

Meet deadlines and cut costs: Five steps to faster contract negotiations

10.10.18

State governments regularly negotiate contracts with vendors. Unfortunately, these negotiations are often prolonged, which can have major downstream effects on projects, procurements, and implementations—including skewed timelines, delayed milestones, and increased costs. Here are five suggestions for shortening contract negotiations. 

  1. Limit project scope. Leaner project scope means shorter contract negotiations. Conversely, the sheer number of requirements, terms, and conditions in a larger project naturally inflates negotiations. Limiting scope means being conservative in what you are looking to achieve. Planning a core systems modernization? Such projects can cost tens of millions of dollars, so limit scope (and cost) to certain modules. If, for example, you are modernizing an ERP system, limit projects and procurements to key modules and milestones.
  2. Use project management techniques. Treat the negotiation like a small project. For example, compile a list of tasks and deadlines, as well as names for necessary signatures. Develop a project plan and hold weekly check-ins to keep things on track. Assign someone in your organization as a single point of contact to help shepherd the contract through the process. 
  3. Make the vendor’s proposal part of the contract, verbatim. Some states still require copying the proposal response into a contract document, and that often requires modifying proposal language, which slows things down. Instead, attach the solution proposal to the contract cover page(s) so that the proposal is there, word for word.
  4. Have vendors define deliverables, except for the minimum deliverables you must have. Vendors should know how to deliver their product and services and should include items they expect to be paid for, such as completion of a development cycle, software licenses, and a gap analysis report. Rather than define what deliverables you need, let the vendors define them, except for any mandatory ones, such as a training or testing plan. Ask for interim or draft versions of training or testing plans as part of proposal submission. 
  5. Tell vendors ahead of time what the payment constraints are. As a state government, you are bound by budget cycles and spending authority. You also want payment tied to working product. With both factors in mind, tell vendors up front how much of the contract can be paid in a given year and how much you are willing to tie to which deliverables. Don’t want to pay more than, say, 40% of the project cost for non-software deliverables? Say so. Vendors can then plan their paydays and deliverable sequence accordingly.

You can also save time and effort by not negotiating at all. States often assume there will be, or allow for, negotiation periods. Yet states can make clear that no negotiation will occur after contract award, or limit what can be negotiated to a small, finite number of items. To prepare for this approach, states should glean vendor stipulations ahead of time, and perhaps even score vendors on the number or type of stipulations. Use a pre-award proposal clarification period to clarify any terms or demands that are unfavorable to the state, and consider ranking or evaluating proposals on the number of objections raised to terms and conditions.

States should feel empowered to shorten (or, when appropriate, even eliminate) contract negotiations. After all, state time is state money.


When an organization wants to select and implement a new software solution, the following process typically occurs:

  1. The organization compiles a list of requirements for essential and non-essential (but helpful) functions.
  2. The organization incorporates the requirements into an RFP to solicit solutions from vendors.
  3. The organization selects finalist vendors to provide presentations and demonstrations.
  4. The organization selects one preferred vendor based on various qualifications, including how well the vendor’s solution meets the requirements listed in the RFP. A contract between the organization and vendor is executed for delivery of the solution.
  5. The preferred vendor conducts a gap analysis to see if there are gaps between the requirements and its solution—and discloses those gaps.
  6. The preferred vendor resolves the gaps, which often results in change orders, cost adjustments, and delays.

Sound painful? It can be. Step #5—the gap analysis, and its post-contract timing—is the main culprit. However, without it, an organization will be unaware of solution shortcomings, which can lead to countless problems down the road. So what’s an organization to do?

A Possible Solution
One suggestion: Don’t wait until you choose the preferred vendor for a gap analysis. Have finalist vendors conduct pre-contract gap analyses for you.

You read that right. Pay each finalist vendor to visit your organization for a week to learn about your current and desired software needs. Then pay them to develop and present a report, based on both the RFP and on-site discussions, which outlines how their solution will meet your current and desired software needs—as well as how they will meet any gaps. Among other things, a pre-contract gap analysis will help finalist vendors determine:

  • Whether programming changes are necessary to meet requirements
  • Whether functions can be provided through configuration setup, changes in database tables, or some other non-customized solution
  • What workarounds will be necessary
  • What functionalities they can't, or won't, provide

Select a preferred vendor based on both their initial proposal and solution report.
Of course, to save time and money, you could select only one finalist vendor for the pre-contract gap analysis. But having multiple finalist vendors creates a competitive environment that can benefit your organization, and can prevent your organization from having to go back to other vendors if you’re dissatisfied with the single finalist vendor’s proposal and solution report, or if contract negotiations prove unsuccessful.

Pros
You can set realistic expectations. By having finalist vendors conduct gap analyses during the selection process, they will gain a better understanding of your organization, and both your essential and nonessential software needs. In turn, your organization gets a better understanding of the functionality and limitations of the proposed solutions. This allows your organization to pinpoint costs for system essentials, including costs to address identified gaps. Your organization can also explore the benefits and costs of optional functions. Knowing the price breakdowns ahead of time will allow your organization to adjust its system requirements list.

You can reduce the need for, or pressure to accept, scope changes and change orders. Adding to, or deleting from, the scope of work after solution implementation is underway can create project delays and frustration. Nailing down gaps—and the preferred vendor’s solutions to meet those gaps—on the front end increases efficiency, helps to ensure best use of project resources, and minimizes unnecessary work or rework. It may also save you expense later on in the process.

Cons
You will incur additional up-front costs. Obviously, your organization will have to pay to bring finalist vendors on-site so they can learn the intricacies of your business and technical environment, and demonstrate their proposed solutions. Expenses will include vendors’ time, costs for transportation, lodging, and meals. These costs will need to be less than those typically incurred in the usual approach, or else any advantage to the modified gap analysis is minimized.

You might encounter resistance. Some finalist vendors might not be willing to invest the time and effort required to travel and conduct gap analyses for a system they may not be selected to implement; they will be more interested in the larger paycheck. Likewise, stakeholders in your own organization might feel that the required costs and time investments are impractical or unrealistic. Remind staff why the upfront investment is worthwhile, and take note of which vendors are willing to make the same investment.

Article
The pros and cons of pre-contract gap analyses

The day-to-day work of providing government services involves collecting, using, and storing large amounts of data. The data that government agencies accumulate is a critical asset — it holds answers about which programs perform best, which interventions are most effective, and how to improve service delivery. Data can also be a liability when it falls into the wrong hands or is misused, even unintentionally. Data governance is a great place to start gaining control of your data.

Establishing data governance can be intimidating. Between resource constraints, multiple and different data policies within large organizations, cultural reluctance to change, and lack of knowledge, it can be difficult to even know where to begin. Start with the fundamentals: understand what data governance is, and why it is so important.

These initial guidelines will help you validate the need for data governance at your organization, and recognize the correlation between reaching your strategic goals and governing data.

So, what is it?
Data governance is an ongoing, evolving process, driven by business leaders, in which they establish principles, policies, business rules, and metrics for data sharing. Those leaders manage priorities and resources, such as data stewards and technologists, to acquire, harmonize, summarize, and produce data-rich analyses of the data assets required to meet agency goals.

At a high-level, data governance has two main components: 

Data Governance Components

Why is data governance so important, and why NOW?

  • Data ownership is a responsibility. Properly governing data is not only important for organizational strategy, it is also important to produce high-quality client outcomes and levels of satisfaction. When you establish proper data policies and procedures, clients receive a better level of service. 
  • The amount of data collected is increasing. Many organizations collect an abundance of data, with no real vision of how to use it. A framework of data governance assists with developing a strategy to take advantage of data and use it effectively. 
  • The demand for data is growing. Organizations, especially in the public sector, are required to analyze and submit data for reporting to funders and oversight bodies. Without data governance, these reports can be inaccurate, contain gaps, or be manipulated improperly to produce false reports. 
  • The concern for security surrounding data is increasing. Security and privacy mandates across both public and private sectors evolve constantly, because the more of our work that runs on technology, the better protected our data needs to be. An organization that has not implemented foundational data security measures across every jurisdiction it operates in can quickly fall behind the curve, and out of compliance. 
  • Organizations miss many opportunities to use data more efficiently. Organizations report low confidence in their ability to produce accurate data reports, which results in inefficient resource allocation. A standardized framework for governing data helps produce higher levels of data quality and integrity, and improves report accuracy.

How can your organization start the process?
The first step in a data governance initiative is to assess your organization’s data environment and maturity level. Start by analyzing your organization’s data policies, usage, documentation, and management processes to gain a true understanding of the current data landscape and management maturity level. CMMI’s Data Management Maturity (DMM) model and the Data Management Association’s (DAMA) Data Management Body of Knowledge (DMBOK) are great reference resources for understanding the role and definition of data governance.

The time for data governance is now.
BerryDunn’s Government Consulting Group works with state agencies to develop data governance initiatives as well as specific processes and policies to help states take control of data, increase confidence in its quality, and reach strategic goals. 

Article
Data governance: Gain control

In July 2016, we wrote about how the booming microbrewery scene in Maine is shaking up the three-tier system of alcohol distribution, which dates back to the 1930s.

A month later, three Texas microbreweries — Live Oak Brewing Company, Peticolas Brewing, and Revolver Brewing — argued against the three-tier system in district court, seeking to circumvent parts of the system and allow craft breweries in Texas to sell their distribution and territorial rights. The State countered that assertion, and claimed that the three-tier system was necessary because it allowed the Texas Alcoholic Beverage Commission to easily monitor the distribution of products, and have a greater sense of the inventory of retailers, restaurants, and bars.

A few weeks following the initial court appearance, the presiding judge ruled in favor of the three Texas microbreweries, granting them the right to distribute their own product — and, as a result, allowing these and other Texas microbreweries to maximize their profits. This ruling opined that the three-tier system unfairly benefits distributors at the expense of microbreweries.

One could argue that microbreweries wouldn’t exist in such force today if not for the three-tier system, which allows for competition and the creation of new producers. On the other hand, the three-tier system imposes burdens on microbreweries, as the Texas suit demonstrates. Yes, the number of microbreweries is growing—but because microbreweries are forced to sell directly to a shrinking number of distributors, the former tend to suffer slow revenue growth, while the latter tend to enjoy steady or increased sales.

The co-existence of microbreweries and the three-tier system in the United States merits observation. It will be equally fascinating to see if the methods for producing and distributing alcohol will drastically change. Is it time for a modified regulatory model that will better accommodate the growing craft beer landscape? Or do the tried-and-true policies dating back to before World War II still serve their original intent? It’s too soon to know, but we’ll see what ferments in the months to come.

Editor's note: this article was co-written with Amanda Findlay. 

Article
Untapped potential: Microbreweries use legal scrutiny to erode the three-tier system

There is plenty of media coverage of Maine’s, and specifically Portland’s, burgeoning microbrew scene. It’s good economic development and complements the already established “foodie” scene Portland is renowned for. What’s more, microbrewers are increasingly avoiding the middleman and offering tastings directly to consumers, onsite at their breweries. As in other states, all who sell beer by the glass in Maine need a license. But the licensing cost for breweries and their tasting rooms is much lower than it is for bars and taverns, earning a charge of unfairness from those establishments, which have to go through a more stringent and expensive process to get a liquor license. You may enjoy the irony of Maine having been the first state to prohibit the sale of alcohol, in 1851.

There is another facet to the boom in tasting room sales that sits higher up the legal food chain than licensing fees: the three-tier system. First, a quick primer: the three-tier system was instituted at the time of the repeal of Prohibition (December 1933) to remove the problem of the “tied house.” Prior to Prohibition, tied houses were not uncommon: one regional entity controlled the brewing or distilling, distribution, and retail sale of intoxicating beverages. This, it was argued, resulted in excessive alcoholic beverage sales by larger manufacturers, and thus excessive consumption of alcohol. Following Prohibition, states instituted laws establishing a three-tier system whereby manufacturers, distributors, and retailers are required to hold separate licenses. This separation was designed to prevent dominance of one tier over the others. Gone are the days of saloons associated with excessive drinking and loyalty to a single regionally dominant brand.

The three-tier system, in the opinion of many, works well. The National Alcoholic Beverage Control Association (NABCA) has published a paper on the virtues of the system. The Supreme Court, in the landmark case Granholm v. Heald, declared that the three-tier system was “unquestionably legitimate”[1]. The Alabama Brewers Guild supports the three-tier system, but feels exceptions should be made, notably for direct sales (presumably including both on-premise and off-premise sales, the latter occurring when a consumer takes beer to go, just as from a grocery or package store).

In Portland’s microbreweries (and distilleries, too), direct sales are over the counter, just like a bar. Is it reasonable to make exceptions to the three-tier system and let manufacturers become retailers at a certain level? Probably. A brewery in Portland making under 50,000 gallons of beer a year is no corporate monolith. Neither are craft distillers in North Carolina, where a state senate bill was under consideration recently to allow purchase of one bottle of spirits per year from distilleries[2]. But it does blur the lines of the three-tier system and its original reason for being. In addition to making those in the industry who pay for a full license upset, the spirit of the three-tier system may be challenged as breweries grow larger. The situation is certainly worth keeping an eye on as the microbrewery revolution continues.

[1] http://repository.law.umich.edu/cgi/viewcontent.cgi?article=1127&context=mlr, page 822.
[2] http://www.wral.com/distilleries-could-sell-more-bottles-direct-to-tourists/15760834/

Article
Microbreweries and the debate on the three-tier system

Read this if you use, manage, or procure public safety and corrections technology. 

In our previous post, we discussed how developing a technology RFP with meaning, structure, and clarity enhances the competitive nature of the solicitation. In this article, we ask: How can your agency synthesize and unify existing business processes with industry standards to attract modern OMS providers? The answer: your agency crosswalks.

Industry standards, such as those set by the Corrections Technology Association (CTA) and the American Probation and Parole Association (APPA), establish the benchmark for modern operations. However, the limitations of legacy corrections software often blur the one-to-one relationship between current processes and industry standards. For that reason, crosswalk tools help agencies map current processes to industry-wide standards.

Corrections Technology Association (CTA) Functional Areas

Agencies crosswalk in preparation for a corrections technology procurement to align system requirements with commercial off-the-shelf (COTS) corrections management systems. Revisiting the themes of clarity, meaning, and structure, the crosswalk helps technology vendors understand your current operations, the tools you currently use to support those operations, and the way in which those operations relate to industry functional areas.

In an iterative fashion, the CTA crosswalk first helps you understand your agency’s technology and operational structure, and then communicates system requirements to correction technology providers in an industry-led framework. The approach helps you transition from your legacy processes to your new operational environment.

Although your agency can engage the market with a meaningful, structured, and clear RFP, prequalification and contract vehicles provide a viable alternative, or enhancement, to procuring a new offender management system. The following advantages and disadvantages can inform your agency’s decision to use a prequalification vehicle.

Advantages:

  1. Non-competitive procurement can often be accomplished more quickly given the absence of the timeframe usually dedicated to the development of the RFP, posting to potential vendors, and evaluation of proposals.
  2. Reduced uncertainties in terms of what a vendor is able to provide since an open dialog starts immediately.
  3. Competitive procurement (secondary competition) under a contract vehicle is limited to the vendors who proposed and were awarded. Only higher performing vendors are likely to be able to respond, particularly if only certain vendors are selected from the list.
  4. Potentially better pricing as a vendor can eliminate unknowns through open communication, so less risk is priced into the proposal.
  5. A better environment around requested changes, as a vendor that has maintained a certain margin in their pricing may be more amenable to no-cost change orders.

Disadvantages:

  1. The agency loses some negotiating advantage when a vendor knows they are the only ones in the procurement conversation. 
  2. A vendor may have less incentive to “put their best foot forward” and offer higher levels of service and functionality.
  3. Competitive cost may not be obtained because the vendor doesn’t have to worry about beating a competitor.
  4. Secondary competition may take a somewhat similar timeframe because the solicitation, evaluation, and award processes take a similar amount of time to an RFP for larger projects.

The trajectory to develop an RFP for new corrections management software spans from assessing existing operations and technology to mapping current operations to industry standards for clarity. At the same time, your agency should consider the driving and constraining factors for using a prequalification or contract vehicle.

BerryDunn has experience with cross-walking agencies into industry-leading practices, and we also understand the need for non-standard RFPs that extend beyond CTA and APPA guidelines. Reach out to our public safety consultants if you have questions, or look out for our next blog providing insight on adapting to and overlapping challenges in non-standard corrections technology procurements.

Article
Leveraging industry standards to optimize Offender Management Systems (OMS)

Read this if you use, manage, or procure public safety and corrections technology. 

When initiating the selection of a new technology platform to replace legacy software, how does an agency ensure the new system addresses functional and technical requirements while also complying with procurement standards? Requests for Proposals (RFPs) serve as an effective purchasing vehicle, particularly when agencies seek to identify modern technology along with the professional services to implement it. While correctional agencies may use an RFP to engage a new Offender Management System (OMS) provider, the complexities of the industry and the vast range of best practices complicate the planning, scoping, issuance, and evaluation process.

With the long-term vision of completing projects on time, under budget, and within scope, independent third parties write technology RFPs to enhance traceability and accountability during implementation.

An independent third-party can help your agency:

  1. Define a meaningful project scope to scale the vendor market and guide quality proposals
  2. Develop effective forms, worksheets, and attachments to supplement RFP requirements to support compliance and meet proposal standards
  3. Build a balanced evaluation committee with impartial scoring criteria to represent agency-wide needs and fairly rank vendors
  4. Craft a structured procurement package that attracts multiple vendors to find the solution that best fits your needs
  5. Design a reasonable and achievable RFP schedule of events to finish the project in a timely manner
  6. Reduce ambiguity and increase clarity of RFP terms to streamline the process

If your agency incorporates a sound strategy to craft a meaningful RFP, then a lengthy, meandering procurement journey will become a well-defined, objective, and seamless process to identify new software. Furthermore, you can enhance competitive responses with an RFP free from ambiguity―and full of clarity.

If your corrections agency does engage outside help to facilitate development of an RFP for new OMS software, you should ensure that the third party you engage has experience supporting a meaningful, balanced, and structured purchasing process. BerryDunn injects best practices from the Corrections Technology Association (CTA) and American Probation and Parole Association (APPA). Pairing CTA and APPA standards with an RFP tailored to the technology markets will help an agency boost vendor responses to ultimately improve critical operations.

Reach out to our public safety consultants directly for questions, or look out for our next blog providing insight on leveraging industry standards (e.g., CTA, APPA) when crafting an RFP for corrections technology.
 

Article
Sourcing new IT systems: Third-party advantages

The BerryDunn Recovery Advisory Team has compiled this guide to COVID-19 consulting resources for state and local government agencies and higher education institutions.

We have provided a list of our consulting services related to data analysis, CARES Act funding and procurement, and legislation and policy implementation. Many of these services can be procured via the NASPO ValuePoint Procurement Acquisition Support Services contract.


We're here to help.
If you have any questions, please contact us at info@berrydunn.com

Article
COVID-19 consulting resources

Read this if you are a CIO, CFO, Provost, or President at a higher education institution.

In my conversations with CIO friends over the past weeks, it is obvious that the COVID-19 pandemic has forced a lot of change for institutions. Information technology is the underlying foundation for supporting much of this change, and as such, IT leaders face a variety of new demands now and into the future. Here are important considerations going forward.

Swift impact to IT and rapid response

The COVID-19 pandemic has had a significant impact on higher education. At the onset of the pandemic, institutions found themselves quickly pivoting to work from home (WFH), remote campus operations, and remote instruction within a few weeks, and in some cases a few days. Most CIOs I spoke with indicated that they were prepared, to some extent, thanks to cloud services and online class offerings already in place; it was mostly a matter of scaling those services across the entire campus and being ready for students and faculty returning on the heels of an extended spring break.

Services that were not in place required creative and rapid deployment to meet the new demand. For example, one CIO mentioned the capability to have staff accept calls from home. The need for softphones to accommodate student service and helpdesk calls at staff homes required rapid purchase, deployment, and training.

Most institutions have laptop loan programs in place but not scaled to the size needed during this pandemic. Students who choose to attend college on campus are now forced to attend school from home and may not have the technology they need. The need for laptop loans increased significantly. Some institutions purchased and shipped laptops directly to students’ homes. 

CIO insights about people

CIOs shared seeing positive outcomes with their staff. Almost all of the CIOs I spoke with mentioned how the pandemic has spawned creativity and problem solving across their organizations. In some cases, past staffing challenges were put on hold as managers and staff have stepped up and engaged constructively. Some other positive changes shared by CIOs:

  • Communication has improved—a more intentional exchange, a greater sense of urgency, and problem solving have created opportunities for staff to get engaged during video calls.
  • Teams focusing on high priority initiatives and fewer projects have yielded successful results. 
  • People feel a stronger connection with each other because they are uniting behind a common purpose.

Perhaps this has reduced the noise that most staff seem to hear daily about competing priorities and incoming requests that seem to never end.

Key considerations and a framework for IT leaders 

It is too early to fully understand the impact on IT during this phase of the pandemic. However, we are beginning to see budgetary concerns that will impact all institutions in some way. As campuses work to get their budgets settled, cuts could affect most departments—IT included. In light of the increased demand for technology, cuts could be less than anticipated to help ensure critical services and support are uninterrupted. Other future impacts to IT will likely include:

  • Support for a longer term WFH model and hybrid options
  • Opportunities for greater efficiencies and possible collaborative agreements between institutions to reduce costs
  • Increased budgets for online services, licenses, and technologies
  • Need for remote helpdesk support, library services, and staffing
  • Increased training needs for collaborative and instructional software
  • Increased need for change management to help support and engage staff in the new ways of providing services and support
  • Re-evaluation of organizational structure and roles to right-size and refocus positions in a more virtual environment
  • Security and risk management implications of remote workers
  • Accessibility of systems and classes

IT leaders should examine these potential changes over the next three to nine months using a phased approach. The diagram below describes two phases of impact and areas of focus for consideration. 

Higher Education IT Leadership Phases

As IT leaders continue to support their institutions through these phases, focusing on meeting the needs of faculty, staff, and students will be key in the success of their institutions. Over time, as IT leaders move from surviving to thriving, they will have opportunities to be strategic and create new ways of supporting teaching and learning. While it remains to be seen what the future holds, change is here. 

How prepared are you to support your institution? 

If we can help you navigate through these phases, have perspective to share, or any questions, please contact us. We’re here to help.

Article
COVID-19: Key considerations for IT leaders in Higher Ed

Best practices for financial institution contracts with technology providers

As the financial services sector moves in an increasingly digital direction, the need for robust and relevant information security programs cannot be overstated. Financial institutions rely more than ever on third-party technology vendors to support core aspects of their business, and in turn rely on those vendors to meet the industry’s high standards for information security. These standards include those in the Gramm-Leach-Bliley Act, Section 404 of the Sarbanes-Oxley Act, and the guidance issued by the Federal Financial Institutions Examination Council (FFIEC).

On April 2, 2019, the FDIC issued Financial Institution Letter (FIL) 19-2019, Technology Service Provider Contracts, which outlines important requirements and considerations for financial institutions regarding their contracts with third-party technology service providers. In particular, FIL-19-2019 urges financial institutions to address how their business continuity and incident response processes integrate with those of their providers, and what a provider outage or incident could mean for their customers.

Common gaps in technology service provider contracts

As auditors of IT controls, we review many contracts between financial institutions and their technology service providers. When it comes to recommending areas for improvement, our top observations include:

  • No right-to-audit clause
    Including a right-to-audit clause encourages transparency and provides greater assurance that vendors are providing services, and charging for them, in accordance with their contract.
  • Unclear and/or inadequate rights and responsibilities around service disruptions
    In the event of a service incident, time and transparency are vital. Contracts that lack clear and comprehensive standards, both for the vendor and financial institution, regarding business continuity and incident response expose institutions to otherwise avoidable risk, including slow or substandard communications.
  • No defined recovery standards
    Explicitly defined recovery standards, such as recovery time and recovery point objectives for each service, are essential to ensuring both parties know their role in responding to and recovering from a disaster or other technology outage.

FIL-19-2019 also reminds financial institutions that they need to properly inform regulators when they enter into contracts or relationships with technology service providers. The Bank Service Company Act requires insured institutions to notify their primary federal regulator in writing, within 30 days of entering into the service contract or of the service being performed, when they receive third-party services such as sorting and posting of checks and deposits, computation and posting of interest, preparation and mailing of statements, and other functions involving data processing, Internet banking, and mobile banking services.

Writing clearer contracts that strengthen your institution

Financial institutions should review their contracts, especially longstanding ones, and make necessary updates in accordance with FDIC guidelines. As operating environments continue to evolve, older contracts, which are often renewed automatically, are particularly easy to overlook. You also need to review your business continuity and incident response procedures to ensure they address every service provided by third parties.

Senior management and the Board of Directors hold ultimate responsibility for managing a financial institution’s relationships with its technology service providers. Management should inform board members of any and all services the institution receives from third parties so that they understand the institution’s operating environment and information security needs.

Not sure what to look for when reviewing contracts? Some places to start include:

  • Establish your right to audit
    All contracts should include a right-to-audit clause, which preserves your ability to access and audit vendor records relating to the vendor’s performance under the contract. Most vendors will provide due diligence documentation on request, such as System and Organization Controls (SOC) reports: a SOC 1 report covers controls relevant to your financial reporting, while a SOC 2 report covers security, availability, and the other trust services criteria. When you receive one, check that the report’s system description and review period actually cover the services you consume, and that you have implemented the complementary user entity controls the report assumes on your side.

    Many right-to-audit clauses also include a provision allowing your institution to conduct its own audit procedures. At a minimum, don’t hesitate to perform occasional walk-throughs of your vendor’s facilities to confirm that your contract’s provisions are being met.
  • Ensure connectivity with outsourced data centers
    If you outsource some or all of your core banking systems to a hosted data center, place added emphasis on the part of your institution’s business continuity plan that ensures connectivity, such as the use of multiple Internet or dedicated telecommunications circuits, ideally from different carriers over physically separate paths, since redundant circuits that share a carrier or a conduit fail together. Hosting vendors should, by contract, be prepared to assist with alternative connectivity.
  • Set standards for incident response communications
    Clear expectations for incident response are crucial to helping you quickly and confidently manage the impact of a service incident on your customers and information systems. Vendor contracts should include explicit requirements for how and when the vendor will communicate in the event of any issue or incident that affects your ability to serve your customers, including the notification channel, the time frame for initial notification, and the cadence of status updates until resolution. You should also review and update contracts after each incident to address any areas of dissatisfaction with vendor communications.
  • Ensure regular testing of defined disaster recovery standards
    While vendor contracts don’t need to detail every aspect of a service provider’s recovery standards, they should ensure those standards will meet your institution’s needs. Contracts should guarantee that the vendor periodically tests, reviews, and updates their recovery standards, with input from your financial institution.

    Your data center may also offer regular disaster recovery and failover testing. If they do, your institution should participate in it. If they don’t, work with the vendor to conduct annual testing of your ability to access your hosted resources from an alternate site.

As financial institutions increasingly look to third-party vendors to meet their evolving technology needs, it is critical that management and the board understand which benefits—and related risks—those vendors present. By taking time today to align your vendor contracts with the latest FFIEC, FDIC, and NCUA standards, your institution will be better prepared to manage risk tomorrow.

For more help gaining control over risk and cybersecurity, see our blog on sustainable solutions for educating your Board of Directors and creating a culture of cybersecurity awareness.

Article
Are your vendor contracts putting you at risk?