This model of engagement is a boon for spikes in demand or for situations where you need specialist capability for a one-off project, but it comes at a cost, and I don’t mean just the higher rates you will pay compared to an employee. Having external resources in your business places a new burden on securing not only your own organisation’s commercial in confidence information, but also the information your organisation has promised to protect.
There are varying degrees of risk associated with exposing commercial in confidence information to a contracted resource. The greatest risk is where the other party, or the owner, of the commercial in confidence information determines that their competitive strength in the market has been weakened by having their data exposed to a competitor. This situation also damages your organisation’s ability to generate and maintain competitive tension in the market.
Here is a worst-case scenario, and one that occurs in many organisations on a routine basis.
There is a major project approved and it’s all hands on deck to deliver it. The project deliverable is a complex ICT solution and it is quickly realised that there is no in-house skill in this space to drive the project, so a contracted resource as a programme manager is required. The internal documents to justify the position are created and budget allocated. Market engagement documents are then created, the proposals sought and received, the evaluation carried out and the successful candidate identified and engaged.
To keep everything tidy, all the documentation is saved under the programme folders. Error number one.
Next, the new programme manager identifies that the project will require three project managers to manage each major stream of work. So he writes up the specification (warning bells should be sounding), picks a few companies to be engaged for proposals, including his own (louder bells) and then chairs the panel for evaluating the offers. You know the movie scenes where the nuclear reactor is about to melt down and all the sirens and alarms are going off and people run panicking everywhere? That is what should be happening right now.
Further to this, this programme manager is an awesome operator, so the organisation brings them in on the early planning stages of a new project that will be let to market in the near future (the alarms just keep getting louder here).
Here are some of the issues:
- If a vendor representative can see the responses of their company’s competitors, there is a significant conflict of interest risk that they will use that information to their advantage.
- The competitors may take exception to their commercial in confidence information being shared, so you may have a lawsuit coming your way if the vendor is up against it commercially or in a fighting mood.
- Weakening a competitor is weakening your market and potentially damaging any hope you have of leveraging competitive tension.
- This supplier is going to become very difficult to negotiate with, as they now know your drivers and boundaries.
- Allowing a vendor to write specifications that they will compete on is inviting bias, either intentional or unintentional.
- Allowing a vendor to have visibility of, and worse, influence over, forward planning is placing a very high risk on the integrity of future processes.
You must always keep in the forefront of your mind that all vendors must have the same primary goal if they want to stay in business: to be profitable. Then after that comes the drive to deliver something useful to the market. As much as we would like to think they have our organisation’s requirements at the forefront of their minds, that cannot be possible if they are to ensure the strength of their own organisation.
So what can we do to manage these issues? Clearly we can’t rule out leveraging contractors; the benefits generally outweigh the risks. We could be more selective about what we bring contractors in for and what we outsource as a whole. Do we need to bring a software developer on site, or can we have them deliver a package of work from their own place of business? Some organisations move all contractors into a specific part of the building or even a separate building, but that is not always practical or possible, and may not meet the aims of having them on board in the first place.
So we need to take measures to protect the key data and still allow the contractor to function.
The big one: never let the contractor see the documentation from the process they came in on; there is no justification for this. So store procurement information outside any areas the contractor will have access to. Also, watch out for situations where you decide to leverage that same process to select more resources and a contractor engaged through the process is on the evaluation panel.
Carefully review any situations where a contractor is on an evaluation panel. Double check if any information would benefit the company he works for and manage that risk.
A contractor can be on an evaluation panel for work that is not directly related to their industry, but if having a compromised contractor involved in the process is unavoidable, aim to remove all commercial information from the offer documents and evaluate that separately. Allow them to use their specialist knowledge to carry out technical evaluation, but avoid sharing commercial information. However, also watch out for leaking other commercially sensitive data such as patented designs and proprietary methodologies.
Don’t allow contractors to view any rate tables agreed with vendors unless absolutely necessary. One that is often very challenging is ensuring contractors don’t see invoices from competitors, particularly when they fill a management role such as project or programme manager. The financial review and approval duties should be passed to an appropriate employee.
Avoid having contractors sitting near or walking past areas of the business where planning, procurement and unrelated projects are undertaken. Overheard conversations can be risky.
In some cases, exposing the contractor to sensitive data is unavoidable. They may be working in procurement or planning areas. In these cases, a regular conflict of interest catch up, a nondisclosure agreement and clear statements of their responsibility in protecting data are needed to manage the risks.
Overall, it is just another risk the business needs to identify, review and manage to ensure the interests of the organisation, the market and individuals are protected. It should not be onerous, but equally, it must not be ignored.
Got any thoughts, experiences or ideas on this subject? Then head on over to the PME4U forums and get involved.