Great questions from Thursday's event! For the complete Q&A session, watch the replay! Or start a discussion!



Q: Our legal department currently has a contract management solution.  We are interested in Ariba for Global Indirect Procurement contracts. Have you seen this before?  Do you discourage this redundancy? How do we align these systems to support each other?  


A: I have heard of this and aligning the systems would be efficient and less costly. IT would be able to help align the systems to support each other and the common configuration of the data you are collecting could also be aligned between the systems. This would help you in the future if you were to go to one system.  
Answered by Debby Leap, Sr. Director of Strategic Sourcing, Havi Global Solutions


Q: Do you separate contract analysis (review, drafting and negotiation) from contract administration (project management of milestones and compliance to contract)?   I believe Craig and Chris both had views on this topic.


A: In a nutshell, “No.”  Although I have worked in a number or organizations where the two are separated, the new contract being ‘passed over’ to the delivery team to run and manage. I have always preferred an integrated Commercial function with both pre and post signature accountability vested in the same group and ideally in the same individuals. My experience has been that the deals negotiated by those people with the real world experience of delivering them are more pragmatic and realistic in their ambitions and when there are  renewals or indeed disputes, they are analyzed and negotiated by teams who have closer worker relationships. That having been said, while it is my preference to combine pre and post as we discussed earlier on the call this morning, it is a usually a matter of operational and budget balancing!

Answered by Chris Davies, VP Commercial, Fujitsu



Q: With respect to Craig's point on mitigating risk, what should be the risk management group's function in contract management?  

Q: Is there a suggested 'one company' answer to address risk, i.e. what our team as commercial/contracts knows as acceptable risk, other functional areas, such as finance, sales, etc. might have a different response.  Defining risk continues to be a challenge. 


A: These two questions have a common thread, which is the role of different functional organizations, including Risk Management, in addressing risk in contracts.  As such, they highlight the importance of a holistic view of risk management across a company's activities, rather than an ad hoc, functional approach.  This is, of course, easy to say but can be very difficult to implement in practice, particularly across large organizations.


In addressing the challenge, I would note that the term "risk management" does not mean the same thing to everyone, particularly when used to refer to a functional group.  Some "Risk Management" functions are focused on purchasing insurance or mitigating the risk of operational disruptions, while others have a broad mandate to manage all forms of risk across the enterprise.  I think about risk as any deviation from expected outcomes and about risk management as handling those deviations in a way that achieves the organization's stated objectives.  For most companies, this means maximizing profitability (although, depending on the mission of the organization, other objectives, such as operational continuity or reputation, may take precedent).  Thus, the process involves (1) identifying, then (2) analyzing, and then (3) managing risk, and risk management will involve some combination of eliminating the risk (e.g., not doing the deal), mitigating the risk (e.g., taking steps to minimize the likelihood or impact), absorbing the risk (e.g., pricing it into your business model), and transferring the risk (e.g., shifting the risk to another party through contractual terms and conditions and/or insuring against it).


The key is building a risk management process that results in the profitability outcome (or other objective), and there are at least three challenges that must be addressed.  To illustrate these three challenges, take a simple hypothetical: a series of transactions that each represent an 80% chance of a $1 million profit and a 20% chance of a $3 million loss.  If your objective is to maximize profit, the proper risk management strategy will result in the company entering into this transaction (because the company will realize a total net profit of $2M for each 10 transactions).  But there are three challenges to reaching this rational company-wide decision:


First, are you looking at the right data (or any data)?  My hypothetical assumes perfect knowledge of the cost/benefit ratio, which rarely exists.  But even if you do not have enough data to build an actuarial table, it is likely that you have access to at least some data about the likelihood and possible impact of the risks that you have identified.  Are you analyzing risk using the best data available to you, or are risk management decisions in contracts based on "gut reactions"?


Second, we must recognize human limitations in performing rational analysis of risk.  Over the past few decades, behavioral economists and psychologists have compiled a significant body of literature that demonstrates that we regularly and predictably make risk decisions that are not economically rational.  This is a complex and fascinating field that is beyond our ability to explore here, but I will note just one illustrative example.  Studies have shown that we have what is called an "availability heuristic" that causes us to overestimate the likelihood of risks for which we have recent examples or even that we are asked to visualize.  So, if your job is to identify risks, it is very possible that the mere act of focusing on possible risks may lead you to overestimate the likelihood of those risks occurring.  Are you calibrating your risk analysis process for these biases?


Third, organizational design and interaction is vital.  Even if we solve the first two challenges, i.e., even if we base our decision-making on perfect data and calibrate our analysis for any individual biases, we still may not reach a rational decision at the company-wide level if different functions' incentives are not aligned.  To return to the hypothetical, if Joe in Sales receives a bonus based solely on revenue but Mary in Legal will be penalized for the deals that result in losses, then Mary may (rationally) reject these transactions even though she may know that, on balance, the company will benefit.  (Conversely, Joe would (rationally) push to enter into the transactions even if there were a 20% risk of $5M loss, i.e., even if the overall cost/benefit analysis turned negative for the company.)


In sum, proper risk management requires an organization to address several issues:

-- What is the outcome that the company as a whole wants to achieve through risk management (profitability or otherwise)?

-- Once a risk is identified, the analysis must address both the potential gains and losses related to that risk.

-- The question of which functions play which roles in risk analysis is less important than having a defined and holistic process for the analysis.  There isn't a single correct answer on the exact roles that should be played by Risk Management, Finance, Legal, or Sales; the key is being aligned on the desired company-wide outcome and being clear on who is providing which parts of the analysis.  If the individuals involved do not have incentives that are aligned in common with the desired outcome for the company as a whole, they will rationally take risk management positions that, taken together, may lead to irrational risk management outcomes for the organization.

Answered by Craig Silliman, Senior Vice President & General Counsel, Verizon