Yes, many organisations are moving beyond mere compliance statements to real actions on the ground. Have a look at the websites of QANTAS, ANZ Bank, and Marks & Spencer in the UK as examples. I can share more on this topic at our Perth Member Meeting, including what the Mekong Club, STOP THE TRAFFIK, and the Bali Government Forum are also doing. In your part of the world, Western Australia, also check out what Twiggy Forrest is doing.
Thanks for the question and we will hear what others have to say. See you next Tuesday.
Bruce R. Everett, Regional CEO Asia Pacific IACCM
+61 407 535 835 www.iaccm.com
• Fire and Emergency NZ
Hi Gaurav - good question to get the discussion going.
Will be exciting to see what others are doing. I found this overview from Lexology really useful to think about those issues:
It also took me to the link on those who are meant to help prepare guidance (but not much there yet):
Will be looking up the examples that Bruce has outlined in his post as well to see how some of the bigger companies ahead of the game are looking at it.
Things like these, whilst they can be lots of compliance, can be a good opportunity for procurement teams around the country to look at portfolios and make some early assessments of those contracts at risk!
Hi Mary Jo - great question. We've tried to take a lot out of the workload by investing up front in standard templates as much as possible. If you're only then putting in place objectives and milestones and special conditions to deal with unique risks, whilst keeping the rest as identical as possible, we found that we've saved a lot of time and effort in the process. Our former solicitors / lawyers were a little bit upset though!
Where possible, we've also tried to align legal manager to a procurement category. That helps balance things out, but that way they also see that there are themes or risks that might resonate within that area or require a new standard contract term.
Hope this helps
Hi Darren, Thank you for your response. Can you clarify what you mean by "we've also tried to align legal manager to a procurement category"? Would a procurement category be a business segment?
• Fire and Emergency NZ
Hi Mary Jo - sure. Business segment, category or team - by whatever name, we're talking the same.
Hope that this helped, and would love to hear any comments as to how others have done this as well!
As Bhagavathi N pointed out, a self certification/declaration can be taken to ensure no deviation is taken by a bidder. This would help in evaluating bids faster.
Following is the indicative language of that declaration for your reference:
"We hereby agree to fully comply with, abide by and accept without variation, deviation or reservation all technical, commercial and other conditions whatsoever of the Bidding Documents and Amendment/ Addendum to the Bidding Documents, if any, for subject work issued by_________.
We hereby further confirm that any terms and conditions if mentioned in our bid, shall not be recognized and shall be treated as null and void."
In addition to all your suggestions, I would think that a self certification from all the stakeholders would serve as a good base for your update to the management unless of course you are using a contract management software that allows you to generate compliance reports.
Hi Mark, Happy to discuss. Send me an email via email@example.com and I can talk about the principles I use.
In my view I don't believe, as a community, we have fully bottomed out all the risks associated with these types of engagement.
• Nokia Solutions and Networks Australia Limited
For a very good, concise review of the principles and issues of cloud agreements generally, covering most of your points above (my view anyway), you might also check out David W. Tollen's book "The Tech Contracts Handbook" online or via this website:
I'm just trying to understand your position.
Considering that you are managing all contractual relationships with another company (buy and sell side) actually sounds good from your company's perspective. It would mean that your leadership can expect you to have a full overview of the contractual back and forth with this JF. Therefore I assume it's hard to change the mind of your leadership, since I would expect them to see your double role as positive.
However, on the other side there is your personal position, meaning being somewhere in the middle of a sandwich, right? I'm not sure about your empowerment, but in the worst case you also have very limited authority to change some company rules (discounts, penalties, payment conditions, acceptance criteria etc.). And on the buy side you usually have different contractual expectations than on the sell side. I assume this is the tricky part in your situation: fulfilling the internal requirements for buy and sell side with the same contractual partner at the same time (and maybe your partner also asks you if you are a bit crazy, since you request such different contracts depending on whether you are on the sell side or on the buy side).
When the conditions your company expects in contracts are very different on the sell side and the buy side, this should be communicated as an issue (to your leadership). I think there are two options as a solution: either the requested second CM as you suggest, or an escalation to the leadership to align clear buy and sell conditions between your company and the JF, which are equal to both parties. Such framework conditions would at least make your position clearer. And maybe there won't be any more need for a split of the CM roles on the buy side and sell side?
Since I couldn't find much information in your post, I hope this is somehow helpful?
If your uncomfortable position has other reasons, please let me know.
• Omaha Public Power District
I probably would start collecting facts: Firstly, establish the relationship between Your Company ("Y Company") and Company X ("X Company") by looking at any specific, written agreement about the services ("X and Y Services"). Also, establish clarity around (1) Y Company's services to be provided to X Company, and (2) X Company's services to be provided to Y Company. At this point, are there any conflicts that you can see/anticipate in your ability as the Contract Manager during the provision of X and Y Services that perhaps could result in non-performance or non-compliance? Also, how do you escalate and cure any issues of non-performance (for example)? Secondly, I would review the files documenting any legal review, if any, prior to said agreement being reviewed for signature/execution. Were there any concerns that were raised and eventually resolved (internally)? At the very least, you could start with the resource allocation -- that is, regarding your time management and how to better allocate your skills -- in developing your case. Hope this helps. Regards ~ Rose
It's an interesting role and I recommend your decision to bring in another manager to take one of the contracts.
I would recommend to present this as two different roles:
On the buy side - Contract Manager would play role of a customer and to manage Company X, need to drive and establish Vendor Management Discipline around Contract Administration / Governance / Service Performance / Financial Management / Risk and Compliance
On the sell side - Contract Manager would play role of an engagement partner to drive business relationship / Value addition to Company X/ increase revenue generation from Company X to your company / Joint go-to-market strategy if possible.
Just in case you still need a few other pointers, consider the following:
One thing sales people understand is numbers, so approach it from an accounting point of view. Since the contract is void, consider discussing the fact that they will not be able to meet all the GAAP principles for revenue recognition, and if your accounts folk are diligent they probably will back you up (but run this by them - accounts - first. Companies interpret or apply GAAP revenue recognition differently).
Since Company X no longer exists and as such has no contracting capacity, it can't assign/novate the contract, which will impact collectability should the New Company choose not to follow through with what it has implied it would do re: payment.
If you are required to create a new agreement using the same or similar terms and conditions, consider preparing a risk assessment analysis of the contract and let the stakeholders approve the risk they are taking on by utilizing the same Ts & Cs so everyone is on the same page. Whatever discussions or approvals were obtained for the former Company should not apply to the New Company.
Given you are talking about actually processing personal data (suppliers' reps details), if this falls under the GDPR then it would be prudent to update the contracts to that effect (See Art 3 of the GDPR for full territorial scope, but this could mean a company based in the EU or processing data from EU individuals or companies). I believe the first step is reaching out to your Legal team and DPO and get an assessment specific to your business operations and identify the cases where you qualify as a data processor or controller. As a general approach, according to Art. 5 of the GDPR, you need to inform the individuals about collecting and processing their data, as well as the purpose of the data processing. Direct consent could also be required (see Art 7). If your organisation has already implemented the processes to comply with the GDPR, it would only be a matter of including it in the contracts or working with localised templates (i.e. include it only for your company's OUs or suppliers based in the EU).
Hi there. I have submitted and forwarded your question to Daniela Badescu, who is the practitioner in charge of the IACCM Community of Interest "Data Privacy and Data protection", and who has recently delivered a webinar on GDPR. Daniela will be back to you on this. Thanks
• Willis Towers Watson
This is a very interesting point. Thank you for raising the question.
As all is still new with GDPR, it's hard to say what the actual practice is.
One aspect to consider is that the administrative fines are tiered, with the first being up to 2% of the turnover or 10M Eur (whichever is higher) and the second tier up to 4% or 20M Eur (whichever is higher).
Let's assume a consultant provides a set of recommendations and implementation guidelines. GDPR consultants could argue that following that advice is the company's business decision and that applying and maintaining the processes to remain compliant is the company's responsibility.
Also, holding a consultant liable for up to 4% of their customer's turnover may be more than what they can/are willing to cover. I.e. assume an organisation has 10M EUR turnover - this means the consultant's liability would be up to 400,000 EUR. How does this measure against the consulting fee?
To set up a liability coverage, I believe it may make sense to look at fines in the context of specific contractual obligations and see if based on that, the fines qualify as direct or consequential damages.
It may be different for contracts where there is a continuous service to design, maintain and review the GDPR related processes. Still, the level of liability remains subject to negotiation and I would rather expect it to be tied to the actual contract value and not on fines or other operational costs that may result from non-compliance.
What type of contracts are you looking at? It would be great if you can share what you have seen.
Thank you for your kind response!
It seems it is becoming practice for companies seeking GDPR consultants to require liability for administrative fines and related costs incurred.
You have asked about the contracts: these are service/consulting contracts between a GDPR consultant and an SME company (client) which intends to outsource GDPR management/compliance to an external consultant. The services would typically include investigation of readiness for GDPR, preparation of guidelines the company should comply with with regard to GDPR, impact assessment and gap analysis. The value of such contracts is a fraction of the administrative fines which might be imposed upon the client by the authorities in case of a GDPR breach. GDPR consultants who refuse to accept full liability for the administrative fines often lose their opportunities and clients.
I do not fully understand your paragraph on direct and consequential damages. Could you please kindly explain?
Thank you again for your time and help.
• NISSAN Europe (Alliance Renault)
Please share any market trends regarding "super caps" instead of unlimited liability in case of data and/or security breaches for SaaS, PaaS and IaaS contracts. Thanking you in advance, Hubert
Hubert - this wasn't SaaS, PaaS, IaaS specific, but on the most recent contracts relating to ICT managed services I've worked on (network and apps support), the customer took an approach of requesting unlimited liability, then relaxing back to a super cap between £15m and £25m (depending on bargaining power).