How much supplier due diligence is enough for a major system procurement?

Firms should consider using project-specific RfPs when evaluating potential IT suppliers, write 3Kites’ Paul Longhurst and Kemp IT Law’s Richard Kemp


We have recently seen comments questioning the value of in-depth supplier due diligence and, in particular, the RfP (Request for Proposal) document which poses questions about functionality and other areas when firms are evaluating and selecting new systems. Given the benefits our clients see when using an RfP as a key part of the process, I thought it was worth explaining why we continue to recommend firms use one when the project merits it.

There is always a need for balance – an investment of millions or even hundreds of thousands of pounds will merit more due diligence than a small project. The importance of the system to the organisation’s business will also be a factor. However, we have always seen the due diligence process as having two main functions: (1) to enable a robust decision to be made as to how the organisation’s money should be spent, based on identifiable criteria and (2) to avoid nasty surprises during the implementation process.    

The scenarios where we would consider use of an RfP to be most important are for the selection of high-cost, complex systems which are crucial to the operation of the firm. It is crucial to understand how well products are able to meet the firm’s specific functional requirements and if such functionality is delivered out-of-the-box, with configuration or not at all (albeit, potentially a roadmap item to be delivered at a future point). Without the RfP, firms would be comparing generalities and often having to take the word of a sales person who is remunerated, in large part, on the sales of systems they are unlikely to have used in a real-world environment. This is one reason why we ask suppliers to warrant their responses, giving our clients comfort that answers have been thought through and should reflect genuine capabilities.

There is a cost to creating a firm-specific RfP and consolidating the responses from suppliers. However, this is usually between four and eight days of work which, in the grand scheme of a project that might require several hundred days’ worth of effort to implement, is a small price to pay for the certainty of knowing what each evaluated product can do and helping to guide a selection decision.

For 3Kites, the RfP is a core component in a selection process that has been honed over time to reduce unnecessary effort. We continue to work on these processes and are currently considering how AI tools can help too. Our selection process keeps pricing competitive (which often offsets our costs), has been used by our project managers to challenge implementation decisions and costs, and has also been used by clients to challenge services costs where functionality was shown in the RfP as being available out-of-the-box.

The other advantage of a comprehensive RfP is the information this provides for lawyers negotiating terms, SLAs (service level agreements) and the like. At 3Kites, we advise that our clients engage Kemp IT Law to assist with this work as it is the firm’s speciality. I have therefore asked Richard Kemp to add his views on the pros and cons of having an RfP in the selection process…

Thanks Paul, I’d certainly endorse what you say about the need for RfPs and supplier due diligence.

First, running structured, RfP-based, competitive bids for major IT investments is normal – tempted to say universal – practice in Big Law, just as it is in larger professional services firms the world over. Most Big Law firms have large – and growing – procurement and vendor management operations because they see the results and benefits of this approach in practice: better pricing; better non-price terms (e.g. future proofing); holding vendors’ feet to the fire on implementation and lifecycle issues; and better decision making, records and accountability to management on key projects.

Second, firms whose size means that running a larger, permanent, internal team is not cost effective are, in our experience, increasingly bringing in these resources from outside on a project by project basis for their larger, more critical systems – and for the same reasons. It’s not unusual in our experience for project cost savings to exceed the cost of hiring externals.

Third, with the rise of the cloud (and in particular Microsoft’s cloud services), the role of the reseller and the contracts themselves are becoming much more involved and detailed. Getting the structure right from the outset – where you may be pulling together different services from different tenancies and different vendors – is so much easier if you have the vendors’ RfP responses as a route map from which the firm and the vendor can develop their solution together.

Fourth, it’s not just at contract signature stage where a robust, competitive RfP-based approach is helpful. In most IT projects, the customer is at their strongest when the contract is signed. The size of the larger vendor organisations means that they can claw back over the project lifecycle what they lost in negotiations to win the deal. A good RfP in a well-managed competition will make it easier for the customer to resist the vendor’s efforts later on.

Last but not least, whether through clients’ engagement requirements or the general law as it applies to law businesses, regulatory compliance burdens on firms are increasing. This is especially the case at the moment in the areas of AML, client onboarding, cybersecurity, ESG, GDPR, HR and operational resilience. The RfP is the best – perhaps the only – place to systematically question the vendor on its approach to these key issues and make sure they meet the firm’s requirements. 

Paul Longhurst is a director of 3Kites and Richard Kemp is a partner at Kemp IT Law. This is the 30th article in the series Navigating Legaltech.

--------------------

About 3Kites and Kemp IT Law  
3Kites is an independent consultancy, which is to say that we have no ties or arrangements with any suppliers so that we can provide our clients with unfettered advice. We have been operating since 2006 and our consultants include former law firm partners (one a managing partner), a GC, two law firm IT directors and an owner of a practice management company. This blend of skills and experience puts us in a unique position when providing advice on IT strategy, fractional IT management, knowledge management, product selections, process review (including the legal process) and more besides. 3Kites often works closely with Kemp IT Law (KITL), a boutique law firm offering its clients advice on IT services and related areas such as GDPR. Where relevant (eg when discussing cloud computing in a future article) this column may include content from the team at KITL to provide readers with a broader perspective including any regulatory considerations.
