Effective Vendor Contracts For TPRM

How do you develop effective vendor contracts that keep pace with changing threats? This blog post answers that question and is derived from Shared Assessments’ November 17, 2020 webinar on the topic. The discussion points to flexibility, the most crucial approach to everything this past year, as the single most important requirement for contracting with vendors in a dynamic risk environment.

Brad Keller (Senior Vice President & CSO, Shared Assessments) covered the factors impacting contract development, defined effective contracting for the full vendor lifecycle and, finally, brought to light trends in contract management. (Keller was joined by Kerin Sikorski, Principal Marketing Program Manager at Process Unity, a strong solution integrated closely with the SIG that specializes in automating third party risk programs.)

Factors Impacting Contract Development

Because the lifetime of a vendor contract exists within a rapidly changing world, you must build flexibility for monitoring, modification or revision before contract renewal. Risk Management has seen big changes to inherent risk resulting from the pandemic and regulatory landscape. This change calls for a more interactive, dynamic contracting process.

On top of maintaining the flexibility of vendor contracts, your program needs to ask how important a vendor’s service is to the organization. Can you deliver services to your clients if your vendor is impacted by a security event? What is the business impact (revenue, reputation and downtime) if a vendor service is unavailable? Balance these questions against these key factors impacting contract development: 

  • Regulatory Changes
  • Security event implications including:
    • Data breach/incident
    • Change management
    • Contract breaches
    • Performance related lapses
    • External events

Effective Contracting For Full Vendor Lifecycle

Whether you are considering the contract for a new relationship or for renewal, the process remains the same: it is critical that you know the risks from outsourcing any activity. As the diagram below shows, contracts map out your vendor relationship. Contracts set forth how you manage rights, roles, responsibilities and what the vendor is obligated to do for you, the customer, for the entirety of the relationship.

[Figure: Vendor Lifecycle]

Your vendor contracts should be built around your organization’s business requirements and ensure your vendor can deliver on these. To approach this correctly, while developing contracts:

  • Define business requirements – consider deliverables, time to market, support needed.
  • Define technical requirements – contemplate this from a data and IT security perspective.
  • Define vendor requirements – keep in mind needs for access, availability and insurance.
  • Examine vendor outsourcing – make sure your contracts cover fourth parties. (In fact, the contract can be used as a tool for understanding outsourced risk – if a company is concerned enough about the vendor’s management of subcontractors, contracting directly with the fourth party to fully understand risk in this area is an option.)

To ensure a vendor is performing their services at the levels your organization needs, you must clearly define success criteria! The absence of success points to a VERY important facet of contracting: exit strategy. The major types of contract termination are well known: normal circumstances (when the business relationship is no longer necessary or appropriate), cause (irreparable violation of contract terms), convenience (one of you has a better arrangement/opportunity) or because of regulatory/supervisory causes.

A well-defined termination strategy is fair to both parties and outlines how the relationship will wind down through:

  • Ongoing services
  • Work product and IP transition
  • Keeping same vendor team in place
  • Cooperation with new provider
  • Need for parallel services
  • Cost
  • Data security and transfer/destruction – ability to validate
  • Recovery of data from any subcontractors/licensees – ability to validate requirements

Exit strategy needs to include contingency planning – what needs to happen if you need to transfer vendors?

Trends in Vendor Contracting

New regulations, changes in the threat landscape and interruptions in the supply chain require a new awareness during the contracting process. These changes include US and International data privacy laws, the evolving Internet of Things (IoT), and emerging cyber threats and technology risks as well as the impact of COVID-19.

Circling back to the flexibility that should uphold the third party contracting processes, contracts should develop time-bound exceptions for vendors to recover and resume operations in the face of disaster, but with caution. A Force Majeure clause will cover for the unforeseen (the norm this year) as it allows for legal termination of the contract due to delay in or failure of performance by either party due to “labor disturbance, national emergency, pandemic”. However, the standard Force Majeure clause does not contemplate revisions to the relationship to account for unforeseen events making performance impossible (if only on a temporary basis). Changes to the standard Force Majeure clause are then essential to guiding your business through challenging times.

In closing, effective vendor contracts keep pace with changing threats through flexibility, firm understanding of business needs, clear definition of success criteria and exit strategy.