Sarah Mumford and Gillian Watson look at an activity that every law firm undertakes but is little written about from the perspective of practical compliance.

Every firm, every day, is dealing with suppliers. This article looks at suppliers to the firm, the risks of not having an agreed procurement process, and some practical tips.

To keep the article manageable we have taken the practical example of embedding information security considerations into supplier contracts.

This may be something the firm has to do as part of compliance with ISO 27001 (the information security international standard) or as a development of the government’s more modest but still valuable Cyber Essentials programme, or perhaps from a nagging feeling that the firm has grown (whether organically or by merger) with little strategic thought given to supplier governance.

Although we describe the process of review of existing contracts, it is easy to apply the same methodology to negotiation of new ones.

Who are your suppliers?

This may not be as easy as you think to ascertain, but it is a crucial first step.

Many suppliers paid out of office account are contracted for client work (counsel, experts, and investigators) and probably can be discounted for this project.

Those that remain should be put in a spreadsheet and the data analysed. It may be helpful to identify the key suppliers to the firm and focus on their contracts.

The supplier of sandwiches may be rather taken aback to receive a full confidentiality undertaking but your SAR accountant’s terms may take you by surprise with their one-sidedness.

What do they supply and on what terms?

Again, a deceptively simple question, but it is critical to understand who the suppliers are, who is the main contact at the firm, the agreed terms and any other key contractual information such as termination provisions and any end date.

Don’t forget to include all outsourcing contracts (business process outsourcing or legal process outsourcing alike).

Who should be the contract owner?

Each contract should be assigned an owner. This is the person responsible for the management and maintenance of the contract and may be different to the firm contact who will work directly with the supplier day to day.

Important IT contracts, for example, may be ‘owned’ by the FD (finance director) because of their strategic significance.

Most firms will not have full time resource for procurement and so contract owner allocation is an important step in the success of the project and in ongoing contract management.

What issues are important to the firm?

These may be one or more of the following non-exhaustive list:

  • confidentiality and security risk
  • commitment to particular policies such as Anti Bribery & Corruption (AB&C), Equality & Diversity and Environmental
  • specific information security (IS) considerations
  • business continuity

It won’t be proportionate to insist that every supplier signs up to a long list of policies, and in many cases the suppliers will refuse (good luck with changing the Microsoft standard terms), but it is important that this analysis is made and the residual risk understood.

Some may consider that a risk-based approach to this task is appropriate, e.g. the supplier of expensive services such as IT contracts may need a robust AB&C agreement which may not be appropriate for the occasional supply of sandwiches.

Population of the spreadsheet

The grid is now starting to look like this:

  • Name/address
  • Supplies what?
  • Contract owner
  • Key supplier?
  • High risk
  • Reasons for KS/HR
  • IS considerations?
  • Priority
  • Contract terms to note

Other headings may be helpful for triage purposes if the list is long, e.g. annual spend and imminence of contract renewal.

This first cut will give the firm a priority list; it is then for the project sponsor to decide how to tackle it, allocating tasks depending on the skill required.

The project team should comprise expertise in risk, finance, HR, and commercial terms negotiation (could you spot an ‘evergreen’ clause?).

We are going to look at information security as an example for the rest of this article. For this, we suggest you ask five questions:

  • Will the supplier require or be given access to confidential information?

Suppliers in the Yes category will include off-site archiving and outsourced office staff, but also those who do not require access yet may have it in practice, such as out-of-hours cleaners: would a ‘clean desk’ policy mitigate some of that risk?

  • Will the supplier have unescorted/unobserved access, particularly out of hours?

Suppliers in the Yes category will include copier mechanics and security staff. Think about which areas of the building they need access to and whether this can be limited.

  • Will the supplier have administrative privileges (i.e. the ability to change information on the firm’s systems)?

This will typically be IT related but may be wider (e.g. CCTV reporting, proximity access card supplier etc.).

  • If Yes, will this ever be by remote access (i.e. higher risk)?

What is the process to request access, and to whom will they submit that request? How long will you grant that access for, and what audit logging is in place to review what they have done during the time they have accessed the information? What structural measures do you expect them to have in place to preserve your information?

  • How can any of these risks be mitigated or averted?

For example, an external trainer comes in to train on social media. Risks are low if they stay in public or low-risk areas such as the kitchen. However, if the trainer is going to write a policy, and see the firm’s intranet, it would be necessary to introduce confidentiality provisions in the contract in the form of an NDA.

The triage stage of the project

Some further questions that may involve higher risk situations:

  • Will the supplier maintain the information on the firm’s behalf? Who is ultimately responsible for it?
  • How important is this data to your firm?
  • Is this a new or existing supplier? What is your relative bargaining position?
  • Where relevant, what is their back-up strategy and business continuity plan?

Many clients conduct due diligence on their lawyers and the questions they ask and types of information they ask for may assist the firm in compiling the list, on a ‘biter bit’ basis.

Continuing management

Who will ensure that the hard work undertaken for the initial project is maintained?

Many readers will not have procurement teams or full time contract managers but the process is the same, whoever does it. There are systems to purchase which can automate some of the legwork in recording and monitoring but it still needs a project manager.

If a Service Level Agreement (SLA) is in place – how will this be monitored and any default or breach escalated?

The firm may well have a number of people with an interest in a particular contract. How will this be co-ordinated to ensure that the firm speaks with one voice and knows what it wants? This is as relevant to ongoing management of a contract as it is to formation.

Some further considerations

  • Are data protection, intellectual property rights and copyright provisions agreed and being adhered to?
  • What authorisation processes are required? This applies to forming the contract as well as to authorising payment and variations – and may require different skills or controls. We have previously given the example of the Director of Finance being responsible for IT contracts.
  • What checks does the supplier take for employing staff, and do they subcontract? Is subcontracting appropriate for this engagement? Vetting and pre-employment checks are an increasing requirement of commercial clients – they expect these requirements to be stepped down to the firm’s suppliers. You may in any event want to require protective measures for your own reasons, e.g. CRB checks on all staff employed by your cleaning contractor given the IS implications of unescorted access.
  • Ensure that you have the ability to audit the supplier where appropriate.

To ensure that contract management becomes part of business as usual, it is important that workflows and lines of communication are established to bed in the process.

Once the initial contract review has taken place and the process is established, this is a clear finish point for the project.

The project can then be handed over internally. Law firms are often substantial and complex businesses but the basis on which their suppliers supply goods and services can often be overlooked.

Although a potentially daunting task, there are good risk and financial reasons for understanding and influencing the basis on which the firm is purchasing from suppliers. A contract review process is sensible business discipline.

Sarah Mumford is a solicitor and risk consultant to law firms and Gillian Walton is a freelance business analyst specialising in optimising business processes for law firms.