Category Archives: Supplier Management

Advanced Supplier Management TODAY — No Gen-AI Needed!

Back in late 2018 and early 2019, before the GENizah Artificial Idiocy craze began, the doctor did a sequence of AI Series (totalling 22 articles) on Spend Matters on AI in X Today, Tomorrow, and The Day After Tomorrow for Procurement, Sourcing, Sourcing Optimization, Supplier Discovery, and Supplier Management. All of which was implemented, about to be implemented, capable of being implemented, and most definitely not doable with, Gen-AI.

To make it abundantly clear that you don’t need Gen-AI for any advanced enterprise back-office (fin)tech, and that, in fact, you should never even consider it for advanced tech in these categories (because it cannot reason, cannot guarantee consistency, and confidence in the quality of its outputs can’t even be measured), we’re going to talk about all the advanced features enabled by Assisted and Augmented Intelligence that were (about to be) in development five years ago and are now (or should be) available in leading best-of-breed systems. And we’re continuing with Supplier Management.

Unlike prior series, we’re identifying the sound ML/AI technologies that are, or can be, used to implement the advanced capabilities that are currently found, or will soon be found, in Source to Pay technologies that are truly AI-enhanced. (Which, FYI, may not match one-to-one with what the doctor chronicled five years ago because, like time, tech marches on.)

Today we continue with AI-Enhanced Supplier Management that was in development “yesterday” when we wrote our first series five years ago but is now available in mature best of breed platforms for your Procurement success. (This article sort of corresponds with AI in Supplier Management Tomorrow Part I and Part II that were published in May, 2019 on Spend Matters.)

TODAY

Auto Profile Updates with Smart Information Selection

In our last article, we noted that in first, and many second, generation Supplier Management solutions, a supplier was always forced to create a profile from scratch, filling out a bevy of pre-defined form fields — even if they had all of that data in a well-formed (metadata rich) xml or csv file. That’s why yesterday’s Supplier Management solutions contained functionality to auto-complete profiles wherever this data was easily available in standard formats.

But the biggest problem remained — supplier profile maintenance. A supplier profile is only accurate the second a supplier hits confirm/complete. Then, their main contact changed. They changed their mailing address. They moved HQ. They offered a new product. They dropped an old one. And so on. And, of course, they never maintained their profile, and you never verified it until you went to call, mail, or order and that person wasn’t there, the mail got returned, or the order was rejected (because the supplier no longer made the product). Then, you went to the website, found the new main line, called, navigated to the right person, got the right info, and maybe remembered to update the system.

So, as errors were discovered, some critical ones would be corrected, but most would remain unchanged or unnoticed and over the years errors — including information on critical insurance, regulatory approvals, and other key business requirements that put the organization at high risk if not verified — continued to pile up. After a few years, the record becomes more wrong than right. Not good.

So today’s solutions make use of the fact that information typically gets updated somewhere, even if not in the application. They monitor the supplier’s website for changes in contact information, invoices for address and product information, state and country registries for business information, and so on and when changes are detected, automatically update the supplier profile if the changes can be independently verified (through a third party authority, to prevent hacks or fraud from changing the system) or present the new data for approval to the relationship manager. All this takes is simple website and data source monitoring, scraping, reg-ex based pattern matching, and automated workflows. For complex information, a bit of semantic processing. Nothing beyond classical, proven, tried-and-true AI is needed.
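The update rule described above, as an added example that is not from the original article or any vendor's product: regex extraction from a scraped contact page, change detection against the stored profile, and a gate that auto-applies a change only when an independent authority record confirms it. The field names, patterns, sample page, and registry record are all constructed assumptions.

```python
import re

# Constructed sample: the profile as currently stored in the platform.
STORED_PROFILE = {
    "phone": "+1-555-0100",
    "email": "orders@acme-widgets.example",
    "postal_code": "90210",
}

# Constructed sample: text scraped from the supplier's public contact page.
SCRAPED_CONTACT_PAGE = """\
Contact Acme Widgets
Main line: +1-555-0142
Orders: Orders@Acme-Widgets.example
Mailing address: 12 Harbor Rd, Springfield, 62704
"""

# Constructed stand-in for a record from an independent authority
# (for example a state business registry). It carries no phone number.
REGISTRY_RECORD = {"postal_code": "62704"}

# Hypothetical per-field patterns; each captures the value in group 1.
FIELD_PATTERNS = {
    "phone": re.compile(r"Main line:\s*(\+\d[\d-]{6,})"),
    "email": re.compile(r"Orders:\s*([\w.+-]+@[\w-]+(?:\.[\w-]+)+)"),
    "postal_code": re.compile(r"Mailing address:.*?\b(\d{5})\b"),
}


def normalize(field, value):
    """Canonical form so cosmetic differences are not reported as changes."""
    value = value.strip()
    return value.lower() if field == "email" else value


def extract_fields(text):
    """Pull known fields out of scraped text; absent fields are skipped,
    so a page that omits a value never erases the stored one."""
    found = {}
    for field, pattern in FIELD_PATTERNS.items():
        match = pattern.search(text)
        if match:
            found[field] = normalize(field, match.group(1))
    return found


def detect_changes(stored, observed):
    """Return {field: (old, new)} for fields whose observed value differs."""
    changes = {}
    for field, new in observed.items():
        old = normalize(field, stored.get(field, ""))
        if new != old:
            changes[field] = (old, new)
    return changes


def triage(changes, authority_record):
    """Auto-apply only what the independent source confirms. Everything else
    goes to the relationship manager, because the website alone could have
    been altered by whoever wants the profile changed."""
    auto, pending = {}, {}
    for field, (old, new) in changes.items():
        confirmed = authority_record.get(field)
        if confirmed is not None and normalize(field, confirmed) == new:
            auto[field] = new
        else:
            pending[field] = (old, new)
    return auto, pending


def run_update(stored, page_text, authority_record):
    """Full pass: extract, diff, triage. Returns (updated_profile, pending)."""
    changes = detect_changes(stored, extract_fields(page_text))
    auto, pending = triage(changes, authority_record)
    return {**stored, **auto}, pending


if __name__ == "__main__":
    updated, pending = run_update(STORED_PROFILE, SCRAPED_CONTACT_PAGE, REGISTRY_RECORD)
    print("updated profile:", updated)
    print("awaiting approval:", pending)
```

The phone number changed on the website but has no independent confirmation, so it stays out of the profile until a person approves it.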

Market Based Supplier Intelligence

Today’s supplier management platforms can integrate with multiple marketplaces, communities, partners, GPOs, and specialized compliance, sustainability, and risk data platforms, use rule-based transformations to harmonize all the data, and use built-in algorithms to extract intelligence at a market level.

Your company data gives you one view into a supplier; your vendor-based community, which is usually limited to similar companies in your industry that the vendor was able to sell, gives you another view; but the market gives you yet another view. Mathematically, one data point doesn’t tell you anything. If only nine other customers use the vendor and share their data through community intelligence, that gives you 10 data points, which gives you some data on the supplier’s performance and their performance for you relative to others, but 10 data points is not statistically significant. But if 30, 50, 100 data points can be collected from the market, that gives you deep insight with deep statistical significance.

On top of the data, and a few powerful cores (few, not a few thousand), all these platforms need is basic statistical calculations, trend analysis, classical machine learning, semantic processing, and sentiment analysis … all of which have been market ready for over a decade.

Real Time Relationship Monitoring

Relationships are more than just performing to a contract. They are about building a working arrangement that is beneficial to both parties. One where both are willing to admit problems, collaboratively explore potential solutions, and work together to achieve them. One where, when there are no problems, both are willing to find ways to improve.

As a result, relationship monitoring is more than just supplier performance monitoring. Especially since the relationship can be bad even when the performance is (still) (surprisingly) good, and the relationship can be (reported as) good when the performance is bad.

However, if you turn the semantic and sentiment analysis that was typically done on market data and public comments onto internal communications, you can start to build up a picture of the overall viewpoint and sentiment on the relationship from both sides, what successes or issues are contributing to that, and if the situation is improving or deteriorating over time (by trending the number of spikes in communication with sentiment that is overly positive or negative). It’s not foolproof, as both sides could adopt strict, formal communication no matter what, but since people are human, they tend to get hotheaded and lose tempers (and let the words fly) if they are really upset, or jubilant when they are really happy (and let the praise fly), and while minor changes in relationship sentiment might not be caught (within tolerance), major changes will. Moreover, you’re not going to get rigid, controlled, strict, formal communication until threats of a lawsuit fly, but then it’s too late!

Automated Resolution Plan Creation, Monitoring, and Adjustment

Not only can supplier management platforms automatically detect issues (by rapid increases or decreases in trends or metrics), they can also correlate them to included resolution plan templates, automatically instantiate them and customize them to the issue in question, walk the supplier relationship manager through the resolution process, monitor progress, and automatically adjust the plan, and timeline, as needed as new information, good or bad, comes in.

Each default template can be correlated to a particular metric, trend, or sentiment driven situation, so selecting it is just a lookup. Instantiation is just filling in the blank with the appropriate category, product, service, and metric information, through reg-ex matching and search and replace. Robotic Process Automation (RPA) walks both sides through the process. Monitoring alerts either side when something is updated or not completed on time through more RPA. And adjustments can be made to trend lines based on average timelines on similar projects and current trends at each milestone.

Automated Risk Mitigation Strategy Identification

It’s one thing to detect risk, which is pretty easy along many dimensions when you have a lot of data at your disposal, and relatively straightforward to predict the likelihood of some risk events, but it’s a lot harder to determine which mitigation strategies should be employed when it looks like a risk is going to materialize.

But that doesn’t mean it can’t be done, or isn’t doable by the best of platforms. Just like a platform can come equipped with issue resolution plan templates, it can also come equipped with standard risk mitigation strategies, which are essentially action plans to be automatically customized with the specific category, product/service, logistics, and supply line details. This is just pattern matching and semantic contextual awareness.

When all of this is combined with (near) real time monitoring across data sources that are continually looking for relevant news sources, changes in metrics / prices / trends, etc., it’s like magic (although it isn’t). The platform detects risks, finds the most appropriate mitigations, and presents them to the relationship manager. And all it uses is math, traditional machine learning, and traditional semantic/sentiment analysis. And, of course, a lot of up-front human intelligence (HI!) in the creation of this solution.

Automatic Real-Time Resource Re-Alignment

Corrective action plans and risk mitigation plans have something very important in common — people. People who create them, approve them, execute them, and monitor them. This requires resources to be constantly assigned, monitored, replaced as soon as they are unavailable or needed on more pressing assignments, and reassigned as the issue is resolved or the mitigation complete.

And while it will often be difficult for a project manager, or even a resource manager, to determine when to remove an organization’s best problem solver from a critical corrective action project to address a less critical risk mitigation project, or vice versa, even when the manager can’t think of someone else who could address the less critical risk mitigation project effectively, even when there is another moderately experienced problem solver that could step into the critical project, the software will be able to compute when that should happen if the organization defines the rules as to when that will happen based on hard metrics.

For example, if you define assignments to correlate resources to the projects with the highest cost (should the issue persist or the risk materialize), and you define the cost of an issue based on its expected impact if unsolved, and the cost of a risk as its expected impact if unaddressed (using a fixed cost or a formula if those 10,000 processors don’t arrive and you have 10,000 vehicles you can’t complete), and you associate a seniority with each resource, it’s simply rank ordered matching.

If there aren’t enough resources for all problems, you can apply simple optimization to maximize the impact of your most senior resources. And, again, there is no Gen-AI needed!

SUMMARY

Now, we realize some of these descriptions, like yesterday’s, are also quite brief, but again, that’s because this is not entirely new tech, as the beginnings have been around for years, have been in development for a few years and discussed as “the future of” Procurement tech before Gen-AI hit the scene, and all of these capabilities are pretty straight-forward to understand. Moreover, if you want to dive deeper, the baseline requirements for most of these capabilities were described in depth in the doctor’s May 2019 articles on Spend Matters. The primary purpose of this article, as with the last, is to explain how more sophisticated versions of traditional ML methodologies could be implemented in unison with human intelligence (HI!) to create smarter Supplier Management applications that buyers can rely on with confidence.

Advanced Supplier Management YESTERDAY — No Gen-AI Needed!

Back in late 2018 and early 2019, before the GENizah Artificial Idiocy craze began, the doctor did a sequence of AI Series (totalling 22 articles) on Spend Matters on AI in X Today, Tomorrow, and The Day After Tomorrow for Procurement, Sourcing, Sourcing Optimization, Supplier Discovery, and Supplier Management. All of which was implemented, about to be implemented, capable of being implemented, and most definitely not doable with, Gen-AI.

To make it abundantly clear that you don’t need Gen-AI for any advanced enterprise back-office (fin)tech application, and that, in fact, you should never even consider it for advanced tech in these categories (because it cannot reason, cannot guarantee consistency, and confidence on the quality of its outputs can’t even be measured), we’re going to talk about all the advanced features enabled by Assisted and Augmented Intelligence (as we don’t really have true appercipient [cognitive] intelligence or autonomous intelligence, and we’d need at least autonomous intelligence to really call a system artificially intelligent — the doctor described the levels in a 2020 Spend Matters article on how Artificial intelligence levels show AI is not created equal. Do you know what the vendor is selling?) that have been available for years (if you looked for, and found, the right best-of-breed systems [many of which are the hidden gems in the Mega Map]). And we’re going to continue with Supplier Management. (Find our series on Advanced Procurement — No Gen-AI Needed! Yesterday, Today, and Tomorrow; our series on Advanced Sourcing — No Gen-AI Needed! Yesterday, Today, and Tomorrow; and our series on Advanced Supplier Discovery — No Gen-AI Needed! Yesterday, Today, and Tomorrow through the embedded links.)

Unlike prior series, we’re going to mention some of the traditional, sound ML/AI technologies that are, or can be, used to implement the advanced capabilities that are currently found, or will soon be found, in Source-to-Pay technologies that are truly AI-enhanced. (Which, FYI, might not match one-to-one with what the doctor chronicled five years ago because, like time, tech marches on.)

Today we move on to AI-Enhanced Supplier Management that was available yesterday (and, in fact, for at least the past 5 years if you go back and read the doctor’s original series, which will provide a lot more detail on each capability we’re discussing). (This article sort of corresponds with AI in Supplier Management Today Part I and Part II that were published in April, 2019.)

YESTERDAY

Auto-Fill Onboarding

While early 1st and 2nd generation supplier management platforms required a supplier to create a full profile from scratch and enter all of their information, third generation platforms, which define expected formats for each field and have contextual awareness, can pull in the data from third party profiles, market databases, supplier forms, and even csv or xml exports of a supplier’s profile from another site.

Using classical semantic parsing, pattern matching, flexible reg-ex rules based data format validations, and any available meta data, even yesterday’s platforms could auto-fill the majority of a supplier profile form if the data was available in textual format for parsing.

Basic Community Intelligence

As per our coverage of supplier discovery, the reality is that this “AI” like functionality doesn’t require any “AI” at all. Community Intelligence just requires the amalgamation of data across customers, which is easy to do with multi-tenant SaaS as long as the customer agrees to sharing their reviews and insights (which could be part of the contract), and the supplier is made aware (which is part of the waiver to participate in customer events) of what is being shared.

It’s just math for averages, time series for trend series on those averages over time (of quality ratings, performance ratings, OTD ratings, etc.), and consolidation of tagged reviews. The only AI that would be needed is semantic processing if the platform provided a sentiment analysis across the community.

Real Time Performance Monitoring

As written five years ago, the last thing you want is to find out without warning that your primary supplier for a critical component in your new engine, control system, or IoT platform is bankrupt and no more shipments are coming; that a recent shipment has a 10% defect rate that is 10 times the acceptable, contracted, level; or that the custom factory redesign you just contracted for is going to take an extra six months when it should be 80% done.

Also, as written five years ago, none of this needs to be the case. There’s no reason a good platform could not alert you to leading indicators correlated with bankruptcy. Or a pattern of (slightly) late deliveries that is getting worse over time. That defect rates, even if within tolerance levels, have been increasing rapidly in recent shipments. Or that the last three key project milestones haven’t been met and the project is tracking to at least three months late.

With regards to early detection of bankruptcy, pull in financial risk scores monthly from your financial risk provider, look for downward trends (simple math), and monitor for alerts. Use the community intelligence identified above to identify late deliveries. Alternatively, if that’s not available, and it’s a big supplier with multiple customers in your country, monitor the public port data for its shipments … if they used to be every two months, but are now every three or four months, with an average volume per shipment that’s going down, that’s an indicator of trouble. With regards to your needs, track all of the rejected shipments at the warehouse, the returns, and keep a running tab on defect rate over time, again looking for trends in the wrong direction in terms of defects per shipment or returns per month.
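The three checks in the paragraph above, as an added example that is not from the original article: a least-squares slope over monthly financial risk scores, over the gaps between port shipments (with volume), and over per-shipment defect rates. All data is constructed, the thresholds are assumptions to tune, and the score scale (higher means healthier) is also an assumption.

```python
from datetime import date

# Assumed thresholds; a real deployment would tune these per supplier.
SCORE_SLOPE_ALERT = -1.0      # risk-score points lost per month
INTERVAL_SLOPE_ALERT = 7.0    # extra days between shipments, per shipment
DEFECT_TOLERANCE = 0.01       # contracted defect rate (1%)


def slope(values):
    """Ordinary least-squares slope of values against their index 0..n-1."""
    n = len(values)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def shipment_intervals(dates):
    """Days between consecutive shipments seen in public port data."""
    return [(b - a).days for a, b in zip(dates, dates[1:])]


def evaluate_supplier(data):
    """Return a list of alert codes for one supplier's time series."""
    alerts = []

    # 1. Financial risk score trending down month over month.
    if slope(data["financial_scores"]) <= SCORE_SLOPE_ALERT:
        alerts.append("FINANCIAL_SCORE_DECLINING")

    # 2. Shipments getting further apart while average volume shrinks.
    gaps = shipment_intervals(data["shipment_dates"])
    if slope(gaps) >= INTERVAL_SLOPE_ALERT and slope(data["shipment_volumes"]) < 0:
        alerts.append("SHIPMENTS_SLOWING_AND_SHRINKING")

    # 3. Defect rate: either already over tolerance, or still inside it
    #    but climbing fast (here: at least doubled since the first sample).
    rates = data["defect_rates"]
    if rates[-1] > DEFECT_TOLERANCE:
        alerts.append("DEFECT_RATE_OVER_TOLERANCE")
    elif slope(rates) > 0 and rates[-1] >= 2 * rates[0]:
        alerts.append("DEFECTS_RISING_WITHIN_TOLERANCE")

    return alerts


# Constructed sample: a supplier showing all three leading indicators.
TROUBLED = {
    "financial_scores": [72, 71, 69, 66, 64, 60],
    "shipment_dates": [date(2023, 1, 10), date(2023, 3, 12), date(2023, 5, 11),
                       date(2023, 8, 14), date(2023, 12, 1)],
    "shipment_volumes": [400, 390, 350, 300, 280],
    "defect_rates": [0.002, 0.003, 0.005, 0.008],
}

# Constructed sample: a stable supplier that should raise nothing.
HEALTHY = {
    "financial_scores": [70, 71, 70, 72, 71, 70],
    "shipment_dates": [date(2023, 1, 10), date(2023, 3, 11),
                       date(2023, 5, 10), date(2023, 7, 9)],
    "shipment_volumes": [400, 410, 405, 400],
    "defect_rates": [0.002, 0.002, 0.001, 0.002],
}

if __name__ == "__main__":
    print("troubled:", evaluate_supplier(TROUBLED))
    print("healthy: ", evaluate_supplier(HEALTHY))
```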

There is so much you can do with just math. So do it!

Automated Issue Identification

As per our article five years ago, if the supplier management platform is integrated with organizational Sourcing, Procurement, and/or ERP systems, then the platform can automatically import objective supplier metric data as well as subjective supplier performance data from individuals across the organization that interact with the supplier.

Building on real time performance monitoring, the platform can monitor a whole host of metrics, trend them over time, identify drops that can signify issues, and alert the buyer if a dangerous drop is detected. Again, it’s just math.

Automated Risk Identification

The automated issue identification capabilities of a properly implemented and integrated supplier management platform are great, but as we have hinted above, the best platforms can also detect potential risks using leading indicators spit out by cross-organization metrics, trends, reports, and sentiment.

Remember, in addition to metric data, it can also take advantage of the community intelligence to identify early risk indicators. It can track the overall trend of promotion (against pre-existing tags) of a supplier for specific capabilities and the overall tone and sentiment of comments, and then compare that to the overall trend of anonymized price and performance data, and so on to detect when the performance or rating of a supplier is improving or declining, and, possibly, even how fast a rating might be declining which could indicate not just potential problems but risk.

Now integrate this to third party intelligence platforms with financial, CSR, operational, etc. risk and you start getting 360-degree risk profiles — and super early warning indicators since you never know where they are going to come from (the risk assessors, the community intelligence, or your own metrics). It’s all metrics, trends, and thresholds. Math. Good ol’ math.

Automated Resource Assignment

The best platforms support corrective action management, new product development, and supplier development initiatives. Each of these typically requires project plans that require resources to support them: always human resources, and sometimes even physical organizational assets or IP assets (including software licenses).

If the platform is connected into a project management platform which has all of the information on organizational resources, and the organization’s asset management software, since the platform will know what skills are needed for the project, as well as what assets the supplier needs, it’s just a matter of best-match mapping. A great supplier management platform could do that through simple match computations and allocation tracking. When there are conflicts, it’s just a simple optimization problem for the best match.

SUMMARY

Now, we realize this was very brief, but again, that’s because this is not new tech: it was available long before Gen-AI, it should be native in the majority (if not the entirety) of any true best-of-breed Supplier Management platform, and it is easy to understand — and it was described in detail in the doctor’s 2019 articles for those who wish to dive deeper. The whole point was to explain how traditional ML methods enable all of this, with ease; it just takes human intelligence (HI!) to define and code it.

The Sourcing Innovation Source-to-Pay+ Mega Map!

Now slightly less useless than every other logo map that clogs your feeds!

1. Every vendor verified to still be operating as of 4 days ago!
Compare that to the maps that often have vendors / solutions that haven’t been in business / operating as a standalone entity in months on the day of release! (Or “best-of” lists that sometimes have vendors that haven’t existed in 4 years! the doctor has seen both — this year!)

2. Every vendor logo is clickable!
the doctor doesn’t know about you, but he finds it incredibly useless when all you get is a strange symbol with no explanation or a font so small that you would need an electron microscope to read it. So, to fix that, every logo is clickable so you can go to the site and at least figure out who the vendor is.

3. Every vendor is mapped to the closest standard category/categories!
Furthermore, every category has the standard definitions used by Sourcing Innovation and Spend Matters!
the doctor can’t make sense of random categories like “specialists” or “collaborative” or “innovative”, despises when maps follow this new age analyst/consultancy award trend and give you labels you just can’t use, and gets red in the face when two very distinct categories (like e-Sourcing and Marketplaces or Expenses and AP) are merged into one. Now, the doctor will also readily admit that this means that not all vendors in a category are necessarily comparable on an apples-to-apples basis, but that was never the case anyway as most solutions in a category break down into subcategories and, for example, in Supplier Management (SXM) alone, you have a CORNED QUIP mash of solutions that could be focused on just a small subset of the (at least) ten different (primary) capabilities. (See the link on the sidebar that takes you to a post that indexes 90+ Supplier Management vendors across 10 key capabilities.)


Technology for Supplier Onboarding is the NOW, not the Future!

In fact, for any company that hasn’t been in a cave for the last TWO (2) decades, it’s the past!

Needless to say, the doctor was shocked to see this recent headline in Supply Chain Digital that purported to answer why technology is the future for supplier onboarding because either you’re using technology for supplier onboarding today, or you’re not going to be around much longer as a company.

Without a good solution, the time it takes to collect and evaluate enough data to even determine if the supplier is legit, in your industry, appropriately certified, not on any banned lists, financially stable, with real customers, etc. is days, sometimes weeks. And then the time to evaluate the supplier to supply even a single product can be weeks, especially in direct, when you have to trace the product components down to the raw material source to make sure there are no conflict diamonds, no Congolese cobalt, and no indentured / kafala / slave labour in the mines your metals come from.

Even though the article headline is, well, wrong, there are some good points in the article.

Having a strategic approach to supplier onboarding is a key component of supply chain risk management. Most definitely. You don’t want to hook up with a supplier that’s just going to increase your risk, stop your production lines, bring regulatory and compliance investigations your way, and possibly get your CFO or CEO in hot water because you had them sign off on a supplier as being safe when, in fact, it was the business equivalent of a landmine.

With a properly configured supplier management solution, you can check that a supplier meets all of the basic regulatory requirements, financial requirements, and baseline operational requirements in a minute. Literally. You plug in the name and ONE governmental ID code and it pulls in every single piece of information in government systems, third party finance / ESG / Risk databases, insurance and compliance databases, and community intelligence gathered in its systems and indicates if the supplier:

  • failed any registration checks
  • failed any denied party checks
  • has any owners, directors, investors, or connected parties that failed a check
  • has filed its financial reports and is not rated as a going concern
  • has reasonable ESG ratings
  • has any reports of, or known connections to, forced/child/slave labour
  • has valid insurance
  • has valid regulatory compliance certificates
  • any other requirement that can be looked up from a public database

And you know if there are any alerts or failures within minutes, not hours, days, or weeks.

Which lets you dive into evaluating whether or not they can supply the product you need at the quality and quantity, and in a manner that is not quixotic to your business environment.

You can then define additional requirements for automatic lookup, ask for tier 2 suppliers, do the same automatic checks on those, specific to the component or raw material they are providing, and if all that passes, which you will know in minutes, then you can begin the real research in minutes, not hours, days, or weeks. And the real research can take days, or weeks (and sometimes more) in real time when you need to look deep into the production capabilities, the labour that is used, the materials that are used, and the quality of the finished good (which you may need to see a sample of). But the last thing you want to do is waste weeks trying to get to this point only to find out three weeks in that the supplier is on a banned list for one of your main marketplaces, the tier 3 uses cobalt from the Congo (and if you don’t know why that is bad, do ONE minute of web research [unless, of course, you are a psychopath or sociopath with no regard for human rights or even welfare]), or is facing multiple lawsuits for unsafe products in multiple countries.

It is imperative that C-suiters “act with urgency around risk”. Nothing could be truer. It seems that risk is doubling every day. You need to be ready, and while you can’t be ready for everything, you can minimize the chances of risk by ensuring that your suppliers are not adding risk and are, in fact, as dedicated as you are to minimizing their risk profile. Moreover, if you have a good supply base, they can work with you to mitigate the impact of disruptions when those disruptions rear their ugly head.

“This year we expect to see increased ESG regulation”. It’s coming, and the best way to be prepared for it is with systems that can run checks, collect the required data, flag potential issues, and make sure you keep on top of whatever you need to in order to comply with those regulations.

“Invest in your processes, to ensure you can do more with the same, or fewer, resources. This usually means automating your supply chain data, so you’re finding new suppliers or managing existing suppliers.” Definitely.

Technology has a vital role to play in supplier onboarding. Most definitely. Except you should have been using it for the past two decades, not looking for a solution today. Why do you think there are 100+ vendors offering supplier management solutions? Because they’ve worked wonders (relative to not having any solution) since they were first introduced two decades ago. And, most importantly, they’ve gone from simple information management solutions to advanced data collection, validation, and risk assessment solutions where you can quickly validate, analyze, and decide if you want to even consider engaging with a supplier in minutes. You can also collaborate, develop, and implement supplier programs. And you can even orchestrate supply networks with modern solutions.

So if your solution doesn’t solve your CORNED QUIP mash of supplier management problems, maybe it’s time you found a new one. You can’t wait for the future to solve your supplier management problems, you need to solve them today!

10 Great Questions to Pre-Qualify a Vendor Before Onboarding for a Deep Dive, Courtesy of Certa

A recent article in the SCMR by Jag Lamba, the CEO of Certa, a Third Party Risk Management (TPRM) vendor headquartered in California and focussed on compliance, risk, and ESG had some very good questions to ask before engaging with a US vendor, but some of them were very US-centric and others took a platform based approach. (You certainly need a platform, but certain areas, like security, go beyond the platform.)

But if we generalize these questions, they are relevant for everyone, and make it clear why you need a Third Party Risk Management (TPRM) platform that goes beyond just key suppliers/vendors, and beyond product and service needs. (And if you’re wondering why you need a TPRM, check out Part 4A and Part 4B of our new Source-to-Pay+ series where we are currently focussing on Risk Management.) They’re also industry independent and can allow you to short circuit a time-consuming industry (product/service) specific diligence because if the third party fails any of these questions, why would you bother going deeper? Just move on to the next contender!

  1. Does the vendor meet the needs of its customer base?: Any major negative news headlines? Any drops in financial performance? Any grumblings on Glassdoor? Any of your counterparts in local groups or associations using them and bad-mouthing them?
  2. Does the vendor have the operational capability AND capacity to serve you?: If you need a modern machining process or a vendor who can produce a minimum of a million units, don’t bother with any vendors that don’t have the process or can’t produce a million units.
  3. What financial and sustainability reporting process are they subject to?: The best way to ascertain their ability to stay compliant with financial and other regulatory (like ESG) requirements is to review the government reports. (They may [white] lie in their marketing, and then claim you misinterpreted, but they’re not as likely to lie to the government who could fine them, criminally charge them [in some countries], or shut them down.)
  4. How do they approach security?: Not just cyber security, but facility security, personnel security, and information security. Over half the attacks come from the cloud because it’s easy when you leave a security hole: hackers don’t have to leave their basement, they can attack you from half a world away, and they face no repercussions because there are no extradition treaties and the local authorities just don’t give a f*ck if they aren’t doing any criminal activity in their country. But when that fails, their local counterparts try to break into the facilities — if the vendor stores unsecured physical copies of critical IP, local backups of sensitive IP on unsecured USB/Zip/Thumb drives, or a lot of money on site — all someone has to do is walk in with a workman’s uniform, enter the backroom to check the wiring when no one’s in it, stuff something in their workbag or pocket, and, buh-bye. If your personnel are not trained to detect social engineering attempts, then someone’s going to have a little chat with them, something like “Hi, what do you do? Oh, is that your doggie in the picture, what’s your doggie’s name? My doggie’s name was Scooter. You know it’s my birthday tomorrow. I’m a Scorpio. What about you? So you were born in 1979 and you’re a goat like me in the Chinese zodiac? Cool! Hey, you know that I was just reading that most people use their birthday and pet’s name as a password. I thought it was only me. What, you do too? Aww, so cute. Well, nice meeting you.” Network access granted! And then if you’re not ensuring that all personal, confidential, or sensitive IP is clearly marked, that physical copies are only stored in locked filing cabinets, and that files are always encrypted and only kept on secure, encrypted network drives, hackers are going to easily find those files accessible from limited access accounts with weak passwords that can be brute-forced.
  5. Do they do business with any entities sanctioned in your country?: If so, they are probably a no-go. You don’t want to be only one degree of separation removed from a sanctioned entity. (And, of course, they shouldn’t be sanctioned — because you shouldn’t be considering them at all if they are!)
  6. Would you have a backup plan if their suppliers or partners they relied on got sanctioned?: I.e., if you need to locate a complete production line in one geography, and there is only one supplier of a key raw material or part in that geography, maybe you’re looking in the wrong geography.
  7. What is their viewpoint on diversity?: Great suppliers encourage diversity and look for good people that represent the entire cross-section of humanity in the area in which they operate; they don’t have arbitrary goals or the one Token black in the C-suite to check a box; they hire all races, cultures, religions, ages, etc., train them all, and then promote the best (and, over time, they build a diverse management team).
  8. Are their objectives aligned with your objectives?: If your objective is quality and distinction for the wealthy, and their objective is cut costs no matter what, they are probably not the supplier for you.
  9. Do they have a sustainability program? And is it sensible?: In some jurisdictions, they not only have to report down to “Scope 3”, but stay within a limit for overall emissions, or get in (financial) trouble (with fines, etc.). And if you have to report as well for doing business with them, or to satisfy the regulatory requirements of a region you operate in, and they can’t report to you, that’s not good. Not good at all.
  10. What level of risk will they add to your business?: If you’re happy with the answers to the first 9 questions, before you dive deep into certifying their products and services, their production lines and capacities, etc., ask this first. If the risk is too great in general, it might be a no-go before you start. And this is why you need a comprehensive TPRM platform to do a preliminary assessment.

And yes, Certa is one platform that might be able to help you, and one you should add to your RFP invite list if you don’t have a TPRM. We will note that they’re not the only one (and this could be relevant if you are in the EU and need a local provider), and that we’ll list others in Part 10 of our Source-to-Pay+ series, but close by stating that you should not overlook Certa. They’ve been around for a decade, have raised over 50M, likely integrate into whatever you’re already using in your Source-to-Pay process (with integrations to 100+ platforms and data feeds), have pre-built solutions for Compliance / Risk / ESG, and have a number of Fortune 500 clients.