Revisiting risk and return in modern digital procurement

23 March 2023

by James Patto

Like technology itself, the process of acquiring technology in a modern, digital world has seen substantial change.  

More and more, organisations are finding themselves managing large transformation projects that transition from traditional IT procurement arrangements (often single source, long term, fixed pricing) to a more decentralised suite of vendors under outcome-based, agile, pay-as-you-go arrangements. Further, more organisations are finding themselves subject to regulatory regimes which require an all-hazards approach to risk management, including through their supply chains (for example the new APRA CPS 230 standard and the new Security of Critical Infrastructure Act 2018 (Cth) reforms).

A new breed of tech vendor

Although the tech industry remains dominated by the traditional tech giants, the repeated success of IT start-ups and scale-ups has resulted in a new (and growing) range of tech vendors looking to service clients across all industries. From government to health to banking and beyond, smaller tech outfits are bringing innovative tools to the market which have the potential to greatly enhance the quality of services provided by traditional organisations to end customers.

In fact, innovative new technologies and delivery methodologies tend not to come from the large software and technology providers, but rather from organisations in their relative infancy who are software-centric, tangible asset poor and leveraging other third-party digital platforms. 

Procuring from scale-ups requires a different approach 

As a result, organisations are realising that to remain relevant and stay competitive in a digital world, they are increasingly required to engage and work with smaller IT vendors.  

Compared to the traditional larger IT providers, these vendors may represent a different risk profile to the organisation as they often do not carry strong balance sheets and potentially lack assets or backing to secure legal and contractual obligations. But this shouldn’t be seen as a reason to avoid engaging with an innovative and progressive part of the market.

Some organisations seek to address these risks by applying traditional contractual mechanisms such as high or non-existent liability caps, onerous vendor indemnities and punitive service level regimes, using their bargaining power and the eagerness of a smaller provider to obtain an extremely favourable contractual liability framework.

However, traditional contracting methods (including traditional contractual protections) can be largely ineffective because:

  • the contractual liability regime must be considered in the context of the vendor’s ability to meet the obligation (or fund liabilities). If the vendor does not have the capacity (or backing/guarantees) to support these positions, they can prove ineffective and potentially destructive; and 
  • vendors can adopt a light-touch approach to onerous, acquirer-friendly risk management positions. This is often evidence of a practice adopted more generally with other customers. As a result, an organisation becomes vulnerable to contractual positions obtained by other customers, which could result in a single customer rendering the vendor insolvent before the organisation can recover its loss. This is sometimes referred to as “contract irrigation” risk.

Working with scale-ups: an active relationship

For other organisations, the risks appear insurmountable, stopping their business from receiving the benefits of innovative new (and often, lower cost) solutions that come from a diverse vendor pool.  But procuring from scale-ups does not need to be that difficult. Although there are new and sizable risks of engaging entities in the start-up and scale-up stage of their lifecycle, a change in procurement strategy is all it takes to responsibly engage smaller vendors.  

Put simply, the change required is a move away from reliance on conventional/passive risk management techniques, and instead to facilitate a much higher level of active project risk management (i.e. taking on a closer ‘partnering’ relationship).  

The contract remains an essential tool used by a customer, but rather than rely on contractual mechanisms which invariably presuppose a failure on the part of the vendor, organisations should be looking to create mechanisms designed to mitigate or minimise the risk of failure, or at least provide the organisation with as much warning and visibility as possible in relation to such risk. A little more investment up front in actively managing the relationship with the smaller vendor can lead to significant gains for both vendor and customer in the long run.

Risk management in a scale-up vendor engagement 

There are several strategies - contractual and otherwise - that an organisation can utilise to manage the risks of engaging a scale-up vendor. These strategies include: 

  • engaging a local and substantial prime contractor who can assume primary responsibility for prime contract performance/project delivery; 
  • engaging a local and substantial business implementation (BI) partner who acts as a proxy for the organisation and brings specialist contract and project management capabilities to the project; 
  • taking an equity interest in the vendor to obtain the benefits of part ownership such as greater visibility and control of the vendor, improved liquidity and enhanced management and technical capability; 
  • if taking an equity interest is not possible, obtaining rights to directly participate in the management of the vendor, providing greater visibility and potential influence over the vendor’s business; 
  • utilising a short term consultancy agreement with a vendor for the period of time in which the organisation confirms the viability of the vendor against pre-agreed metrics; 
  • separating or de-scoping the project based on priority areas or risk and running separate, distinct programs of work (these could be geographically, technically or operationally isolated) to narrow or isolate the scope. As the vendor proves itself, its role can then be progressively ramped up and expanded (or, if issues are encountered, pre-agreed ways to step back can be invoked);
  • maintaining significant in-house capacity/capability to support the project and be prepared for problems, not just to ensure successful implementation but to provide a potential backstop/fall back if things go awry and the organisation needs to be able to “step-in”; 
  • including a set of contracted principles connected to the governance model to drive a “partnering” relationship to ensure that senior executives participate in the governance, provide full transparency, work closely with other third-party vendors etc.; 
  • utilising targeted traditional contractual protections (and actively managing and enforcing these rights) such as: 
    • escrow arrangements (even in SaaS environments) 
    • parent company/third party performance/financial guarantees 
    • traditional step-in rights and transition out protections 
    • securing key personnel/know-how 
    • development stage events/consequences/payments 
    • insurance options to supplement 

Inevitably, organisations are going to have bad experiences with smaller vendors, just as they may with the heavyweight tech providers.  

However, by implementing some of the risk management techniques listed above and building strong ‘partnership’ like relationships with vendors, the risk of a bad experience is mitigated, and the risk of failure is more likely to be identified before the organisation suffers substantial losses that it cannot recover from the vendor. In the end, the greatest risk is falling behind in the market and missing out on innovative new products from smaller, more agile vendors.


The information contained in this article is general in nature, and is not intended to be a substitute for legal advice. Readers should obtain independent legal advice as to their specific circumstances. 
