CFOs know the importance of planning and taking the long view, so it’s natural they should have a special interest in preventing and managing risk within the organization, rather than just “mopping up” after a disaster. But before something can be managed, it must be identified and defined, with responsibility assigned.
That’s where the process often breaks down, particularly in relation to contractor and vendor management. At best, identifying risk is a fragmented process, even in the best-run organizations. Legal is involved in creating and reviewing contracts and vendor agreements, typically limiting the scope of its review to the legal structure of the agreement and ultimate indemnification.
More and more frequently, however, especially in this era of outsourcing, the real problem may arise in the individual sections of these agreements, particularly as they relate to personnel (including contractors), insurance, and licenses.
Once the agreement has been signed, who within the organization will track and enforce its provisions? For that matter, who can identify how many contractors or vendors the company is using? Or how many of these are “compliant,” assuming the organization has defined what that means?
Over the years, organizations have placed an undue amount of faith in indemnification clauses as a way to protect themselves. While such clauses can assist in the offset or recovery of direct financial losses, they cannot protect the organization from reputational damage and loss of consumer, partner, and/or vendor confidence, or from the related financial damage caused by loss of customers and revenue.
Insurance carriers have transferred risk for “additional insured” clauses by referencing contract language. In the absence of such language, however, coverage is not granted. Unfortunately, in most organizations no one is reviewing this language, leaving the insured at great risk. For example, if “additional insured for completed operations” is required, the contract between the insured and the contractor or vendor must state:
Even if the certificate of insurance grants this additional insured coverage, the carrier can reject the claim as not being covered in the contract, particularly if there is no stated term of the completed operations coverage. The carrier can say the coverage ended immediately upon completion of the service.
Safe Contracting Programs
Although safe hiring programs have now become commonplace for large corporations, they typically cover only direct employees — a situation that does not meet the outsourcing needs of today’s increasingly contractor-based way of doing business.
Contractors and vendors the company works with can pose some of the greatest risks for damage because they operate outside the company. They are hired to do a job for a certain period of time, and so are not vested stakeholders.
Thus, the next step is to expand the scope of safe hiring programs to what may be called “safe contracting programs.” This extends the provisions of employee safe hiring programs, such as background screening, to contracted employees as well.
A comprehensive safe contracting program benefits the company in a number of areas: minimized corporate liability, reduced financial risk, preservation of the company’s reputation, improved customer safety and protection, safer working environment, and more professional services from contracting companies.
In addition to the indemnification considerations, verification of contractor insurance and licenses has become a much more important factor in managing risk, although it may still be overlooked. Active management of licenses and insurance documentation is the guiding concept, working with vendors, contractors, and their insurance agents to verify and track their status.
Verification, however, is only as good as the systems used to store, track, and manage contractor and vendor compliance documents, so every organization needs to take a systemic view of its capabilities and vulnerabilities.
Although risk management has existed as a corporate function for a number of years, most organizations have yet to come to grips with the growing number of risks they face. The CFO is in a unique position to review these vulnerabilities and help assign direct responsibility for them.
So as simple as it is to ask whose job it is, the answer is more complex. More and more frequently, though, organizations are choosing to centralize the responsibility within a risk-management department, whose head has easy and immediate access to company executives. It’s only then that the CFO, CEO, and other executives can breathe easier, knowing that someone is clearly responsible for managing their organizational risk.
Craig Reilly is CEO of PlusOne Solutions, http://www.plusonesolutions.net, which helps companies manage risks associated with contractor and vendor networks.