Contract Management

 View Only
  • 1.  Aggregate Risk Exposure

    Posted 01-19-2023 09:05 AM

    Hello all! I'm reaching out to this group to solicit feedback, best practices, or lessons learned related to potential risk exposure associated with ever expanding relationships with third parties and how other organizations may address aspects of this exposure in terms of their agreements. I've provided a hypothetical example below:

     The Really Great Co. (TRGC) is a third party to our organization and over time our relationship with them has expanded to include additional services. Each new service adds a new Statement of Work to the existing Master Services Agreement. The Master Services Agreement was negotiated when there was one service with TRGC meaning that some areas such as insurance requirements, as an example, were designed in consideration of just one service. Other contractual considerations may be in areas of indemnification, limitation of liability, etc. where the agreement may have not considered future engagements.

     As we consider this scenario and any potential adjustments to our process we would like to understand if any other organization has addressed similar circumstances and if so, what was done? Should areas such as insurance, indemnification, limitation of liability, etc. be revisited or renegotiated with every new SOW, when certain triggers are met (number of services, dollars spent), or only at MSA expiration or renewal? Are there situations or considerations that I may be overlooking? 

    I appreciate any info!



  • 2.  RE: Aggregate Risk Exposure

    Posted 01-20-2023 09:11 AM
    Eric,
    In these instances, re-negotiating the MSA or terms as new SOWs are being reviewed by Legal and negotiated would be a good start.  Older agreements may not have some of the basic privacy, data protection, insurance, right to audit, and other provisions that we may need or want to have, so addressing those as they come up for renewal or in some cases re-negotiating in term is a great idea. The more difficult task is identifying and determining all of the various components you need or want in an agreement and figuring out how to incorporate those (with your Legal teams) as part of the contract negotiation or renewal process.  Just my thoughts, hope this is helpful.

    ------------------------------
    Brandon Mayfield
    Vendor Management
    ------------------------------



  • 3.  RE: Aggregate Risk Exposure

    Posted 01-20-2023 09:20 AM

    Hi Eric,

     

    We periodically add new products or services that are provided by our existing vendors. If we haven't vetted the vendor in recent months (depending on their risk level), or if there are separate documents for the new product or service, such as a separate SOC report, we will obtain the new documents and then vet the product and vendor. We run the new product/vendor through our Enterprise Change Management Committee, that is made up of members of IS, IT, Compliance, Audit, ERM, Legal and Vendor Management We review the documentation applicable to each of us and determine if we want to move forward. If yes, resources and priority levels are assigned to get it on the project list.

     

    I hope this helps.

     

    Cheryl

     






  • 4.  RE: Aggregate Risk Exposure

    Posted 01-20-2023 09:23 AM
    As good practice you should be reviewing your supplier segmentation annually and hopefully this way you'll pick up on increased levels of spend or service scope creep. Alternatively get yourself on the sign-off for Statements of Work!!

    ------------------------------
    Martin
    ------------------------------