Learning from a $150 Billion Compliance Failure

How a 10-minute survey cost Facebook $150 billion

In 2013, an academic named Dr. Aleksandr Kogan created a Facebook app called “this is your digital life” which asked users questions for a psychological profile purportedly for academic use. In violation of Facebook's contractual terms, he then sold users’ responses and personal data to Cambridge Analytica, which then used it for political campaigns. The ensuing scandal cost the social media giant the trust of its users who reacted by leaving the platform in droves. The stock plunged, erasing $150B of market value in 90 minutes.

While most businesses may not relate to a $150B loss in market value, they may pay attention to a 10 percent reduction in annual revenues. That’s the amount the International Association of Contract and Commercial Management (IACCM) reports the average company loses to poor contract management practices. When typical profit margins hover around 10 percent, even halving this loss can increase profit margins by 50 percent. Even more critical than plugging revenue leaks is protecting against the security breaches that pose an existential threat to the enterprise, such as violating regulatory mandates or exposing customer or proprietary company data.

What can we learn from one of the most expensive contractual compliance failures in history? For one, it’s not enough to mandate compliance in contracts; companies must have a robust way to monitor compliance and take immediate action to remedy breaches in real time. And second, the volume and velocity of business is such that if you’re not using some form of automation to monitor compliance, it’s a certainty that you’re missing things that are costing you serious money. A contract management system that automates monitoring of your contract terms will pay for itself almost immediately by plugging revenue leaks and, more importantly, will offer much better protection against existential compliance failures and security breaches.

To fully apply these lessons, let’s examine some common compliance and security risks and how businesses defend against them. 

Data Security

Let us begin with the top-of-mind issue of data security. Security risks related to digital data are among the most difficult to police. Digital systems enable incredible efficiency but make it easier than ever to steal information. Whether it’s valuable IP, pricing information or confidential customer and employee data, once the perimeter is breached, the potential damage is much higher with digital systems. Whether it’s falling for a phishing scam or simple carelessness, typified by reusing the same password across environments, the weak link is often the interface with humans. For some organizations, the risk is so dire that they are choosing to sacrifice the convenience of digital for the security of analog systems.

For example, the Kremlin uses manual typewriters and does not store the most sensitive information electronically. There probably aren’t many organizations that want to go to that extreme, but the point is clear. Storing contracts with a treasure trove of confidential information on individual computers is an open invitation for theft, especially when the information is accessible to anyone. A contract lifecycle management (CLM) system that manages access with well-defined permissions is critical to ensuring data security. CLM software allows organizations to configure access permissions down to the document field level and apply varying levels of permissions based on location, group or individual user. 

An example of a company securing its IP with well-defined permissions is Aviation Technical Services. One of the country’s leading aircraft and maintenance services companies, ATS has more than 9,000 sensitive contract documents in various locations. Its CLM system ensures each document can only be accessed by properly authorized personnel based on specific criteria such as primary department and location. The system preserves security and gives employees and contractors immediate access to the information they need.

Regulatory Compliance 

Regulatory compliance refers to government mandates that govern the business, such as HIPAA or Sarbanes-Oxley. These often complex requirements are generally included in contract documents with each party’s obligations clearly spelled out. When managing large volumes of contracts, the challenge is to ensure that the appropriate clauses are included and to monitor internal and external compliance. Contract management software simplifies the process by digitally auditing current contracts to ensure they have the appropriate clauses related to data privacy, arbitration, confidentiality or other regulations that affect your business. Once you’ve identified the gaps, your legal team can update the contracts with the appropriate language and contact any third-party signatories. A central digital repository for all your contracts also helps track other types of compliance and allows advanced systems to trigger business process automation to aid future operations.

Operational Compliance

Operational compliance relates to the terms and conditions of your contracts. Facebook is a cautionary tale of what can happen when you are lax about monitoring compliance with contract terms, but for most companies, the majority of operational risk revolves around revenues and expenses. As a basic best practice, contracts should clearly define performance obligations that your contract management system can track and manage. 

A simple example is payment terms. Most companies outline payment due dates in contracts with penalties for missing the deadline. How many companies track those late payments, let alone enforce the penalties? What about contract renewals? Do you keep track of when contracts are expiring and send renewal notifications to ensure there’s no slippage in payments? On the supply side, a common form of operational non-compliance is overpayment due to poor tracking of volume or other discounts negotiated in the contract. Of course, putting performance metrics in place is the easy part. The hard part is matching real-world behavior to contractual obligations and taking timely action. Doing this is impossible without automating contract management.

A good example of a comprehensive, automated approach to compliance is OB Hospitalist Group (OBHG), a provider of healthcare services with more than 120 programs covering 560 doctors in 28 states. OBHG faced a massive challenge in tracking the contract expirations and renewals associated with hundreds of vendors in addition to accounting for discounts and other contract obligations. And on the revenue side, matching insurance payments against the services delivered was equally daunting.  

Automating its CLM gave OBHG accurate, up-to-date cost and renewal information, eliminating overpayments and providing visibility into its revenue cycle. The result has been not just cost savings and better use of resources. It has also contributed to business insights that have helped OBHG make better strategic decisions and continue to grow profitably. 

In addition to compliance, automation offers several efficiencies in streamlining operations. For example, if you don’t use standardized contract templates and language, you’re going to end up with long lead times and longer negotiation cycles, which will lead to stalled projects and missed opportunities. Automation also ensures a standard workflow with well-defined protocols and procedures for approvals. This alone can speed up business operations and greatly reduce the time and effort required for audits.

The best CLM software enables precise and configurable security as well as the flexibility to integrate with ERP and CRM systems or other business processes. Even better are systems that extend beyond the organization to offer vendor and customer portals, enabling unmatched efficiency when creating contracts, purchase orders or other agreements with key business contacts.

Implementing the right CLM software

So, you have a sense of the security, operational and regulatory risks lurking in your contracts and you’d like to mitigate them with software. The next step is deploying the right system which is itself an exercise in risk management. Here are the key pitfalls to sidestep:

Getting Started: The first pitfall to overcome is inertia. If your documents are all over the place (in spreadsheets, PDFs, emails or even file drawers), just gathering all the information may be daunting. Then you may have to make sense of your workflows before getting started on the selection process. The temptation is to just maintain the status quo. My advice would be to not give in and just begin the process. The risks of doing nothing are too great. As Facebook found out, cleaning up the mess after a compliance failure is a lot messier than taking proactive action.

Choosing the right solution: There are a lot of CLM systems on the market, and all promise to take care of all your contract management needs. A good best practice is to list and prioritize your needs in detail. Check with the business users in Procurement, Sales and Finance to see what’s most important to them in a system. Then reach out to vendors to request a custom demo that focuses on your requirements. You may want to save one or two requests for the actual demo to test how flexible the system is.

Deployment: CLM software generally requires some level of customization to align with your business processes and integrate with current systems. This is the area most prone to going off the rails. Common issues include: inaccurate or changing project scope that results in high consulting fees and delays in deployment; lack of in-house technical expertise, resulting in an expensive over-reliance on the vendor for even small changes; errors integrating with current systems; and not accounting for all current and future needs when configuring the system. While the single most important factor to assess is the quality of the implementation team, many of these issues are addressed by applications built on low-code platforms. Because these platforms eliminate custom coding, they are highly flexible, can add capabilities on the fly and allow non-technical people to administer and configure them.

Finally, don’t forget to take into account the financial health, reputation and business practices of the vendor. Your CLM software will be managing your contracts for years to come, so you want to be sure the vendor is financially stable and will be able to provide support 10 years from now. 

To conclude, as we learned from Facebook, careless contract management can expose even the best-run businesses to operational, security and compliance risks. Happily, these risks can be greatly reduced with effective CLM software. The right system will ensure that your contracts are compliant with regulations, deploy security safeguards and generate incremental revenue and cost savings from operations.
