As organisations and their legal teams mature, a supplier contracting policy becomes a necessity to ensure:
- the legal team's time is spent on the right work; and
- operational risk is managed in-line with the expectations of senior management, shareholders, regulators and other stakeholders.
Unfortunately, such policies don't always get the best reception from business colleagues. The business may see them as "just another blocker" to getting things done.
But that needn't be the case. A great supplier contracting policy tiers risk and allocates contracts to the proportionate track to ensure:
- contracts that can be dealt with quickly, are dealt with quickly; and
- time, effort and energy is focused on the risks that the organisation cares about.
So what makes a great supplier contracting policy? In this article, Chris Bridges (Partner & COO at Tacit Legal) provides the five key ingredients.
If you are just starting out, ingredients one and two may be enough short term. However, to make your contracting policy as slick and business-friendly as possible, Chris suggests adding at least a pinch of three through five.
1. Which contracts are in the scope of your policy?
In an ideal world, all supplier contracts would be in-scope with a range of tracks and delivery models proportionate to the risk.
We'll come back to tracks and delivery models later. When starting out it's important to consider (a) how much resource you can allocate to supplier contracts; and (b) given that, which contracts you should be focusing on.
How you define (b) will vary by organisation, but a good starting point is probably a combination of committed spend and the organisation's more sensitive risk areas.
For instance, a health tech company concerned about health data and their IP might start with:
- contracts over £200,000 in committed spend*; or
- the supplier underpins a business critical process or technology; or
- the supplier will be processing their customers' health data*; or
- the supplier will have access to their IP*.
* With some guidance on what those terms mean!
For the vast majority of in-house teams, you probably won't have a track for all contracts. If that's you, be clear what your business should do with out-of-scope contracts:
- Can they proceed themselves, without legal support?
- Are there any hard lines they should not cross if they do?
- Are there any helpful resources you can point them to?
- Who can sign the contract?
2. Who can accept risk in your contracts?
What do you do when you identify risk?
The minimal viable solution requires that a finite list of signatories sign all contracts within scope, based on a risk summary prepared by the business and legal teams.
However, this leaves a lot up to the individual's interpretation of what is a material risk. Some reviews may include too much, others too little.
Even if you are a sole in-house counsel, we'd recommend at least agreeing with signatories which risks they consider material – doing so makes expectations clear, and the output more useful.
You could do this in your policy or in a separate template sign-off form.
3. Getting granular – risk tiers and risk policies
As the number of reviews increases, whether naturally or through expanding your scope, you may need to start being more granular in how you manage contract reviews, to keep up with the workload.
Introducing risk tiers to your contracting policies
The first thing you should do is tier risk, with each tier having its own set of sub-criteria.
For most organisations two or three tiers will be enough – we'd start simple with "High", "Medium" and "Low".
This alone doesn't do much, but it starts to make a lot more sense when you get into risk policies and different delivery models.
Defining the risk policy for each tier
In "who can accept risk", we talked about agreeing what risks are material with signatories. This is a risk policy in its simplest form.
We'd suggest defining a risk policy for each of your risk tiers. Be sure to make clear whether that policy is finite or not (can the reviewer limit their review to those issues only?).
We often see clients defining finite risk policies for their two lowest risk tiers to speed up review, with a more thorough review for their third with the policy being a "minimum reporting level".
Whilst starting out, we recommend keeping these policies simple. But as they develop, you can start differentiating between contract types, being more precise about the questions you want answering of contracts, and grading those risks with a RAG status.
You may also want to specify escalation paths for agreeing exceptions. You could categorise these by risk grade or require specific people to approve certain risks (e.g., the DPO for data protection).
4. Picking the right delivery models
With granularity, you make your job in sourcing alternative delivery models much easier (and if going external, much cheaper).
A mature process will probably see a mix of business self-service, outsourcing to a law firm or ALSP and "traditional" legal review, with all or some assisted by AI review.
We are seeing a growing shift of in-house teams wanting to outsource the medium risk rather than the high risk. They recognise that often their intricate knowledge of the business is far more valuable on the most strategic deals.
Ultimately though, whichever model you choose, having a good risk policy backed by good knowledge, process, tech and data will put you in good stead.
5. Make your supplier contracting policy measurable
Every good policy should be measurable, and to do that, you need data. The more granular that data, the more you'll be able to understand areas for improvement in your policy and process.
What's more, data will enable you to demonstrate the impact your policy is having and the enterprise value that your function is creating, beyond pounds spent.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.