Daniel Robbins, VP-ISO, State Bank and Trust Company
Stakeholders are a very important aspect of managing overall performance expectations within an organization. It is a good business practice to keep those stakeholders engaged and informed for optimal effectiveness. With this obligation, how does your Contract Management process and protocols achieve the requirements of a highly effective program today?
One of the first things to contemplate in answering that question is how much money an organization may be leaving on the table when it comes to the hundreds and maybe even thousands of contracts they must manage. Inefficiencies can cause more than just productivity issues; it can cost money, impact future income, add unacceptable risk, and become a legal nightmare if not managed properly. How would your stakeholders feel about the downside of not having an effective contract management process?
In my experience from a team perspective, the more depth of involvement and review by stakeholders and those responsible for risk management, the better the outcome will be in your contract oversight in managing providers, plus the benefit of controlling current and future purchasing costs. The “set it and forget” mode of managing contracts would be disastrous in today’s cyber intense environment for many reasons.
Confidentiality, integrity, and availability of information are mission-critical
There needs to be a clear set of objectives that must be achieved in performing the right protocol for Contract Management. The following are the top three objectives that would be mandates to achieve overall success:
Objective #1 – There should be no surprises in your Contract Management outcomes. To avoid this, automation is a critical requirement. Having a third party tracking information system that is easily maintained as related to due diligence for performance review is the baseline of any program. Providing appropriate reporting keeps contract information up to date and should go a long way to eliminating surprises such as termination fees, conversion fees, and service deficiencies.
An Enterprise Contract Management tracking system also will help in keeping track of regulatory requirements and any non-compliance with contractual commitments. Included should be the support of a third party based risk assessment that will document the review of System and Organization Controls Reports (SOC I, II, and III) showing any deficiencies that could be deal breakers. Third party entity controls have become more critical due to cyber-crime activity hitting an organization through a contractual third party. An authentic risk management approach to contract and third party management will pay dividends to the organization.
Objective #2 – Be certain that a third party has an internal sponsor and an appropriate criticality rating for the contract. It is important to identify the most critical third party’s for your company and then have an overarching plan for how to deal with a critical third party if they were impacted by a disaster. Again, automation for this objective is also important to be able to properly categorize and denote action items for review.
How quickly and accurately could you grasp the impact that a major weather event would have in affecting your business? Knowing the critical third parties and having a synopsis of their Disaster Recovery or Business Continuity Plans would put your organization a step ahead in the event of a declared disaster. In addition, how would a third party contractually react to your operational disaster? Including this level of analysis as part of the third party due diligence and recorded in an Enterprise Contract Management tracking system will give stakeholders valuable insight to expectations in the event that disaster occurs.
Objective #3 – Make sure your contracts protect your company’s assets. Everyone has had some shady character trying to pass a spurious contract off on them, but today’s business risk comes in the form of properly protecting company assets such as proprietary information and client data. Confidentiality, integrity, and availability of information are mission-critical. As a consequence, how your contracts address the protection of company assets is an important priority for successful Enterprise Contract Management.
Would you be able today to pull together an accurate snapshot of what third parties have access to valuable data across the enterprise? A third party may store your client data while another might store employee data, and yet another third party could store proprietary business data in completely different locations. Have you seen the larger picture of risk and exposure when all of the dots are connected? In addition, contracts must contain language about the security and disposal of the data (think GDPR) and issues such as a contract stating that your client’s data may be stored in another country, all of this will be easily tracked when consolidated with enterprise level automation.
Overall Outcome – Performance measures or benchmarks for stakeholders will be obtained. Compliance with applicable laws and regulations will be tracked and third party risk will be better tracked leading to no surprises in managing contracts with an Enterprise Contract Management approach and protocol.