Most third party risk managers eventually deal with bad vendor contracts. In most cases, these contracts – which lack important provisions or no longer conform to regulatory requirements or organizational guidelines – pose significant risks to the organization. Many of these risks can be mitigated, be doing so requires a well-defined process, a robust third party risk management capability and the right mindset.
It’s important to note that poorly drafted or outdated vendor contracts exist in most organizations. It’s not a reflection on the company, but a painful reality of the lack of coordination between risk management and contracting groups. In the past, I conducted comprehensive reviews of vendor contracts at major financial institutions. These reviews routinely unearthed numerous contracts that were out of alignment with current corporate standards, regulations and/or best practices. As veteran IT writer John Edwards asserts in a new CIO article, “Like death, taxes and network downtime, bad contracts are a fact of life for most IT leaders.”
John was kind enough to reach out to me for some insights while researching his article, “7 Tips for Getting Out of a Bad Vendor Contract.” The overall guidance and specific steps John presents in his piece are right on the mark, and I encourage you to give it a read. While addressing the interview questions John put to me, I reviewed several considerations that are important for third party risk managers to keep in mind when dealing with unacceptable contracts, including:
- Risk and value are crucial to assess: When determining what is problematic about a vendor contract, it is important to first gain a high-level understanding of the risk the organization faces if the contract is not revised. It is similarly important to determine the value of the vendor relationship to the organization. By understanding the magnitude of risk and the value of the relationship, third party risk managers will have a better sense of how aggressively they should push for changes to the contract.
- Modifications can be made at any time: Contracts can be modified even when they are not up for renewal. Changes in regulatory requirements, industry standards and technology are the most frequent reasons driving the need for adjustments. You can always approach a vendor and lay out reasons for altering the contract.
- Contract modifications can be costly and time-consuming for both parties: The better the relationship is, the more likely the vendor will be to engage in a meaningful discussion about changing the contract. That’s important because contract modifications can be a costly and laborious endeavor for both the organization and the third party. When you clearly convey your business rationale for the change, your vendor is more likely to collaborate with you on a solution. That said, you also should be prepared to offer concessions given that the changes may create additional costs for the vendor. It is also helpful to develop and agree on a timeline to implement the operational changes needed to comply with the terms of the revised contract.
- Be prepared for termination: In cases where the vendor is unwilling to modify the contract (and where the organization is unwilling to accept the attendant risk), termination may be the only option. Terminating a vendor relationship works most effectively when defined processes are in place for managing any transfer of data (or other assets), validating vendor compliance with termination requirements, and selecting a replacement vendor.
Ideally, terminations can be avoided when bad contracts are uncovered. This positive outcome is more likely to occur when a vendor views your organization as a critical business partner and is willing to work with you to find a solution acceptable to both parties.