ManagingRisk.ppt

Managing Risk on IT Projects - A Legal Perspective April 19, 2006 By: Matthew Peters, Partner McCarthy Tétrault LLP Barristers & Solicitors 1300 – 777 Dunsmuir Street Vancouver, B.C. V7Y 1K2 Direct Line: (604) 643-7162 Direct Fax: (604) 605-5265 E-mail: [email protected]

Transcript of ManagingRisk.ppt

Page 1: ManagingRisk.ppt

Managing Risk on IT Projects - A Legal Perspective

April 19, 2006

By: Matthew Peters, Partner
McCarthy Tétrault LLP
Barristers & Solicitors
1300 – 777 Dunsmuir Street
Vancouver, B.C. V7Y 1K2
Direct Line: (604) 643-7162
Direct Fax: (604) 605-5265
E-mail: [email protected]

Page 2: ManagingRisk.ppt

Overview

• Context for discussion
• Deal Risks Generally
• Detailed review of the Risks: The Problems and Some Solutions
• The Economic Model and Risk
• Q&A

Page 3: ManagingRisk.ppt

Context for Discussion

• Assumptions: We are talking about medium to large scale IT projects, with an emphasis on large scale projects
• Focus: On the customer side (but not exclusively)
• Rationale: The customer is typically the side that must ensure risks are managed

Page 4: ManagingRisk.ppt

What Risks?

• RFP Risk
• Project Completion Risk
• Service Delivery Risk
• Legal Liability Risk
• Regulatory Risk
• Relationship and Governance Risk
• External Risks

Page 5: ManagingRisk.ppt

RFP Risk

Some Problems:
• RFP does not complete
• Customer picks the wrong vendor
• Not enough Vendors respond
• Vendors perceive the process as unfair
• Vendors waste time and money bidding on projects they cannot or should not win
• Vendor consortium falls apart or slows the process down
• Vendors “run all over” the customer

Page 6: ManagingRisk.ppt

RFP Risk (continued)

Some Solutions:
• Have a clear vision of the project
• Customer needs to do early due diligence to validate the project
• Run a fair, transparent process with knowledgeable procurement people involved
• Transparency into the vendor bids so that there can be meaningful negotiations
• Vendors need to do due diligence on the customer and the project before bidding

Page 7: ManagingRisk.ppt

RFP Risk (continued)

• Customer needs to obtain its approvals as early as possible
• Customer needs to do sufficient due diligence on the vendors
• Customer needs to have visibility into the vendor consortium to the level that the customer is comfortable that the relationships are being properly managed

Page 8: ManagingRisk.ppt

Project Completion Risk

Some Problems:

• IT projects tend to be over budget, late or worse, they don't complete at all

• The wrong people are involved or the right people leave part way through

Page 9: ManagingRisk.ppt

Project Completion Risk (continued)

Some Solutions:

Over budget, late or worse . . .
• milestone payments
• holdbacks
• performance guarantees
• using license fees as a "holdback"
• detailed specifications attached to original agreement
• tight change control process with "ordinary course" carve out
• contingencies
• fixing realistic dates

Page 10: ManagingRisk.ppt

Project Completion Risk (continued)

• People Risks:

Ensure that you have the right people from the beginning:
  • customer team
  • vendor team
  • externals including:
    • lawyers
    • stakeholders
    • SMEs

Page 11: ManagingRisk.ppt

Project Completion Risk (continued)

Ensure that you do not lose the right people during the project:
  • key personnel provisions
  • subcontractor provisions

Page 12: ManagingRisk.ppt

Service Delivery Risk

Some Problems:

• Service levels are left until after signing

• The vendor is not delivering the services in accordance with the service levels

Page 13: ManagingRisk.ppt

Service Delivery Risk (CONTINUED)

Some Solutions:

• Service levels should be attached to the agreement. If this is not possible, the customer needs an exit ramp.

Page 14: ManagingRisk.ppt

Service Delivery Risk (CONTINUED)

• What will incent the vendor to deliver the services in accordance with the service levels?
  • Traditional approach:
    • Service Level Credits
    • per service weightings and point process
  • Think outside the box:
    • Ask the vendor what motivates their people internally

Page 15: ManagingRisk.ppt

Service Delivery Risk (CONTINUED)

Other ideas include:
• dashboards and other reporting processes
• executive compensation/performance bonus tied to service delivery
• governance and meetings
• root cause analysis and remediation plans
• SLA credits directly applied to problem (note that cash should be in the customer's hands until approved)
• incentives for over-performance
• SLA adaptability over time and due to different circumstances

Page 16: ManagingRisk.ppt

Legal Liability Risk

Some Problems:
• Who bears the risk of loss if things go wrong?
• Vendors want to limit legal liability

Some Solutions:
• What risks should be borne by the customer?
  • Things within the customer’s control (such as approvals)

Page 17: ManagingRisk.ppt

Legal Liability Risk (continued)

• What risks should be borne by the vendor?
  • Things within the vendor’s control (such as delivery)
  • IP
  • Others
• What risks should be shared?
  • Cap on liability
  • Consequential damages
  • Insurance as a way to share liability

Page 18: ManagingRisk.ppt

Regulatory Risk

Some Problems:
• Both the customer and the vendor may be subject to certain regulatory or policy requirements. Who bears the risks of non-compliance? This is particularly relevant in situations where there continue to be dependencies between the parties.
  e.g. privacy laws, consumer protection, FI laws
• Consequences include both legal liability and perception risk

Page 19: ManagingRisk.ppt

Regulatory Risk (continued)

Some Solutions:
• Ensure that baseline compliance is met in the contract
• Ensure that each party's responsibilities are clearly delineated with processes to identify, early on, when a failure has or will occur and attribute appropriate responsibility
• Know when the baseline is not enough
  • determine this in advance
  • signal this to the vendor early in the process
  • address PR issues associated with that

Page 20: ManagingRisk.ppt

Relationship and Governance Risk

Some Problems:
• Relationship cannot adapt over the length of the contract
• Parties cannot effectively communicate and address difficulties in the relationship
• No process to escalate problems and resolve them before they become bigger problems

Page 21: ManagingRisk.ppt

Relationship and Governance Risk (continued)

Some Solutions:

• Establish a clear, tiered governance structure that is also used for dispute resolution

• The process should accommodate regular meetings, including at the highest levels

• The right people need to be involved. Neither party should let the other party get away with appointing the wrong people to this process

• Arbitration/Mediation

Page 22: ManagingRisk.ppt

External Risks

Some Problems:
• External factors (such as a labour disruption) affect the project
• Political will of both parties over the course of the relationship

Some Solutions:
• The Force Majeure trap:
  • Often overlooked
  • Vendor slips in “any other factors beyond the vendor’s reasonable control”
  • You can drive a truck through a clause like that

Page 23: ManagingRisk.ppt

External Risks (continued)

Be specific – what is in and what is out. This determines who bears the risk on these issues and who should have alternative arrangements in place
  • Acts of God
  • Labour disputes
  • Subcontractor problems

• When can the parties pull the plug?
• BCP/DRP
• Political Will Risk
  • What if a party’s “political will” changes?
  • Address with exit ramps and appropriate allocation of risk and economic costs

Page 24: ManagingRisk.ppt

The Economic Model and Risk

There should be transparency into the economic model in order to determine risk premiums, contingencies and other costs associated with risk

The parties need to determine what risk premiums are appropriate in the economic model and what risk premiums are not appropriately reflected in the model

Page 25: ManagingRisk.ppt

The Economic Model and Risk (continued)

For example, if SLA contingencies are being layered on top of the economic model then the customer needs to ask itself why the vendor is assuming it will fail to deliver the services.

• Watch out for duplicated risk premiums:
  e.g. insurance costs, SLA contingencies, and overhead can all be covering the same risk

Page 26: ManagingRisk.ppt

QUESTIONS?
