David England, Director
“The best contract is the one you never have to pull out of the drawer.”
That adage describes the idyllic sourcing relationship of old – one built on trust, open communication and aligned objectives. In such an environment, specific contractual terms and obligations rarely need to be called upon, since both sides understand their roles and are committed to success.
While a nice sentiment, the idea that detailed scrutiny of contracts needn’t be a top priority is rapidly becoming a dangerous anachronism. This is especially true in the Financial Services sector, where increasingly rigorous regulatory requirements are raising the bar of third-party risk management to unprecedented heights. In today’s environment, any bank or other financial institution that fails to rigorously document its contractual obligations regarding supplier oversight and compliance, and to thoroughly demonstrate its due diligence in ensuring that those obligations are met, faces the prospect of significant fines and penalties.
Anyone who doubts that the stakes are high should refer to Bulletin 2013-29 from the Office of the Comptroller of the Currency (OCC), which states that a “bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.”
What that ultimately means is that banks must demonstrate adherence to regulatory standards and are liable for risks occurring at any point throughout the entire sourcing lifecycle. All information associated with the relationship must be captured, documented and accessible to regulators to ensure due diligence and compliance at each phase.
Three key issues raised include:
Pre-contracting documentation: Under emerging guidelines and standards, all activity occurring before contract execution must be captured, documented and accessible. Specifically, communications during initial planning, RFP development and provider evaluations are subject to regulatory scrutiny to ensure that evaluations of suppliers were properly conducted.
Organizational communication: The contracting process typically involves multiple organizations – IT, vendor management, compliance and audit, for example. Seamless handoffs are imperative, but in most enterprises, standard contracting review processes either don’t exist, are imperfect or are rarely observed. This increases the risk that one department will mistakenly assume that its rigorous compliance processes are followed by other departments. The result is that actions slip through the cracks. Rigorous oversight of contracting practices across business units is therefore imperative.
Prioritization: The contracting process creates a Pandora’s Box of potential compliance violations. Simply identifying and addressing them haphazardly will lead compliance teams down a series of gopher holes. While this approach will extinguish ad hoc sparks of risk, unattended bonfires will likely be blazing elsewhere. Standard, disciplined approaches are needed to identify risks and rate them by various criteria, such as likelihood and scale of monetary, brand and customer impact.
Bottom line: the notion that rigorous oversight of specific contractual terms is secondary to a relationship of trust – if it was ever true in the first place – is no longer valid. Today, trust and innovation must be built upon a foundation of contract discipline that clearly defines, specifies and verifies mutual obligations from the outset of the relationship and throughout the sourcing lifecycle. Without that foundation in place, clients and providers place themselves in significant peril.
Put differently, a contract that’s been sitting in a drawer for several years will lead to some very unpleasant surprises when the regulators come calling.