What blocks implementing playbooks and contract risk policies?
Aurelia and I have been having many conversations with in-house teams recently about their contracting processes and how our Managed Contracts service might help.
Those we speak to almost universally agree that having a playbook or risk policy for supplier contracts would be a good thing.
However, they assume that to implement one is a huge piece of work and needs significant scale to be worth the effort, especially if outsourced.
What is a risk policy?
A risk policy is a standard position on (a) what issues you are concerned about in a specific type of agreement; (b) how risky your organisation considers each of those issues to be; and (c) who should be able to approve different risks.
They are then rather surprised and pleased to hear that we can get them started with a customised risk policy in as little as 15 minutes of their time, with no minimum volume of contracts and with no set up fee.
So, what makes it difficult, and what have we done to make it easier?
In this article I cover:
figuring out the issues, and your position on them;
business adoption; and
reporting on compliance with your policy in an effective way.
Figuring out the issues and your position on them
Experienced commercial lawyers have their “watch points” built into their brains – when you read something that isn’t right, you just know it.
Trying to turn that into a list of issues, even without making them usable, can be a task in itself.
Then you need to start framing them in a way that makes sense in a policy and present them in a way that your business will understand. When you start doing that, you start thinking about all the variations and edge cases.
This only gets more complicated if you are regulated, with all or some of your supplier contracts falling, for instance, within the scope of FCA SYSC8, the EBA outsourcing guidelines or, soon, DORA.
We’ve done this all for you. We’ve created a contract risk framework that maps out the possible risks for a given contract type (e.g. SaaS), meaning all you need to do is select your “watch points” from our menu of risks.
What’s more, we provide you with a suggested red-amber-green (RAG) rating, based on our experience across other in-house teams. Though if you would like to override it, you can.
Do you need to specify a different collection of risks, a different RAG rating for different contract types or different tiers of the same contract type? We allow you to do that, too.
We’ve built our risk framework on a principle of “standardised customisation”. This way, we can offer you the customisation you need around the edges, without needing to re-invent the wheel for every client. Thus, no lengthy or expensive set up process – for you or for us.
Business adoption
I have talked before about why business adoption is essential. Whilst you might be able to enforce a contracting policy on your business to a degree, you will get a much better buy in and reception from our colleagues if they are onside.
For a contracting policy to be successful, we believe it should:
make the process/policy the easier path for your business colleagues;
make sure the output enhances your business colleagues’ productivity; and
empower your business colleagues with the knowledge they need to make quicker and better-informed decisions, without needing to lean on legal as heavily.
The TL;DR of which is: if you make it good to use, it sells itself to your business colleagues.
Making the process around the policy the easy path
Our platform provides your business colleagues with a user-friendly form that speaks their language, asks all the right questions upfront to avoid email traffic and only asks the questions it needs to, based on the relevant risk policy.
Our lawyers then aim to turn around reviews in 24 hours, allowing your business colleagues to keep up momentum on their deal.
Making the output enhance productivity
We’ve designed our risk reports to be filterable and skim-readable – allowing you to find and review the information you need to in minutes – and drill down into more detail only if you want or need to.
We’ve then gone a step further and added features that make negotiation and internal feedback a cinch:
we automatically produce an issues list that your business colleagues can use to negotiate, or that they can use to narrow down the issues they need help on from the in-house team or us; and
we make it a breeze to raise escalations and get feedback from your business colleagues on specific points, tracking conversations and outcomes without endless email chains.
Empowering your colleagues with knowledge
We’ve boiled down our 50+ years of collective knowledge into business-friendly guidance that your business colleagues can access via the platform themselves. We provide them with:
The “so what” – why does this risk matter, and when might it not matter?
Potential mitigations – what can the business do to reduce a risk that can’t be negotiated away?
Is it market – is it common for other businesses to accept this risk?
This allows your business colleagues to make better decisions where legal support isn’t available, and reduce their reliance on the legal team for day-to-day issues.
If you’d rather your business colleagues didn’t make that call on the big-ticket risks themselves, you can set up an escalation policy so that they must defer to your team (or someone else in the business, like your DPO), giving you the best of both worlds.
Effective reporting on compliance
The best policies are ones where you can measure compliance – on a live basis or over a period.
Traditional contract reviews are great for “on the spot” compliance, but they don’t allow you to easily:
measure compliance at a granular level (e.g. down to the clause(s));
measure compliance over a period; or
identify trends and other insights which might drive, for instance, regulator or shareholder reporting, finance decisions, insurance decisions or policy optimisations.
We capture every single risk as a separate data point with a structured answer – allowing you to drill into your portfolio of supplier contracts like you might website analytics.
This data is yours and you can export it whenever you like, so if your risk team wants to interrogate it in Tableau or Power BI, or you want to push it into your contract lifecycle management system – no problem.
If you are interested in hearing more about how our managed contracts service might help, book in a call with Aurelia and I.