The Importance of Vendor Risk Assessments

When buying a car, do you rush straight to the dealership and purchase the first car you found online? Or do you do your research, kick the tires, and take it for a test drive? Most of us conduct our “due diligence” before buying a car: researching the models we’d like to buy, taking several test drives, and having the mechanics checked. The same due diligence should be applied to every vendor you plan to use within your company, regardless of the vendor’s size, in the form of a vendor risk assessment. Existing vendors should be reviewed every one to two years as well. For example, has anyone reviewed their financials? Do you know whether you can get your data back if they go bankrupt? Do you know whether they’re governed by laws outside of your country?

In larger companies, vendor risk assessments are typically performed by risk analysts, technology auditors, and information security staff, working in conjunction with the vendor management and procurement departments. In smaller companies, there may be a one- or two-person team responsible for conducting the vendor risk assessment. In many startups, vendor risk assessments are an afterthought. If you don’t perform a vendor risk assessment on your vendors today, take a look at the Risk Assessment Toolkit from the State of California’s Department of Technology, Information Security Office, to get you started. Many other sample templates and resources are available online as well. There is also a great video on assessing technology vendor risk and security from Monte Ratzlaff, Security Manager at UC Davis Health System, presenting “Vendor Risks: Evaluating the Security of New Technology”.

At this point, some of you may be thinking, “Well, I don’t need a risk assessment on ____ (insert name of vendor), they’re huge!” Right? Wrong. I’ve worked with technology audit professionals on the review of hundreds (if not thousands) of technology vendors and yes, some of those “huge” vendors can have red flags for you and your company. Whether it’s the fact that they’re in the middle of a merger, they’re outsourcing their development team, or they don’t carry enough insurance to cover you in the event of a breach, the scenarios vary depending on what your company considers a risk and how that risk is categorized. If you need a tool to understand the risks associated with the project you’re considering, take a look at this post by BrightHub PM; it has a lot of great information on creating a risk matrix and how to use it.

In the end, think of a vendor risk assessment as a way to kick the tires of the prospective vendor before buying a lemon whose carburetor is going to explode once you drive it off the lot. If you’re interested in performing a proof of concept or proof of technology with the vendor once they pass the vendor risk assessment, check out an earlier post I wrote on this topic, and good luck!

Staying Relevant

A friend of mine recently mentioned that he was a “dinosaur” as we were discussing different mobile social media platforms. I started thinking, “How can we, as technology vendor management and procurement professionals, stay relevant in an age of such rapidly changing technology?” For all of you “dinosaurs” out there, here are a few things to help you come out of the Mesozoic Era:

1) Create a Twitter account. Yes, I’m talking to you. Don’t roll your eyes! Twitter is an amazing place where information spreads so quickly that you’ll see it there before mainstream media picks it up. How does this affect you? Well, if you’re putting together a deal with a certain vendor (think successful start-up) and they’ve been bought out (say, by a behemoth T-Rex vendor), you’ll typically find out on Twitter first.

2) Try blogging. Now you’ve started to panic. “Blog?! I have to blog?” If you’re just punching in and punching out, waiting for the next boat to Shangri-La, then don’t worry about it. However, if you’re passionate about your field and have something to say, consider writing your own blog or posting on someone else’s. For me, it’s exciting to share my knowledge, but also to learn from others as I read their blogs.

All in all, staying relevant in the field of technology vendor management and procurement is very important, so give it a try and find me on Twitter, @vendorchronicle!

Do you have a technology vendor management question?

The reason I started this blog was to provide a toolkit for those of you working with technology vendors, as there isn’t much out there on this topic, especially as it relates to vendor management, project management, contract management and procurement. If you have a question on any of these topics, contact me using the form below and I’ll post my answer on this blog along with your question (you’re welcome to ask anonymously).

I really enjoy discussing these topics and think this approach would be a great way to create a helpful community of people who have experienced similar issues. If your vendor isn’t in the technology space, that’s fine too; I’ve worked with plenty of vendors outside of technology and would be happy to answer your questions as well. Please remember that I’m not an attorney, so I can’t provide legal advice, but I do have many years of experience in technology vendor management, project management, contract management and procurement / strategic sourcing.

Looking forward to your feedback and some great discussions!

Avoid Making Emotional Contract Decisions

A friend of mine is working through a difficult landlord / tenant situation. She signed the lease quickly, excited to move into the condo of her dreams. It’s close to the metro, has the perfect square footage, great neighbors, and the price was right. The landlord seemed nice when she was signing the lease and she felt they had a good rapport. Fast forward a few months and the landlord has gone from Dr. Jekyll to Mr. Hyde. Unfortunately, she was in such a hurry to sign on the dotted line that she didn’t thoroughly read the lease, and she is now stuck with a bad contract that gives her barely any tenant rights.

Has this ever happened with a contract you signed? This is a question for customers and vendors alike. Emotions can run high when negotiating contracts. The key, however, is to read the contract and not enter into it in haste, regardless of how badly you want the deal. Did you wake up one morning and think, “Who are these people?!” Did you sign a contract and later look back on it with regret? Signing a bad contract is more common than you’d imagine. What can you do? Unfortunately for my friend, she’s trapped with her landlord for another seven months. But is there a way out of your situation?

In a previous post, I wrote about termination for convenience. Hopefully you have this provision in your contract, allowing you to terminate without having to show cause. If you don’t, you’re in a tougher position. A material breach of the contract would give you cause to terminate, but that’s pretty rare.

So, if the termination for convenience option doesn’t exist and you’re stuck with one another, I’d recommend a one-on-one meeting with the vendor (or customer) to work out how to make lemonade out of lemons. This doesn’t need to be a screaming match; it’s likely you’re not the only one unhappy with the situation. How can both parties’ needs be met? Talk with them about amending the contract to add a 90-day improvement period with termination language: if the improvement period doesn’t yield results, either party can terminate the agreement. If you have internal counsel, speak with them about additional options. If you don’t have the luxury of internal counsel, consider an external counsel consultation. Keep in mind that fees may need to be paid on termination. If so, the pain may be great enough that it’s worth the money. Look at Starbucks: it terminated a deal with Kraft to the tune of $2.8 billion. Yes, you read that correctly. Billion with a “b”.

If the deal isn’t working out contractually, don’t let your emotions get in the way and tell you that “it’ll all work out”. Take a hard look at what you’ll need to live with if you sign the contract. Just remember that there are plenty of other vendors, clients, and in my friend’s case, condos out there.

How Much Are You Paying Your Technology Vendors Upfront?

Too much? Some of you are thinking, “I don’t pay vendors a dime upfront!” Some of you stopped and thought, “Well, I did that before, but I’d never do it again.” And some of you said, “Yeah, what’s the problem with it?”

The problem with paying vendors too much upfront is that you lose leverage when the rubber meets the road. When the vendor tells you that the software you paid millions of dollars for upfront is “working as designed” when you know it’s a defect, what leverage do you have? Unfortunately, if you’ve already paid most of the money, you don’t have a leg to stand on.

Now, don’t get me wrong: a scenario where 20% of the contract value is paid upfront isn’t an issue. Tiered payments throughout the contract, released as the vendor meets its milestones, are a great idea and also aren’t an issue.

I’m talking about all-or-nothing payments up front, or large lump sums paid for services not yet rendered or software not yet delivered. I’ve heard of Tier 1 technology vendors commanding over $1,000,000 up front before performing technology services on a $3,000,000 contract. Really? A cool million? For what? First class seats? You had better hope you’ve got GSA travel rates in your contract, or you really will be paying for first class seats!

If a vendor tells you that all fees, or a very large sum, must be paid upfront for services or software, ask the five whys to get to the center of that Tootsie Pop. I guarantee you’ll find something fishy!

Negotiating Vendor Cloud Computing Contracts

I stumbled across a phenomenal paper entitled Negotiating Cloud Contracts: Looking at Clouds from Both Sides Now, written by W. Kuan Hon, Christopher Millard and Ian Walden and published in the Stanford Technology Law Review in the fall of 2012. What’s fascinating is that it’s the first paper I’ve seen that objectively reviews the negotiating process between buyers and sellers of cloud computing services.

In the first part of the paper, the authors describe the cloud market: “The top ten strategic trends for 2013 include, are based on, or incorporate cloud computing; those trends include personal cloud, hybrid information technology and computing, cloud-based analytics, in memory computing and integrated technology ecosystems. However, the cloud market is still relatively immature. The state of providers’ standard contract terms seem to reflect this” (Hon, Millard, Walden, 80-81).

After reading those sentences, I almost fainted. Those of you negotiating vendor cloud contracts alongside me probably just fainted as well. This is what I’ve been jumping up and down about for the past year: cloud vendor contracts are very poor and are not in the customer’s favor. Is “the cloud” really that bright and shiny?

I think it is, and I’ll tell you why. When a customer who has been dragging around an old, patched version of an enterprise software solution is told by the cloud vendor that their enterprise data can be migrated in about ten weeks to a cloud version that doesn’t require patches, downtime, or Charlton Heston’s cast of thousands to maintain it, all they can think is “Where do I sign??!!”

I was once told that these cloud vendors are “too large to negotiate with.” Really? My answer is no, they aren’t too large to negotiate with, and you can negotiate with them from a pricing perspective, a contracting perspective, or both. The key to negotiating with cloud vendors, however, is to plan up front.

If you’re a small organization, you can still leverage your buying power. You may not have a lot of funds to spend on external counsel, but that doesn’t mean you have to take the contract negotiations lying down. Push for the business terms you need in your contract and see how far you can get. Most importantly, you can still purchase with power. Just as in the fable of the crow dropping pebbles into the pitcher to raise the water, you’ll eventually accumulate enough purchasing power to feel the leverage. Don’t allow your teams to purchase $10,000 or $30,000 licenses from the same vendor separately. Plan your cloud spending so that you’re putting down a large chunk of change at one time, then ask for that discount!

For those of you who spend millions of dollars a year on enterprise cloud solutions, meet with your procurement / sourcing, legal and IT departments to understand holistically where you’re spending now, how much is being spent, and who you’re spending it with. Is your legal department open to creating your company’s own cloud agreement? Given the paper cited above, most cloud vendor agreements are woefully inadequate. Why not come up with your own template that you can use repeatedly with multiple cloud vendors? From a pricing perspective, you are the big fish. You should remain in control, regardless of what the vendor tells you on pricing. Push for the discount and request it every time. If you don’t, you’re missing out on saving your company millions of dollars a year.

For negotiations with cloud vendors to work, the purchasing and legal departments need to work side by side with the business. This includes coordinated efforts with the vendor during both pricing and contractual negotiations. Unfortunately, dear customers, the cloud vendors are counting on you to be so desperate that you will swallow any bitter pill they bestow upon you and your colleagues during pricing and contract negotiations. In a previous post, I wrote about the hard truths of cloud vendor SLAs. However, I encourage you to truly understand the power you have when negotiating with a cloud vendor. Take your time to choose the vendor that will support your organization, and don’t settle for the scraps you’re thrown.

A Few Things to Consider When Choosing a Contract Management System

For quite a while now, I’ve been involved in a contract management system integration project and wanted to talk generally about a few things to consider when choosing a contract management system.

1) I’ve said this in other posts, but don’t choose the brightest, shiniest object you found online or at a conference! If you type “software contract management” into Google, you will not get a list of articles about best practices in the field of software contract management. What you will find are vendors who have done some very creative SEO (search engine optimization) work to get their keywords and products to the top of the results. Do your homework and your due diligence!

2) Users are stakeholders too. The stakeholder group is larger than the management team; it includes the users as well. These are the people who will be using the software day in and day out, so it only makes sense to give them input into the selection process. As a bonus, you’ll achieve immediate buy-in if you involve them from the beginning. But leave them in the dark for two years while you purchase, develop and then release the software, then make it mandatory for them to use a system they had no input into? Well, good luck with that one!

3) Think about the big picture for your department. Is this going to be integrated with an ERP system next year and then with another product two years down the road? How will other departments interact with your system? What systems do they currently use? Ask your IT department for assistance if they’re not already involved, and let them diagram the architecture and understand the enterprise impacts of the system you’re considering at the beginning of the process. Note the emphasis on beginning.

4) Don’t rush. I know we’re almost in Q4 and everyone’s trying to burn down 2013 funds, but don’t buy a contract management system in a rush. If you have to spend the money now, how about spending it on a consultant who can assess your needs for a contract management system? Do you already have a homegrown system that can be expanded? Do you have money in 2014 that you can earmark now for this expenditure? If you’re truly in a rush and have to spend that money before the end of the year, take a hard look at your options and make a solid plan that’s in the best interest of your team, your department and your organization.

Good luck!