Why Procurement Practitioners Need a New Provider Bill of Rights: Ariba, SAP, and Data Security


For you history buffs out there, what’s most curious about the original Bill of Rights is the limited judicial impact (i.e., legal enforcement) it had for a century and a half since it was originally enacted. There’s a procurement corollary to this as well, so stay with me for a minute. According to Wikipedia anyway, “the Bill of Rights had little judicial impact for the first 150 years of its existence; in the words of Gordon S. Wood, ‘After ratification, most Americans promptly forgot about the first ten amendments to the Constitution.’ The Court made no important decisions protecting free speech rights, for example, until 1931.”

No judicial enforcement for 150 years? That’s a long time. But to say that the Bill of Rights was not effective from day one would be a huge understatement. In fact, much of the original bill of rights became so deeply engrained in the culture and belief structure of the original states that the truly legal implications took a back seat to embedded societal norms and beliefs. Consider just the First Amendment to the constitution (the first “right” in the Bill of Rights): “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.”

Fundamental to the ethos of the US? You betcha. But, of course, legal enforcement would have to ultimately follow the protections the First Amendment afforded. By the same token, as I attempt to spell out a Provider Bill of Rights for procurement, one could argue that the legal enforcement of certain areas (e.g., data protection, privacy, etc.) will take many years to evolve and will ultimately do so on a region-by-region (e.g., EU) or country-by-countrry basis. Yet the business implications of these beliefs are already rooting themselves deeply in certain industries. As I wrote in the previous installment:

While you may roll your eyes at the degree by which PO and invoice data is strategic IP, some of the supporting documents needed to pay third parties performing energy exploration work can contain highly sensitive information.  In other industries such as Financial Services / Insurance, Media & Entertainment, Public Sector, IT/Telecom, etc. you can imagine how such stringent security is critical to protect confidentiality, the corporate brand, and even the safety & well being of the process participants themselves.

Let’s stay on this issue of data security for a moment. Consider Ariba’s lack of deeper security support for standards (compared with Quadrem) coupled with SAP’s hard push to move buyers onto the supplier network by virtue of upgrading to Ariba’s “network applications” (see PBOR Right #1). The sum of these policy choices – and they are choices that SAP/Ariba have made based on business decisions rather than technology limitations – is creating friction for many in the SAP/Ariba ecosystem, by their own choice or otherwise.

Granted, what’s funny (peculiar, not “haha” funny) is that Quadrem will actually be taking a step backwards if it doesn’t support the data security requirements of PIDX, CIDX, and broader exchange protocols such as RNIF, AS2, SOAP, and the like. So, whether it’s SAP, Oracle, or any other large provider, the ability to provide a healthy ecosystem of partners tied into some type of a platform (offered as a service) will become increasingly important and valued by buyers as siloed application functionality becomes increasingly commoditized.

If SAP/Ariba do not move quickly, they will find that a new generation of business network providers such as supply chain information networks (e.g., Elemica, E2open, GT Nexus, etc.) will move in to provide platforms as a service that offer loosely coupled native applications sitting alongside applications and service partners who will increasingly use the same platform components to build their offerings. In other words, the market is already starting to self-correct for the lack of flexibility on SAP/Ariba’s part around data security (which we sincerely hope they’ll reevaluate or at least provide options around).

We fully expect some day that various bodies, legislators, and courts (perhaps in the EU) will challenge SAP/Ariba and others around data security, perhaps as it pertains to the impact of data security around small businesses or sole proprietors, breaching established norms. But this could be decades away. In the meantime, the market may very well self-correct, just as the early citizens of the US and their elected officials adopted the First Amendment (and other elements of the Bill of Rights) without needing the courts to tell them so.

In future posts, I'll discuss how SAP, Oracle, and others (e.g., IBM) compare in such focused PaaS offerings. Yet, as I've alluded to how data confidentiality goes hand-in-hand with data security, in the next post, I'll talk in more detail about its importance in a B2B context.

First Voice

  1. The Business Network:

    Pierre, great article. We couldn’t agree more. For Hubwoo, our customer’s data security is a primary focus: http://www.hubwoo.com/datasecurity/

Discuss this:

Your email address will not be published. Required fields are marked *