We understand risk as any event, circumstance or condition that may occur and result in unfavourable outcomes. Contract risk management can protect your business and help to drive a better end result.
We assess risk in terms of its likelihood of occurrence and its level of impact.
Consider the modern problem of texting while driving.
The impact of this activity can range from none, to a near-miss, to collisions of various intensity which can result in injury or death to the driver, their companions, other road users and innocent bystanders, and damage to property. But what about contract risks?
What is Contract Risk?
Contract risk tends to affect the operations, arrangements and outcomes of, and the participants in, a contract. In business-to-business contracts, there may also be collateral damage for employees of affected businesses.
Let’s first consider a contract in place between two businesses for the supply of certain products and services. The likelihood of a problem occurring with the contract over its lifetime, such as the supplier not being able to fulfil orders, may or may not be readily predictable.
However, the impact on the parties of such an event may be somewhat more predictable.
A key function of a contract then, is dealing in some manner with various risks, taking account of past history and anticipating future possibilities, in order to prevent or minimise their future occurrence and their impact.
Naturally enough, not every possible contractual risk can or should be catered for. Probability, practicality and the parties’ risk appetite should guide contract risk management for key agreements.
However, the flexibility to deal with non-specific uncertainty should certainly be available - especially within scaling businesses or those that operate in regulated industries. This can be as simple as providing the option to negotiate changes to the contract if one or more parties to it are detrimentally affected by unusual or uncertain circumstances.
It would take a small book to do justice to the range of risks a business may encounter during the contract lifecycle.
This article will cover just a few key risk areas common to a typical business-to-business contract, to give some sense of what they are, how they vary, why they might occur and how they can be treated with effective contract risk management. These risks can be categorised as direct or indirect.
Specifically, we'll take you through:
- Direct Contract Risk
- Indirect Contract Risk
Types of Contract Risk
When planning your contract risk management strategies, your business is likely to have some common contract risks in mind. These may include:
- Regulatory risks whereby your business or its third parties aren't complying with local legislation
- Financial risks that can occur as a result of missing key renewal dates
- Security risks including contracts and confidential information being accessed by the wrong parties
- Brand damage which could be due to reputation or inability to compete in the market
Types of risks in contract management can be direct or indirect, which we'll look at in more depth below.
Direct Contract Risk
Direct contract risk relates specifically to a contract’s contents. There are some key types of risk to be dealt with.
The most fundamental contract risk is a lack of organisational awareness of the existence of a contract, its location or its contents.
Why? Because the contract describes key information like the arrangements between the parties, the key dates that must not be missed, the obligations that must be complied with and consequences of non-compliance, and how the contract might terminate or renew in the absence of a request to not do so.
Sometimes a contract can just be an orphan because anybody who knew anything about it, including its location, is long gone.
In other cases, certain individuals within the organisation may have this knowledge, but either don’t know or have never considered that the organisation owns and needs to know about that information.
Those individuals may be doing a great job of managing such contracts, or think they are, but that might not be the case. They might just have been lucky so far.
Unless the organisation has policies, processes and technologies in place to make ALL contracts visible, regardless of where in the organisation they originate, a complete picture of overall contract risk cannot be developed.
"CEOs' desire to take a more data-driven approach to risk management is ultimately a desire for greater transparency." - EY Legal
This could result in shortcomings in established mitigation approaches, and that might only be discovered the hard way at great cost.
Anticipated Operational Events
Most contracts today stipulate various operational aspects of the arrangements between the parties, in order to allow those arrangements to function smoothly and fairly predictably in real life.
The most immediate issue with operational activities is their failure to be performed as specified, leading to risks like the following:

| Situation | Potential Risk | Possible Mitigation Approach |
|---|---|---|
| Customer orders are delivered late | Customer suffers production slowdown or misses milestones | Agreed delivery period, price discount increases in accordance with delivery delay |
| Supplier invoices aren’t paid on time | Supplier’s creditors can’t be paid, so customer’s orders are not processed or delivered | Escalating penalties for non-payment, interest charged on outstanding amounts, orders not accepted until all bills paid |
| Confidentiality is breached | Perpetrator hit with financial penalties, loss of reputation, cancelled orders | Strong technological protection, workforce training, breach notification requirements |
A contract can mitigate risk if it both identifies situations with a good likelihood of occurring and/or having a negative effect on contract outcomes, and describes approaches for minimising, or preferably eliminating, that probability and/or that effect.
How to address contract risk
Some simple approaches that should sensibly and realistically address risks that can or might affect achievement of contract objectives include:
- Highly visible statement of key dates, such as within business-wide Contract Management Software
- Measures to describe supplier performance
- Specification of the obligations of each party and the consequences of non-compliance
- Description of the applicable operating processes and parameters such as changing the contract, placing orders and payment
- Standard risk management clauses like limitations on liability, dispute resolution, force majeure, governing law, and exchange rate management.
There is a wide and seemingly ever-increasing regulatory compliance burden attached to contracts these days that needs to be closely monitored. Depending on a number of factors, one or more parties to the contract may need to comply with matters such as:
- Laws governing the sale of certain products to certain countries or citizens of those countries
- Regulations covering the protection of personal information in various countries and regions such as the GDPR in the EU and the CCPA in California
- Laws specific to certain industries like financial services
- Generally accepted principles of doing business
- Internationally recognised standards like SOC 2 reports about effectiveness of controls
- The obligations assigned by the contract
- Operating policies of one or more of the contract’s parties
- Operational processes and practices agreed by the contract’s parties.
In general, a contract should clearly state the obligations that apply to each party separately or jointly, to minimise arguments about who should be doing what and when, and mitigate the risks of non-compliance that might affect the contract outcomes in some manner.
Often though, certain types of regulatory compliance are implicit and simply expected as general practice without specific statement in a contract. An example would be for the parties to the contract to behave as good corporate citizens, something that it shouldn’t be necessary to state.
In other cases, a requirement for compliance with specific laws will be stated, mainly for avoidance of doubt. For instance, compliance with US Export Regulations might be specifically indicated as applying to one or more parties.
Typically, a contract will not contain a specific requirement for any of the parties to comply with their obligations, but again there may be exceptions for avoidance of doubt.
An expectation of compliance is inherent by virtue of the language used to define the obligations, such as ‘the Supplier will…’ or ‘the parties shall not…’.
However, a contract often will, and perhaps always should, specify an obligation for one or more parties to provide timely and verifiable evidence of their compliance with certain critical obligations. Specific responses may be prescribed in the contract for each type of compliance failure where the obligations in question are not regulatory; where they are regulatory, the legislation covers those responses.
It’s not uncommon for certain aspects of a contract’s contents to be a source of risk. It’s also far too common that lay people with less than total fluency in legalese receive little support in their efforts to gain sufficient understanding of a contract to help manage intrinsic risk.
A conceptually simple remedy for intrinsic risks is available: the plain-language contract summary.
It takes an experienced person with good judgement and fluency in both their spoken language and legalese to thoroughly review a contract, determine the key elements that are needed to allow operation of the contract and identification of the risks, and reduce those elements into plain language suitable for public consumption.
Publicising the existence of the contract summary and allowing unrestricted access to it can be a great aid to increasing both understanding of its workings and recognition of its risks.
Constant improvements to various technologies are certain to automate much of this summarisation work further, to the benefit of all involved.
A very useful by-product of the review process is the ability to advise the legal team about all shortcomings found in the contract, especially those related to risk.
A sample of potentially risk-precipitating contract aspects includes the following:
Opaque Contract Language
Clear understanding of a contract can be difficult to obtain for people without a legal background or deep familiarity with a legalistic writing style. Legalese can be so long-winded, impenetrable, unclear, archaic and grammatically awkward that even lawyers can misinterpret the contract author’s intentions.
Many contracts have a low readability index, not necessarily as measured by a readability formula score, but because they violate basic standard principles for clear communication:
- There can be no logic to the organisation of clause groupings
- Single clauses can cover what should be multiple clauses
- Clauses can be unnumbered or lack descriptive subject captions
- Sentences can ramble on and on and on
- Punctuation might seem optional
- Sub-clauses and sub-sub-clauses are all left-aligned rather than indented, rendering structure invisible
These forms of obfuscation can lead to a contract being weaker than required or not operating as expected, possibly leading to friction between the parties, higher costs, and contract outcomes that are unpredictable, unexpected, undesirable, unacceptable or all of the above. They can also lead to contract breaches, which have further implications for your business and its third party.
The fundamental causes of the opacity problem are historical precedent, resistance to change and the known difficulties of writing for a class of readers other than your own.
Studies have shown that there is a relationship between readability and contract interpretation, in that the more readable the contract, the greater the commonality of interpretation by different readers.
There is a large and growing push for contract simplification to aid readability and therefore reduce contract obscurity, but probably also a similar amount of resistance from people who don’t have a problem with the status quo.
When in doubt, consult a lawyer.
The Interface Between Legal and Operational Aspects
Lawyers may have an excellent grasp of contract law and operational people are likely to have a deep understanding of how things work in their organisation. Neither may have much idea of how the contract’s constructs might negatively impact on the practicalities and workability of the desired arrangements.
Interfaces are well-known sources of risk, particularly in industries where different elements of a project or components of complex equipment are produced by different groups in different places. An infamous example was the loss of NASA’s $300m, unmanned Mars Climate Orbiter in late 1999 due to a contractor’s engineering team’s use of English measurement units for a spacecraft navigation operation while NASA used metric units.
Close interaction between legal and operational people at contract development time is necessary to ensure that both sides get what they need from the contract, separately and jointly, in a way that minimises the potential impact on the other side.
It’s never enough to unilaterally think you’re on the same page; it must be jointly verified as early as possible in the preliminary stages.
The linearity of a contract is related to its journey from start to finish in a step-wise clause progression from A to B to C and so on.
Notionally, linearity is an aid to understanding when reviewing a contract end-to-end, because each clause is self-contained, even though it may be related to other clauses, and motion is forward.
Linearity reduces when a clause contains one or more references to other clauses that contribute in some way to understanding of the referring clause. For instance, clause 12.4 might begin with ‘Subject to clause 18.2, …’.
Each referenced clause needs to be accessed and understood in order to grasp its relevance to and effect on the referring clause. If, say, clause 18.2 from the example above seems to bear no relationship to clause 12.4, it might be because clause 12.4 contains the wrong reference, or because the original clause 18.2 has been renumbered or deleted.
Should any referenced clause in turn reference other clauses, this can increase the difficulty of understanding the contract because of the physical and contextual movement away from and back to the referring clauses.
It’s worth maintaining a breadcrumb trail of some sort to help track where to jump back to from any referenced clause. Losing the thread can mean overlooking something that can come back to bite later on.
Realistically, all but the simplest and shortest contracts lack linearity. Obtaining clear understanding of contracts convoluted by many cascading references is a skill that takes practice.
Complex Contract Content
Complexity comes in many forms:
- Industry-specific terms might be used to describe certain operational arrangements.
- The legalistic measures might be very intricate and involved.
- The purpose of the contract and the levels of interaction between the parties might only be encountered relatively rarely.
What these situations imply is that, in addition to complexity of form, there can be an overriding knowledge complexity involved in the development of such contracts.
This has implications for the detection of intrinsic risk in a contract if the sort of knowledge required to write the contract isn’t available for its review.
A typical contract reviewer will realise fairly quickly, and should promptly advise management, that a contract is complex, that specialist expertise is required to help reveal any hidden risks, and that there could be considerable avoidable risk in failure to obtain that expertise.
Size in a document is typically related to the number of pages. In a contract, more pages usually means more clauses. More clauses can mean more relationships between clauses.
Another dimension to contract size is the number of separate documents that make up the entire contract.
Big contracts can be a problem.
The author can overlook key issues, relationships, potential inconsistencies and so on, just due to the scale of the work. Add in the inevitable changes that occur during drafting and negotiation, plus the pressure to get the job done, and things major and minor can fall through the cracks, with corresponding latent risk.
The same pressures can apply to the contract reviewer.
The fundamental issue with contract size is recall.
Get to the end of a 10-page software licence and you’re likely to detect an inconsistency between a clause on page 10 and one on page 4 because you only read page 4 a few minutes ago.
A good memory is needed to do this with something like a 500-page IT outsourcing contract that’s spread over multiple documents. Bear in mind though, that it’s not that hard to recall the clues dropped in the early chapters of a 500-page novel as the end approaches and it becomes clear that the butler really did do it. While a contract doesn’t really read like a novel, the brain works in mysterious ways and with practice it can be done quite effectively.
The legal system in many countries requires all contracts covered by the laws of the country to be written in the country’s official language(s). This can lead to the situation where a single contract needs to be written in at least two languages.
One language absolutely must be designated as controlling, that is, it will be the reference language for the contract to be used for understanding, operating and changing in the courts and arbitration system of each party’s home country.
If the contract is written in languages A and B, and both language versions say the same language is the controlling one, then that language will control.
If a control language is not designated, then language A will control in the courts of party A’s home country, and language B in party B’s home country.
Whichever language controls, ensure the contract specifies that that language is to be used for all contract management and change management activities related to the contract.
The controlling language issue can be compounded if each language version of the contract isn’t identical, whether by accident or intent.
As an example, one party is in for a rude shock if their language version of the contract uses turnover as a measure while the other version uses profit.
There is a straightforward way to counter this potential problem: trust, but verify.
The party providing the original contract wording should obtain a translated version of that wording from the other party, then have that translated version, and every updated version received during initial negotiations and any post-execution amendments, checked by an in-house or independent third-party translator for any material differences between the language versions.
Note that the translator used must be thoroughly experienced in translating legal documents between the languages concerned, and have solid understanding of the relevant legal systems.
Multi-language contracts are unlikely to go away any time soon. They may actually increase as the world shrinks, more and more business is conducted internationally, and an increasing number of countries demand the right to use their own languages for contracts rather than someone else’s. Be prepared.
Unrealistic Risk Allocation
A standard method of dealing with risk in contracts is to allocate each risk to the party best able to deal with it.
‘Best’ can be a subjective term. For the party who provides the contract, ‘best’ might mean ‘best for them’, so by design, risk could be unfairly and unrealistically allocated to the other party.
If the other party doesn’t realise the implications of this allocation of risk, or isn’t able to negotiate a more realistic allocation, ‘not our problem’ can appear to be the view of the contract provider.
The occurrence of risks that the other party has been left to deal with may be extremely difficult to handle, and the consequences could be long-standing. However, if the other party fails to handle any risks it has been allocated, the responsibility for dealing with them may fall to the contract provider, since occurrence of the risk usually affects both parties.
Contract providers who behave this way may live to regret it. The other party may well resent such an attitude and become distrustful and adversarial in their relationship if costs increase or they face other difficulties, or even if they are not really affected by the contract provider’s risk assignment actions.
A fractious, acrimonious relationship inevitably ends in tears. Early termination of the contract may be a distinct possibility, with all the hassle that entails.
It’s crucial that a party to a contract really understands how risk has been allocated in the contract. It’s an aspect that should be on every contract negotiator’s checklist.
The question must be asked about whether it’s worth doing business with somebody who resists a fair and realistic allocation of risk. What other sort of undesirable behaviour might reveal itself after the contract is signed?
Divergence from Desired Positions
It’s common for the providers of contracts to want to stick with the terms of their contracts, since those terms represent their preferred positions.
Equally as common, if not more so, is the other parties’ wish to negotiate some terms to make them more acceptable, and somewhat closer to their own preferred positions.
With goodwill, good argument and good grace, the parties may be able to achieve a balance of give and take that leaves them all satisfied for the main part. However, this is often not the case.
Arrogance, indifference, recalcitrance and other unhelpful behaviours can result in dissatisfaction and resentment for the party who has to do all or most of the giving, especially when choice of the other party is limited.
Regardless of the acceptability of the negotiated outcomes to the involved parties, every move away from their desired positions represents an increase in their level of risk proportionate to the distance between the preferred and actual positions.
It’s important then, that the level of accepted risk is recognised and assigned to the contract in some manner at the conclusion of negotiations, say in the form of a risk register. Without such information, risk due to positional divergence will be invisible from the start.
It can be useful for risk management purposes to also monitor the nature, level and frequency of divergence across contracts of the same type and where feasible, across the whole contract inventory.
This can help identify preferred positions which get a lot of attention during negotiation, and suggest settings that are more readily acceptable externally. This action could simplify and reduce the negotiation effort, and allow concerted efforts to mitigate any perceived risk accompanying the new settings.
Using a Contract Management System with an integrated risk module, such as Gatekeeper, can make this process easier and increase the visibility of contract risks throughout the business.
Indirect Contract Risk
Indirect contract risk is related to the ongoing management of active contracts.
It takes a comprehensive contract management ecosystem to minimise indirect risk, consisting of policies, practices, processes, people and technologies.
Indirect risk is most commonly expressed in the form of an absence or inadequacy of elements of the contract management ecosystem.
There are some key areas where indirect risk is most likely to occur.
Level of Organisational Support for Contract Management
There can be many parts of an organisation that are involved in some fashion in the creation, implementation, ongoing management, and termination or renewal of contracts. Some of these organisational parts might be centralised and cover the whole organisation, others may be distributed and look after just their own interests.
Depending on the nature of what an organisation does and what it needs to do it, plus its age and growth rate, its focus might be more on bringing in new business than managing what it’s already got.
Such concentration on only looking forward often reflects a low level of contract management maturity. Risk accompanies low maturity, as follows.
Limited Awareness of the Need for Contract Management
Contracts are just like cars, trains, boats and planes, in that they all need a regular check on particular bits and pieces according to a maintenance schedule to ensure they’re in peak operating condition.
Failure to properly maintain a piece of equipment, especially critically important equipment, is asking for trouble, tempting fate, pushing your luck, a career-threatening type of crazy.
Imagine the fate of the guy who didn’t check, as was required, that the backup generator had fuel in the tank. Consequently, it didn’t trip in when the power went out in the operating theatre, air traffic control centre, or wherever.
Maybe the buck doesn’t stop there though. Maybe the blame continues further up the organisational hierarchy, depending on what actually or could have happened.
People who work with contracts, or under their terms and conditions, really should understand this. People who don’t, won’t, not unless they innately get it, have learned it by observation or through bitter experience, or have been advised and have actually heard what was said.
Contract management is the term used to indicate the maintenance needed for contracts. It is a very specialised area that, like a range of other specialities, might only be recognised and appreciated by the well-informed.
In some organisations, there might be a dedicated team of contract management specialists. In others there could be an expectation that contract management will be performed by the Legal or Procurement teams. At worst, there could be no appreciation at all of the purpose, need for or benefits of contract management.
As a generalisation, the lower the awareness of contract management where it counts in the organisation, the higher the risk.
Lack of Policies Covering Contract Management
Awareness shouldn’t be confused with or construed as action. Any set of activities that an organisation decides should be performed needs to be backed by:
- Policies outlining the purposes and ownership of the activities
- The strategies to be followed
- The location of documentation detailing the activities
- Categorisation of the activities as mandatory or optional
- The criteria used to measure performance
- Any consequences for underperformance
- Plus anything else necessary to allow compliance with the policy
This need for policies applies as much to contract management as it does to any other risk-mitigating activity, like separation of duties for procurement purposes.
The performance of contract management activities, whether on a full-time or part-time basis, ought to be backed by policies to ensure that organisational requirements are prioritised over business unit or departmental needs and desires.
Risk affects the whole organisation, not just its individual component parts.
Insufficient Resourcing to Support Effective Contract Management
Every business function should be appropriately resourced in terms of funding, people, training, premises, technologies and so on. How else can the function be expected to deliver the desired outcomes?
Operating on the proverbial smell of an oily rag is belittling, crass, debilitating and unfair organisational behaviour.
Without being able to operate properly, both the function and the people working for it can be ridiculed, ignored, actively worked against or worked around.
An under-resourced contract management function can only produce a pay-off from personal heroics, which is ultimately unsustainable, or by focussing on only a subset of the organisation’s contracts representing the highest risk, on the basis that something is better than nothing.
Poor morale and high turnover of people involved in contract management activities often accompany under-resourcing of the function.
Giving lip service to contract management does more to precipitate risk than mitigate it.
The Contract Management Support Ecosystem
To continue with the equipment maintenance schedule metaphor mentioned above, the contract management support ecosystem is the equivalent of the workshop, the tools, spare parts and manuals, the engineers and so on.
Everything needed has to be present or readily available. Procedures and practices have to be closely followed. Documentation has to be updated. A brief road-test should be conducted.
Nobody should ever hear words like ‘why have we got this bolt left over?’.
In contract risk management terms, the question would be something like ‘why did this happen?’. Sometimes this question might be unrealistic, but when has that ever mattered?
Any deficit in the contract risk management approach can be a source of issues. A sample of such deficits and their potential risks can include:
| Deficit | Potential Risk |
|---|---|
| Contract management activities are informal, undocumented and inconsistent across the organisation | People do what they think needs to be done, which can be contrary to what should be done |
| Available technologies provide limited benefits to contract management activities | Key contract dates can pass unnoticed, which can cause undesirable contracts to automatically renew, desired contracts to automatically terminate, or the organisation to be in default for failing to do something by a deadline |
| No visible ownership of contracts, obligations or risks | Without ownership there is no responsibility. Situations can get out of control very quickly and the consequences could be dire |
| Limited contract management expertise available | Limited ability to deal with contract issues quickly or properly |
| Poor measurement and reporting of contract and contract management performance | Low understanding of the level of risk potential in contracts leaves the organisation very susceptible to and unprepared for the occurrence of that risk |
It takes commitment, a concerted effort, an enlightened organisational mindset, the right people, good training, appropriate contract management technologies and a whole raft of must-do’s to create, roll-out and adopt a robust contract management support ecosystem.
If all this can be achieved, it can provide comfort via evidence that contract risk is being identified and managed within desired parameters.
Contracts are, or should be, designed to practically prevent, minimise or deal with known and potential risks that can negatively affect their desired purpose.
It needs to be recognised that contracts can also precipitate risk, in obvious and obscure ways.
In this article we’ve discussed a small subset of the types of risk that could occur in respect of contracts.
Checking if any of just those risks are present can be laborious without the right technological support.
Manual effort will most likely necessitate a joint effort between contract management specialists and the Legal Team.
For the non-lawyers, a few personal attributes are helpful, like a good command of the spoken language, a great memory, tenacity, and a strong desire to reveal all the contract risks, whether hidden or in plain sight.
An ability to look at a contract from the contract provider’s viewpoint might produce helpful insights into where and how risks could be hidden or camouflaged.
Mentoring by somebody experienced, and exposure to lots of contracts are needed to develop the ‘contract risk finding’ muscle and maintain it in good working condition.
A well resourced and supported contract management function is critical for contract risk management. It’s a form of insurance for an organisation, just like the internal audit function.
Remember that there are many more types of contract risk than discussed here. Some will be esoteric and tricky, meaning advice from lawyers will be needed. Others will be more operationally focussed, say like ensuring Service Level Agreements governing supplier performance are pertinent, measurable and backed by sufficient bite to encourage compliance.
Finally, if it’s not already available, consider promoting the idea that an excellent contributor to contract risk mitigation is a formalised statement of the organisation’s position on the absence or presence of certain contract clauses, with their preferred settings and acceptable alternatives.
Such a benchmark is invaluable, raising the visibility of negotiated risk and allowing for effective dispute management.