Contract Management

  • 1.  Contract Management Q&A

    Posted 09-24-2019 02:51 PM

    Hi everyone, last week Venminder had their Third Party Risk Management Bootcamp! Check out contract management related questions that were asked during the sessions and chime in with further questions or thoughts. The team thought it would be helpful to share them and also provide answers. The event was three days, 6 sessions and 11 presentations long, covered by nine experts. It covered a lot of great information. If you're interested in viewing the recordings, you'll find the link on the Program Improvement library page.

    Q: How do you mitigate against being prisoners of non-compliant vendors who we have already contracted with and are providing critical services that will be costly and time-consuming to move away from?
    A: First, make sure you're tracking all the contractual standards. Next, make sure you're documenting any deviations from the planned activities. Also, keep senior management and the board advised well in advance if you're planning to terminate the contract and why so that they're prepared to back you.

     

    Q: How do you implement service improvement plans in contracts?
    A: Carefully have Legal craft expectations on specific performance objectives and milestones in your service level agreements.

     

    Q: You make it sound like we should be creating the contract. In most cases, the contract is created by the vendor and we review it for items we want to be added to it. You asked about whether we have a section that determines what happens to our data. We do not always control this and sometimes it is not that easy to get this added to a contract.
    A: To me, that is a show-stopper. When ApplePay did that, I went running to my risk committee with my hair on fire practically – while ApplePay ended up winning with their boilerplate contract, of course, my concerns were documented for the record and noted should there have been a problem or concern in the next exam. Similarly, had there been an ensuing use of data violation or cross selling of information or UDAAP concern, I had protected us to some extent.

     

    Q: How do you handle vendors that do not have a contract?
    A: Attempt to gain at least a statement of work or some sort of written agreement.


    Brittany Padgett
    Community Manager
    Third Party ThinkTank