Welcome to this week’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder.
In this video, we’re going to cover:
- Regulatory guidance on contract management
- General tips on how best to standardize your approach to contracts
- 13 ideas to guide your contracts
Effective contract management isn’t difficult, it just takes discipline.
The FFIEC provides great guidance in their IT examination handbook regarding vendor contracting. You can use it as a checklist when entering a new vendor relationship or when renegotiating a contract with an existing vendor.
But, GOOD contract management is really all about execution. An enterprise-wide discipline to diligent contract management will ensure maximum value from your outsourced relationship. We see thousands of vendor contracts come across our desks so we thought we’d share a few of the best practices you won’t find in the FFIEC handbook.
Here are 13 good tips to get you started…
- Ensure a complete copy of every 3rd party agreement is stored safely and securely off-site in one single location with multiple user access.
- Use a reliable tool (not Outlook) to track auto renew and expiration dates.
- Even if one person in your organization ultimately owns a vendor relationship/contract, make sure more than one staff member receives auto-renewal notification.
- Pull out those evergreen contracts on a recurring basis, take a quick look and make sure there are no surprises lurking.
- Within your organization, clearly define contract signing authority and the internal processes required post signature.
- Never let a contract auto renew. This takes discipline. A lot of discipline. Nothing is broken, the vendor is performing so it’s easy to move on to more urgent matters.
- Revisiting a contract isn’t always about price. (Although at the very least a moderate loyalty discount should be in order if you plan to give them more term.) It’s your opportunity to:
- Address any performance issues.
- Upgrade if warranted.
- Have a compliance conversation with non-compliant vendorsd.
- Check the contract against the FFIEC guidance and correct any gaps.
- Validate the risk vs. the reward of the relationship.
- Do a market check to make sure you have the right product at a fair price.
- If you don’t have SLA’s in your contract, now is the time to fix that! SLA’s are likely to be your only recourse with a non-performing vendor. And don’t forget, non-performance can be defined many ways. What if your vendor is not financially healthy? That is likely to manifest in poor delivery. So while you won’t likely get termination provisions for poor financial performance, you can get termination provisions for failure to deliver. We can’t stress enough how important SLA’s are to your ability to exit a contract when you have the wrong vendor.
- Never enter a contract without a legal review.
- Don’t mistake a legal review for a compliance review. Your lawyers will protect your liability but, depending on their level of experience with regulatory compliance, they could miss the issues that make it difficult for you to meet your on-going due diligence requirements
- On the subject of compliance, have that conversation before you enter the contract and memorialize it in the contract. We see way too many occasions where the vendor refuses to comply (“we don’t release our financials to clients”) and you’re stuck with unnecessary/unknown risk until the next renewal date.
- Clearly understand the inherent risk of the vendor and address that in the contract. For example, if it’s disastrous to your organization if that vendor is hacked, then define the information security expectations clearly as well as notification and remediation requirements
- One more point on the subject of compliance...if your vendor won’t comply, replace them. Compliance isn’t optional for you. It never should be for them either
To recap, I'm Branan Cooper and thank you for listening! If you haven't already, subscribe to the Third Party Thursday series.