Getting the P2P message heard when no-one is really interested
Everyone thinks they’re at the centre of the universe. In a business it’s the sales guys who claim all the credit for growth and profit. After all, how would the business thrive without customers? The R&D people will argue that without great products the sales guys would have nothing to sell. The CEO claims credit for leadership without which the business would have no direction. The founders want to be recognised for the bright idea they had in the first place that started the company. They are all right of course in the sense that all parts of a business play a critically important role but it is also true to say that some functions struggle more than others to gain recognition. Perhaps it’s because no-one really understands what they do or maybe they do understand – it’s just that it’s boring.
Working within a a business function that, to the outside is not really that interesting makes it very hard when it comes to securing budget or priority over other competing departments. Purchase to pay is about the least glamorous and least understood back office function that I can think of and so it’s a constant challenge to position P2P as a priority but there’s one tip I’d like to share that I’ve used to get attention and secure budget.
The problem with P2P is it’s boring. But it’s also critical especially to large businesses. Trying to explain why something that is a little arcane and dull is more likely to send people to sleep than to get them excited enough to support you. My recommendation is not to explain it at all – instead talk about something people do understand.
It is standard practice to maintain software that protects an organization from external vulnerabilities. As soon as a security patch is deemed safe, it’s applied at the earliest opportunity. Why wouldn’t you? Who would make a decision to knowingly remain exposed to a known threat if there’s protection available? A CFO wouldn’t think twice about supporting a programme to ensure that a business was safe from the threat of external attack whether it be from worms, trojans, bots or denial of service attacks. The CFO hasn’t got a clue what any of that means but he knows what he’s afraid of. If an IT geek tried to raise funds for an IT security budget by trying to teach the board how a worm works, he’d be laughed at. Instead, it’s best to simply fan the flames of fear and tell a few horror stories.
How serious is the IT threat? Some would say that the threat from third parties exploiting vulnerabilities in an IT infrastructure are immeasurable. If customer data is compromised it could bring down the whole company. But really, this is just one of the horror stories that gets people to pay attention. Of course there’s a serious risk in leaving a company’s IT infrastructure exposed to attack and I wouldn’t want to diminish it but let’s not pretend that the risk is always that big. Most IT security measures are simply pragmatic steps to ensure that data and systems are kept safe. It’s humdrum, a little bit technical and difficult to explain but to ignore it is foolhardy and is potentially – if rarely – disastrous.
This is very closely analogous to purchase to pay vulnerabilities. Maintain old paper processes, use shortcuts and lax controls and most of the time, nothing much will go wrong. But it is very sloppy housekeeping and, like IT security flaws, if unchecked, could lead to disaster. Persuading the business about the importance of POs and three way matching in AP will bore people to death – instead tell them a few horror stories. Don’t tell them the detail of what you need to do, just tell them what will happen if you fail to act. Use scary language like “vulnerabilities”, “fraud” and “theft”. Have some real life case studies to hand in your industry and tell your decision makers what could happen on their watch if they ignore your advice. Suddenly you will find that P2P is no longer boring.
Pete Loughlin can be found on twitter @peteloughlin