Aviva’s £8.2M FCA fine a stark reminder that regulated firms cannot outsource their regulatory responsibilities
Senior Partner Robert Zahler Named a Top Legal IT Innovator by LegalWeek
Retail Law Conference 2016
Oh, That'll Never HappenAt the outset of an outsourcing relationship, you are inevitably feeling some level of excitement about the future. You have crunched your numbers, done your due diligence, and chosen a first-rate supplier who has proposed a solution that will transform the way your company does business.
As you enter the contract negotiation stage of the process, both you and the supplier are riding a wave of goodwill. They won the business, and you have a deal that you like. With some simple collaboration, it should take no time to memorialize the deal in a contract. At this point, the last thing you want to talk about is what could go wrong. So when a colleague or advisor cautions you about a potential pitfall, your first reaction is often: "Oh, that'll never happen!"
Unfortunately, it can. And it does.
In an outsourcing relationship, you place an enormous amount of trust in your outsourcing supplier. Trust is healthy! You have made this decision for a reason, and it is important not to over-manage the relationship. However, it is equally important to ensure you have a contract that anticipates and addresses the risks inherent in most outsourcing relationships (and there are many). Below we describe four key risk areas where the likelihood of having a big problem seemed very small, until it actually happened:
- Data Loss. Your data is your business. Losing it or suffering a data breach – whether by an outside hacker or a rogue supplier employee, or the accidental misplacement of hard drives (all actual examples) – can result in immeasurable harm to your operations, your finances and your reputation. You can mitigate this risk to some extent by (i) conducting due diligence upfront to understand exactly how and where your supplier will store and access your data, (ii) imposing clear obligations on your supplier to comply with global data privacy laws, regulations and standards like PCI-DSS where appropriate, (iii) periodically auditing your supplier's data privacy policies and procedures, and (iv) ensuring your contract allocates at least some of the risk of a data breach to your supplier to ensure your incentives are aligned.
- Disasters. "Of course we back up our service delivery centers! Our backup capabilities are second-to-none." Surely a big and successful supplier has the best backup capabilities in the industry, right? While this is often true, we find that many suppliers fail to deploy and test these capabilities for all their clients. They may have the right infrastructure on the floor, but they do not perform the planning and testing necessary to ensure recovery time and recovery point objectives are achieved when an actual disaster occurs. Or they may have the right plan in place initially, but not update it to cover new critical systems that you later bring into your environment. As a result, in addition to documenting supplier obligations in the contract, you should conduct periodic reviews of your supplier's disaster recovery plans and policies, and participate in disaster recovery tests to ensure the supplier is meeting these obligations. Trust but verify!
- Ownership of Intellectual Property. Your supplier will be developing software, and you have come to an agreement about the ownership of the particular software components. Sounds easy. However, without careful consideration of the way the provisions are described in the contract, you may later find that you don't own everything you thought you did. In other words, you might have the car, but not the keys. In addition to losing the inherent value in the intellectual property, this can make it more expensive and time consuming to transition away from your supplier when your relationship comes to an end. This risk can be mitigated by spending the time to identify the various kinds of intellectual property that may arise in your outsourcing relationship (e.g., patents, copyrights, trademarks in a joint venture), and clearly allocating both the rights to them and the risks associated with infringement and misappropriation claims.
- Performance Failure. What leverage do you have to address performance failures by your supplier? Performance problems of one sort or another will inevitably arise in any large outsourcing relationship, and it's important to ensure that your contract contains the right levers for you to address them. Service level credits may not be enough – you never want to be in a position where the supplier would rather pay the credit than do what's needed to fix the problem. Other levers might include termination for convenience rights, rights to move work to third parties, benchmarking, indemnities to shift liability for performance failures, and clear disengagement assistance provisions to ensure you can transition to a new supplier as a last resort. Your supplier will likely have a great deal of leverage with a long-term contract and control over your operations. You need the right provisions in your contract to "level the playing field" when dealing with performance failures and other problems that arise.
Protecting Yourself without Poisoning the Well
How do you build the trust necessary for a strong outsourcing relationship while negotiating for critical, but oftentimes contentious, risk-mitigating contact provisions?
Pillsbury has the advisors and the experience to guide you through this strategic process – we know how to walk this fine line, and we do it regularly. In fact, in our experience, we have discovered that open and honest negotiations of difficult issues can itself build trust and strengthen relationships. We know the industry, and we have excellent relationships with all the major supplier organizations. And as your advocate, we can push for the tough positions on your behalf while helping you to preserve and build trust with your outsourcing supplier. With Pillsbury's help, you will be able to say: "Oh, that'll never happen…but just in case it does, I know I have taken the right steps to protect our business."