Contract Management: You have to know the contract exists, negotiate terms to mitigate risk for the organization and understand milestone and obligations prospectively.
As the CIO at a law firm with 650 attorneys across 15 offices, I can review upwards of 10 contracts per month. It is extremely important to thoroughly and completely review the business and legal terms of every contract to ensure your interests are represented and that you completely understand what you are about to sign. That being said, the sheer volume of contracts to be dealt with, to say nothing of their disparate subject matters and timelines, makes managing them a difficult task, to say the least. This is where a risk department—and an enterprise contract management system—can be a valuable asset to a CIO.
One of the most critical goals of contract review is to identify all the key data points that need to be tracked. These include renewal terms, service-level agreements, indemnity clauses, reassignments, and termination options. Then, once you have taken the time to painstakingly extract and document these key data points, you need some way to be able to effectively manage them. Not being able to recall the details quickly when you need to could have financial repercussions, lead to a contractual breach, or even worse. If your organization experiences loss of service, for instance, you do not want to scramble to figure out the service-level agreement (SLA) to identify what your course of action should be. If there is an automatic renewal clause and you miss the contractual date by which you need to notify a vendor you are terminating the service, you may be stuck having to pay for that service for some period of time. The financial impacts may be even more far-reaching because you may already have contracted with another vendor for that same service.
However, even before the review, negotiation, and finalization of contracts, many organizations struggle with the simple challenge of knowing the contract even exists in the first place. Using an enterprise contract management system allows you to identify and catalog the critical components of a contract and to easily and quickly recall them when needed. Once executed, contracts should be entered into a repository with report generation and date tracking capabilities, with the categories of importance varying from industry to industry. While having immediate access to the actual contract is also important, the quick snapshot of data is a critical step in understanding enterprise risk related issues. A good system can also alert you to upcoming critical events, like renewal. If you negotiate a contract in 2018, those terms may no longer be appropriate in 2023. You should understand the lifespan of your contracts and make sure to review them based on that timeline. Take the opportunity to renegotiate terms that no longer meet your needs.
Kim A. Wismer, CIO, Ballard Spahr LLP
Using an enterprise contract management system allows you to identify and catalog the critical components of a contract and to easily and quickly recall them when needed
While the CIO sees about 10 contracts per month, an organization’s risk group sees all contracts and can leverage language and lessons learned from the various contracts. Typically, the risk group will handle the cumbersome review and negotiation of key provisions with an eye toward saving the CIO time. For many decentralized organizations, the business-unit owner is often the only individual responsible for the review and execution of contracts, often without a basic understanding of the gravity of the provisions and without negotiation experience of any kind. Consider a basic Non-Disclosure Agreement (NDA)—the business-unit owner could take the time to carefully review the four-page NDA in size 6 font that a vendor last updated in the 1990s, or the business-unit owner could delegate the review to the risk department, which, in turn, will likely ask the vendor to execute your standard NDA. This creates a consistent internal workflow and allows your risk group to:
1. Understand the needs of the business
2. Understand the nature of the relationship with the contract partner, including the types of services being provided
3. Perform the necessary vendor / third-party assessments, and
4. Understand the provisions governing the relationship and obligations of the parties
Another benefit and risk strategy, especially in an organization that executes numerous contracts, is implementing consistent revisions to routine boilerplate terms in order to maintain consistency across enterprise-wide contracts. Insurance, indemnification, confidentiality, auto-renewal, and termination provisions are critical terms that appear in almost every modern contract, but the language will vary significantly from contract to contract. The organization can determine its risk appetite in advance and attempt to apply that across all related provisions within contracts with different parties. In the event of a reportable cyber incident, for example, knowing your internal stakeholders are comfortable with notice within 48hoursmakes a significant difference between striking or negotiating the word “immediately" to revising with a more reasonable “immediately but no later than 48 hours"—especially if applied consistently to all contracts. This, in part, eliminates the various contractual notification timeframes and provisions at play in the enterprise. If the organization, as a matter of policy, does not agree to reimburse for certain costs or does not agree to auto-renewal provisions, then catching and revising those provisions becomes routine to the risk group but peripheral to the decentralized business owner looking to execute quickly. With a decentralized system, and in addition to the need to track key deadlines, there are no controls over what has been agreed to and how those provisions may deviate from the organization’s standard policies and procedures.
The risk management aspect of enterprise contract management is also critical to ensure uniform review and negotiation of terms and to ensure a deep understanding of the provisions that you owe your clients and that your third parties owe you.
The need for enterprise contract management and risk review is illustrated brilliantly in various electronic data agreements. Consider a scenario in which your organization, which has decentralized contract management, suffers a reportable cyber incident or data breach affecting several clients. Where are your contracts? Are there reporting obligations that exceed those required by applicable law or statute? Did you agree to notify your clients immediately, promptly, within two hours, 24 hours, 48 hours, or 72 hours? Did you agree to email your contact, a generic client email address, or the client's own information services team? Is there a provision, for example, that requires the client's consent before you notify law enforcement or other third parties? How long would it take you to track down these contracts and provisions while managing a cyber incident and related obligations (if you even know they exist)? Since many electronic data agreements generally contain an indemnification provision that touches upon both breach of contract and the loss of data, violating any one of the above-referenced scenarios could increase your liability even if your organization maintains reasonable security standards. Centralized contract management alleviates many of these issues.
In closing, enterprise contract management allows organizations to control, track, and manage contracts and corresponding key terms and deadlines, better assess the organization’s business needs and risk appetites and enforce uniformity among common contractual provisions that affect virtually all contracts within the enterprise. They can be a powerful tool the risk department can use to make a CIO’s job—and life—easier