Contract Risk Playbook

To access a downloadable version of the Contract Risk Playbook, please click here.

Risks Hiding in Plain View
Contract Risk Playbook:
An Advanced Guide for Corporate Boards and Senior Executives
Table Of Contents
Changing Demands, High Stakes
Step 1: Assessing the Situation
Step 2: Taking Action
Step 3: Moving Forward
Conclusion: A Checklist for Directors and Executives
Lorem Ipsum
When Lehman Bros. declared bankruptcy in 2008, the firm held more than 1 million outstanding contracts in a vast multiplex
web of global interactions. It had become so diverse and sprawling that the board and senior executives were unable to quickly produce reliable information about its exposures.

“The challenge is that risk is a real time problem. Yet many companies do not have real time access to relevant contracts and it is a matter of how fast they can move to deal with these issues as they come up,” says Bill Hewitt, CEO of Exari.

“If you look at the financial crisis, Lehman Bros. was eventually proven to be solvent. It just took six months to find out and by then it was too late.”

Boards and senior executives need the necessary information to connect the dots before a major event. The purpose of this playbook is to examine how contractual agreements, a vital and often overlooked corner of operations,
can provide management with the business intelligence to help reduce risks, uncover waste, and improve performance.
Changing Demands,
High Stakes
Lorem Ipsum
For 81%, finding contracts is a major concern

54% have difficulty accessing specific terms and clauses

66% rarely or never keep track of side letters or supporting documents

60% do not track contingent liabilities

61% have no idea of the interdependencies among their contracts

For 75%, contractual risk is a major concern
Financial and legal agreements today are often poorly monitored. A lack of control around these contractual relationships creates risks, either reporting or operational in nature, and can lead to brand or reputation damage and the loss of significant revenue.

According to a study by the National Contract Management Association, a leading professional resource with over 20,000 members, there is plenty of room for improvement. Take a look at the data to the right and see for yourself. 
Lorem Ipsum
The payoff for tackling the problem is often significant. According to estimates from the International Association for Contract and Commercial Management (IACCM), which reviewed contract data from its more than 12,000 member organizations, companies could increase their bottom line by 9% by addressing common contract management issues. At an industry conference in 2015, Tim Cummins, the CEO of IACCM, told leaders from Fortune 1000 and Global 2000 companies that implementing contract management software was a priority for the majority of its members. Leveraging technology to address key business challenges has been a steady priority for senior executives for several years,
he added.(1) 

However, that is easier said than done.

IACCM research shows that 62% of its global organizations have contract management software, said Cummins, yet less than 20% have achieved widespread adoption. Too often, he said, the software is not particularly useful to all parts of the business— and so it is ignored. “In today’s technology-driven world, one of the biggest obstacles to deriving value from contracts and contracting processes has been the absence of relevant technology,” Cummins wrote.(2)

(1) IBM Commerce Blog, “Debunking Three Common Myths About Contract Management Technology,” 2015

(2) Commitment Matters, “Excellence in Contract Management,” 2016
"In today’s technology-
driven world, one of
the biggest obstacles
to deriving value from
contracts and contracting
processes has been the
absence of relevant
- Tim Cummins,
      CEO of IACCM
Lorem Ipsum
It is time to approach contracts as data — an untapped bastion of data that, if systemized well, can provide firms with real-time information about the risks, obligations, and exposures their company has to a counterparty. 

Senior executives and boards should know how actions and decisions in one part of an organization impact other parts of the firm in unexpected ways. Only then can there be real confidence that risks are manageable.
A survey of corporate and general counsel by Exari found that 39 percent of respondents lack visibility into corporate risk due to poor contract management practices.
“We want you to understand what is in every single contract and what every term means. Our focus is to get companies to 100% contract certainty so that they know everything about their contract assets and what risks or obligations they pose to their company,” said Hewitt.
Step 1:
Assessing the Situation
Companies need the proper tools to assess change — by, for instance, running queries on a variety of potential impacts to the firm. Such work involves tracking a matrix of interrelated risks, including:

» The uncertainty of counterparty performance
» Unexpected termination of revenue or supplier agreements
» Mismanagement of expenditures
» Compliance oversight and risk-transfer strategies

For a better understanding of contract risk, it is helpful to think in terms of three broadly defined themes:

Asymmetry. How actions in different parts of the business have a ripple effect throughout the organization and on its overall risk profile. For example, asymmetry occurs when gains in one unit can be completely offset by losses in another.

Operational Silos. A lack of integration and coordination of business that depends on the same data. It is the opposite of a holistic view of sales, operations, finance, and other units. Silos can lead to misalignment, resulting in excess expenditures and more.

Measures of Performance. Key information that can be
leveraged before something goes wrong. By not unlocking
the potential of this data, the firm overlooks strategic
Step 2:
Taking Action
So how well do you know your contractual risk?

For example, your biggest customer could suddenly become unprofitable upon realizing that the cyber attacks it just suffered are not covered in its legacy insurance policy that somehow escaped scrutiny for years. As a result, your company had to restate your earnings.

That unfortunate happening is drawn from the world of asymmetric risk — the blind spots firms encounter when confronted with incomplete information that causes errors in judgment. These “surprises” are hidden in plain sight, but can be difficult to recognize until after a loss has occurred.
Lorem Ipsum
These are the contract risks to watch out for. In other words, your pain points:

» Revenue uncertainty. The risk of early termination of revenue contracts. Causes may include poor customer service, mergers and acquisitions, or other corporate actions. This is troubling when small service providers are affected. It can be devastating when key business partners give notice and compromise the firm’s solvency.

» Supply chain uncertainty. The risk of early termination or performance failure of a major third-party business partner, vendor, or supplier of any critical business. This can produce a knock-out effect when failed promises by a vendor lead to disruption in business operations.

» Rogue spending and contracting. The risk associated with spending off-contract or making contract arrangements that lead to regulatory and legal exposure. This may materialize as inappropriate expense spending internally or outright fraud with fictitious external vendors, etc.

» Compliance failure. The dangers of unmanaged compliance risks leading to operational failure. This can lead to damage to the firm’s reputation and loss of confidence among business partners, customers, and vendors.
Step 3: 
Lorem Ipsum
Contract risk requires a proactive campaign of awareness and internal controls to prevent a crisis.
Firms are sometimes lulled into a false sense of security when evaluating low-frequency, high-impact events such as asymmetric risks — and, in fact, contract risks as a whole. But what if you could model the risk of failure more accurately by tapping into business risk intelligence?

You can. Just leverage the firm’s inventory of contractual agreements to create analytics for enterprise operational performance. By doing so, you will be able to look through and across business channels simultaneously — for a 360-degree view.


1. Gain certainty in business operations by tapping valuable, often overlooked, data.
Contract management intelligence can draw useful information from risk-transfer transactions in order to measure “retained risks.” These are the uncovered risk exposures a firm accepts after executing options to transfer a part or all of a risk to a third-party.

Risk Transfer is a simple calculation:
Risk Exposure - Risk Transfer = Risk Retained

First, let us look at risk exposure. It is an important part of the equation. Some businesses, such as insurance companies with advanced analytical tools, measure it on a regular basis. But many firms lack confidence in their ability to make these calculations. Contract management data,
Lorem Ipsum
however, can be used to quantify changes in the profile of the firm, so it can routinely assess risk exposures.

Risk transfers involve contractually shifting risk from one party to another. An obvious example would be purchasing an insurance policy. Other contractual agreements run the gamut from mundane to complex — think vendors, service providers, and others. Typically, these agreements include harmless waivers and releases, or an indemnity agreement that assigns the liability of the other party.

By harnessing business intelligence data, companies can gather the necessary parts of the equation. They can develop measures for risks transferred versus the risks retained by the firm. And that ratio can then be used to establish risk tolerance for a given line of business or at the enterprise level. Management can balance the firm’s portfolio of contract risks, giving the board confidence in the firm’s strategies to address major hits in retained risks.

2. Better crisis management.

Firms underestimate the risk of encountering a convergence of events that perpetuate a crisis. Contract intelligence can provide important analytical data to create “what-if” scenarios to assess the scope of liability in specific events. Organizations that fail to prepare before a crisis lose credibility when responses to basic questions are poor. Timely and accurate information often determines success or failure in crisis management.
Lorem Ipsum
Let us look at current trends in contract risk. How can business intelligence help moving forward? Here are a few ways:

1. With Regulatory Investigations:

Since the financial collapse in 2008, big financial institutions have faced major regulatory penalties with no end in sight. A 2015 Morgan Stanley report found big banks have been fined $260 billion since 2009, and face about $65 billion in litigation costs alone between now and 2017.(1)

With the SEC, Federal Reserve, and other regulatory bodies keeping a keen eye on firms and their viability, senior executives must be vigilant in tracking anything that could precipitate crises for them and their counter-parties. Securities fraud and concealment of risky mortgage information. Ongoing failure to manage and identify key collateral or provide ready access to key data. It must all be tracked with the best data possible.

(1) ValueWalk”, Big Banks: $260 Billion Down, “Only” $65 Billion To Go, Says Morgan Stanley. (2015, August 20).
Lorem Ipsum
2. With Commercial Insurance:

Cyber risk insurance premiums protect against worst-case scenarios caused by cyber risks. In other words, your premiums are based in part on someone else’s cyber attack, not your own experience. Other risks, such as workers’ compensation, have mature risk experience, yet both policy types demonstrate how firms transfer the risk of future costs.

Firms that combine strong cybersecurity measures with a refined view of a data breach improve their ability to negotiate cost-effective coverage with commercial carriers. Insurance carriers have developed a “Cost of Risk” concept that quantifies risk exposures in risk-transfer agreements. All firms should do the same when executing agreements to clarify the cost of retained risk exposures.

If you have the analytics to provide a complete picture of where your organization protects confidential information adequately, and where it does not, you can present a credible position to commercial insurers during a negotiation.
Lorem Ipsum
3. With Litigation and Class Actions:

Lawsuits have spiked recently in proportion to an increase in privacy, data, and cybersecurity-related events. In recent years, litigating attorneys have targeted “reasonable security” as a weak spot due largely to vague or ambiguous language used to define the scope and limits of measures taken to prevent a breach before an attack occurs.

Although securities litigation continues to decline after peaking in 2011, 27% of the total cases represent capital regulatory actions against financial services firms and their boards of directors. In 2014, 20% of all suits involved securities class action, 21% involved merger objection and 37% involved capital regulatory actions.

Business intelligence can be used to pay special attention to the mobile devices and apps that collect personal information about customers, clients, and business partners. Boards need a plan for defining reasonable security measures and routinely monitoring the results and mitigation plans to correct any weaknesses.
Lorem Ipsum
4. With Data Security (Social Media):
Cybersecurity risks have become so common that they are now factored as a new cost of doing business. The cost of defending the enterprise during a breach while minimizing litigation risk associated with a cybersecurity event represents a trend with increasing frequency.

According to Fulbright’s 9th Annual Litigation Trends Survey, “Last year’s survey found that while 91% of U.S. companies permitted employees to conduct business on mobile devices, only 30% had to preserve or collect data from those devices for a litigation or investigation. This year’s survey revealed that gap has narrowed: 41% of U.S. companies have had to preserve or collect data from an employee’s mobile device for a dispute.”

Data security’s wide-ranging impacts on a firm’s reputation calls for a thoughtful approach to negotiating risk transfer agreements with commercial insurance providers based on the value of the potentially exposed data.
Lorem Ipsum
Contract risk management enables senior executives and boards to improve operational excellence while reducing risks. This management approach will allow you to gain clever insights into risk exposures so that you can manage them from an enterprise view.

Action Checklist for Senior Executives and Boards:

☐ Review the ways in which contracts are tracked on a company- wide basis, and the policies and procedures in place to use that data to hedge against and mitigate risks.

☐ Review the status of contracts, including any risk concentrations and interrelationships, as well as the likelihood of occurrence and potential risk.

☐ Design contract risk management policies and procedures that are coordinated and function as directed.

☐ Implement these strategies in a timely manner.

☐ Send a message to management and employees that comprehensive contract management is an integral component of the firm’s strategy and business operations.
Lorem Ipsum
Exari is the market-leading Enterprise Contract Management platform for delivering 100% Contract CertaintyTM. Hundreds of thousands of users across 80 countries use Exari for document assembly, strategic sourcing, contract creation, negotiation, collaboration and contract analytics. 5 of the top 15 banks, 4 of the top insurance brokers, and numerous market-leading energy companies use Exari. Exari is headquartered in Boston, Massachusetts with offices in Oslo, Norway; London, UK; Munich, Germany; and Melbourne, Australia. Learn more at

Boston 745 Boylston Street, 2nd Floor, Boston, MA 02116
t: +1 (617) 938 3777

London 1st Floor, 20 St. Dunstans Hill, London EC3R 8HL
t: +44 (0) 203 795 2490 |

Melbourne 10-16 Queen Street, Melbourne 3000, Australia
t: +61 3 9621 2775 |

Munich Max-Ruettgers-Str. 22 C, D-82057 Icking/Munich, Germany
t: +49 8178 998 7670 |

Oslo Strandveien 37, P.O. Box 391, 1326 Lysaker, Norway | t: +47 21 42 20 10
Bergen Øvre Kråkenes 17, 5152 Bønes, Norway | t: +47 21 42 20 10
About Exari