The Evolving Role of the CPO in 2021 and Beyond
Crises are great teachers. One business lesson from 2020 is that while global supply chains may be efficient, they are not always resilient. The COVID-19 pandemic caused so much disruption that it laid bare the inherent risks that exist in a “just in time” supply chain philosophy. This was a blaring wake-up call that supply chain risk must be better managed, and in this, procurement has an essential role.
In the past, procurement has too often been an afterthought in business strategy and planning. Value was sought in the margins, and procurement was primarily focused on transactions, supporting business requests after decisions were already made. With disparate processes and criteria that were often siloed by function or business unit, risk mitigation was more reactive than proactive, which owed in part to limited visibility into the supply chain.
Using legacy, on-premise technology and a patchwork of single-purpose solutions, many CPOs lacked an enterprise-level view of vendor risk management. These challenges persist. found that only half of CPOs enjoy high or very high visibility into tier 1 suppliers, and 90% of organisations rated their visibility into extended supply networks as moderate to very low.
Given instances of fraud, the need for regulatory compliance, and the impact disruptions have on operations and revenue, procurement requires a deeper understanding of the supply base. This includes understanding a third-party’s ownership structure, its portfolio of customers and partners, the strength of its finances, and a variety of other factors that impact resilience and reputation.
A silver lining of the challenges in 2020 is that executives increasingly appreciate that procurement is a core capability that can support enterprise growth. As a component of this, there is a growing call for procurement strategy to align with brand strategy. Consumers, customers, investors, and analysts factor corporate responsibility into their decisions. In the current social climate, aligning brand values with procurement decisions supports a healthy, differentiating view of an enterprise’s social accountability.
Heading into 2021, these themes are priorities for procurement. Yet, recognising the need does not in of itself expand a CPO’s capacity to manage risk and cost.
An Opportunity to Transform
In Deloitte’s Flash Survey, 64% of CPOs reported they are shifting from assuring supply continuity into new efforts to adapt supply chains to the post-pandemic world. In some ways, what’s old is new again. Procurement offices are striving to make better sourcing decisions, including dual sourcing. CPOs are also looking to expand their supplier base. The Flash Survey showed that 31% of CPOs rank “refining geographic supplier base” as the primary tactic for expanding, and another 24% reported their approach as a “shift to nearshore/regional.”
While these efforts move toward resilience, they also inject more potential risk into the supply chain. A risk assessment during onboarding with periodic reviews is insufficient, as CPOs require a real-time view of the supplier risk profile. Fortunately, there are third-party capabilities that permit this, allowing a company to calculate not just the risk to the enterprise (e.g., supply reliability, brand reputation), but also the risks a vendor may encounter.
Meanwhile, CPOs face the dual imperative of managing cost and price. The Flash Survey showed that the highest current priority for CPOs is cost management, receiving about eight times more day-to-day focus than other areas. With strained revenue, procurement must understand how costs and commitments impact cash flow and identify ways to reduce or defer those commitments. At the same time, CPOs must continue cost-effective category management, seizing efficiencies and savings where available.
When it comes to managing risk, spend management transparency, and aligning business strategies, conventional approaches to procurement are not up to the task. Manual spreadsheets, offline modelling, and legacy technology do not support enhanced risk, spend, and third-party management. The time to transform procurement is now.
An end-to-end transformation initiative may seem hard, particularly as enterprises focus on cost management. And yet, this is precisely what is needed to enhance management capabilities with a direct impact on the bottom line. World-class S2P processes and tools are a business imperative, not just a procurement function.
Consider a future state where KPIs allow procurement to more effectively monitor costs, contract leakage, and vendor management. Standardised processes are enabled through leading cloud-based applications, which evolve and improve over time. Procurement has a broader, deeper understanding of traceable and accurate data that guides decision making and elevates category management strategies to their full potential.
This world-class procurement is attainable. CPOs will face new challenges and identify new opportunities in the months and years ahead, and when procurement is transformed, they will be positioned to do more than survive. They will thrive.
Google and NIST Address Supply Chain Cybersecurity
As high-level supply chain attacks hit the news, Google and the U.S. National Institute of Standards and Technology (NIST) have both developed proposals for how to address software supply chain security. This isn’t a new field, unfortunately. Since supply chains are a critical part of business resilience, criminals have no qualms about targeting its software. That’s why identifying, assessing, and mitigating cyber supply chain risks (C-SCRM) is at the top of Google and NIST’s respective agendas.
High-Profile Supply Chain Attacks
According to Google, no comprehensive end-to-end framework exists to mitigate threats across the software supply chain. [Yet] ‘there is an urgent need for a solution in the face of the eye-opening, multi-billion-dollar attacks in recent months...some of which could have been prevented or made more difficult’.
Here are several of the largest cybersecurity failures in recent months:
- SolarWinds. Alleged Russian hackers slipped malicious code into a routine software update, which they then used as a Trojan horse for a massive cyberattack.
- Codecov. Attackers used automation to collect credentials and raid ‘additional resources’, such as data from other software development vendors.
- Malicious attacks on open-source repositories. Out of 1,000 GitHub accounts, more than one in five contained at least one dependency confusion-related misconfiguration.
As a result of these attacks and Biden’s recent cybersecurity mandate, NIST and Google took action. NIST held a 1,400-person workshop and published 150 papers worth of recommendations from Microsoft, Synopsys, The Linux Foundation, and other software experts; Google will work with popular source, build, and packaging platforms to help companies implement and excel at their SLSA framework.
What Are Their Recommendations?
Here’s a quick recap: NIST has grouped together recommendations to create federal standards; Google has developed an end-to-end framework called Supply Chain Levels for Software Artifacts (SLSA)—pronounced “Salsa”. Both address software procurement and security.
Now, here’s the slightly more in-depth version:
- NIST. The organisation wants more ‘rigorous and predictable’ ways to secure critical software. They suggest that firms use vulnerability disclosure programmes (VDP) and software bills of materials (SBOM), consider simplifying their software and give at least one developer per project security training.
- Google. The company thinks that SLSA will encompass the source-build-publish software workflow. Essentially, the four-level framework helps businesses make informed choices about the security of the software they use, with SLSA 4 representing an ideal end state.
If this all sounds very abstract, consider the recent SolarWinds attack. The attacker compromised the build platform, installed an implant, and injected malicious behaviour during each build. According to Google, higher SLSA levels would have required stronger security controls for the build platform, making it more difficult for the attacker to succeed.
How Do The Proposals Differ?
As Brian Fox, the co-founder and CTO at Sonatype, sees it, NIST and Google have created proposals that complement each other. ‘The NIST [version] is focused on defining minimum requirements for software sold to the government’, he explained, while Google ‘goes [further] and proposes a specific model for scoring the supply chain. NIST is currently focused on the “what”. Google, along with other industry leaders, is grappling with the “how”’.