How to Review a Vendor Contract

Vendor contract reviews are a critical component to successful vendor risk management (VRM). Reviewing a vendor contract and negotiating terms and provisions is essential for protecting your organization and customers. Although it may seem easier to simply accept the vendor’s standard contract or agreement, this can leave your organization vulnerable to additional risks. This is why reviewing a vendor contract and negotiating as needed should always be included in your VRM process.  

A comprehensive review of the vendor contract will provide many benefits for your organization. It helps set the standards for the vendor relationship by creating expectations around service delivery and quality, while also mitigating the vendor’s risks. To achieve these benefits, it’s important to understand some key steps of reviewing and negotiating vendor contracts. 

15 Steps to Take for Vendor Contract Reviews    

Reviewing a vendor contract typically involves collaboration between multiple stakeholders, such as your legal team, the vendor owner, procurement, vendor risk management, and different subject matter experts (SMEs). It’s important to consider their involvement at different stages of the process.

Here are 15 steps to help you with your contract reviews:

1. Review the scope of services. You want to verify there are provisions in the vendor contract that clearly outline the scope of services. This includes:
   
   • The products and/or services the vendor will provide
   • Rights and responsibilities of both parties (your organization and the third-party vendor)
   • Language around any time frames promised or custom services requested
   • Rights to modify products and/or services
   • Any guidelines around adding products or services and contract re-negotiation
   • Details around training, support, maintenance, and customer service
2. Determine the performance standards and make sure they are adequate. Here you should negotiate with the vendor and decide on the service level agreement (SLA) requirements, remedies, and any penalties if the SLAs are not met. SLAs are largely dependent on the product or service the vendor will provide. However, SLAs identify the most critical attributes of quality, delivery, and performance. Penalties for noncompliance could be monetary, like discounts or fines, or non-monetary, like losing the right to compete for more business with your organization. All SLAs should be clearly stated in the vendor contract. 
3. Verify the duration of the contract is correct. Confirm that the term, renewal term, non-renewal, and termination notice periods related to time frames are accurate. It’s important to track these dates to ensure you have enough time for mid-term contract reviews and any re-negotiations or modifications. Tracking dates will also help avoid surprise price increases and auto-renewals.
   
   
   Pro Tip:  Consider setting up notifications to alert you halfway through the contract term. Many vendor risk management software solutions offer this capability, but email calendar reminders can also be effective. 
4. Ensure there is a default and termination clause within the contract. This should clearly set the standards of the types of events that can lead to default or termination, which can help avoid misunderstandings and disputes between both parties. Also, be sure to review for early termination fees in the event you need to terminate the agreement for convenience as these can become quite costly. 
5. Consider costs and price increase language. In the fee description, you are looking for information pertaining to the following:
   • Cost overview
   • Increase limitations
   • Support for merger/acquisition activity and costs
   • Payment terms
   • Late fee language
   • Deconversion fees
   • If applicable, who is responsible for cost to provide or maintain software and/or hardware
6. Always look for security and confidentiality provisions. This should include information on how the vendor plans to safeguard your data, prevent exposure to breaches, notify you of a breach, and mitigate future incidents. You also want to confirm how the vendor will return or destroy your data or assets if the relationship terminates. Are there geographical limits on where data can reside and/or be transferred? Also consider provisions around data ownership segregation and compliance with privacy regulations.
7. Review the audit requirements. Verify there is a description of audit reports your organization is entitled to receive – like a SOC 1, SOC 2, and SSAE 18 – and that they are provided annually at no cost to you. 
8. Understand what due diligence documents will be made available to you and if there will be any fees for customizations. Documents may include, but are not limited to the following:
   • Financial statements
   • Performance reports
   • PCI compliance certification
   • List of critical subcontractors
   • Security testing results
   • Insurance certificates
   • Proof of compliance with applicable laws and regulations
   Pro Tip: A right to audit clause will ensure you can request a vendor’s documents as needed throughout the engagement. This allows you to continuously monitor and re-assess the vendor’s risk, which can change in the event of new regulatory requirements, recent security incidents, and more. 
9. Verify business resumption and contingency plan language is included within the contract. You are seeking provisions around disaster recovery, business continuity, and back-up record protection. This should include annual testing and provision of a summary of test results.
10. Ensure the vendor outlines their policies around subcontracting. This should require your vendor to provide required due diligence documents for any subcontracted vendors and notify you in advance of any changes to subcontractors. The vendor contract should also outline your third parties’ policies and practices for vendor risk management. You should expect your third parties to actively manage their vendors. They should also disclose all their current and known vendors that are critical in providing their products and services to your organization. 
11. Include ownership and license information. There should be a description of ownership, rights, and allowable use of your organization’s data, system documentation, and other intellectual property. This should clearly describe the type of ownership and license being granted. Both parties should have it clearly stated if and how each can use the other party’s name, logo, trademarks, and other copyrighted material. 
12. Confirm the contract includes a clause pertaining to indemnification. This is so that the vendor will hold your organization harmless from liability due to negligence of the vendor.
13. Review the limitation of liability. Your organization should verify it equates to the amount of loss your organization might experience as a result of the vendor’s failure to perform.
14. Include provisions around dispute resolution. Be sure to identify how and where disputes will be heard. Many arbitration clauses benefit the vendor, so be sure to have your expert legal team review before signing.
15. Review the general provisions. You are looking for provisions such as the following:
    • Survival
    • Governing law
    • Contract conflict – order of precedence
    • Severability
    • Failure to exercise/waiver
    • And more, depending on the vendor relationship in review, as the provisions necessary aren’t limited to these five

3 Best Practices for Reviewing a Vendor Contract  

The vendor contract review process may require updates and improvements over time, especially as regulations change and vendor risk becomes more complex. Here are some recommended best practices that can keep your vendor contract review process efficient:

• Document the contract review. Have a qualified SME, such as a paralegal, write up the analysis. Once you have your analysis in hand, reach out to the vendor to discuss any terms that may be missing and next steps to negotiate them into the contract.
• Consider building a clause library. Vendor contract reviews can be a lengthy process, but one way to save time is by using a library of pre-approved clauses. As you’re reviewing your vendor contract and going through the redlining process, make sure to save the approved clauses for future use.
• Track the removal of standard clauses. There are many reasons why a standard clause might be removed from a contract, such as irrelevancy or creating a conflict with another term. Sometimes a clause is removed just to simplify the contract. Whatever the reason, make sure to keep track of any standard clauses that were removed, as this can save time for vendor owners and legal teams if any issues arise in the future.

And just like that, you have the basic steps of reviewing a vendor contract. Your organization may have additional requirements, but these steps should be easy to implement in your process. By following these steps and best practices for a vendor contract review, your overall vendor risk management program will be stronger and more effective.