What are your Vendor Compliance/Third-Party risk program norms when presented a contract/instrument wherein the service organization WILL NOT accept redlines/modifications/etc.?
What we've done as of recently, is to start by asking the service organization whether they will contemplate our proposed modifications, prior to investing the time and resources into the endeavor, so as to not waste our time if they will not consider changes. Does anyone else follow this practice, or do others feel that the endeavor of reviewing the contract language & making propositions should be taken on even if the service organization is unlikely to or has even stated that they will not allow alterations? We've recently had an internal stakeholder raise the concern that asking them whether they will consider changes gives them the opportunity to say "no." I understand this way of thinking, but I am also trying to consider the time and resource constraints involved with reviewing an instrument against an unwavering counterparty.
Another aspect that I am curious how your organizations handle is in instances where the service provider will not agree to any modifications, what is the role that Vendor Compliance/Third-Party risk plays? Do you all simply pass the contract along to the executive stakeholder and inform them that in order to proceed, they must read and understand (and accept, assign, or mitigate) the risks? Or does your team do something more in depth to assist the executive stakeholder such as reviewing it with them, create checklists for them, etc. I am observing a lack of ownership by executive stakeholders when it comes to reading and understanding the actual responsibilities and terms of the agreements and am beginning to wonder if it has to do with my approach.
Any thoughts you can share on these matters would be greatly appreciated!
We always review the contract and determine risk in the contractual language. We will request redlines for items that are non-negotiables. Sometimes that means we will not proceed with a contract for the service. Depending on the service and risk of missing contract language, the approval to proceed with the risk may require governance committee approval. So depending on the risk, the business may not have the authority to accept the risk.
We also don't mention redlines until we review the contract and have specific reasons for our request.
I review the contract and send the redlines regardless. Even if vendors respond that they're not willing to make modifications, I have my redlines and notes to send to the vendor owners, making them aware of the terms in the contract that are either risky or undesirable. Either way, the contract should be / needs to be reviewed so the risks can be identified.
I don't think seeing a lack of ownership is just you. I've worked in this realm at two different places and have see it at both.
The initial contract is likely written in favor of the vendor. We would never consider asking the vendor up front if they will accept modifications.
We have in-house counsel for contract reviews, and they let the Business Owner know which redlines are "nice to have" vs. "deal-breakers." In the case of a deal-breaker, Counsel works with the Business Owner and vendor to try different approaches to modifications to get the contract approved.
If modifications are not possible and depending on the product/service, existence of other possible vendors, and other criteria, the issue would be escalated to senior management for an "accept the risk" approval, or "walk away" decision.