Most third party risk managers eventually deal with bad vendor contracts. In most cases, these contracts – which lack important provisions or no longer conform to regulatory requirements or organisational guidelines – pose significant risks to the organisation. Many of these risks can be mitigated, but doing so requires a well-defined process, a robust third party risk management capability and the right mindset.
It’s important to note that poorly drafted or outdated vendor contracts exist in most organisations. They are not a reflection on the company, but a painful reality of the lack of coordination between risk management and contracting groups.
In the past, I conducted comprehensive reviews of vendor contracts at major financial institutions. These reviews routinely unearthed numerous contracts that were out of alignment with current corporate standards, regulations and/or best practices. As veteran IT writer John Edwards asserts in a new CIO article, “Like death, taxes and network downtime, bad contracts are a fact of life for most IT leaders.”
John was kind enough to reach out to me for some insights while researching his article, “7 Tips for Getting Out of a Bad Vendor Contract.” The overall guidance and specific steps John presents in his piece are right on the mark, and I encourage you to give it a read. While addressing the interview questions John put to me, I reviewed several considerations that are important for third party risk managers to keep in mind when dealing with unacceptable contracts, including:
Risk and value are crucial to assess:
When determining what is problematic about a vendor contract, it is important to first gain a high-level understanding of the risk the organisation faces if the contract is not revised. It is similarly important to determine the value of the vendor relationship to the organisation. By understanding the magnitude of risk and the value of the relationship, third party risk managers will have a better sense of how aggressively they should push for changes to the contract.
Modifications can be made at any time:
Contracts can be modified even when they are not up for renewal. Changes in regulatory requirements, industry standards and technology are the most frequent reasons driving the need for adjustments. You can always approach a vendor and lay out reasons for altering the contract.
Contract modifications can be costly and time-consuming for both parties:
The better the relationship is, the more likely the vendor will be to engage in a meaningful discussion about changing the contract. That’s important because contract modifications can be a costly and laborious endeavor for both the organisation and the third party. When you clearly convey your business rationale for the change, your vendor is more likely to collaborate with you on a solution. That said, you also should be prepared to offer concessions given that the changes may create additional costs for the vendor. It is also helpful to develop and agree on a timeline to implement the operational changes needed to comply with the terms of the revised contract.
Be prepared for termination:
In cases where the vendor is unwilling to modify the contract (and where the organisation is unwilling to accept the attendant risk), termination may be the only option. Terminating a vendor relationship works most effectively when defined processes are in place for managing any transfer of data (or other assets), validating vendor compliance with termination requirements, and selecting a replacement vendor.
Ideally, terminations can be avoided when bad contracts are uncovered. This positive outcome is more likely to occur when a vendor views your organisation as a critical business partner and is willing to work with you to find a solution acceptable to both parties.
About The Author
Brad Keller, Senior Vice President – Santa Fe Group and Shared Assessments Program has been developing and leading risk management programs for more than 30 years. Brad came from Prevalent Inc. where he was Senior Director for Third Party Strategy, focused on assisting clients with the evaluation and enhancement of their third party programs. In his previous stint as a Santa Fe Group employee, he led the development of Vendor Risk Management Maturity Model (VRMMM) and the Certified Third Party Risk Professional (CTPRP) program. He spent many years in Banking, where he was responsible for risk management, privacy, and regulatory compliance, including third party oversight. Brad has served as an online privacy and compliance officer where he was responsible for the implementation and management of the policies and processes for third party contract compliance.
This blog was originally published by Shared Assessments and is used with their kind permission.