site/cloud risks as well as (known) supplier breaches.
Compromised Data | All of your systems run off of data. Compromised data is the easiest way to compromise a system. If an email gets intercepted and altered in-transit with a man-in-the-middle attack and the hacker changes bank account information, you’re paying a fraudster and not the supplier. If the third party risk metrics are adjusted, your system can be tricked into diverting all business to a single, new, supplier which, while a legal entity, was set up by the founder to take your money and run. And so on.
Compromised Identities | Identity theft is on the rise, and it’s often the easiest way for a fraudster to get funds from a business. You need to track all known cases of identity theft associated with all individuals associated with all businesses associated with your business as you will need to do extra verifications on requests from those individuals.
Web-Based Vulnerabilities | You need to be aware of where the biggest web-based vulnerabilities are in your suppliers and partners, make sure your suppliers and partners monitor and address those, and make sure you lock down your security to the max when you have to interact with their systems that are classified as high risk for vulnerability.

And more. There’s a lot of risk in cyberspace thanks to the fact that the information and financial worlds have merged, and your organization needs to be on top of it. Identify appropriate providers, or you will need very good luck to not fall victim to a significant cyber-based threat.

SaaS is everywhere. Are you SaaSy?

Back in our 39 Part Series to Help You Figure Out Where to Start with Source-to-Pay in part 13 we gave you some vendors to shop around to the rest of your organization if you thought you can’t touch the sacred cows of Legal, Marketing, and, new-to-the-sacred-cow-list, the SaaS used in other organizational departments.

While the management of SaaS spend was not that important in the early days, and even only moderately important near the end of the last decade, it’s become critical since COVID (when everyone had to go on-line) as software spending has now become the third largest expense for many organizations after employees and office costs (that many organizations, who realized that employees don’t have to be in an office everyday to do office tasks and who don’t feel the need to force people to go back to buff the egos of the micromanagers who have no useful skillset and feel they need to micromanage to add value, are now trying to minimize, even to the tune of paying huge penalties to reduce office space).

A recent article in the FinTech Times really puts this into perspective. Summarizing the EagleEye SaaS Spend Report (2023), which analyzed over 400M worth of SaaS transactions, recently released by CloudEagle, the article noted that companies spend an average of $1,000 to $3,500 per employee on SaaS, with smaller companies, with fewer than 100 employees, spending (up to) 1M annually (on 50 to 70 apps) and mid-size organizations, of up to 5,000 employees, spending up to 100M annually on 300 to 400 apps! OUCH!

The article also noted that the highest departmental spenders were Engineering (45%), Marketing (19%), Sales (17%), Finance (7%), Customer Success (7%), and HR (5%). (Note there is no Procurement in this list, and that any apps are obviously classified as finance or Engineering [which includes cloud providers], which is sad.) Engineering/IT makes sense, it supports the entire organization, but that’s a pretty high percentage for Marketing and Sales. However, it makes more sense when it notes that, in terms of the number of applications used, marketing leads with 76 and sales is third with 42. Why? (The answer: because there is no central management or strategy, there are multiple tools doing almost the same thing, and it’s just total chaos in those departments.)

Obviously, it is becoming vital for organizations to scrutinise how their software budgets are allocated and ensure every dollar spent returns a significant value, and the article gets it right when it notes this. And while it should be on the radar of every CFO and CIO to get this spending under control, the article really misses the mark when it doesn’t mention the CPO — who is probably best positioned to help the organization come up with a sound spending strategy, as it not only puts every purchase it makes under the microscope, but gets put under the microscope for every purchase it makes (as most organizations still see it as a cost center despite the enormous value it brings by containing costs under the chaotic cadences of the markets it has to buy in).

Furthermore, the first step is to get a true understanding of SaaS spend across the organization, which is likely buried on P-Cards to hide just how much rampant, off-contract, off-protocol spend there is. To this end, we do recommend engaging an expert SaaS Analytics firm which has pricing benchmarks on the most commonly used SaaS applications across the major areas (IT/Engineering, Marketing, Sales, Finance, and HR) to help identify all the SaaS spending and the best opportunities for cost reduction through termination of under/un-utilized licenses, consolidation to one provider for a specific function, and re-negotiation. Most mid-size or larger organizations that do this the first time will identify almost 30% of cost savings opportunity, which can typically be fully materialized within two years (given typical contract lengths and how long it takes to make all the migrations).

And while the doctor can’t say which firm is likely the best for you without a consultation, he can say that many of the firms on that list can do a good job and you should quickly be able to zoom in on the top two or three for you with an RFP and a few phone calls. Basically, you’re looking for a company that’s in your region, has analyzed the SaaS spend of a number of companies in your industry, has good spend analytics technology, and benchmarks on the major player that you feel comfortable working with. (And has really good spend analysis. Yes, we said it twice. Because it is important.) Since you don’t have to enter into a subscription for an initial project, you can easily get started because if the company is not the best for you, you’ll still get value and can redo the project with a different company in a year or two. There’s no reason not to do it and you’re guaranteed to identify savings. So why not Get SaaSy, now, get SaaSy!

“Ooh, the way that you spend it
Makes me go crazy, show me you can end it
You could be saving more
Ooh, the way that you buy
Makes me go crazy, show you I can end it
You could be saving more

Much more
Much more
Much more

Get SaaSy, now, get SaaSy
Get SaaSy, now, get SaaSy
Get SaaSy, now, get SaaSy

Savings
Now (much more) …”

Procurement Automation: Good. Automated Procurement: Bad.

We shouldn’t have to say this. It should be very clear by now. But given that a number of vendors are using the terminology interchangeably, possibly to convince you they have the right solution, maybe it’s not clear. But it needs to be. Because procurement automation is NOT the same as automated procurement and while procurement automation, properly done, is the best investment an average over-burdened and under-resourced Procurement department can make, on the flip side, AI-driven automated procurement is the absolute worst. To put things in perspective, downgrading Excel to Lotus 1-2-3 would be a better move. But let’s back up, and start with some definitions.

Procurement Automation is the process of automating certain procurement tasks that can be best accomplished by machines and procurement automation technology is the technology that automates the tasks that can be best done by machines. In simpler terms, it automates the “thunking” by doing all of the tactical, almost mindless, work that is a waste of a senior Procurement professional’s time.

The Source-to-Pay cycle is full of tasks that are best done by machines when appropriate rules and boundaries are defined. For each major area, we’ll outline some of these tasks as an example.

Intake/Orchestration

Procurement Automation will analyze the request, identify similar requests made in the past, identify the actions used to resolve those requests, identify the suppliers considered and selected, the products and services used, and other information. It will present that information to the buyer, including the suggested actions, and allow the buyer to one-click initiate any of the suggested actions, which might include a sourcing event, contract renegotiation, catalog purchase, etc.

Sourcing

Procurement Automation will, when a user kicks off a sourcing event for one or more products, automatically bring up the suggested suppliers; automatically suggest the appropriate questionnaires and forms; automatically suggest the appropriate Ts and Cs to insist on up front; automatically send the RFP to suppliers; automatically analyze the responses to make sure they are complete, in the correct format, and in an expected range; automatically compare the responses to find deviations from the norm; automatically highlight the lowest and highest costs, CO2 factors, etc.; and present all that information to the buyer.

Supplier Management

Procurement Automation will, when a supplier is selected, automatically handle the onboarding; monitor the data for changes; monitor the performance metrics; monitor the OTD; monitor third party financial and risk metrics; and alert the buyer to any issues and performance changes that are detrimental or may indicate forthcoming problems.

Contract Management

Procurement Automation will, when an award is selected, push the award into the Contract Management system, automatically generate the draft contract, send it to the supplier, highlight any redlines the supplier makes when it comes back, automatically inform the supplier if any non-negotiable terms and conditions (including those they agreed to when they responded to the RFP) have been redlined, and automate the generation of the response email when the buyer does their redlines.

e-Procurement

For catalog buys, it will automatically generate the POs, route them for necessary approvals, distribute them to the suppliers when approved, automatically match the ASNs when they come back, alert the buyers if ASNs are not received on a timely basis, and match the invoices when they come in.

Invoice-to-Pay

When the invoice comes in, it’s automatically matched to the purchase order, it’s checked for price accuracy, identified as partial or full, verified to be non-duplicate, and if any checks fail, it’s bounced back to the supplier with a description of the issues and a request for correction and resubmission. If the resubmission deals with the problems, it’s queued waiting for goods receipt/confirmation if not present, or matched if present. If the match is made, then it’s automatically sent down the approval chain, and if it’s not made within a certain time period, an alert is raised.

In all cases, it’s automating the tactical tasks that don’t require any decision making and only involving the human when necessary.

In contrast, Automated Procurement is the process whereby entire procurement processes are handed over to the machine to fulfill instead of the human. In other words, when an intake request comes in and the buyer marks it for sourcing, an Automated Procurement solution will handle the entire event up to and including the award and auto-generate and distribute the Purchase Order(s). The buyer is completely bypassed and the right inventory showing up at the right time at the right price is left entirely up to the machine. Sounds good in theory. Looks good in practice when it actually works, which it will some of the time. But grinds the company to a halt when it fails.

A machine that pursues lowest cost will select an unproven non-incumbent supplier for a critical part when the supplier, who has not supplied that particular part to the company before, outbids the incumbent. It will not detect that the bid was made in a desperate attempt to help the financially struggling supplier stay in business, that the bid is not sustainable, and that the supplier is not capable of producing the part at the indicated level of quality. Then, when the first shipment is mostly defective, and the promised rush replacement order never arrives because the supplier goes out of business, the production line for the 75K luxury car folds all for lack of a single control chip. (A similar situation has occurred in the past. Recently, chip shortages stopped Cherokee production in 2021, and that wasn’t the first occurrence. Or even the second, or third.)

Machines are not intelligent. Not even close. And expecting them to make a good decision every time with no logic whatsoever (as modern Artificial Idiocy algorithms just stack probabilistic equations on top of probabilistic equations almost ad infinitum) is lunacy. So while you should invest in the best Procurement Automation tech you can get your hands on, you should steer clear of any and all Automated Procurement Solutions those fancy new startups try to sell you. While those solutions may work 90% of the time, that last 10% of the time, they won’t work that great. And, in particular, that last 1% of the time they will fail so miserably that the disruptions and losses that result will more than cancel out any and all savings and efficiencies you might get from the 90% of the time the tech worked in the beginning.