RFPs: Mitigating Third Party Risk Starts at the Beginning
July 15, 2021
“Lowest Qualified Bidder”, “Best Value Bid” and other similar terms are often included in Requests for Proposals (RFPs). These statements signal to bidders that proposals should be accurate and that lowballing bids with the intention of product substitution or cutting corners on service will not be tolerated. Qualifying bidders and considering quality as well as cost contributes to successful procurement outcomes.
As consumers, we use the same logic when evaluating contractors for home improvement projects. It is important to hire a reputable company that will deliver high-quality work products, on time, at the price agreed upon. While simple in concept, most consumers have experienced how rarely commitments on quality, timeline, and cost are met. Experienced consumers can attest that the lowest priced contractors do not always meet expectations for quality and/or timeliness. Many would suggest it is not possible to hire an excellent contractor who is available right away at a cost less than other contractors, as displayed in the graphic below.
The same concept applies to RFPs businesses issue when specific needs arise. Typically, RFPs are very thorough. Bidders are asked to provide details on experience, references, qualifications, project plans, etc. A huge amount of focus is placed on determining whether a bidder can credibly provide the goods or services, and whether the proposed bid price is appropriate given the level of service and quality desired.
Risk Consideration in Bidder Qualification
A wrinkle is beginning to arise as more and more organizations use the RFP process to evaluate and manage third-party risk. Many companies provide a template Master Agreement (MA), outlining terms and conditions as well as one or more questionnaires related to the bidders’ qualifications. These can include disaster recovery, business continuity, information security, and data privacy within the RFP. The disparity arises when the same level of scrutiny applied to a bidder’s quality of service, or product, and proposed price is rarely applied to a bidder’s compliance with MA terms or the validity of questionnaire responses.
Could third-party risk management practices incorporated into RFPs counterintuitively increase third-party risk? Accepting supplier responses to existence or adherence to disaster recovery, business continuity, information security, and data privacy questions without performing validation may reward suppliers with embellished responses and penalize suppliers who respond accurately and honestly.
How Unqualified Bidders Win Bids
For instance, many RFPs ask bidders to “accept the client’s MA terms” with notes indicating that changes are discouraged and may result in disqualification. If the MA includes an insurance requirement that exceeds a bidder’s current coverage, an honest bidder will ask for a change in the RFP response even though they know the request may decrease the likelihood of securing the work. A bidder who carries less than the required coverage may not ask for a change and hope the buyer does not validate the actual coverage requirements. If all else is equal, the dishonest bidder will win the RFP, exposing the buyer to significant risk. The gap will only be discovered if the buyer is proactive in obtaining and scrutinizing insurance certificates during the bidding process.
Once the governance gap is apparent, one can’t help but wonder what other requirements or questions were asked but not verified. Below are just a few of many representations bidders make when responding to RFPs.
- Does the supplier or contractor subcontract work without the customer’s permission?
- Does the supplier or contractor formally test their disaster recovery plan periodically?
- Do they test the plan annually as they claim? Are the contractor or suppliers’ employees completing the security and data privacy training as required?
- Does the supplier have an unqualified SOC 2 report or ISO270001 certification?
It is likely that a bidder who affirms they have implemented best practices would be rated higher than a supplier that is in the process of upgrading systems and processes to meet best practices and answers the questions accordingly. But what if the bidder who affirms they have implemented best practices does not formally have those practices in place and available for validation? Would they be discovered? If a dishonest bidder would not be discovered, your organization may be increasing third-party risk.
Monitoring Third Parties is Worth the Cost
Proactive organizations verify third parties are complying with contract terms and conditions periodically throughout the relationship. Monitoring third parties has a cost, but the cost is far less than a data security breach that can eliminate billions in market value. Collecting insurance certificates might be a logistical challenge, but it is a lot easier than collecting a claim from a supplier who is not insured. Validating a supplier has implemented data privacy controls is also challenging, but it is a lot easier than being investigated by a regulator after a supplier-caused data privacy violation.
RFPs are necessary as is critical evaluation of representations made by bidders. Representations alone are not sufficient and selecting the lowest bid may increase risk. Trust but verify is the tone that will lead to a high-quality supplier base. These types of relationships are durable, mutually beneficial, and the most likely to generate value for the organization over the long term. Ultimately, even businesses are not exempt from the consumer dilemma.
If you would like to further discuss this topic or have any questions, please feel free to reach out to our Contract Compliance Audit Services team who will be happy to speak with you. You can also check out our page for an overview of our services.