Learning from a $150 Billion Compliance Failure
How a 10-minute survey cost Facebook $150 billion
- By Colin Earl
- Nov 27, 2018
In 2013, an academic named Dr. Aleksandr Kogan created a Facebook app called “this is your digital life” which asked users questions for a psychological profile purportedly for academic use. In violation of Facebook's contractual terms, he then sold users’ responses and personal data to Cambridge Analytica, which then used it for political campaigns. The ensuing scandal cost the social media giant the trust of its users who reacted by leaving the platform in droves. The stock plunged, erasing $150B of market value in 90 minutes.
While most businesses may not relate to a $150B loss in market value, they may pay attention to a 10 percent reduction in annual revenues. That’s the amount the International Association of Contract and Commercial Management (IACCM) reports the average company loses to poor contract management practices. When typical profit margins hover around 10 percent, even halving this loss can increase profit margins by 50 percent. Even more critical than plugging revenue leaks is protecting against failures that pose an existential threat to the enterprise, such as violating regulatory mandates or exposing customer or proprietary company data.
What can we learn from one of the most expensive contractual compliance failures in history? For one, it’s not enough to mandate compliance in contracts; companies must have a robust way to monitor compliance and take immediate action to remedy breaches in real time. And second, the volume and velocity of business is such that if you’re not using some form of automation to monitor compliance, it’s a certainty that you’re missing things that are costing you serious money. A contract management system that automates monitoring of your contract terms will pay for itself almost immediately in plugging revenue leaks and, more importantly, will offer much better protection against existentially threatening compliance failures and security breaches.
To fully apply these lessons, let’s examine some common compliance and security risks and how businesses defend against them.
Let us begin with the top-of-mind issue of data security. Security risks related to digital data are among the most difficult to police. Digital systems enable incredible efficiency but make it easier than ever to steal information. Whether it’s valuable IP, pricing information or confidential customer and employee data, once the perimeter is breached, the potential damage is much higher with digital systems. Whether it’s falling for a phishing scam or just carelessness typified by using the same password across environments, the weak link is often the interface with humans. For some organizations, the risk is so dire that they are choosing to sacrifice the convenience of digital for the security of analog systems.
For example, the Kremlin uses manual typewriters and does not store the most sensitive information electronically. There probably aren’t many organizations that want to go to that extreme, but the point is clear. Storing contracts with a treasure trove of confidential information on individual computers is an open invitation for theft, especially when the information is accessible to anyone. A contract lifecycle management (CLM) system that manages access with well-defined permissions is critical to ensuring data security. CLM software allows organizations to configure access permissions down to the document field level and apply varying levels of permissions based on location, group or individual user.
An example of a company securing its IP with well-defined permissions is Aviation Technical Services. One of the country’s leading aircraft and maintenance services companies, ATS has more than 9,000 sensitive contract documents in various locations. Its CLM system ensures each document can only be accessed by properly authorized personnel based on specific criteria such as primary department and location. The system preserves security and gives employees and contractors immediate access to the information they need.
Regulatory compliance refers to government mandates that govern the business, such as HIPAA or Sarbanes-Oxley. These often complex requirements are generally included in contract documents with each party’s obligations clearly spelled out. When managing large volumes of contracts, the challenge is to ensure that the appropriate clauses are included and to monitor internal and external compliance. Contract management software simplifies the process by digitally auditing current contracts to ensure they have the appropriate clauses related to data privacy, arbitration, confidentiality or other regulations that affect your business. Once you’ve identified the gaps, your legal team can update the contracts with the appropriate language and contact any third-party signatories. A central digital repository for all your contracts also helps track other types of compliance and allows advanced systems to trigger business process automation to aid future operations.
Operational compliance relates to the terms and conditions of your contracts. Facebook is a cautionary tale of what can happen when you are lax about monitoring compliance with contract terms, but for most companies, the majority of operational risk revolves around revenues and expenses. As a basic best practice, contracts should clearly define performance obligations that your contract management system can track and manage.
A simple example is payment terms. Most companies outline payment due dates in contracts with penalties for missing the deadline. How many companies track those late payments, let alone enforce the penalties? What about contract renewals? Do you keep track of when contracts are expiring and send renewal notifications to ensure there’s no slippage in payments? On the supply side, a common form of operational non-compliance results in overpayment due to poor tracking of volume or other discounts negotiated in the contract. Of course, putting performance metrics in place is the easy part. The hard part is matching real-world behavior to contractual obligations and taking timely action. Doing this is impossible without automating contract management.
A good example of a comprehensive, automated approach to compliance is OB Hospitalist Group (OBHG), a provider of healthcare services with more than 120 programs covering 560 doctors in 28 states. OBHG faced a massive challenge in tracking the contract expirations and renewals associated with hundreds of vendors in addition to accounting for discounts and other contract obligations. And on the revenue side, matching insurance payments against the services delivered was equally daunting.
Automating its CLM gave OBHG accurate, up-to-date cost and renewal information, eliminating overpayments and providing visibility into its revenue cycle. The result has been not just cost savings and better use of resources. It has also contributed to business insights that have helped OBHG make better strategic decisions and continue to grow profitably.
In addition to compliance, automation offers several efficiencies in streamlining operations. For example, if you don’t use standardized contract templates and language, you’re going to end up with long lead times and longer negotiation cycles, which will lead to stalled projects and missed opportunities. Automation also ensures a standard workflow with well-defined protocols and procedures for approvals. This alone can speed up business operations and greatly reduce the time and effort required for audits.
The best CLM software enables precise and configurable security as well as the flexibility to integrate with ERP and CRM systems or other business processes. Even better are systems that extend beyond the organization to offer vendor and customer portals, enabling unmatched efficiency when creating contracts, purchase orders or other agreements with key business contacts.
Implementing the right CLM software
So, you have a sense of the security, operational and regulatory risks lurking in your contracts and you’d like to mitigate them with software. The next step is deploying the right system, which is itself an exercise in risk management. Here are the key pitfalls to sidestep:
Getting Started: The first pitfall to overcome is inertia. If your documents are all over the place (in spreadsheets, PDFs, emails or even file drawers), just gathering all the information may be daunting. Then you may have to make sense of your workflows before getting started on the selection process. The temptation is to just maintain the status quo. My advice would be to not give in and just begin the process. The risks of doing nothing are too great. As Facebook found out, cleaning up the mess after a compliance failure is a lot messier than taking proactive action.
Choosing the right solution: There are a lot of CLM systems in the market and all promise to take care of all your contract management needs. A good best practice is to list and prioritize your needs in detail. Check with the business users in Procurement, Sales and Finance to see what’s most important to them in a system. Then reach out to vendors to request a custom demo that focuses on your requirements. You may want to save one or two requests for the actual demo to test how flexible the system is.
Deployment: CLM software generally requires some level of customization to align with your business processes and integrate with current systems. This is the area most prone to going off the tracks. Common issues include inaccurate or changing project scope that results in high consulting fees and delays in deployment; lack of in-house technical expertise, resulting in an expensive over-reliance on the vendor for even small changes; errors integrating with current systems; and not accounting for all current and future needs when configuring the system. While the single most important factor to assess is the quality of the implementation team, many of these issues are addressed by applications built on low-code platforms. Because these platforms eliminate custom coding, they are highly flexible, can add capabilities on the fly and allow non-technical people to administer and configure them.
Finally, don’t forget to take into account the financial health, reputation and business practices of the vendor. Your CLM software will be managing your contracts for years to come, so you want to be sure the vendor is financially stable and will be able to provide support 10 years from now.
To conclude, as we learned from Facebook, careless contract management can expose even the best-run businesses to operational, security and compliance risks. Happily, these risks can be greatly reduced with effective CLM software. The right system will ensure that your contracts are compliant with regulations, deploy security safeguards and generate incremental revenue and cost savings from operations.