Managing Digital Risk

From the April 2019 print edition

As procurement organizations move up the digitalization value chain and acquire and implement increasingly complex and integrated systems, it is critical that the risks associated with these technologies be identified and managed.

End-to-end risk management from technology specification, selection, implementation and integration, through ongoing operations and governance must be achieved through technology acquisition and managed services contracts. Automated contracting systems, such as AI-powered robotic purchasers and blockchain-based smart contracts, also need to be structured and contracted to ensure that liability for failures and errors is addressed.

Smart technologies encompass the spectrum of digital tools used in procurement and supply chain management, including big data analytics, artificial intelligence (AI), robotics and blockchain. Most procurement organizations are moving up the digitalization value chain, from digitalizing data to the use of ERP systems to automate workflow, to robotic processing, to the application of big data analytics and the use of machine learning and AI systems. Blockchain is also increasingly used to improve traceability and transparency along supply chains.

The 2018 Deloitte Global Chief Procurement Officer (CPO) survey (2018 Deloitte Survey) found that managing risk continues to be one of the top three priorities for procurement departments (along with cost reduction and new products), but that many companies struggle to effectively implement advanced digital technologies. Problems with data, namely lack of integration and poor-quality data, were identified by more than 45 per cent of procurement leaders as barriers to the effective application of digital procurement technologies, and only 3 per cent of procurement leaders believe staff possess all the skills to maximize digital technology use. Blockchain is currently deployed or scaling in only 2 per cent of firms, but is being piloted or considered by another 23 per cent.

Firms looking to implement digital procurement technologies are looking to outside providers of managed services, often in the cloud, to provide the technologies and skills required to implement and support them, but remain focused on risk management. Lack of familiarity with the technologies and the management of the risks may prevent companies from realizing the benefits available through procurement digitalization, but these knowledge gaps may be addressed through external technical and legal advisors with expertise.

Managing risks
Implementing and operating digital procurement technologies involves a variety of inter-related legal, economic and operational risks, all of which must be addressed through the technology procurement process and documented in the resulting technology contracts. Legal risks and contractual provisions include those dealing with:

  • compliance with applicable laws;
  • protection of confidential information and personal information;
  • cybersecurity breaches;
  • payment of taxes;
  • compliance with reporting obligations;
  • insurance coverage;
  • representations, warranties and covenants; and
  • indemnities and limitations of liability.

Economic risks and corresponding contractual provisions include those dealing with:

  • the pricing and management of changes;
  • price performance and other adjustments to prices over the term;
  • price benchmarking;
  • financial and performance audits;
  • impacts from changes in currencies; and
  • gain sharing.

Operational risks and corresponding contractual provisions include those dealing with:

  • the integration of the new technology and data with other technologies and platforms in use by the organization;
  • performance management (including service levels, reporting, fee reductions and incentives);
  • allocation of roles and responsibilities;
  • continuing access to key service provider personnel;
  • continuing access to key facilities and assets;
  • ownership and licensing of data and intellectual property;
  • availability of verified disaster recovery and business continuity plans;
  • governance commitments; and
  • transition assistance.

In addition to the usual technology risks, the use of blockchain and AI procurement agents (AI Agents, where the AI system is empowered to make procurement decisions and to place orders relatively autonomously) raises additional legal concerns surrounding the enforceability of the contracts, and the resolution and rectification of errors.

Blockchain technologies (typically employing a private or “permissioned” blockchain architecture, rather than the “public” blockchain models employed by Bitcoin and other cryptocurrencies) may be used to form smart contracts and to track goods and payment obligations throughout the supply chain. Blockchain, which relies upon the creation of an immutable, distributed digital ledger to document such transactions, is currently being used to track several products, ranging from diamonds (by De Beers) to fresh produce (by Walmart, Unilever, Nestle, and others). Blockchains can also create smart contracts, which include conditions of payment, to automate purchase transactions (e.g., once the product is confirmed to have been delivered, payment is automatically advanced).

AI Agents may use machine learning and big data analytics to determine when and how much of each product to order, and then to automatically place the corresponding orders. While Canadian ecommerce laws, such as the Ontario Electronic Commerce Act, 2000, provide for the use of AI Agents (“electronic agents” are defined in the Act as “a computer program or any other electronic means used to initiate an act or to respond to electronic documents or acts, in whole or in part, without review by an individual at the time of the response or act”) to form valid contracts, mistakes underlying the contract may, in some cases, be asserted to invalidate the contract.

Where an AI Agent or a smart contract is being provided and managed by a service provider for the procuring organization, the underlying technology contract should consider the different types of risks arising from the use of such technology (including programming errors and errors in the data), include provisions to mitigate such risks, and then allocate the liabilities appropriately.

In order to assist our clients to effectively and efficiently procure complex technology systems and managed services relationships, we use an agile procurement methodology which is comprised of three principal stages:

  1. Fact finding and due diligence: During which the procuring entity performs a market scan and uses Requests for Information, Requests for Qualifications, Requests for Expressions of Interests, and meetings with prospective service providers to clearly understand the technology products and services available in the market.
  2. RFP development and clarification: During which the Request for Proposals (RFP) is developed, issued, questions received from prospective proponents, and clarifications issued in response.
  3. Assessment of proposals, negotiations and contract: During which the procuring entity receives and assesses the proposals, concludes expedited negotiations with the leading proponents and then enters into a contract for the best solution.

We have used this agile procurement approach to good effect with both public sector and private sector organizations, in some cases with formal “fairness” oversight.

As procurement departments pursue the increased efficacy, efficiency and value offered by the digitalization of their supply chain, proper risk management is a critical consideration. This article has highlighted some of the legal, economic and operational risks that need to be managed, and described an agile procurement methodology that may be used to facilitate the acquisition of complex technologies and service offerings.

Richard Corley is a Toronto-based technology lawyer. His colleagues Seth Klerer and Sarah Stothart co-wrote the following article.