We’ve all experienced the end of a relationship. Sometimes the two parties involved are no longer compatible. Maybe one party realizes that it just isn’t working out. Or they’ve found someone better. Or perhaps there’s been an unforgivable breach of contract.
Naturally we’re talking about an organization’s partnership with a third-party provider and the importance of mitigating third-party risk. There’s a distinct lifecycle to every business relationship—new relationships, existing and evergreen relationships, renewals and terminations.
Managing third-party contracts can be a delicate matter throughout this lifecycle. When it comes to terminating these contracts, the need to have a well-defined strategy already in place is paramount. A contingency plan built upon established business standards and best practices can help avoid damages, alleviate any reputational risks, and help facilitate a smooth exit.
There are four basic types of termination:
- Normal: The business relationship is no longer necessary or appropriate
- Cause: There is irreparable violation of contract terms
- Convenience: Either you or the vendor has a better arrangement/opportunity
- Regulatory/supervisory: The vendor cannot live up to regulatory expectations
“Third Party Contract Development, Adherence & Management,” © 2018 The Santa Fe Group, Shared Assessments Program
It’s crucial to ensure that the predetermined terms of the contract are acceptably fulfilled in the final stages of the third-party vendor relationship. This includes any ongoing services with the departing vendor; recovery of work product and intellectual property; data recovery and security; and a seamless transition to the new provider, if applicable.
More specific best practices will need to be implemented if the contract was terminated for cause. For example, was the provider appropriately rated? Did internal controls or assessment methods fail? Was penetration (pen) testing conducted and evaluated by credentialed testers? These questions can help safeguard third-party business relationships and guide future contract negotiation processes.
In business, as in one’s personal life, it always helps to have an exit strategy, based on open communication and shared expectations agreed upon from the very beginning.
And, you should probably get that in writing.
A brief chat with Tom Garrubba, Senior Director/CISO of Shared Assessments, The Santa Fe Group
In your experience, what are some of the core reasons that a third-party contract is terminated for cause (i.e. fraud or misrepresentation)? What are some examples?
In most cases [the third party] is just not able to achieve what fits into the agreement. Basic cause is when vendors overpromise and underdeliver. Or if they’re falling way behind and start grossly misrepresenting what they said they could do. We need to monitor the contracts. You should be getting something back from the vendor for not living up to contract expectations.
I was in a situation at my previous employer where we had a vendor that did something kind of crafty. A company can turn to a vendor and say, we don’t really have much of an increase in budget next year so we need you guys to hold on to your fees. So this vendor took its offshore support and shifted it from India to China because it’s much lower cost.
They did it on the backend. They’re still supporting your system but now the cost went from $100/hour to $60/hour and they never told the business unit. They didn’t break the contract per se but what they did was kind of unethical, doing something and not telling us about it. You can’t say at that point, I’m taking my ball and going home. But they were banned from all new projects and not allowed to bid on upcoming projects.
How can a business protect itself to mitigate the inherent risks of working with third-party providers?
Get everything in the contract. Organizations I’ve had conversations with are not very good at it – they’re working in a silo. Sometimes they don’t want to focus on risk because they want to get things up and running.