Category Archives: Supplier Information Management

Advanced Supplier Management YESTERDAY — No Gen-AI Needed!

Back in late 2018 and early 2019, before the GENizah Artificial Idiocy craze began, the doctor did a sequence of AI Series (totalling 22 articles) on Spend Matters on AI in X Today, Tomorrow, and The Day After Tomorrow for Procurement, Sourcing, Sourcing Optimization, Supplier Discovery, and Supplier Management. All of it was implemented, about to be implemented, or capable of being implemented, and most definitely not doable with Gen-AI.

To make it abundantly clear that you don’t need Gen-AI for any advanced enterprise back-office (fin)tech application, and that, in fact, you should never even consider it for advanced tech in these categories (because it cannot reason, cannot guarantee consistency, and confidence in the quality of its outputs can’t even be measured), we’re going to talk about all the advanced features enabled by Assisted and Augmented Intelligence that have been available for years (if you looked for, and found, the right best-of-breed systems [many of which are the hidden gems in the Mega Map]). (We say Assisted and Augmented because we don’t really have true appercipient [cognitive] intelligence or autonomous intelligence, and we’d need at least autonomous intelligence to really call a system artificially intelligent; the doctor described the levels in a 2020 Spend Matters article, “Artificial intelligence levels show AI is not created equal. Do you know what the vendor is selling?”) And we’re going to continue with Supplier Management. (Find our series on Advanced Procurement — No Gen-AI Needed! Yesterday, Today, and Tomorrow; our series on Advanced Sourcing — No Gen-AI Needed! Yesterday, Today, and Tomorrow; and our series on Advanced Supplier Discovery — No Gen-AI Needed! Yesterday, Today, and Tomorrow through the embedded links.)

Unlike prior series, we’re going to mention some of the traditional, sound, ML/AI technologies that are, or can be, used to implement the advanced capabilities that are currently found, or will soon be found, in Source-to-Pay technologies that are truly AI-enhanced. (Which, FYI, might not match one-to-one with what the doctor chronicled five years ago because, like time, tech marches on.)

Today we move on to AI-Enhanced Supplier Management that was available yesterday (and, in fact, for at least the past 5 years if you go back and read the doctor’s original series, which will provide a lot more detail on each capability we’re discussing). (This article sort of corresponds with AI in Supplier Management Today Part I and Part II that were published in April, 2019.)

YESTERDAY

Auto-Fill Onboarding

While early 1st and 2nd generation supplier management platforms required a supplier to create a full profile from scratch and enter all of their information, third generation platforms, which define expected formats for each field and have contextual awareness, can pull in the data from third party profiles, market databases, supplier forms, and even CSV or XML exports of a supplier’s profile from another site.

Using classical semantic parsing, pattern matching, flexible regex rule-based data format validations, and any available metadata, even yesterday’s platforms could auto-fill the majority of a supplier profile form if the data was available in textual format for parsing.

Basic Community Intelligence

As per our coverage of supplier discovery, the reality is that this “AI”-like functionality doesn’t require any “AI” at all. Community Intelligence just requires the amalgamation of data across customers, which is easy to do with multi-tenant SaaS as long as the customer agrees to sharing their reviews and insights (which could be part of the contract), and the supplier is made aware (which is part of the waiver to participate in customer events) of what is being shared.

It’s just math for averages, time series for trends on those averages over time (of quality ratings, performance ratings, OTD ratings, etc.), and consolidation of tagged reviews. The only AI that would be needed is semantic processing if the platform provided a sentiment analysis across the community.

Real Time Performance Monitoring

As written five years ago, the last thing you want is to find out without warning that your primary supplier for a critical component in your new engine, control system, or IoT platform is bankrupt and no more shipments are coming; that a recent shipment has a 10% defect rate that is 10 times the acceptable, contracted, level; or that the custom factory redesign you just contracted for is going to take an extra six months when it should be 80% done.

Also, as written five years ago, none of this needs to be the case. There’s no reason a good platform could not alert you to leading indicators correlated with bankruptcy. Or a pattern of (slightly) late deliveries that is getting worse over time. That defect rates, even if within tolerance levels, have been increasing rapidly in recent shipments. Or that the last three key project milestones haven’t been met and the project is tracking to at least three months late.

With regard to early detection of bankruptcy, pull in financial risk scores monthly from your financial risk provider, look for downward trends (simple math), and monitor for alerts. Use the community intelligence identified above to identify late deliveries. Alternatively, if that’s not available, and it’s a big supplier with multiple customers in your country, monitor the public port data for its shipments … if they used to be every two months, but are now every three or four months, with an average volume per shipment that’s going down, that’s an indicator of trouble. With regard to your needs, track all of the rejected shipments at the warehouse, the returns, and keep a running tab on defect rate over time, again looking for trends in the wrong direction in terms of defects per shipment or returns per month.

There is so much you can do with just math. So do it!
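The three indicators described above (a falling monthly financial risk score, port-data shipments that are getting rarer and smaller, and a defect rate that is climbing while still within tolerance) reduce to least-squares slopes compared against thresholds. The following is an added example, not code from the article or any platform; the field names, thresholds, and sample histories are constructed assumptions.

```python
from datetime import date
from statistics import mean

def slope(values):
    """Least-squares slope of values against their position (change per period)."""
    n = len(values)
    if n < 2:
        return 0.0
    x_bar, y_bar = (n - 1) / 2, mean(values)
    num = sum((i - x_bar) * (v - y_bar) for i, v in enumerate(values))
    den = sum((i - x_bar) ** 2 for i in range(n))
    return num / den

def gaps_in_days(dates):
    """Days between consecutive shipments, oldest first."""
    ordered = sorted(dates)
    return [(b - a).days for a, b in zip(ordered, ordered[1:])]

# Assumed alert thresholds, expressed as change per period; tune per category.
THRESHOLDS = {
    "risk_score_drop": -1.0,   # risk-score points per month
    "gap_growth": 7.0,         # extra days between shipments, per shipment
    "volume_drop": -2.0,       # units per shipment
    "defect_growth": 0.001,    # defect-rate increase per shipment
}

def early_warnings(supplier, defect_tolerance, thresholds=THRESHOLDS):
    """Return (alert_name, value) tuples for trends heading the wrong way."""
    alerts = []

    # 1. Financial risk score pulled monthly: look for a downward trend.
    score_trend = slope(supplier["risk_scores"])
    if score_trend <= thresholds["risk_score_drop"]:
        alerts.append(("financial_risk_declining", round(score_trend, 2)))

    # 2. Port data: shipments getting less frequent AND smaller.
    gap_trend = slope(gaps_in_days(supplier["shipment_dates"]))
    volume_trend = slope(supplier["shipment_volumes"])
    if (gap_trend >= thresholds["gap_growth"]
            and volume_trend <= thresholds["volume_drop"]):
        alerts.append(("shipments_slowing_and_shrinking", round(gap_trend, 1)))

    # 3. Defect rate: over tolerance now, or rising fast while still inside it.
    rates = supplier["defect_rates"]
    if rates:
        defect_trend = slope(rates)
        if rates[-1] > defect_tolerance:
            alerts.append(("defect_rate_over_tolerance", rates[-1]))
        elif defect_trend >= thresholds["defect_growth"]:
            # Shipments left before the trend line crosses the tolerance.
            remaining = (defect_tolerance - rates[-1]) / defect_trend
            alerts.append(("defect_rate_rising_within_tolerance",
                           round(remaining, 1)))
    return alerts

# Constructed sample histories (not real supplier data).
TROUBLED = {
    "risk_scores": [78, 77, 75, 72, 70, 66],
    "shipment_dates": [date(2023, 1, 10), date(2023, 3, 12), date(2023, 5, 11),
                       date(2023, 8, 14), date(2023, 12, 9)],
    "shipment_volumes": [40, 38, 30, 22],
    "defect_rates": [0.002, 0.003, 0.005, 0.008],
}
HEALTHY = {
    "risk_scores": [80, 81, 80, 82, 81, 82],
    "shipment_dates": [date(2023, 1, 10), date(2023, 3, 11), date(2023, 5, 10),
                       date(2023, 7, 9), date(2023, 9, 7)],
    "shipment_volumes": [40, 41, 39, 40],
    "defect_rates": [0.002, 0.002, 0.003, 0.002],
}

if __name__ == "__main__":
    for name, history in (("troubled", TROUBLED), ("healthy", HEALTHY)):
        print(name, early_warnings(history, defect_tolerance=0.01))
```

Note that the troubled supplier never breaches the 1% defect tolerance in the sample; the alert comes from the slope, which is the leading indicator the section is describing.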

Automated Issue Identification

As per our article five years ago, if the supplier management platform is integrated with organizational Sourcing, Procurement, and/or ERP systems, then the platform can automatically import objective supplier metric data as well as subjective supplier performance data from individuals across the organization that interact with the supplier.

Building on real time performance monitoring, the platform can monitor a whole host of metrics, trend them over time, identify drops that can signify issues, and alert the buyer if a dangerous drop is detected. Again, it’s just math.

Automated Risk Identification

The automated issue identification capabilities of a properly implemented and integrated supplier management platform are great, but as we have hinted above, the best platforms can also detect potential risks using leading indicators spit out by cross-organization metrics, trends, reports, and sentiment.

Remember, in addition to metric data, it can also take advantage of the community intelligence to identify early risk indicators. It can track the overall trend of promotion (against pre-existing tags) of a supplier for specific capabilities and the overall tone and sentiment of comments, and then compare that to the overall trend of anonymized price and performance data, and so on to detect when the performance or rating of a supplier is improving or declining, and, possibly, even how fast a rating might be declining which could indicate not just potential problems but risk.

Now integrate this to third party intelligence platforms with financial, CSR, operational, etc. risk and you start getting 360-degree risk profiles — and super early warning indicators since you never know where they are going to come from (the risk assessors, the community intelligence, or your own metrics). It’s all metrics, trends, and thresholds. Math. Good ol’ math.

Automated Resource Assignment

The best platforms support corrective action management, new product development, and supplier development initiatives. Each of these typically requires project plans that require resources to support them: always human resources and sometimes even physical organizational assets or IP assets (including software licenses).

If the platform is connected into a project management platform which has all of the information on organizational resources, and the organization’s asset management software, since the platform will know what skills are needed for the project, as well as what assets the supplier needs, it’s just a matter of best-match mapping. A great supplier management platform could do that through simple match computations and allocation tracking. When there are conflicts, it’s just a simple optimization problem for the best match.

SUMMARY

Now, we realize this was very brief, but again, that’s because this is not new tech: it was available long before Gen-AI, the majority (if not the entirety) of it should be native to any true best-of-breed Supplier Management platform, and it is easy to understand — and it was described in detail in the doctor’s 2019 articles for those who wish to dive deeper. The whole point was to explain how traditional ML methods enable all of this, with ease; it just takes human intelligence (HI!) to define and code it.

The Sourcing Innovation Source-to-Pay+ Mega Map!

Now slightly less useless than every other logo map that clogs your feeds!

1. Every vendor verified to still be operating as of 4 days ago!
Compare that to the maps that often have vendors / solutions that haven’t been in business / operating as a standalone entity in months on the day of release! (Or “best-of” lists that sometimes have vendors that haven’t existed in 4 years! the doctor has seen both — this year!)

2. Every vendor logo is clickable!
the doctor doesn’t know about you, but he finds it incredibly useless when all you get is a strange symbol with no explanation or a font so small that you would need an electron microscope to read it. So, to fix that, every logo is clickable so you can go to the site and at least figure out who the vendor is.

3. Every vendor is mapped to the closest standard category/categories!
Furthermore, every category has the standard definitions used by Sourcing Innovation and Spend Matters!
the doctor can’t make sense of random categories like “specialists” or “collaborative” or “innovative”, despises when maps follow this new age analyst/consultancy award trend and give you labels you just can’t use, and gets red in the face when two very distinct categories (like e-Sourcing and Marketplaces or Expenses and AP) are merged into one. Now, the doctor will also readily admit that this means that not all vendors in a category are necessarily comparable on an apples-to-apples basis, but that was never the case anyway as most solutions in a category break down into subcategories and, for example, in Supplier Management (SXM) alone, you have a CORNED QUIP mash of solutions that could be focused on just a small subset of the (at least) ten different (primary) capabilities. (See the link on the sidebar that takes you to a post that indexes 90+ Supplier Management vendors across 10 key capabilities.)

Secure Download the PDF!  (or, use HTTP) [HTML]
(5.3M; Note that the Free Adobe Reader might choke on it; Preview on Mac or a Pro PDF application on Windows will work just fine)

Technology for Supplier Onboarding is the NOW, not the Future!

In fact, for any company that hasn’t been in a cave for the last TWO (2) decades, it’s the past!

Needless to say, the doctor was shocked to see this recent headline in Supply Chain Digital that purported to answer why technology is the future for supplier onboarding because either you’re using technology for supplier onboarding today, or you’re not going to be around much longer as a company.

Without a good solution, the time it takes to collect and evaluate enough data to even determine if the supplier is legit, in your industry, appropriately certified, not on any banned lists, financially stable, with real customers, etc. is days, sometimes weeks. And then the time to evaluate the supplier to supply even a single product can be weeks, especially in direct, when you have to trace the product components down to the raw material source to make sure there are no conflict diamonds, no Congolese cobalt, and no indentured / kafala / slave labour in the mines your metals come from.

Even though the article headline is, well, wrong, there are some good points in the article.

Having a strategic approach to supplier onboarding is a key component of supply chain risk management. Most definitely. You don’t want to hook up with a supplier that’s just going to increase your risk, stop your production lines, bring regulatory and compliance investigations your way, and possibly get your CFO or CEO in hot water because you had them sign off on a supplier as being safe when, in fact, it was the business equivalent of a landmine.

With a properly configured supplier management solution, you can check that a supplier meets all of the basic regulatory requirements, financial requirements, and baseline operational requirements in a minute. Literally. You plug in the name and ONE governmental ID code and it pulls in every single piece of information in government systems, third party finance / ESG / Risk databases, insurance and compliance databases, and community intelligence gathered in its systems and indicates if the supplier:

  • failed any registration checks
  • failed any denied party checks
  • has any owners, directors, investors, or connected parties that failed a check
  • has filed its financial reports and is not rated as a going concern
  • has reasonable ESG ratings
  • has any reports of, or known connections to, forced/child/slave labour
  • has valid insurance
  • has valid regulatory compliance certificates
  • any other requirement that can be looked up from a public database

And you know if there are any alerts or failures within minutes, not hours, days, or weeks.

Which lets you dive into evaluating whether or not they can supply the product you need at the quality and quantity, and in a manner that is not quixotic to your business environment.

You can then define additional requirements for automatic lookup, ask for tier 2 suppliers, do the same automatic checks on those, specific to the component or raw material they are providing, and if all that passes, which you will know in minutes, then you can begin the real research in minutes, not hours, days, or weeks. And the real research can take days, or weeks (and sometimes more) in real time when you need to look deep into the production capabilities, the labour that is used, the materials that are used, and the quality of the finished good (which you may need to see a sample of). But the last thing you want to do is waste weeks trying to get to this point only to find out three weeks in that the supplier is on a banned list for one of your main marketplaces, the tier 3 uses cobalt from the Congo (and if you don’t know why that is bad, do ONE minute of web research [unless, of course, you are a psychopath or sociopath with no regard for human rights or even welfare]), or is facing multiple lawsuits for unsafe products in multiple countries.

It is imperative that C-suiters “act with urgency around risk”. Nothing could be truer. It seems that risk is doubling every day. You need to be ready, and while you can’t be ready for everything, you can minimize the chances of risk by ensuring that your suppliers are not adding risk and are, in fact, as dedicated as you are to minimizing their risk profile. Moreover, if you have a good supply base, they can work with you to mitigate the impact of disruptions when those disruptions rear their ugly head.

“This year we expect to see increased ESG regulation”. It’s coming, and the best way to be prepared for it is with systems that can run checks, collect the required data, flag potential issues, and make sure you keep on top of whatever you need to in order to comply with those regulations.

“Invest in your processes, to ensure you can do more with the same, or fewer, resources. This usually means automating your supply chain data, so you’re finding new suppliers or managing existing suppliers.” Definitely.

Technology has a vital role to play in supplier onboarding. Most definitely. Except you should have been using it for the past two decades, not looking for a solution today. Why do you think there are 100+ vendors offering supplier management solutions? Because they’ve worked wonders (relative to not having any solution) since they were first introduced two decades ago. And, most importantly, they’ve gone from simple information management solutions to advanced data collection, validation, and risk assessment solutions where you can quickly validate, analyze, and decide if you want to even consider engaging with a supplier in minutes. You can also collaborate, develop, and implement supplier programs. And you can even orchestrate supply networks with modern solutions.

So if your solution doesn’t solve your CORNED QUIP mash of supplier management problems, maybe it’s time you found a new one. You can’t wait for the future to solve your supplier management problems, you need to solve them today!

10 Great Questions to Pre-Qualify a Vendor Before Onboarding for a Deep Dive, Courtesy of Certa

A recent article in the SCMR by Jag Lamba, the CEO of Certa, a Third Party Risk Management (TPRM) vendor headquartered in California and focussed on compliance, risk, and ESG had some very good questions to ask before engaging with a US vendor, but some of them were very US-centric and others took a platform based approach. (You certainly need a platform, but certain areas, like security, go beyond the platform.)

But if we generalize these questions, they are relevant for everyone, and make it clear why you need a Third Party Risk Management (TPRM) platform that goes beyond just key suppliers/vendors, and beyond product and service needs. (And if you’re wondering why you need a TPRM, check out Part 4A and Part 4B of our new Source-to-Pay+ series where we are currently focussing on Risk Management.) They’re also industry independent and can allow you to short circuit a time-consuming industry (product/service) specific diligence because if the third party fails any of these questions, why would you bother going deeper? Just move on to the next contender!

  1. Does the vendor meet the needs of its customer base?: Any major negative news headlines? Any drops in financial performance? Any grumblings on Glassdoor? Any of your counterparts in local groups or associations using them and bad mouthing them?
  2. Does the vendor have the operational capability AND capacity to serve you?: If you need a modern machining process or a vendor who can produce a minimum of a million units, don’t bother with any vendors that don’t have the process or can’t produce a million units.
  3. What financial and sustainability reporting process are they subject to?: The best way to ascertain their ability to stay compliant with financial and other regulatory (like ESG) requirements is to review the government reports. (They may [white] lie in their marketing, and then claim you misinterpreted, but they’re not as likely to lie to the government who could fine them, criminally charge them [in some countries], or shut them down.)
  4. How do they approach security?: Not just cyber security, but facility security, personnel security, and information security. Over half the attacks come from the cloud because it’s easy: when you leave a security hole, hackers don’t have to leave their basement, they can attack you from half a world away, and they face no repercussions because there are no extradition treaties and the local authorities just don’t give a f*ck if they aren’t doing any criminal activity in their country. But when that fails, their local counterparts try to break into the facilities — if the vendor stores unsecured physical copies of critical IP, local backups of sensitive IP on unsecured USB/Zip/Thumb drives, or a lot of money on site — all someone has to do is walk in with a workman’s uniform, enter the backroom to check the wiring when no one’s in it, stuff something in their workbag or pocket, and, buh-bye. If your personnel are not trained to detect social engineering attempts, then someone’s going to have a little chat with them, something like “Hi, what do you do? Oh, is that your doggie in the picture, what’s your doggie’s name? My doggie’s name was Scooter. You know it’s my birthday tomorrow. I’m a Scorpio. What about you? So you were born in 1979 and you’re a goat like me in the Chinese zodiac? Cool! Hey, you know that I was just reading that most people use their birthday and pet’s name as a password. I thought it was only me. What, you do too? Aww, so cute. Well, nice meeting you.” Network access granted! And then if you’re not ensuring all personal, confidential, or sensitive IP is clearly marked, only stored in locked filing cabinets, always encrypted, and those files only on secure, encrypted, network drives, hackers are going to easily find those files accessible from limited access accounts with weak passwords that can be brute-forced.
  5. Do they do business with any entities sanctioned in your country?: If so, they are probably a no-go. You don’t want to be only one degree of separation removed from a sanctioned entity. (And, of course, they shouldn’t be sanctioned — because you shouldn’t be considering them at all if they are!)
  6. Would you have a backup plan if their suppliers or partners they relied on got sanctioned?: i.e. if you need to locate a complete production line in one geography, and there is only one supplier of a key raw material or part in that geography, maybe you’re looking in the wrong geography
  7. What is their viewpoint on diversity?: great suppliers encourage diversity and look for good people that represent the entire cross-section of humanity in the area in which they operate; they don’t have arbitrary goals or the one Token black in the C-suite to check a box; they hire all races, cultures, religions, ages, etc., train them all, and then promote the best (and, over time, they build a diverse management team)
  8. Are their objectives aligned with your objectives?: If your objective is quality and distinction for the wealthy, and their objective is cut costs no matter what, they are probably not the supplier for you.
  9. Do they have a sustainability program? And is it sensible?: In some jurisdictions, they not only have to report down to “Scope 3”, but stay within a limit for overall emissions, or get in (financial) trouble (with fines, etc.). And if you have to report as well for doing business with them, or to satisfy the regulatory requirements of a region you operate in, and they can’t report to you, that’s not good. Not good at all.
  10. What level of risk will they add to your business?: If you’re happy with the answers to the first 9 questions, before you dive deep into certifying their products and services, their production lines and capacities, etc., ask this first. If the risk is too great in general, it might be a no-go before you start. And this is why you need a comprehensive TPRM platform to do a preliminary assessment.

And yes, Certa is one platform that might be able to help you, and one you should add to your RFP invite list if you don’t have a TPRM. We will note that they’re not the only one (and this could be relevant if you are in the EU and need a local provider), and that we’ll list others in Part 10 of our Source-to-Pay+ series, but close by stating that you should not overlook Certa. They’ve been around for a decade, have raised over 50M, likely integrate into whatever you’re already using in your Source-to-Pay process (with integrations to 100+ platforms and data feeds), have pre-built solutions for Compliance / Risk / ESG, and have a number of Fortune 500 clients.

Source-to-Pay+ part 3: Corporate Risk

In Part 1 we noted that Risk Management went well beyond Supplier Risk, and the primitive Supplier “Risk” Management application that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials they use; and with the locales they operate in. These risks come in all shapes and sizes. And any single risk can sink the company.

Today we are going to talk about some of the internal corporate risks and outline the function specific baseline capabilities that such a solution will normally possess.

Capability Description
Reputation/Brand A significant risk to a company is its reputation/brand, especially if it’s primarily selling to consumers. And the problem with reputation/brand damage is that it can come from anywhere. Quality issue that leads to a defect that causes consumers harm. Raw materials that are harmful to human health and might cause cancer, or worse, if consumed, inhaled, or even touched. An offensive statement (to a group of people) by an executive. A targeted online misinformation campaign by a disgruntled customer. Environmentalists who claim the organization is doing unnecessary environmental damage. Forced and Slave Labour. The repercussions of continuing to buy cobalt and copper from the Congo while turning a blind eye to rampant sexual violence and rape. (An average of 48 victims are treated per day by Médecins Sans Frontières, that’s 17,520 per year. And this has been going on for over a decade.)

And in these difficult times, you also have to deal with

  • Sourcing from countries engaged in “special military exercises” that have effectively started wars with other countries and
  • Sourcing from countries whose response to terrorist attacks has resulted in 10X the number of casualties caused by the terrorists.

In these two situations, it might be the case that most of your consumer base doesn’t care, but some will praise you for staying the course and helping the side they think is right (or good) while others will go out of their way to aggressively attack your brand for helping the side they think is wrong (or evil). And so on.

As such, the platform needs to be able to monitor news sources and social media. It must look for stories that could blow up, sentiment that could propagate, and events associated with related entities that could propagate. It must tie into multi-tier manufacturing systems to monitor raw materials, and quality control systems to monitor production quality. It must tie into CSR/EHG systems to make sure the company is being environmentally conscious. And so on.

Sanctioned Entities An organization that does business with organizations on sanctioned or denied lists can get in serious trouble. It can be prohibited from doing business with government entities, fined, and the executives (criminally) charged. But it’s not just entities, it’s individuals as well. And it’s not just potential employees or contractors, but (potential) investors as well.

It’s critical that the system tie into all sanction and denied party lists of every country it does business in, all lists of organizations that have had lawsuits brought against them (and the results if the lawsuits have been concluded), and lists of individuals who have investments in related corporations.

Fraud Every organization that makes money is at risk of being defrauded. That fraud can come from employees, including top executives, suppliers, third parties, and cyber criminals.

Such a system should integrate into the Supplier/Vendor Master to ensure that all invoices are coming from valid entities, the purchase order system to ensure the invoices match purchase orders and the payment amounts are valid, and the payment system to make sure the payments go to accounts known to be associated with the vendor who sent the invoice and that no payments are made without an invoice or appropriate counter-signed / doubly approved payment approval.

Such a system should also look at connections. Connections between the individuals in the organization who cut the PO, claim the services were delivered, make the payment, and the individuals who sent the invoice, verified the delivery, and accepted the payment.

Such a system should also integrate with the cyber monitoring and internet security systems and look for unusual activity that could indicate potential fraud.

Employees Employees are the biggest internal risks. And not just those who are looking to commit fraud, which will, hopefully, be a very small percentage of employees. There are also those who (might) have a conflict of interest, which could sway them in their decision making. And then there are the rest of the employees, who are human and make mistakes. Small mistakes like accidentally approving an invoice for 5K from a vendor who didn’t actually deliver the services, and might never deliver the services, because there are no processes in place to verify the delivery from approved vendors who have delivered in the past. Big mistakes like not locking down a port that allows a hacker to get into the local payment systems and alter the bank account for the 500K payment going out tomorrow. And everything in between.

This system should not only integrate with background check systems for employees who have access to the payment systems, but those who have access to restricted/classified IP, sensitive systems that need specialized training, and so on.

It should also integrate with certification and training systems to track an employee’s certifications and training.

GHG/Carbon In today’s climate, it’s important for a large company to track its internal carbon usage, not just the supply chain.

It’s likely that the organization will have its own system for carbon tracking. Such an organization will need to make sure the system is configured to track internal emissions and chain emissions separately, assign internal emissions to the company and the outbound chain as appropriate, and export the summaries to the corporate risk tracking system.

GDPR/Privacy GDPR is here, it must be respected, and failure to do so can be costly. But it’s not just GDPR an organization needs to be concerned with, as privacy regulations are cropping up all over the world, including in many countries in which the organization does business as a buyer, a seller, or both.

An organization must identify the private data it maintains on its employees, contractors, representatives of third parties, and the public. It must ensure such data is secured, encrypted, accessible only by those with explicit authority, and tagged as data the organization is legally allowed, or required, to keep and data that does not fall under that category. The location of such data must be indexed, and the data, as well as all backups thereof, must be easily erased if someone asks to be forgotten (with the exception of any data the organization is legally required to maintain).

Contract The organization has contractual risk, both in the contracts with its suppliers as well as the contracts with its customers, and with respect to the contracts it never signed, but implied when it made the first order or purchase from a supplier. These risks include the losses from failure to complete its obligations, risks from suppliers and customers failing to complete theirs, force majeure risks, and lack of assignment to third parties and/or lack of adequate insurance coverage.

It’s critical that the Corporate Risk System integrate with all of the contract systems used by the organization, track contracts by risk type, identify lack of key clauses, and identify areas where lack of contracts or insurance put the organization at significant risk.

Epidemics/Pandemics The pandemic was not the last epidemic/pandemic the organization is going to face. More are coming. The organization needs to identify which parts of the operation are most at risk, what can be done to prepare for it, and what is in place when the worst happens.

As to how the system should support the planning, monitoring for, detection, and response to an emerging epidemic/pandemic, that’s probably organization dependent. But any Corporate Risk system that doesn’t at least recognize the need is not meeting the full problem.
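The checks listed under Fraud above (invoice from a vendor in the master, invoice matched to a purchase order, valid payment amount, payment to an account known for that vendor, no payment without an invoice or dual approval, and connections between the people on both sides) can be written as a small rule set run over each outgoing payment. This is an added example, not code from the article or any vendor's product; the record layout, names, and account identifiers are constructed assumptions.

```python
from decimal import Decimal

def review_payment(payment, invoices, purchase_orders, vendor_master,
                   connections=frozenset()):
    """Return the list of control failures for one outgoing payment."""
    findings = []

    # Payment must go to an account already on file for a known vendor.
    vendor = vendor_master.get(payment["vendor_id"])
    if vendor is None:
        findings.append("vendor_not_in_master")
    elif payment["account"] not in vendor["accounts"]:
        findings.append("payment_to_unknown_account")

    invoice = invoices.get(payment.get("invoice_id"))
    if invoice is None:
        # No invoice: acceptable only with two approvers other than the releaser.
        approvers = set(payment.get("approvers", ())) - {payment["released_by"]}
        if len(approvers) < 2:
            findings.append("no_invoice_and_no_dual_approval")
        return findings

    if invoice["vendor_id"] != payment["vendor_id"]:
        findings.append("invoice_vendor_mismatch")
    if payment["amount"] != invoice["amount"]:
        findings.append("payment_amount_mismatch")

    # Invoice must match a purchase order cut for the same vendor.
    po = purchase_orders.get(invoice.get("po_id"))
    if po is None or po["vendor_id"] != invoice["vendor_id"]:
        findings.append("invoice_without_matching_po")
        staff = [invoice["receipt_confirmed_by"], payment["released_by"]]
    else:
        if invoice["amount"] > po["amount"]:
            findings.append("invoice_exceeds_po")
        staff = [po["created_by"], invoice["receipt_confirmed_by"],
                 payment["released_by"]]

    # Connections: one person in several roles, or staff tied to the vendor contact.
    if len(set(staff)) < len(staff):
        findings.append("duties_not_segregated")
    if any(frozenset((p, invoice["sent_by"])) in connections for p in staff):
        findings.append("staff_connected_to_vendor_contact")
    return findings

# Constructed sample records (hypothetical vendor, people, and accounts).
VENDOR_MASTER = {"V-100": {"accounts": {"ACCT-EXAMPLE-0001"}}}
PURCHASE_ORDERS = {
    "PO-1": {"vendor_id": "V-100", "amount": Decimal("500000"), "created_by": "alice"},
    "PO-2": {"vendor_id": "V-100", "amount": Decimal("5000"), "created_by": "dave"},
}
INVOICES = {
    "INV-1": {"vendor_id": "V-100", "po_id": "PO-1", "amount": Decimal("500000"),
              "sent_by": "vendor.rep1", "receipt_confirmed_by": "bob"},
    "INV-2": {"vendor_id": "V-100", "po_id": "PO-2", "amount": Decimal("5000"),
              "sent_by": "vendor.rep2", "receipt_confirmed_by": "erin"},
}
CONNECTIONS = frozenset({frozenset(("dave", "vendor.rep2"))})
PAYMENTS = {
    "P1": {"vendor_id": "V-100", "invoice_id": "INV-1", "amount": Decimal("500000"),
           "account": "ACCT-EXAMPLE-0001", "released_by": "carol"},
    # Same invoice, but the destination account was altered before release.
    "P2": {"vendor_id": "V-100", "invoice_id": "INV-1", "amount": Decimal("500000"),
           "account": "ACCT-EXAMPLE-9999", "released_by": "carol"},
    # No invoice, and the only approver is the person releasing the payment.
    "P3": {"vendor_id": "V-100", "invoice_id": None, "amount": Decimal("1200"),
           "account": "ACCT-EXAMPLE-0001", "released_by": "carol",
           "approvers": ["carol"]},
    # PO creator also releases the payment and is linked to the vendor contact.
    "P4": {"vendor_id": "V-100", "invoice_id": "INV-2", "amount": Decimal("5000"),
           "account": "ACCT-EXAMPLE-0001", "released_by": "dave"},
}

def review_all(payments=PAYMENTS):
    """Run every payment through the rule set; map payment id to findings."""
    return {pid: review_payment(p, INVOICES, PURCHASE_ORDERS, VENDOR_MASTER,
                                CONNECTIONS) for pid, p in payments.items()}

if __name__ == "__main__":
    for pid, findings in review_all().items():
        print(pid, findings or "clean")
```

P2 is the altered-bank-account case the Employees section warns about: the invoice, purchase order, and amount all match, and only the account lookup against the vendor master catches it.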

A corporate risk system will also contain a host of generic analytics/planning/monitoring capabilities, but since many of these are, or at least should be, common among multiple types of risk systems, and since stand alone risk-focussed analytics applications are also part of the plethora of offerings out there, instead of discussing these generic features in this and every other article describing a particular focus/type of risk application, we will instead discuss these capabilities in an article dedicated to Risk Analytics and Monitoring near the end of this series.