By Pete Bazil, Chief Legal Officer, Ensono
IT leaders play an important role in managing contractual risks. Take the time to lean into those risks and take advantage of the opportunities presented, and you’ll deliver appreciable value to the business.
Risk is a strange concept: Opaque notions that could have huge, critical and painful impact... or no impact at all; fears that could manifest at any moment... or not materialize in a century.
This kind of uncertainty is often dreaded by overloaded and time-constrained IT leaders, who need to ruthlessly focus their attention on what they can control and solve for now—not what “could” happen in some hypothetical future scenario. As a result, the typical CIO or IT executive doesn’t usually spend a lot of time digging into the risks in a contract. They might say things like, “Ah, that’s not gonna happen,” “Isn’t that what we have insurance for?” or, my personal favorite (insert sarcasm here), “Legal will take care of it.” To a certain extent, that’s understandable. The great majority of risk is exposed and managed in how you operate. Technical gaps or operational lapses are where the real risks will surface, and no amount of contract magic will be able to completely mitigate the fallout. The rest of the risk can be managed in how you’ve contracted—basically, what happens when things break—which can be very material in terms of impact. It is important that IT leaders and Legal work together to properly anticipate legal ramifications—who owns the liability, what are the remedies, what are the contingency plans, and how can you exit if the vendor doesn’t meet their commitments, among other considerations.
Legal’s attention to potential impacts and risk allocation may at times appear over-protective or unnecessary, but it is their job to partner with leaders to anticipate how things can go bad and have a plan for them. And it’s IT leadership’s job to execute quickly and deliver results. Both mandates need to exist—they’re a natural and important check and balance on each other. But too often they come into conflict, like when a completely new approach or commitment gets urgently escalated late in the game. It does not have to be this way.
When IT leaders take the time up front to understand the risks in a contract, the benefits to the deal, the business, and the leader personally are significant. And to be clear, it does not have to be a massive investment of time or energy drain. Focus on and lean into the key contract risks and you will deliver appreciable value by:
Proactively managing important issues before they crop up.
Saving significant time and money.
Delivering signed agreements faster and with less negotiation, redlines and stress.
The specific risks presented in an IT contract naturally vary from deal to deal. But at a high level, they can be bundled into five key categories, each of which offers an opportunity for those IT leaders who take the time to consider and respond to them.
Technology spending can represent a significant capital expense. Especially in the kind of uncertain economic environment we’re in right now, that kind of commitment comes with pressure to sweat assets and deliver ROI, which can suppress or stop innovation and progress.
Managed Service Providers (MSPs) can offer that same technology in a monthly recurring-cost model without the same level of up-front capital expense, but ultimately they are subject to the same set of ROI pressures. The way MSPs often deal with that is to lock their clients into long-term contracts that assure their return on capital. Great for the provider’s P&L forecast, maybe not so great for your strategic vision or transformation roadmap. In a world of hyperinnovation, being locked into a three- to seven-year contract for any tech is a potential kiss of death, forcing you to press pause on innovation and watch from the sidelines as your competitors pass you by.
One way to mitigate the inherent risks in tech investment is to purchase and undertake in phases where you can, to limit spend in any phase and allow greater flexibility to pivot. It will be important to structure each phase to be able to deliver on its own return, and not be dependent on future phases or timing to unlock that return.
If outsourcing your IT infrastructure to an MSP is part of your strategy, consider partners that offer flexibility and support your digital transformation on the timeline that supports your company’s goals—for example, by enabling you to make a commitment to one IT platform then transition to another later without any early termination fees. You want a partner to be fully allied to and supportive of your longer-term digital transformation journey, rather than be a hindrance to it.
The 2022 Ponemon Institute/IBM Security® Cost of a Data Breach report revealed some not-surprising but nonetheless sobering statistics: The average cost of a data breach in the U.S. is $9.44 million; globally, it’s a lower-but-still-painful $4.33 million.
With 83 percent of the companies studied having experienced at least one breach, all businesses need to approach the risk as a “when, not if” situation and respond accordingly. And while cyber insurance is essential to help cover financial losses resulting from a security breach, you can’t insure your way out of the hit to your reputation or customer goodwill.
What you can do is get out as far ahead of it as possible. Establish clearly defined security processes, controls, tooling and people focused on managing external and internal threats. Subject those processes and protocols to regular testing by internal and external auditors. Enlist a partner to conduct a thorough assessment of your IT estate to surface any weak points or lurking threats and determine recommended remediation and/or hardening actions.
As you rely on technology partners to deliver on these remediations, hardening or other security requirements, it is important that the contracts with those partners directly align with and fully cover those requirements, including clear remedies for any failures, prompt or real-time reporting, and auditing rights as appropriate.
Between the Great Resignation, the quiet quitting phenomenon, and the shortage of mainframe and cloud talent, labor has become an especially acute risk for IT leaders. The pain is even greater for enterprises that run many of their most critical applications on mainframes, as the workers experienced in these platforms and their esoteric software code are aging out. Enterprises are racing to move certain apps from mainframe to the cloud to gain agility, while at the same time trying to outpace the phasing out of the mainframe workforce.
In addition, many enterprises embrace a hybrid IT estate as the future, and the mainframe can be the best place for apps to reside for performance and security reasons. There is a need for the talent to manage these critical platforms. It’s important to have a labor plan that supports this need, now and in the future, through a combination of internal and external sources.
On the internal side, make sure your team members are supported with challenging and fulfilling work that fits within their scope and aligns with their skill set. As Robert Christiansen discusses in “Do you have a zombie workforce?”, and the recent Forrester study cited confirms, this is perhaps a company’s most powerful strategy in reigniting employee engagement, countering quiet quitting and stemming the tide of attrition.
MSPs can support by assuming non-core activities you want to shift off your employees so they can focus on the more important things that differentiate your business. And they give you access to a greater, and sometimes global, pool of talent with expertise in the areas your own team lacks, removing or reducing the expenses associated with higher-cost territories, training and development. Not all talent is the same from a quality-of-experience perspective and some providers can overpromise, so it’s important to do your diligence and get assurance on the depth and breadth of the teams within your chosen MSP, including service level agreements (SLAs) with financial penalties in the contract that put teeth behind those labor commitments. For more, see “Toxic hazard ahead: How to avoid a bad MSP relationship”.
A common goal among tech companies is to reduce the revenue-to-expense ratio over time and increasingly improve margins, delivering greater operating leverage.
For every dollar of revenue, you want, over time, to spend a little less on the stuff that delivers that dollar. Continuous cost optimization is necessary to remain price competitive and win your space.
Have you tested the market recently, through RFP or selective quotes? Consider whether you can buy direct from IT vendors more cost effectively than through a partner, such as a reseller or MSP. In some cases, providers can offer economies of scale that can deliver greater discounting than your company may enjoy on its own. In any case, be sure to contractually lock in the discounting structure and tiers as you consolidate or increase your spend in order to assure lower unit costs or greater value over time.
In addition, MSPs can offer the benefit of converting capital to operating expense or other financial engineering over a committed term, which can help clients seeking to rein in their balance sheet or secure a more flexible expense model. Take care to secure the contractual language that supports the desired expense outcome.
Every technology company operates with the threat of liability. Your company makes contractual commitments to clients, and your providers make contractual commitments to your company. Many companies operate under a myriad of legal requirements and regulatory oversight. Mistakes can happen, employees can do bad things, or sometimes things happen and it’s not clear if you’re at fault or not.
In any case, where there is a harmed party, there is often a party who will seek compensation for that harm. Claims fly, costly litigation can ensue and ultimately company P&Ls can suffer. Companies absorb that risk through different types of overlapping insurance coverage, either contractually from third parties such as insurance carriers and vendors, or self-insurance.
As with cost optimization, the goal is to reduce the ratio of revenue to company liability over time to improve operating leverage—for example, by seeking out ways to shift some of your liability to third parties.
Here again, MSPs are a resource worth considering. In exchange for your business, they will effectively sign up to insure certain risks attached to the services they will deliver, in addition to any coverages from your insurance carrier. There are often limits set in the contract for that protection (i.e., “limitations on liability”) so make sure those limits are market-based and proportional to your investment with that provider and the harm they could cause you.
And when outsourcing the risk attached to critical services, be careful to choose MSPs that have the demonstrated expertise, reputation, and track record to deliver a high level of service. In that case, you could get the double benefit of greater operational assurance and a free insurance policy.
At the end of the day, it isn’t any one IT leader or lawyer taking on the risk in an agreement, it’s the entire business. Each party involved brings a unique and important perspective to risk and each one can spot issues and surface solutions the others can’t. Partner early with Legal and apply a powerful combination of IT and risk lenses to your next contract, and you’ll be sure to reap many benefits.