Contract obligations compliance sits at the heart of every successful agreement.
Each contract specifies activities that each party to it is obliged to do or refrain from doing, either separately, or jointly with the other party or parties.
By signing a contract each party is making a legally enforceable commitment to comply with their applicable obligations.
The size of this commitment will vary in line with the number and type of obligations contained in the contract.
And it’s not always a straightforward calculation. A high volume of standard or common obligations can require less resource to manage than a small number of non-standard or complex obligations.
As a result, contract obligations compliance can be a challenge for any business. It can be made still harder by shifting priorities and changes in personnel. Furthermore, failure to comply with contract obligations can lead to a breach of contract and represent a potentially serious latent risk to the business, one that needs to be closely managed.
In order to help you improve your contract obligations compliance we’ve developed a step-by-step approach, covering:
- Some assumptions to provide context
- The nature and span of contract obligations
- Consequences of non-compliance
- Awareness and ownership of obligations
- Ranking the criticality of obligations
- Establishing the compliance checking timetable
- Developing the compliance checking procedures
- Addressing non-compliance
- Reporting compliance checking outcomes
- Recalibrating an obligation.
For the purposes of illustrating the concepts in this article, the following assumptions will apply:
- For the sake of simplicity, there will only be two parties to any contract discussed with respect to obligations: the organisation requiring certain products or services, and the supplier selected to fulfil the need
- The activities to be performed for contract obligations management will mostly be described from the organisation’s viewpoint
- The organisation has some risk management policies in effect to drive obligations compliance behaviour
- The organisation has some processes in place to support the collection, analysis and reporting of obligations compliance data.
The bulk of contract obligations are explicit and visible, relating mainly to the operation of the contract, such as:
- Issuing invoices within 10 days of the end of the month
- Not issuing invoices later than six months following delivery of an order
- Paying invoices by the due date
- Paying late fees when invoices are paid after the due date
- Submitting requests to amend the contract via an agreed process.
Other obligations that apply are typically not party-to-party related, and may or may not be incorporated in the contract by reference only, without any accompanying details. These obligations can concern compliance with:
- Laws and regulations enacted at any level of government, such as data protection principles and export regulations. Sometimes the applicable laws and regulations will be stated in the contract by reference without any details. At other times, those laws and regulations will apply even if not explicitly stated in the contract
- The organisation’s internal directives, policies and operating practices, such as a code of conduct governing behaviour on the organisation’s premises. Compliance cannot be expected unless details are provided before contract execution
- Generally accepted domestic and international standards, such as SOC 2 Type 2 data-centre security reporting.
Consequences of non-compliance
All obligations are meant to be complied with, but the consequences of non-compliance or a breach of contract can range from trivial, such as interest accruing on late invoice payments, to catastrophic, such as termination of the contract, massive government fines, loss of business or failure of the non-complying party.
Commonly, where non-compliance is an isolated event, the parties to the contract will treat the case as an aberration and attempt to ensure that causation is adequately remedied, with or without a penalty of some kind.
Non-compliance that has a more serious effect on the aggrieved party may require invocation of the contract’s dispute resolution process or a court hearing to obtain any redress.
Chronic, blatant or bullying non-compliance, often based on market power and arrogance, can be difficult to combat. The courts of law and public opinion may be the only way for any consequences to be applied for such behaviour.
Obligations awareness and ownership
The legalese used in contracts, the often confidential nature of a contract’s content, and the generally limited need-to-know about a contract outside the Legal and Contract Lifecycle Management teams, all work to restrict general knowledge about the workings of any particular contract.
However, many stakeholders in a contract need to know certain things about it in order to do their jobs. This is particularly the case when it comes to ensuring compliance with the obligations associated with that contract.
In an earlier article we advocated the use of a contract summary for providing a good plain language overview of the features of a contract, including obligations.
One outcome of the summarisation process is the allocation of ownership to certain aspects of the contract, like obligations.
Obligation management needs to be internal to the organisation, regardless of which party is the obligation holder with compliance responsibility.
This allows proactive steps to be taken by the organisation to detect any drift towards non-compliance by itself or the supplier, and take or request remedial action sooner rather than later.
While the contract summary does a good job of increasing obligation awareness, successful obligations management requires a detailed compliance specification for each obligation.
Also required is a standardised process for checking compliance and tracking obligations. This will not only simplify any training needed across the organisation, but also increase the pool of people who may need to participate in a compliance check without much prior notice when circumstances dictate.
Ranking obligation criticality
The criticality of an obligation is directly related to the implications of the worst-case response to its non-compliance.
Consider invoice payment after the due date. In many contracts, when late payment occurs, the supplier may or will charge interest at a particular rate on the amount outstanding until that amount is paid in full.
Any accrued interest will appear on the next invoice after full payment is received for the outstanding amount. Obligation criticality here is likely to be low or very low.
However, if the payment is outstanding for say more than 60 days, the supplier might withhold the contracted services until all amounts then due are paid in full within say five days. Depending on the nature of those services, the payment obligation criticality might range from low to very high.
It’s important then that each obligation is assigned a criticality level, to heighten awareness that what might superficially appear to be a minor, relatively low risk commitment actually isn’t.
When to check for compliance
Obligation criticality usually drives compliance check frequency: the more critical the obligation, the more frequent the check.
However, other factors may need to be considered in setting the check frequency for any particular obligation, such as a poor compliance performance history.
A date for each check should be established initially, say for the first 12 months of the contract’s life.
A calendar of check events should be set up, catering for any necessary preparatory activities like information gathering and discussions with stakeholders, plus any follow-up activities that might be needed, say to rank, address and report any non-compliance discovered.
The calendar should be regularly reviewed and updated as circumstances require.
If you use a Contract Management System with an automated alerting capability and/or a workflow engine that can be triggered by dates, this would be the best place to record the compliance check schedule.
The obligation owner should be the person to receive the ‘check due’ alert.
A compliance checking approach
The scope of activities required for any particular compliance check may vary for each check occurrence, depending on the complexity of the obligation and the number of aspects that need to be examined. Accordingly, the number of people required to assist with each check may also vary.
A generalised compliance checking approach for the obligation owner to use could involve activities like:
- Determine the scope, timing and people needed to conduct the approaching check
- Advise the people involved about the scope and timing of the check, and their roles
- Collect and distribute any information necessary for conducting the check
- Review the collected information and score the level of obligation compliance achieved.
Our free template can also be used to capture the details of each compliance checking event, from the obligations to be checked, to the compliance scores assigned, the issues detected and any remediation activities needed.
It doesn’t matter if the scale used to indicate the level of compliance achieved is simple (eg none, low, medium, high) or complex (eg 0-10).
It’s important that the same scale is used everywhere, and that it is based on the notion that the higher the compliance level, the lower the risk to the organisation.
An important aspect to watch for over time is evidence of a downward trend in the compliance score for any specific checking activity. This needs to be treated as a rising non-compliance potential.
Dealing with non-compliance
Non-compliance can occur for many reasons, despite best intentions. Some non-compliance might be first detected by the organisation, with the supplier unaware that there was a problem until advised by the organisation, or vice versa.
Alternatively, it may be a rising non-compliance potential that gets noticed and the details passed on as a pre-emptive action.
Irrespective of how any actual or potential non-compliance is detected, again there is value in adopting a standardised approach to dealing with it, such as:
- Advise the obligation holder about their actual or potential non-compliance
- Estimate the effect of actual non-compliance on the affected party
- Investigate and determine the causes of the actual or potential non-compliance
- Decide on and then quickly apply a method to remediate and prevent such non-compliance
- Negotiate and deliver an acceptable compensatory response for the affected party as needed
- Update the contract as needed to restate an obligation or its compliance method
- Revise the detailed compliance specification as needed
- Inform all interested stakeholders about how the non-compliance was dealt with.
Note that steps 3-6 above may be undertaken jointly with the supplier as necessary.
To the extent possible, measures to address any actual or potential non-compliance should be implemented without undue delay. This action helps to minimise risk and shows the commitment of both parties to the smooth running of the relationship.
Reporting obligations compliance
Visibility of obligations is incomplete without some understanding of how well both parties to the contract are meeting their individual and joint commitments.
Obligation compliance levels should be a major reporting item for risk management purposes, as many stakeholders have a vested interest in the achievement of high levels of compliance, both personally and organisationally.
To provide useful information, the obligations compliance report could show details like:
- Contract numbers: total contracts; important contracts; important contracts compliance-checked this year; other contracts; other contracts compliance-checked this year
- Contracts checked this period: supplier name; contract name; contract importance; contract purpose; # critical obligations; a list of critical obligations checked showing the obligation holder and owner details, the assigned compliance level and comments about any non-compliance detected plus planned remediation date and approach if known, and a rolled-up overall compliance level
- Overall totals: for important and other contracts, separately and together: contracts checked, obligations checked, compliance by level; rolled-up overall compliance level.
The format of the compliance information reporting, its presentation timing and distribution arrangements all need to be agreed within the organisation.
A contract may oblige one or both parties to self-report on their compliance with some or all of their obligations, and provide that information to the other party.
The content and format of the self-reporting and its presentation timing should be specified in the contract or otherwise agreed between the parties.
Since supplier self-reporting is likely to be incorporated into the organisation’s internal reporting on compliance levels, a measure of confidence in the self-reported numbers is required.
A policy of ‘trust but verify’ using internally-sourced information is a good way to establish that measure.
It will also reveal any mistakes, misconceptions, miscalculations or misinterpretations made by one or both parties if the numbers don’t agree. The discussion about any differences can be:
- Enlightening: didn’t know that
- Worrying: should’ve known that
- Damning: should have known better
- Incriminating: shouldn’t have done that.
‘Trust but verify’ can probably be done on a random, spot-check basis rather than for every reporting cycle. The ‘trusting’ party should deal with undesirable outcomes as it sees fit.
The ‘trusted’ party should willingly and rapidly address any issues which can or have eroded that trust.
Further analysis of the reported compliance levels might be conducted to suit specific needs such as non-compliance by organisational unit, contract type, supplier, country and so on.
In today’s highly dynamic regulatory and political environment, yesterday’s dead certainty can disappear, change unrecognisably, just need a light refresh or remain acceptable just as it is.
Change may be forced or planned, and may need to be achieved overnight or over the longer term. Expecting and being prepared for this is a good risk management strategy.
Considering this environment, many aspects of a contract should be regularly reviewed for ongoing relevance. For contract obligations, the focus should be on the most critical commitments and those that are most difficult or tedious to check for compliance.
Over time though, every obligation should be assessed for ongoing relevance at least once.
Discussions with the supplier will always be needed, to highlight relevance-related concerns about the need for, nature or current settings of any obligations, and jointly decide on any achievable recalibration.
Where change to obligations is possible and desirable in some respect, amendments to the following should be expected:
- The contract
- Some of the data measurement requirements supporting compliance checking
- Some of the compliance check specifications
- The compliance checking timetable
- The compliance reporting regime.
Details of any such changes must be relayed to all interested stakeholders, regular participants in obligation compliance checking activities, and recipients of obligations compliance reports, as and when appropriate.
Managing compliance with contract, regulatory, policy, process and other obligations is a good risk minimisation practice.
The key to success here is increased visibility of obligations, their ownership and criticality.
A solid understanding of the pitfalls of non-compliance, a strong commitment to complying with their obligations by all parties, and a structured compliance checking program supported by appropriate alerting technologies are evidence of that visibility.
Achievement and maintenance of a high level of obligations compliance in at least all important contracts is a reasonable and worthwhile target.
It shows that, while individual contracts may have more compliance issues than others, at a portfolio level, obligation risk is being managed within acceptable bounds.
Not only that, but the Contract Lifecycle Management function can provide a solid indicator of its value to the organisation in the form of a validated obligation compliance level.
In this article we’ve presented an approach to help you achieve effective obligations compliance, and provided a useful template that can be modified to suit your particular circumstances.