As organisations evolve their operations to integrate technology, they often engage third party suppliers to provide IT services. This may include the migration of data to the cloud, outsourcing the payroll function, automation of job recruitment processes, enabling a chatbot, and support of key hardware and software.

Organisations may be tempted to hasten the onboarding of a supplier to secure what seems to be a business-critical IT solution or a supposedly great commercial deal. However, failure to conduct proper due diligence on your IT supplier before you let them into your environment or integrate into your solutions can result in significant risks for your business. We discuss some of these below, and how having a robust IT supplier selection process helps with mitigating and in some cases, preventing these risks.

  1. Adherence to applicable law
  • Non-adherence to applicable laws: Some suppliers may refuse to comply with laws that may be applicable to the services that they are providing, and insist on providing the services on an "as-is" basis.
  • Inflexible to accommodate local law requirements: Often, IT suppliers that are not familiar with the local legal landscapes are not willing to accommodate local law requirements that may apply to the customer. For example, a bank may find that its IT supplier refuses to comply with directives and guidance notes issued by the South African Reserve Bank which stipulate what the contract with the supplier should provide for. In other instances, we see suppliers refusing to make provision for privacy requirements in the contract, alternatively not being flexible to accommodate local privacy law requirements, or insisting on a privacy regime that might not even be applicable (for example the EU or UK General Data Protection Regulation).
  • B-BBEE considerations: Some suppliers may not be able to comply with a South African customer's broad-based black economic empowerment ("B-BBEE") requirements. This is relevant to customers that require their suppliers to comply with minimum B-BBEE contributor status levels.
  1. Security vulnerabilities: In today's world, data has become the lifeforce of an organisation, and with that, the legal landscape has evolved and responded to the privacy and security risks inherent in data usage. An unreliable IT supplier who has access to your data and environment might not implement robust security measures, leaving your systems and data vulnerable to security compromises. This could result in data breaches and theft of sensitive information, with potential legal and financial consequences, and significant reputational harm. Customer trust and confidence can be eroded if your systems are consistently unreliable or vulnerable to cyber threats.
  1. Undesirable supplier:
  • Sanctions and ABC: If your supplier has been, or is likely to be sanctioned, or has been implicated in any activities relating to antibribery and corruption ("ABC"), this could expose your organisation to various risks, both financial and legal. Moreover, associating with such entities can damage your organisation's reputation as your customers, business partners, investors, and other stakeholders may view your business negatively, leading to a loss of trust and potential business relationships.
  • Suppliers that may otherwise have a bad reputation. Even if a supplier is not facing sanction or committing any ABC-related activities, its behaviour may have drawn public attention and scrutiny which may spill into the supplier's relationships with other parties including your organisation.
  1. Lack of scalability and flexibility: Even if your supplier adheres to what they are contractually required to do at the inception of the contract, if in the future you ever wished to scale up or down, your supplier's systems may not be able to accommodate that.
  1. Failure to refresh technology: Whilst your supplier will likely adhere to the scope of services defined in your contract, it may not be sufficiently flexible to continuously improve and refresh its technologies or implement newly improved or enhanced information technologies or initiatives that reasonably could be expected to have a positive impact on the services you are receiving (eg, increased efficiency, increased quality and/or reduced costs, innovation on new methodologies, a sustainable model for achieving innovation, etc). This may cause your supplier to fall out of line with your own architectural technology standards and strategies.
  1. Contracting with empty shells or the wrong entity:
  • Empty shells: Even the best of contracts may not be able to protect you against poor supplier selection if you can only enforce your agreement against an empty shell. Background checks and thorough due diligence will elucidate gaps regarding, among other things, delivery capabilities (eg, whether the supplier has adequate resources, expertise, and infrastructure to deliver the products or services promised).
  • Wrong entity: Sometimes, you may think that you are dealing with one entity in the supplier's company group, but you may be contracting with a different entity altogether. Be clear on the supplier's group structure, and which entity you are engaging with.
  1. Financial instability: The financial stability of your supplier may impact the supplier's ability to perform under the agreement, and/or affect the enforcement of your rights against the supplier. No real assets or financial standing means there is a high risk of financial instability.
  1. Conflicting cultures: Some organisations do not attach much value to cultural differences with their suppliers, but this can bear on the customer dynamic and lead to strained relationships. The culture of your supplier can result in, among other things:
  • Difficulty in decision-making: Divergent cultures can make decision-making challenging. The parties may have varying approaches to problem-solving and differing priorities, making it difficult to reach agreements on important matters.
  • Delayed or inefficient processes: Conflicting cultures might slow down processes as each party tries to adapt or negotiate to align with their respective values and practices. This can lead to inefficiencies and delays in fulfilling contractual obligations.
  • Lack of trust: When there's a clash in company cultures, it can erode trust between the parties. They may question each other's intentions or be sceptical about the other party's commitment to the contract.
  • Breach of contract: In extreme cases, conflicting cultures could lead to a breach of contract. If the parties cannot find common ground or refuse to compromise, they may fail to fulfil their contractual obligations.

Before you rush to sign a deal with an IT supplier, ensure that you first conduct a thorough due diligence, including evaluating the supplier's financial standing, reputation, technical capabilities, security practices, and generally how they align with your organisation's long-term goals. Is this an entity you want to be seen doing business with? Are you confident that you will get what you expect out of the relationship? Consider the level of due diligence that is appropriate to the transaction and relationship, for example, whether it should be open source due diligence (using information that is publicly available), doing a specific due diligence by engaging directly with the prospective supplier and requesting information to assess it, or both.

The above relates to non-contractual risks that come up when engaging with IT suppliers. There are many other risks that arise in the contractual context relating to, among other things, poor product or service quality, incompatibility and integration issues, contractual disputes, and so on, all of which will need to be managed through the contract. We will be expanding on these risks in a separate publication.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.