
Meet deadlines and cut costs: Five steps to faster contract negotiations

10.10.18

State governments regularly negotiate contracts with vendors. Unfortunately, these negotiations are often prolonged, which can have major downstream effects on projects, procurements, and implementations—including skewed timelines, delayed milestones, and increased costs. Here are five suggestions for shortening contract negotiations. 

  1. Limit project scope. Leaner project scope equals shorter contract negotiations. Conversely, the sheer number of requirements, terms, and conditions for larger projects naturally inflates negotiations. Limiting scope means being conservative in what you are looking to achieve. Planning a core systems modernization? They can cost tens of millions of dollars. Limit scope (and cost) to just certain modules. If, for example, you have an ERP modernization, limit projects and procurements to key modules and milestones. 
  2. Use project management techniques. Treat the negotiation like a small project. For example, compile a list of tasks and deadlines, as well as names for necessary signatures. Develop a project plan and hold weekly check-ins to keep things on track. Assign someone in your organization as a single point of contact to help shepherd the contract through the process. 
  3. Make the vendor’s proposal part of the contract, verbatim. Some states still require copying the proposal response into a contract document, and that often requires modification of proposal language, which slows things down. Attach the solution proposal to the contract cover page(s) so that the proposal is there, word for word. 
  4. Have vendors define deliverables, except for the minimum deliverables you must have. Vendors should know how to deliver their product and services and should include items they expect to be paid for, such as completion of a development cycle, software licenses, and a gap analysis report. Rather than define what deliverables you need, let the vendors define them, except for any mandatory ones, such as a training or testing plan. Ask for interim or draft versions of training or testing plans as part of proposal submission. 
  5. Tell vendors ahead of time what the payment constraints are. As a state government, you are bound by budget cycles and authority to spend. You also want working product tied to payment. With both factors in mind, tell vendors up front how much of the contract can be paid in a certain year and how much you are willing to tie to what deliverables. Don’t want to pay more than, say, 40% of the project cost for non-software deliverables? Say so. Vendors can then plan their paydays and deliverable sequence accordingly. 

    You can also save time and effort by not negotiating at all. States often assume there will be, or allow for, negotiation periods. Yet states can make clear that no negotiation will occur after contract award—or limit what can be negotiated to a small, finite number of items. To prepare for this approach, states should glean vendor stipulations ahead of time, and perhaps even score vendors on the number or type of stipulations. Use a pre-award proposal clarification period to clarify any terms or demands that are unfavorable to the state and consider ranking or evaluating proposals on the number of objections to terms/conditions raised. 

States should feel empowered to shorten (or, when appropriate, even eliminate) contract negotiations. After all, state time is state money.


When an organization wants to select and implement a new software solution, the following process typically occurs:

  1. The organization compiles a list of requirements for essential and non-essential (but helpful) functions.
  2. The organization incorporates the requirements into an RFP to solicit solutions from vendors.
  3. The organization selects finalist vendors to provide presentations and demonstrations.
  4. The organization selects one preferred vendor based on various qualifications, including how well the vendor’s solution meets the requirements listed in the RFP. A contract between the organization and vendor is executed for delivery of the solution.
  5. The preferred vendor conducts a gap analysis to see if there are gaps between the requirements and its solution—and discloses those gaps.
  6. The preferred vendor resolves the gaps, which often results in change orders, cost adjustments, and delays.

Sound painful? It can be. Step #5—the gap analysis, and its post-contract timing—is the main culprit. However, without it, an organization will be unaware of solution shortcomings, which can lead to countless problems down the road. So what’s an organization to do?

A Possible Solution
One suggestion: Don’t wait until you choose the preferred vendor for a gap analysis. Have finalist vendors conduct pre-contract gap analyses for you.

You read that right. Pay each finalist vendor to visit your organization for a week to learn about your current and desired software needs. Then pay them to develop and present a report, based on both the RFP and on-site discussions, which outlines how their solution will meet your current and desired software needs—as well as how they will meet any gaps. Among other things, a pre-contract gap analysis will help finalist vendors determine:

  • Whether programming changes are necessary to meet requirements
  • Whether functions can be provided through configuration setup, changes in database tables, or some other non-customized solution
  • What workarounds will be necessary
  • What functionalities they can't, or won't, provide

Select a preferred vendor based on both their initial proposal and solution report.
Of course, to save time and money, you could select only one finalist vendor for the pre-contract gap analysis. But having multiple finalist vendors creates a competitive environment that can benefit your organization, and can prevent your organization from having to go back to other vendors if you’re dissatisfied with the single finalist vendor’s proposal and solution report, or if contract negotiations prove unsuccessful.

Pros
You can set realistic expectations. By having finalist vendors conduct gap analyses during the selection process, they will gain a better understanding of your organization, and both your essential and nonessential software needs. In turn, your organization gets a better understanding of the functionality and limitations of the proposed solutions. This allows your organization to pinpoint costs for system essentials, including costs to address identified gaps. Your organization can also explore the benefits and costs of optional functions. Knowing the price breakdowns ahead of time will allow your organization to adjust its system requirements list.

You can reduce the need for, or pressure to accept, scope changes and change orders. Adding to, or deleting from, the scope of work after solution implementation is underway can create project delays and frustration. Nailing down gaps—and the preferred vendor’s solutions to meet those gaps—on the front end increases efficiency, helps to ensure best use of project resources, and minimizes unnecessary work or rework. It may also save you expense later on in the process.

Cons
You will incur additional up-front costs. Obviously, your organization will have to pay to bring finalist vendors on-site so they can learn the intricacies of your business and technical environment, and demonstrate their proposed solutions. Expenses will include vendors’ time, costs for transportation, lodging, and meals. These costs will need to be less than those typically incurred in the usual approach, or else any advantage to the modified gap analysis is minimized.

You might encounter resistance. Some finalist vendors might not be willing to invest the time and effort required to travel and conduct gap analyses for a system they may not be selected to implement. They will be more interested in the larger paycheck. Likewise, stakeholders in your own organization might feel that the required costs and time investments are impractical or unrealistic. Remind staff of the upfront investment and take note of which vendors are willing to do the same.

The pros and cons of pre-contract gap analyses

The day-to-day work of providing government services involves collecting, using, and storing large amounts of data. The data that government agencies accumulate is a critical asset — it holds answers about which programs perform best, which interventions are most effective, and how to improve service delivery. Data can also be a liability when it falls into the wrong hands or is misused, even unintentionally. Data governance is a great place to start gaining control of your data.

Establishing data governance can be intimidating. Between resource constraints, multiple and different data policies within large organizations, cultural reluctance to change, and lack of knowledge, it can be difficult to even know where to begin. Start with the fundamentals: understand what data governance is, and why it is so important.

These initial guidelines will help you validate the need for data governance at your organization, and recognize the correlation between reaching your strategic goals and governing data.

So, what is it?
Data governance is an ongoing, evolutionary process, driven by business leaders, in which they establish principles, policies, business rules, and metrics for data sharing. They manage priorities and resources such as data stewards and technologists to acquire, harmonize, summarize, and produce data-rich analyses of data assets required to meet agency goals.

At a high level, data governance has two main components: 

[Figure: Data Governance Components]

Why is data governance so important, and why NOW?

  • Data ownership is a responsibility. Properly governing data is not only important for organizational strategy, it is also important to produce high-quality client outcomes and levels of satisfaction. When you establish proper data policies and procedures, clients receive a better level of service. 
  • The amount of data collected is increasing. Many organizations collect an abundance of data, with no real vision of how to use it. A framework of data governance assists with developing a strategy to take advantage of data and use it effectively. 
  • The demand for data is growing. Organizations, especially in the public sector, are required to analyze and submit data for reporting to funders and oversight bodies. Without data governance, these reports can be inaccurate, contain gaps, or be manipulated improperly to produce false reports. 
  • The concern for security surrounding data is increasing. Mandates across both public and private sectors constantly evolve, because the more technical our world becomes, the more secure our data needs to be. If an organization does not implement foundational data security measures across all jurisdictions, it can become easy to fall behind the curve, and out of compliance. 
  • Organizations miss many opportunities to leverage data more efficiently. Organizations report lacking a high level of confidence in their ability to produce accurate data reports, resulting in inefficient resource distribution. A standardized framework for governing data helps produce higher levels of data quality and integrity, and improves report accuracy.

How can your organization start the process?
The first step in a data governance initiative is to assess your organization’s data environment and maturity level. Start by analyzing your organization’s data policies, usage, documentation, and management processes to gain a true understanding of the current data landscape and management maturity level. CMMI’s Data Management Maturity Model (DMMM) and the Data Management Association’s Data Management Body of Knowledge (DMBOK) are great reference resources to assist with understanding the role and definition of data governance.

The time for data governance is now.
BerryDunn’s Government Consulting Group works with state agencies to develop data governance initiatives as well as specific processes and policies to help states take control of data, increase confidence in its quality, and reach strategic goals. 

Data governance: Gain control

In July 2016, we wrote about how the booming microbrewery scene in Maine is shaking up the three-tier system of alcohol distribution, which dates back to the 1930s.

A month later, three Texas microbreweries — Live Oak Brewing Company, Peticolas Brewing, and Revolver Brewing — argued against the three-tier system in district court, seeking to circumvent parts of the system and allow craft breweries in Texas to sell their distribution and territorial rights. The State countered that assertion, and claimed that the three-tier system was necessary because it allowed the Texas Alcoholic Beverage Commission to easily monitor the distribution of products, and have a greater sense of the inventory of retailers, restaurants, and bars.

A few weeks following the initial court appearance, the presiding judge ruled in favor of the three Texas microbreweries, granting them the right to distribute their own product — and, as a result, allowing these and other Texas microbreweries to maximize their profits. This ruling opined that the three-tier system unfairly benefits distributors at the expense of microbreweries.

One could argue that microbreweries wouldn’t exist in such force today if not for the three-tier system, which allows for competition and the creation of new producers. On the other hand, the three-tier system imposes burdens on microbreweries, as the Texas suit demonstrates. Yes, the number of microbreweries is growing—but because microbreweries are forced to sell directly to a shrinking number of distributors, the former tend to suffer slow revenue growth, while the latter tend to enjoy steady or increased sales.

The co-existence of microbreweries and the three-tier system in the United States merits observation. It will be equally fascinating to see if the methods for producing and distributing alcohol will drastically change. Is it time for a modified regulatory model that will better accommodate the growing craft beer landscape? Or do the tried-and-true policies dating back to before World War II still serve their original intent? It’s too soon to know, but we’ll see what ferments in the months to come.

Editor's note: this article was co-written with Amanda Findlay. 

Untapped potential: Microbreweries use legal scrutiny to erode the three-tier system

There is plenty of media coverage of Maine’s, and specifically Portland’s, burgeoning microbrew scene. It’s good economic development and complements the already established “foodie” scene Portland is renowned for. What’s more, microbrewers are increasingly avoiding the middle man, and offering tastings directly to consumers, onsite at their breweries. All who sell beer by the glass in Maine need a license, just as in other states. But the licensing cost for breweries and their tasting rooms is much lower than it is for bars and taverns, earning a charge of unfairness from those entities that have to go through a more stringent and expensive process of getting a liquor license. Read here for more detail. As you read, you may enjoy the irony of Maine being the first state to prohibit the sale of alcohol in 1851.

There is another facet to the boom in tasting room sales that is higher up the legal food chain than licensing fees: the three-tier system. First, a quick primer: the three-tier system was instituted at the time of the repeal of Prohibition (December 1933) to remove the problem of a “tied house”. Prior to Prohibition, a tied house was not an uncommon occurrence, where one regional entity had entire control of brewing or distilling, distribution, and retail sale of intoxicating beverages. This resulted in, it was argued, excessive alcoholic beverage sales by larger manufacturers and thus excessive consumption of alcohol. Following Prohibition, states instituted laws establishing a three-tier system whereby manufacturers, distributors and retailers are required to have separate licenses. This separation was designed to prevent dominance of one tier over the others. Gone are the days of saloons that were associated with drinking excess and loyalty to only one regionally dominant brand.

The three-tier system, by many opinions, works well. The National Alcoholic Beverage Control Association (NABCA) has published a paper on the virtues of the system. The Supreme Court, in the landmark case Granholm vs. Heald, declared that the three-tier system was “unquestionably legitimate”[1]. The Alabama Brewers Guild supports the three-tier system, but feels exceptions should be made, notably direct sales (presumably to include both on-premise and off-premise sales, the latter occurring when a consumer takes beer to go, just like a grocery or package store).

In Portland’s microbreweries (and distilleries, too), direct sales are over the counter, just like a bar. Is it reasonable to make exceptions to the three-tier system and let manufacturers become retailers at a certain level? Probably. A brewery in Portland making under 50,000 gallons of beer a year is no corporate monolith. Neither are craft distillers in North Carolina, where a state senate bill was under consideration recently to allow purchase of one bottle of spirits per year from distilleries[2]. But it does blur the lines of the three-tier system and its original reason for being. In addition to making those in the industry who pay for a full license upset, the spirit of the three-tier system may be challenged as breweries grow larger. The situation is certainly worth keeping an eye on as the microbrewery revolution continues.

[1] http://repository.law.umich.edu/cgi/viewcontent.cgi?article=1127&context=mlr&sei-redir=1&referer=http%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dargument%2Bagainst%2Bthe%2Bthree%2Btier%2Bsystem%26src%3DIE-SearchBox%26FORM%3DIENTTR%26conversationid%3D#search=%22argument%20against%20three%20tier%20system%22 , page 822.
[2] http://www.wral.com/distilleries-could-sell-more-bottles-direct-to-tourists/15760834/

Microbreweries and the debate on the three-tier system

Best practices for financial institution contracts with technology providers

As the financial services sector moves in an increasingly digital direction, you cannot overstate the need for robust and relevant information security programs. Financial institutions place more reliance than ever on third-party technology vendors to support core aspects of their business, and in turn place more reliance on those vendors to meet the industry’s high standards for information security. These include those in the Gramm-Leach-Bliley Act, Sarbanes-Oxley 404, and regulations established by the Federal Financial Institutions Examination Council (FFIEC).

On April 2, 2019, the FDIC issued Financial Institution Letter (FIL) 19-2019, which outlines important requirements and considerations for financial institutions regarding their contracts with third-party technology service providers. In particular, FIL-19-2019 urges financial institutions to address how their business continuity and incident response processes integrate with those of their providers, and what that could mean for customers.

Common gaps in technology service provider contracts

As auditors of IT controls, we review lots of contracts between financial institutions and their technology service providers. When it comes to recommending areas for improvement, our top observations include:

  • No right-to-audit clause
    Including a right-to-audit clause encourages transparency and provides greater assurance that vendors are providing services, and charging for them, in accordance with their contract.
  • Unclear and/or inadequate rights and responsibilities around service disruptions
    In the event of a service incident, time and transparency are vital. Contracts that lack clear and comprehensive standards, both for the vendor and financial institution, regarding business continuity and incident response expose institutions to otherwise avoidable risk, including slow or substandard communications.
  • No defined recovery standards
    Explicitly defined recovery standards are essential to ensuring both parties know their role in responding and recovering from a disaster or other technology outage.

FIL-19-2019 also reminds financial institutions that they need to properly inform regulators when they undertake contracts or relationships with technology service providers. The Bank Service Company Act requires financial institutions to inform regulators in writing when receiving third-party services like sorting and posting of checks and deposits, computation and posting of interest, preparation and mailing of statements, and other functions involving data processing, Internet banking, and mobile banking services.

Writing clearer contracts that strengthen your institution

Financial institutions should review their contracts, especially those that are longstanding, and make necessary updates in accordance with FDIC guidelines. As operating environments continue to evolve, older contracts, often renewed automatically, are particularly easy to overlook. You also need to review business continuity and incident response procedures to ensure they address all services provided by third parties.

Senior management and the Board of Directors hold ultimate responsibility for managing a financial institution’s relationship with its technology service providers. Management should inform board members of any and all services that the institution receives from third parties to help them better understand your operating environment and information security needs.

Not sure what to look for when reviewing contracts? Some places to start include:

  • Establish your right-to-audit
    All contracts should include a right-to-audit clause, which preserves your ability to access and audit vendor records relating to their performance under contract. Most vendors will provide documentation of due diligence upon request, such as System and Organization Control (SOC) 1 or 2 reports detailing their financial and IT security controls.

    Many right-to-audit clauses also include a provision allowing your institution to conduct its own audit procedures. At a minimum, don’t hesitate to perform occasional walk-throughs of your vendor’s facilities to confirm that your contract’s provisions are being met.
  • Ensure connectivity with outsourced data centers
    If you outsource some or all of your core banking systems to a hosted data center, place added emphasis on your institution’s business continuity plan to ensure connectivity, such as through the use of multiple internet or dedicated telecommunications circuits. Data vendors should, by contract, be prepared to assist with alternative connectivity.
  • Set standards for incident response communications 
    Clear expectations for incident response are crucial to helping you quickly and confidently manage the impact of a service incident on your customers and information systems. Vendor contracts should include explicit requirements for how and when vendors will communicate in the event of any issue or incident that affects your ability to serve your customers. You should also review and update contracts after each incident to address any areas of dissatisfaction with vendor communications.
  • Ensure regular testing of defined disaster recovery standards
    While vendor contracts don’t need to detail every aspect of a service provider’s recovery standards, they should ensure those standards will meet your institution’s needs. Contracts should guarantee that the vendor periodically tests, reviews, and updates their recovery standards, with input from your financial institution.

    Your data center may also offer regular disaster recovery and failover testing. If they do, your institution should participate in it. If they don’t, work with the vendor to conduct annual testing of your ability to access your hosted resources from an alternate site.

As financial institutions increasingly look to third-party vendors to meet their evolving technology needs, it is critical that management and the board understand which benefits—and related risks—those vendors present. By taking time today to align your vendor contracts with the latest FFIEC, FDIC, and NCUA standards, your institution will be better prepared to manage risk tomorrow.

For more help gaining control over risk and cybersecurity, see our blog on sustainable solutions for educating your Board of Directors and creating a culture of cybersecurity awareness.
 

Are your vendor contracts putting you at risk?
