Oh, such a nice dream -- skipping the contract review process! Please don't do that! Your only real option is to create a well-documented process, then identify all potential risks before signing the contract. The saying "hindsight is 20/20" fits perfectly when it comes to contracts, doesn't it? In an ideal world, the department managing the contracting process would be notified by the business unit far in advance, with plenty of time to review the contract. But it's not an ideal world! If you think cutting corners doesn't lead to problems, think again!
Stop in Your Tracks!
In the eyes of your business unit, taking time to stop may appear only to slow down the execution of the contract. If so, they overlook the fact that stopping creates an opportunity to fully evaluate their own needs and requirements.
The same applies to third-party vendors. It is impossible to execute a well-written contract if you don't know the vital details of the potential relationship with the third-party vendor. That is another reason to ask the key questions and research all the issues surrounding the business requirements.
Let the word CONTRACTS ask the key questions
Compliance -- are there any compliance risks?
Regulatory requirements vary among industries. You may run into instances where a potential third-party vendor is not regulated by the same regulatory agency -- or not even regulated at all!
- Such a case cannot simply be passed over because the third-party vendor is unregulated.
- Therefore, to ensure your organization is protected, include appropriate terms and conditions in the contract requiring the third-party vendor to comply with the regulatory requirements that apply to your organization.
Operational -- what risks may result from failed or inadequate performance caused by the third-party vendor's employees, subcontractors or system errors, or from breaches resulting from internal or external events?
- Consider the impact of technology, people, and the demands of regulatory requirements.
- Request to review the third-party vendor's Business Continuity Plan and Disaster Recovery Plan.[1]
- Based on the type of products or services, verify a contract section exists that includes information regarding pandemics.
Negotiation -- what are the drivers of the relationship?
- Pricing is important, but pricing is not the only factor to consider when negotiating a contract.
- Amounts and quantities must be determined. Therefore:
  - request shorter or longer terms;
  - inquire about upgrades;
  - make sure the payment terms are feasible; and
  - determine any incentives available.
Transactional -- what is the impact if you discover that a third-party vendor has system errors caused by human error or by insufficient or failed procedures?
- Include Service Level Agreements (SLAs) and Key Performance Indicators (KPIs) within the contract.[2]
- Business units should review the SLAs and KPIs to evaluate the performance of the third-party vendor.
Reputational -- what is the third-party vendor’s reputation?
- Conduct enhanced due diligence searches to identify whether concerns exist regarding the third-party vendor, such as negative news, alerts, branding, lawsuits, breaches, etc.[3]
- Tools are available that can assist with automating real-time searches during the onboarding process and continuous monitoring.
Assess -- has the third-party vendor completed a risk assessment and due diligence review to identify inherent risk and residual risk factors?
- Issue a risk assessment and due diligence questionnaire based on the third-party vendor's risk level.[4]
- Ongoing monitoring is also important during the lifecycle of the contract to determine if concerns exist or if additional language is needed during the renewal process.
Concentrate -- do other relevant contracts already exist with the same third-party vendor(s)?
- Identify potential alternative third-party vendors.
- Try to avoid having all your eggs in one basket with the same third-party vendor.
Termination -- what could be the impact if the contract is terminated unexpectedly by either party?
- Find out the termination notification requirements.
- Determine if penalties exist for early termination.
- Consider the time it will take to replace the third-party vendor.
Solvency -- would there be a significant impact if the third-party vendor unexpectedly went out of business or could no longer provide the product or service?
- A thorough review and monitoring of the third-party vendor's financial stability is highly recommended before you execute the contract; and
- a subject matter expert should perform this review as part of the ongoing monitoring process.
Even after you have understood the potential risks, remember that not all third-party vendor relationships are equal. The subject matter experts will know what to look for during their reviews and will understand how the frequency of ongoing monitoring is determined by the third-party vendor's risk level.
Look Beyond the Obvious -- key stakeholders
It is important to collaborate with others throughout the organization and identify the appropriate internal stakeholders you expect to review the contract. You need many perspectives on a contract, because each contract section is critical to a specific area of your business.
Based on the type of contract, you will need to engage one or more of the following key stakeholders:
- The business unit seeks to fulfill business needs, which might include one or more of the following:
  - mitigating the risk;
  - improving the process;
  - reducing expenses;
  - knowing the applicable regulatory requirement;
  - enhancing revenue opportunities;
  - being strategic and innovative throughout all activities; and
  - drilling down to identify all specific business needs.
- Procurement helps the business unit operate within the third-party vendor selection process; negotiates the terms and conditions of the contract; and provides any additional support to the business unit throughout the contract lifecycle.
- The legal team reviews the contract from a legal perspective and will ensure the appropriate clauses exist within the contract.
- The vendor risk team seeks to identify and mitigate potential residual and inherent risks by performing initial and ongoing risk assessments and due diligence reviews.
- The information security team reviews the supporting documentation as well as the third-party vendor’s ability to protect the organization’s proprietary information and non-public personal information (NPPI) provided by customers or business partners.
Remember -- all reviews and redlines should be trackable and monitored, and each subject-matter expert should review the contract from different perspectives. Having that paper trail will keep all thoughts on track and help establish expectations across all departments.
Furthermore, internal meetings are essential, because they give all parties a chance to discuss concerns and better understand the business requirements and objectives of any new third-party vendor relationship.
Top 2022 Risks
Other risks to consider are more relevant than ever. These include cyber risks, information security, and environmental, social and governance (ESG). Gartner offers an excellent breakdown of the top 2022 risks.[5]
Active Listening Pays Off
In addition to asking good questions and listening to the business unit and the potential third-party vendor, it is essential to establish a good (win-win) business relationship from the start. A well-written contract will clearly spell out the details of the relationship. Additional clauses may be needed to ensure the proper language is in place.
Include Key Clauses
You may want to consider adding the following clauses to the contract if they are not included already:
- A right to audit clause
- Completion of a due diligence questionnaire by the third-party vendor, who will also:
  - provide audited financials;
  - permit onsite visits;
  - provide supporting documentation regarding the third-party vendor's information security posture; and
  - provide evidence of adequate insurance coverage throughout the lifecycle of the contract, based on the type of service (e.g., cyber insurance, professional liability, workers' compensation, or other types of insurance).
- Details regarding the return of data (include format and timing)
- Retention of information by the third-party vendor
- Proof of destruction of data and proprietary information by the third-party vendor
Trust and Verify -- avoiding breaches
An article published by TechRepublic in November 2020 reported that a study found 31% of third-party vendors could do considerable damage to organizations if breached.[6] This means 31% of vendors are considered a material risk in the event of a breach. So, in addition to having the third-party vendor complete the due diligence questionnaire, taking additional steps will help you identify how to mitigate potential risk.
Potential options to consider during the trust and verify process may include conducting an onsite visit, scheduling a virtual meeting with the third-party vendor’s subject matter experts, and implementing continuous monitoring tools that provide real-time alerts.
Good documentation is critical - Document, Document, and Document.
Avoid Buyer’s Remorse
Rushing to get a contract signed can be very costly in many ways. If you are seeing a pattern within your organization of contracts not being properly vetted before being executed, you need to respond immediately. Understanding why the gaps exist and then assessing corrective actions will obviously improve the process. Get support from executive management to close these gaps as soon as possible to avoid having buyer’s remorse and be sure to do this before the regulators discover any potential problem.
Hindsight means recognizing only after the fact something that could have been seen earlier. Once both parties have fully executed the contract, both organizations must live with everything that comes with it. Having the key internal stakeholders engaged sooner rather than later will help mitigate potential risks.
You will always experience some risk with every third-party vendor relationship, which is why it is naive to treat each risk level equally. Executive management should define the organization's risk appetite in order to determine next steps.
Sign and Date on the Dotted Line
The information within this article is not an exclusive list of risks that can occur prior to signing a contract. Highlighted are some reminders of areas that are often forgotten or overlooked. Key takeaways are:
- establish a written process,
- take your time, and
- remain consistent.
STOP, LOOK, and LISTEN prior to executing that contract. You will be glad you did!
[1] See also "Are You Reviewing Your Vendor's BCP and Disaster Recovery?", Venminder article, 2020.
[2] Service Level Agreements (SLAs) you make with your customer generally define how your relationship will work in the future. By contrast, Key Performance Indicators (KPIs) are the measurements (aka metrics) your organization or department uses to analyze how well a team performed against agreed standards.
[3] See "Enhanced Due Diligence for High Risk Customers", a DealRoom article. Business continuity develops ways to keep a business up and running during a disaster; disaster recovery focuses on how to restore data access and IT infrastructure after a disaster.
[4] "What is a Due Diligence Questionnaire -- 6 DDQ Examples", a SecurityScorecard article.
[5] See Gartner press release, March 7, 2022, titled "Gartner Identifies Top Security and Risk Management Trends for 2022". See also Gartner press release, Sydney, Australia, June 21, 2022, titled "Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23".
[6] "Study finds 31% of third-party vendors could cause significant damage to organizations if breached", Jonathan Greig, TechRepublic, November 20, 2020.
ABOUT THE AUTHOR
Chris has an extensive background within the banking and consumer finance industries with an emphasis in regulatory compliance and third-party risk management. Her skillset includes the ability to identify solutions to improve internal processes. She is an initiative-taker, and an exceptional analytical person. These skills have assisted Chris in successfully developing and implementing the current Third-party Risk Management program at her organization.