Opinion: New approaches to managing risk in complex IT projects

Opinion: New approaches to managing risk in complex IT projects

As a younger lawyer, I recall watching a vendor and a customer sparring fiercely over the scope and detail of a data loss indemnity for a solid week. It was a lively experience – a range of scenarios were vigorously tested, worst cases dramatically illustrated and positions passionately defended by each side and their legal representatives.

Sadly, however, the debate was abruptly truncated on the first day of the following week, when the negotiation teams were joined by a visiting chief engineer who pointed out that the portion of the service under debate did not actually encompass any data carriage.

With that embarrassing revelation, most in the room implicitly assumed the issue closed (albeit belatedly). Not to be outdone, however, the customer’s deal lead promptly offered:

“Well, since we all seem to agree that this risk will never arise, it shouldn’t be a problem for you to indemnify us against it.”

That was many years ago. Ever since then, I have been searching for more intelligent and innovative ways of approaching the allocation of risk and liability in complex IT projects.

These include prioritising pragmatic business outcomes that translate into real value, de-emphasising the need for purely theoretical wins and counseling clients to move away from unnecessarily combative positions by moderating them with constructive styles that promote quick resolutions.

Understandably, for some, this can prove too great of a cultural shift from the stereotypical negotiation process. However, for those who are open to fresh approaches, this can transform the legal function from a potential hindrance into a powerful tool to incentivise the right behaviours from all parties.

Whether approaching complex IT projects from a vendor or a customer perspective, there are some common fundamentals which can assist in retaining focus and ensuring that contract negotiations not only remain productive but drive better outcomes.

No magic bullet

A realisation that is essential to any successful complex contract negotiation is that contractual risk allocation measures are only one part of an overall, and inevitably imperfect, business process.

The purpose of such mechanisms cannot realistically be to eliminate all risk, which is an unavoidable symptom of doing business.

Rather, their function is to identify those non-trivial risks which are likely to arise, set out how those risks should be reduced, mitigated or managed, should they eventuate, and then apportion any residual liability between the contract counter-parties in a fair and sensible way.

As simple as this principle is - that is, that contracts are about risk allocation and not risk elimination - has become less and less familiar in modern negotiation rooms, with the result being the downfall of many prospective engagements, over-excitement regarding a counter-party's positions and an unduly long and costly deal closure process.

Many organisations have come to view a contract as an opportunity to shift all risk to its counter-party, including existing business risks which are not reasonably referable to the relevant project and which would continue to exist independently of the engagement in any event.

A better approach is for the parties to focus on material risks, investigate those which cannot be otherwise addressed (for example, through a change in practice) and then allocate the remaining risks between them, based on which party is most naturally placed to minimise the incidence of events which could manifest the risk.

Selective joint management

While there are many colours in between, at opposite ends of the negotiation style spectrum lie the 'commercial-in-confidence' approach and the 'honest joint management' approach.

The former style is consistent with a closed-deck poker game, in which each side negotiates by reference to aspirational values to avoid exposing to the other side its true concerns and the reasons for its desire for particular positions.

The assumption, quite typically (but not exclusively) made by customers, is that vendors will seek to take advantage of a customer’s pressure points in certain areas, once known, by holding it to ransom in relation to those issues.

The opposite approach is one of honest joint management, in which there is a greater level of trust in the parties’ mutual incentives to manage and address each other’s key concerns. The advantage of this approach is that often the concern will not be a new one to the counter-party, which may be able to draw on its previous experiences in other transactions to suggest practical approaches to resolution.

This is not to argue that the playing of an open deck on every issue is appropriate, but simply to acknowledge that certain issues can be selectively identified for joint management which, once the light of open discussion is brought to bear, can usefully expedite outcomes.

Focus on project-specific risk

Many negotiations fail once discussions resort to the ‘battle of the high watermarks’. That is, when each party adopts an extreme position by reference to its own perception of what is industry standard practice.

The reality is that while typical industry positions certainly exist, they can sometimes be over-emphasised to a point where a one-size-fits-all mindset dominates and a proper assessment of project-specific risk is neglected.

In a climate in which IT solutions have become increasingly bespoke, there is a good case for a concentrated focus on project-specific risk. It is also valuable if both parties are willing to make contractual distinctions between different risks and treat them in different ways, such as through customised indemnity protections and separate intra-contractual limitation regimes.

Early escalation

A critical balance needs to be struck in relation to the timing and frequency of escalation of deadlocked negotiation issues to each party’s respective CIOs, or other senior decision makers.

It is true that overly frequent escalation can diminish the overall impact and strategic effectiveness of each instance of escalation, thereby effectively reducing the senior escalation contacts to negotiators of the general deal.

While this should be avoided, conversely, late and infrequent escalation can result in much wasted time, wheel-spinning and huge inefficiencies as negotiation teams try to unsuccessfully guess their senior management’s attitude to specific risks in an uninformed way.

The latter approach is much more prevalent than the former, meaning that (generally speaking), organisations can afford to escalate sooner and more frequently to have issues resolved, provided the escalated issues are of a nature that they can be quarantined and settled prior to end-of-negotiation trade-offs.

The value of due diligence

Sometimes parties will contest the balance a contract strikes in relation to various contingencies, forgetting that it is often possible to resolve the relevant contingency before the contract is entered into, through pre-contractual due diligence.

For example, an IT vendor proposing to supply services to a customer may seek price exclusions based on unknown features of the customer’s network environment and architecture. Such clauses require delicate drafting, can become overly hypothetical and ultimately reduce certainty for both parties.

However, on occasion the parties can agree an initial limited engagement during which the vendor has the opportunity to assess the customer’s environment to enable it to satisfy itself as to customer-side contingencies and enable both parties to confidently commit to a more certain price construct.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags risk management

Show Comments