 
IACCM - International Association for Contract & Commercial Management Contracting Excellence Magazine
 

Contracting Excellence Magazine - Jun 2010

 
 

 

Coping with Complexity: The Three Fundamental Questions

 
Increased complexity is not a new phenomenon, yet its pace and scale are generally viewed as unprecedented. Today's complexity is only in part due to technical factors; much of it is because traditional relationships are being undermined and altered. This strikes at the heart of the role performed by contract and commercial managers. A recent survey of more than 1,500 CEOs confirms the challenge - and the opportunity - that we face.
 
 

IBM recently published the results of its bi-annual Global CEO Study. More than 1,500 CEOs were interviewed and the most consistent theme - identified by 79% - was the challenge of dealing with increased global complexity.

This feeling is mirrored in a recent IACCM study, in which 92% of the contracts and commercial community agreed that ‘The amount of change and volatility in our markets has made contracting and commercial management more complex’. Our sense of an increasing challenge is not surprising when you discover that the primary issue identified by executives is 'the unprecedented level of interconnection and interdependency' in today's markets and business relationships.

It is not new news that contracting and commercial competence have become sources of competitive edge. In particular, the ability to tackle markets and customers with more creative and innovative terms and relationship offerings is a definite source of differentiation. This demands increased flexibility and imagination by both the buy-side and sell-side of contracting.

However, it is clear that this cannot depend on transactional improvements alone. Innovation cannot be solely through inspired exceptions - it must be built upon a firm base of business capability. Executives are clear about the nature of the changes they require. They call for increased creativity from those who wish to be leaders - and that creativity must focus on the need to become better at taking risks, better at eliminating rules and bureaucracy, better at making and managing customer relationships. 

This call from the top could scarcely be clearer. Where does the contracts and commercial community sit on the scale of creativity right now? Each of us must ask ourselves three fundamental questions - or better still, ask other internal functions:

  1. Am I (and my function) viewed as someone who is improving the company's ability to take risks?
  2. Am I (and my function) viewed as someone who is eliminating rules and bureaucracy?
  3. Am I (and my function) viewed as someone who is contributing to making and managing better customer relationships?

Unless the answer is a firm 'yes', then now is the time for action. If you are not sure how to drive these changes, it is time to engage with your professional community at IACCM. Draw from the research, the experts, the communities of practice, the message boards and the training materials to ensure that you not only discover how to cope with complexity, but in the words of IBM CEO Sam Palmisano 'Capitalize on complexity'.

 
 

 


 

 

The Challenges of Emerging Markets

 
Our lead story ('Coping With Complexity') highlighted the challenge facing executive management because of today's 'interconnected and interdependent business relationships'. Nowhere is this more apparent than in the web of international trading networks that contract negotiators and supply managers face today - and these have generated significant sources of risk. Yet much of this risk is because of unfamiliarity. IACCM is working to take the surprises out of doing business internationally.
 
 

"To issue an insurance policy in Russia, we have to print the policy document on special paper, provided through a single state agency. Supply is notoriously unreliable. We must then hand-deliver the document to the insured party and take payment in cash."

That is just one of the stories we have heard at IACCM since we started our survey on the difficulty of doing business internationally. The traps that await us in new or unfamiliar markets are many and varied. Of course, any experienced negotiator or contract manager knows to be alert - but alert to what? We typically understand the need to explore differences of law - but even these are often difficult to discover unless you ask exactly the right question. The same applies with business culture and practice.

"We thought negotiations were going really well, there were just a couple of points to be closed off. Then, out of the blue, a whole new set of issues was introduced. We discovered they simply didn't trust us, assumed we were lying - because that is what they considered normal in a former Communist republic." We are often operating to entirely different rule books which can lead to situations for which we have no plan.

In many respects, issues like corruption are easier to handle, because we mostly know when and where we are likely to encounter them. It may be much harder to grasp norms in areas like empowerment and authority - like the team that found itself at the signing ceremony only to be told that negotiation was going to start all over again, because the first team had been withdrawn since it exceeded its remit and had 'given too much away'.

The IACCM study is exploring member experiences in markets around the world, to share and increase our understanding of the typical pitfalls we encounter. We are looking at almost 50 countries and comparing the major trading nations (not all of which score especially well) with the primary emerging markets. The survey looks at performance on 9 different dimensions.

The core data is itself extremely interesting and informative. It will guide any contracts or negotiation team on the things to watch out for. But the plan is to dive deeper into the responses and to explore in some detail the specific types of incidents against which we must protect.

And the journey does not stop there. IACCM will communicate the results to relevant Government agencies to assist their understanding of the factors that are making their country more difficult and more risky to do business with, discouraging trading relationships and inward investment.

It is reports such as this which are fundamental to the value-add of the contracts and commercial community. Based on its findings, any participant will be equipped with exactly the sort of data that moves them into the 'creative' category highlighted in our lead story 'Coping With Complexity'.

The IACCM survey can be accessed at https://www.surveymonkey.com/s/marketcomparisons. All participants receive a free copy of the final report and their contributions remain confidential.

 
 



 


 

 

THE RISK SHARING MYTH DEBUNKED! Risk Ownership in Commercial Transactions

 
Ian Deeks, TEN SQUARED LIMITED
 
 
THE RISK SHARING MYTH
 
The issue I want to focus on in this paper is the 'sharing' of risk. It is a simple basic principle that a single risk cannot be effectively shared: one party needs to be ultimately responsible. To explain my point, use the analogy of driving a car: is it safer for one person to take full control of and drive a car or for one person to steer the car and another to operate the pedals? For clarification though, what I am not saying is that a bundle of risks cannot be shared: each risk within the bundle must be owned by one of the parties. Continuing the car analogy, it might be sensible for one person to be responsible for the navigation and for another to be responsible for the driving. When I refer to the party being “responsible”, I mean that that party will suffer the consequences should the risk come to pass. So given the party's exposure to the risk impact, it would be prudent for that party to pro-actively manage the risk.
 
However, when it comes to the matter of contracting for systems integration or a managed service or the like, this common sense basic principle gets lost in all the talk of partnership, collaboration and business criticality. Time and again, the customer and the supplier in their discussions are not clear about the fundamental point of which party is to bear the risk of delivering the desired outcome. Not surprisingly, therefore, when the inevitable non-delivery occurs, the parties' expectations are not aligned and, worse still, the contract is not clear on the point. So how do we prevent these problems arising?  
 
In a two party transaction (customer and supplier in this case), the risk of overall delivery can sit on only one side of the fence: it cannot sit on the fence (i.e. be shared) or be held by a third party. Even if it is a third party risk, for the purpose of the transaction, one of the parties must assume responsibility for the third party's risk. Also, the fact that one party has overall responsibility for delivery does not preclude it being dependent upon the other to do something in support of its overall responsibility.   Obviously any such dependency will need to be clearly and explicitly stated up front. (For completeness, but not further discussion in this paper, in a tri-partite transaction, the risk can sit with one of the three parties. And so on.)
 
So let's compare the situation where the supplier bears the risk with the situation where the customer bears the risk:
 
Supplier Accepts the Risk
 
Where there is a precise specification of the output, the customer would be justified in expecting the supplier to accept the risk, albeit subject to the customer fulfilling some dependencies outside the supplier's control. Accordingly, the supplier should be committing to delivering the specified output for a specified fixed price, usually by a specified date or to a specified quality. In these circumstances, the supplier should identify and quantify the risks inherent in its delivery and cost these into its price – this cost is often referred to as the “risk premium” or “risk contingency”. The customer pays the risk premium or contingency regardless of whether the risks materialise. The supplier should be deploying its expertise as an experienced supplier to manage out or minimise the risks and thereby to avoid or minimise use of the risk contingency, thus increasing its profit. Obviously, if the supplier does not manage the risk within the risk contingency, then its anticipated profitability is impaired. This avoidance or minimisation of risk is the prime role of project management.  
 
Where the customer's requirements are not fully and precisely specified, a supplier cannot be expected to take the risk of delivering an unknown or a not fully known output – to do so would be a mere gamble. In these circumstances, the customer has two options: either to fully specify the desired output or pay the supplier to do so on its behalf (whereafter the supplier should bear the risk of delivery as described above) or to accept the delivery risk itself and contract with the supplier for the provision of resources and materials which would be paid for on what is commonly known as 'a time and materials' basis. In the latter case, because the customer is bearing the risk, it should be making provision for the risk within its budget and it should be project managing that risk so as to avoid or mitigate the impact.
 
There is no middle ground between these two approaches, because, as stated at the outset, risk must ultimately lie with a single party: it cannot sit on the fence.

Common Pitfalls
 
Trying to Share the Risk
 
This is where many deals fail: the talk of partnership and collaboration leads to gain-share / pain-share regimes being invented, where the customer takes some of the 'gain' if the supplier, through its expertise possibly, is able to deliver at less than the forecast cost, but equally takes some of the 'pain' if the supplier, possibly through its negligence, suffers a cost overrun. Such schemes reduce the incentive for the supplier to do better than anticipated (because some of the benefit of so doing will go to the customer) and also reduce the supplier's incentive to deliver within the cost expectations (because the customer will share in the cost overrun).

Trying to Manage the Responsible Party
 
Another common pitfall is for the non-risk bearing party to 'project manage' the risk-bearing party's delivery: there is a very thin line between monitoring the other party's progress and project managing its delivery. Over-stepping this line leads to the impression that the non-risk bearing party is taking on the risk and also invites the defaulting supplier to justifiably say “But you told me to do it this way”.

Conclusions
 
So, in summary:

· Be clear with your customer / supplier about which party is to bear which risks;
· Document the arrangement clearly;
· Project manage those risks for which you are responsible;
· Tread the line between monitoring and project managing carefully; and
· Do not purport to share an individual risk.




IAN DEEKS, TEN SQUARED LIMITED 4/28/10
Copyright Ten Squared Limited
 
 



 


 

 

Information Governance

 
W. Scott Blackmer, Founding Partner, InfoLawGroup LLP
 
 
When it comes to creating policies for handling personal data in an organization, who decides? How are those policy decisions made and kept up to date?
These are questions of governance – I would call it “information governance.” Most large enterprises have established responsibilities and procedures for information technology governance and specifically for IT security policies, procedures, procurement, management, and training. In many cases, however, these have not been fully mapped to personal data compliance and risk management requirements, which should be defined and monitored by a somewhat different group of people, from departments beyond IT and security. Unless privacy issues are visible in the internal governance process, the organization – and the individuals that deal with it -- may be exposed to some nasty surprises.
 
One consequence of the growing body of laws, regulations, standards, and contractual requirements dealing with protected categories of personally identifiable information (PII) is a heightened awareness of the importance of establishing effective internal governance mechanisms. The organization needs to be clear on who decides, and how, key questions such as these:
• Which kinds of PII should be collected in the first place?
• Which categories of PII require particular safeguards or treatment, either legally or because the information is considered especially sensitive by customers and employees, or by the organization itself?
• How should PII be secured?
• Who should be given access to PII, and for what purposes?
• How are individuals informed of events (such as business changes and security breaches) and options (such as opt-in or opt-out choices) that affect their privacy and personal security?
• How should PII be disposed of at the end of its useful life?
In some cases, legislators, regulators, and industry standards bodies provide guidance on PII management and governance, at least by implication. But for the most part, organizations must find their own way to weave privacy compliance and PII risk management into effective internal governance procedures. Adding privacy to the organization’s governance structure, with constant reference to evolving privacy rules and standards, is one way to avoid costly mistakes and arm the organization with legal defenses in the event of a security breach or a serious privacy complaint.
I recently presented a workshop on “information governance” at the Vanguard Security 2010 conference in Las Vegas. Some of the participants, typically managers of enterprise IT security functions, were concerned about whether their employers -- companies, universities, healthcare systems, and government agencies -- were organizationally equipped to make appropriate decisions about collecting, securing, and using PII in a rapidly changing legal and regulatory environment.
It’s a legitimate concern. Organizations in both the private and public sectors are increasingly held accountable for the proper handling of sensitive or potentially dangerous PII such as health records, Social Security Numbers, bank account and payment card details, credit reports, and background checks. An effective system of both privacy and security governance is essential if the organization is to achieve substantial compliance, manage litigation and market risks, and respond adequately to privacy challenges and to security threats and incidents. Relevant laws, standards, and contract requirements sometimes mandate certain aspects of privacy or security management and, less frequently, governance. Otherwise, it is ultimately a matter of finding what best fits your organization’s leadership culture – although it may be helpful to compare models from other organizations with similar needs.
 
What PII Do You Handle?
Don Harris of HR Privacy Solutions often refers to personal data as the latest “controlled substance.” For purposes of this discussion, I use the term “PII” to mean whatever personally identifiable information your organization has an obligation to protect from unauthorized disclosure, use, loss, or alteration. In the US, that varies considerably by sector and jurisdiction. US state laws requiring personal information security measures or notification of security breaches (in all but four states) typically apply only to limited categories of PII that raise the greatest risk of identity theft, such as the SSN, driver’s license number, and bank account or payment card number (combined with a PIN or other access code). The US federal HIPAA and HITECH acts and a number of state laws more broadly regulate health records, while the federal Gramm-Leach-Bliley Act (GLBA) and financial supervisory authorities focus on the confidentiality of financial records. The Fair Credit Reporting Act is concerned with consumer reports. Equal Employment Opportunity laws often address the proper collection and use of information about race, ethnicity, religion, age, gender, disability, family status, or sexual life. Other laws protect information about students and their parents, licensed drivers, telephone and cable subscribers, persons renting DVDs and videotapes, library patrons, clients of mental health and substance abuse programs, people who seek refuge in battered women’s shelters, genetic data, and an array of other categories of PII deemed potentially risky to individuals. Meanwhile, an organization may be required contractually to handle certain kinds of data in a prescribed manner, such as the PCI-DSS standards that apply to the processing of credit and debit card payments.
By contrast, PII can be almost any information relating to an identifiable individual under the more comprehensive privacy and data protection laws in Canada, the European Union, Australia, Japan, and several other jurisdictions. Even in those jurisdictions, however, there is often an enhanced obligation to protect especially sensitive categories of PII such as those relating to race or ethnicity, health and sex life, religion, political opinion, trade union involvement, criminal records, consumer profiles, bankruptcy, personal financial records, genetic data, geolocation data (such as tracking a person’s physical location through his mobile phone or RFID security badge), and official identifiers such as passports and national ID numbers that could be used in fraud and identity theft.
Who Is Responsible?
Within the organization, who accepts responsibility for ensuring that all relevant categories of PII are handled appropriately? In some organizations, the Chief Legal Officer, Chief Information Officer, or Chief Technology Officer is considered primarily responsible for PII policy decisions. In others, the decisions may be made by senior executives responsible for human relations (employee data) or customer relations (consumer data). Obviously, policy decisions should be made in consultation with the legal or compliance functions in the organization. IT security managers will provide some of the tools and techniques – once they know what the requirements are and how to classify the data. HR management should be on top of employee privacy issues in all the jurisdictions in which the organization has employees (and their dependents) or independent contractors and temporary workers. The customer relations and marketing managers should understand the restrictions under which they operate and the disclosures and choices they must provide. Records management should implement appropriate storage and disposal policies. And many organizations now have a “privacy officer” (under any of a variety of titles) who is charged with offering guidance and making recommendations relating to PII.
Business managers also typically make recommendations, but their primary job is to see that the organization’s policies are implemented – that is the management function. Security and privacy governance refers to the process by which those policies are adopted in the first place and then monitored and adjusted. Ultimately, policy decisions should be made by senior or C-level executives or (for the most fundamental policies) by the board of directors or agency chief. Ideally, the CEO and directors are at least broadly aware of privacy and security issues affecting the organization’s handling of PII -- well before the first embarrassing privacy complaint or security breach hits the news.
Governance Requirements and Tools
Most PII laws and regulations are not terribly detailed in referring to information governance issues. It is simply the organization’s obligation to find the best ways to achieve compliance.
Corporate governance, particularly in publicly traded companies, offers some familiar and relevant models for information governance. In the US (especially under the Sarbanes-Oxley Act or “SOX”), Canada, Europe, and Japan, financial reporting laws or stock exchange rules require management controls in all areas material to the accurate reporting of financial results to investors and regulators. Under those laws, a CFO, CEO, or Audit Committee of the board must certify the effectiveness of the company’s control procedures. In most modern companies, IT is used for data collection and reporting and, indeed, is critical to the success of the organization. Thus, internal and external auditors refer to IT management “control objectives,” often with reference to the COBIT Framework published by ISACA.
IT control objectives may include items such as access controls, encryption, and data retention policies as required to comply with PII rules or to manage PII risks. In some companies, there is such a dependence on protected PII that management reporting expressly refers to relevant PII compliance requirements such as those imposed by HIPAA, GLBA, FCRA, PCI-DSS, PIPEDA, or national laws based on the EU Data Protection Directive. In those cases, PII compliance requirements are documented in specific control objectives with associated policies and procedures, assigned to responsible functions, and periodically audited and certified.
Apart from public company governance requirements, some laws and regulations specifically require that there is a designated person or department accountable for the security of covered PII, with an obligation to report to senior management. This is true of US federal health and financial privacy regulation, as it is of Canadian legislation incorporating the CSA’s Model Code for the Protection of Personal Information. In several EU countries and Switzerland, the organization may or must designate an internal data protection officer who reviews and maintains a “registry” of PII processing in the organization, renders a written opinion on proposals for handling sensitive categories of data, and reports directly to the highest level of management.
Increasingly, laws and regulations governing PII mandate a risk-based, written security policy. In the US, the HIPAA and GLBA privacy and security rules require written policies, as do the “Red Flag Rules” adopted by the Federal Trade Commission and the federal financial regulatory bodies to combat identity theft. The Massachusetts Personal Information Security Regulation requires a written information security policy (commonly called a “WISP”) covering the categories of data for which security breach notices are required. The Canadian CSA standard and several European countries similarly require or recommend written security policies, documented procedures, and approvals by the governing body of a company or agency.
E-government laws and executive policies in the US and Canada require agencies to designate a privacy officer, reporting to a senior agency executive, with oversight by an auditor or inspector general from outside the agency (or by the federal or provincial privacy commissioner, in Canada). US and Canadian federal agencies are also now generally required to prepare a privacy impact assessment (PIA), identifying PII needs and measures to mitigate privacy risks, before implementing a new or substantially modified information system that includes PII.
Some companies and nonprofits in North America and Europe follow a similar approach of requiring the responsible manager to prepare a PIA for review by a privacy officer and, if there are serious objections, by executive management. Some also undertake a baseline privacy audit to determine where the organization is already handling PII and where it might be at risk. Periodic security audits are common in many organizations, but the scope often needs to be adjusted to include protected categories of PII.
A variety of vendors offer “GRC” (governance, risk, and compliance) software tools and databases to help automate the task of identifying PII in the organization’s information systems and checklisting PII compliance requirements and actions. These can be helpful, although there is inevitably a need for knowledgeable individuals to review the scope, methodology, and results.
As much PII processing is ultimately outsourced, and PII is often exchanged with business partners, a key aspect of compliance is contract management. HIPAA and GLBA, the Canadian CSA standards incorporated in PIPEDA and provincial laws, and the EU Data Protection Directive all require a measure of due diligence in contracting with vendors to handle PII. Contracts that refer to the confidentiality of proprietary information should also address the confidentiality and security of PII. The procurement function in the organization needs to be made aware of PII risks and requirements, and procurement and legal personnel should ensure that there are appropriate confidentiality and indemnification clauses, security schedules, and any required provisions to meet sectoral requirements or legal conditions for cross-border transfers of PII (e.g., from the EU to the US or India). In some cases, it is practical and appropriate to make contractual reference to established information security management and control standards such as ISO 27001 / 27002, PCI-DSS, or NIST 800 series guidelines. An aspect of information governance is setting policies for such contract requirements and monitoring procurement practices that involve PII, since accountability itself can rarely be outsourced.
Trends and Keys
The privacy and data protection laws and PII security and breach notification legislation have motivated organizations to better understand changing legal requirements, to inventory their collection, use, and sharing of PII, and to minimize the use or retention of sensitive PII throughout the organization. In some companies that means, for example, reducing the instances where SSNs and other official identifiers are recorded or communicated, encrypting PII, outsourcing payment card verification, and imposing stricter data destruction schedules on customer and employee records.
Organizations have also been driven to establish or update written policies and procedures for handling PII, and then include these in training and internal audits, as well as in contracts with third parties.
Another trend has been to raise information governance to a more centralized and higher level of management and reporting, with privacy officers and IT security managers reporting to senior executives rather than to middle managers. This is an understandable result of high-profile privacy and security lapses affecting the organization or its peers, as well as of SOX, security breach notice laws, FTC and state investigations, and pressure from privacy commissioners and sectoral regulators.
From our observation, and from reports by professional associations and conference participants, it appears that two elements are key to the success of organizations that have established effective information governance relating to PII: a high-level champion that the CEO, board, and business managers will listen to, and a liaison team to review PII issues and make recommendations to management. Depending on the structure and mission of the organization, the privacy liaison team might include representatives of several functions that deal with PII: IT, security, HR, customer relations, marketing, government relations, labor relations, legal, compliance, audit, procurement or contract management, product development, international subsidiaries (subject to different PII rules). It is not hard to imagine who should have a seat at the table (or more likely on the email list and occasional conference call), but it may be a challenge to identify who will convene and lead the team, unless the organization has already designated a chief privacy officer or equivalent position.
In the end, good information governance depends not only on procedures and tools but on the quality, drive, and authority of those who lead the effort.
Posted on May 6, 2010 by W. Scott Blackmer
W. Scott Blackmer, Founding Partner, InfoLawGroup LLP
 
 


 


 

 


 


 


 

 

 

Contract Management Automation - Three Critical Success Factors

 
Katherine Kawamoto, Vice President of Research & Advisory Services, IACCM
 
 
After months or even years of thinking about automating your contract management, you are ready to take the leap. Good for you! There is no question that contract management has become more strategically important. Many executives have become aware of the role of contracts in providing business insights and managing key relationships. They also understand that poor contracting processes can lead to more frequent disputes, missed opportunities, and cost or revenue leakage.
The options available today for contract management automation are plentiful. Whether you are starting small or planning an enterprise-wide solution, without too much difficulty you can find a solution that meets your budget and technology requirements. If you are looking for a SaaS solution, ERP bolt-on, SharePoint solution, or a pure-play Contract Lifecycle Management (CLM) system, there are a number to choose from. But regardless of what solution you choose, no CM implementation is a ‘slam dunk’. Based on our research at IACCM, we have identified 3 Critical Success Factors that will make or break your CM automation implementation.
The First Critical Success Factor is the selection of an Executive Sponsor. A CM automation implementation will have an impact on a number of stakeholders across the enterprise. You will need the buy-in and support of an executive-level person in your organization to explain and advocate on your behalf to the other senior executives whose organizations will be impacted. The executive sponsor could be your voice to convince others that your project should receive budget approval. In all likelihood, the executive sponsor will require you to demonstrate a reasonable project ROI before they agree to advocate on your behalf. This is good, as they will likely know what other budget approvals are being considered and can coach you on how best to position yours. Do not underestimate the importance of having a strong sponsor involved early in the project. Keep the sponsor informed of key milestones, bottlenecks, and successes. And in the end, let the sponsor socialize the success of your implementation and even take credit for it!
The Second Critical Success Factor involves gaining support from other internal functions and groups. Particularly if the CM solution is implemented as an enterprise-wide solution, it is important to gain consensus and understanding from those stakeholders who will be either users of the system or impacted by its use. The contracting process is rarely contained within an easily identified group. You likely will have several different types of users of the system, its workflow and output. Identify and engage stakeholders early. Seek out their advice, inputs and criticisms. Better to have those discussions (sometimes heated debates) early, rather than in the middle or end of the implementation process. You might find that other functional groups are already addressing aspects of the contracting process that you were intending to address with your CM implementation. Do not be surprised to find that a number of groups have their own repositories of contracts or databases for maintaining key contract data. Leverage what you can from the other groups and make them a part of your extended implementation team. 
The Third Critical Success Factor is the quality of your Project Management. Selecting the right person (and core team) with the necessary skill set and leadership capabilities is often the difference between success and failure. This is a bit tricky, as you might have willing talent in your organization, but they may or may not be able to take the project to successful completion. Some might be technology gurus or just super practitioners up for a challenge. The ideal project lead has process knowledge and ‘corporate clout’. They need to be able to evangelize the vision and strategy and convince users of the system that their adoption will benefit them personally as well as the overall organization. Rarely will you find a single individual with all the skills or time necessary to handle the implementation alone. You will need to assemble a team of skilled individuals led by a leader with vision, respect and exceptional team-building skills.
Katherine Kawamoto is the Vice President of Research & Advisory Services at IACCM.
 
 
 
 


 
 
 

Disclaimer

This newsletter is intended to keep readers abreast of current developments in the field of contract and commercial management. It is not, however, to be used or relied on as a substitute for professional advice. Before acting on any matter in the areas, readers should discuss matters with their own professional advisers.
This site is provided by IACCM on an 'as is' basis. IACCM provides this web site as a service to those people seeking contracting and commercial news and information. IACCM assumes no responsibility for consequences resulting from the use of information on the site or information obtained through links. IACCM will not be liable for any damages of any kind arising out of use, reference to, or reliance on any information contained in the site. IACCM is not responsible for the accuracy or content of information contained in the site or in the links provided on its site. Links to and from IACCM do not constitute an endorsement by IACCM of the parties or their products and services.

Copyright

The content in this publication is copyright. Except as permitted, no part of this publication may be reproduced by any process, electronic or otherwise, without the specific written permission of the copyright owner.

All content included on this site, such as text, graphics, logos, button icons, images, audio clips and software, is the property of IACCM, or its content suppliers or an identified third party and is protected by international copyright laws. The collection, arrangement and assembly of all content on this site are the exclusive property of IACCM and are also protected by international copyright laws. Any reproduction, modification, distribution, transmission, republication, display or performance, of the content on this site is strictly prohibited.

Use of this site

This site or any portion of this site may not be reproduced, duplicated, copied, sold, resold or otherwise exploited for any commercial purpose that is not expressly permitted by IACCM. Unauthorized attempts to upload information or change information are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986.

Published by IACCM, 90 Grove Street, Ridgefield, CT 06877, USA www.iaccm.com