The Convergence of Contract Management and Third-Party Risk Management

In today’s highly automated business operations there is an abundance of software tools to help organizations more effectively manage their business processes with fewer resources. The Contract Lifecycle Management (CLM) space is certainly one in which solutions abound to help manage the contract lifecycle. A similar statement could be made about the wide variety of Third-Party Risk Management (TPR) solutions available in the marketplace. CLM and TPR tend to be treated as separate, siloed functions as one domain is not contingent on the other in most organizations. However, there is a strong business case to be made that they should be operationally integrated.

What is Contract Lifecycle Management?

Although many definitions exist, CLM is simply a process of creating, executing, and proactively managing the relationship between an organization and one or more third parties to ensure the fulfillment of commitments made by each party.
While there are multiple dimensions to CLM and multiple types of contracts, most contracts follow a similar lifecycle:

  • Creation and Authoring
  • Definition of Terms, Conditions, and Obligations
  • Internal Collaboration and External Negotiation
  • Workflow and Execution
  • Obligation and Relationship Management
  • Analysis and Optimization
  • Renewals and Closeout

What is Third-Party Risk Management?

TPR may not be as common a phrase today as CLM. However, TPR is the overarching process of managing an organization’s Governance, Risk, and Compliance (commonly referred to as GRC). As with CLM, TPR is multi-dimensional in that it can encompass many different aspects of risk management depending on the operating parameters of a specific organization. This would include an onboarding/due diligence process that might include the internal review and analysis of at least some of the following aspects of a Third Party:

  • Financial Performance
  • Credit Scores
  • Regulatory and Compliance Reviews
  • Social and Reputational Perspectives
  • Ownership and Management Structure
  • Risk Rankings/Scoring
  • Ongoing reassessment

Specific industries will place more emphasis on some areas (e.g. financials, money laundering, politically exposed people, etc.) than other industries, based on regulatory demands. Other industries may need to place more emphasis on brand reputation and corporate culture when considering a contractual relationship with a third party. See also "Preparing for Third Party Risk Management" for more information on setting up a TPR program.

CLM and TPR Traditionally Have Been Distinct Functions

Over the past 20 years, there has been an explosion of software solutions tailored to separately address CLM and TPR requirements. A Google search will quickly find well over a hundred Contract Lifecycle Management products in the marketplace. A search for Third-Party Risk Management tools will provide even more results, although there is a broader spectrum of risk management tools compared to contract management.

CLM and TPR Joining Forces to Deliver Better Outcomes

It would seem logical to bring these two processes together to ensure the continuity and the effectiveness of due diligence prior to contract signing. Additionally, it is critical to ensure the ongoing monitoring of the higher risk third-parties to ensure they continue to meet the standards and practices formalized in the relationship.

Undertaking defined levels of due diligence based on a calculated risk score can drive varying levels of compliance reviews, so that you know who your third parties are and document the results before engaging in the contract process. It is much better to know that you have properly vetted the third party before investing any time building and negotiating the contract.

Once the contract has been executed it is critical to your organization’s brand and reputation to perform regular checks on the third party to ensure they are living up to expectations. The frequency of these checks will be predicated on the level of risk presented by the relationship.

Process Steps to Success

The success of the combined TPR and CLM process can be achieved very easily by using the right tools and some simple procedures. Here is a high-level view of the steps:

  1. Identify the Third Party and document key information.
  2. Define the relationship in terms of parameters required to assess risk. These can include the location of the Third Party, the products or services offered, financial condition, the estimated value of the contract, etc.
  3. Manually or programmatically assign risk ratings on the key items to determine a risk level (i.e. low, medium, or high).
  4. For higher risk third parties it is a best practice to vet the key individuals associated with the Third Party, related subsidiaries, associated relationships, etc. This can be done through one of the many available database providers (e.g. Thomson Reuters, Lexis Nexis, Dow Jones, Dun & Bradstreet, etc.) to get a complete and cost-effective picture of the third party. Established interfaces from the TPR tool to the database providers are a critical success factor here.
  5. For efficiency, it may be necessary to provide a portal in which the third party can easily respond to a predefined questionnaire. Questionnaires can be specifically geared to the risk levels or other attributes. These questionnaires are used to collect detailed data and documents relating to ownership, base of operations, financial data, etc., and to obtain required documentation or artifacts.
  6. Complete the level of due diligence deemed necessary based on the risk level.
  7. The findings of the due diligence will determine if there are any additional reviews required or if additional research (i.e. an Enhanced Due Diligence report) is needed.
  8. Once the third-party has been approved, a click of a button can transfer the key data to initiate the Contract Record and notify the necessary individuals.
  9. The contract process of assembly, negotiation, approval, etc. can now proceed, knowing that the proper checks are in place and all the necessary procedures have been undertaken.

Is There Value in Combining TPR and CLM in One System and Process?

For some types of contracts where the risk level is low, there generally isn’t a need to spend a lot of effort on onboarding activities. But having a consistent approach to determining what the contractual relationship will be and what the risk level is constitutes sound business practice. The process doesn’t need to be cumbersome or onerous. The start of the process is as simple as answering some basic questions and letting the system drive the required steps to ensure corporate policies and procedures are followed, while at the same time providing a full audit trail. Being able to prove that you have an effective and adaptable risk management program will go a long way toward complying with the ever-changing and demanding regulatory world organizations operate in today.