Risk Management and the IT Consultant
A Brief Review
Survival means understanding the risk in any situation. Whether hunting for food or reviewing the latest RFP, an appreciation of risk management will maximize the chances of success and minimize the chance of the “Murphy” factor. This is just a brief summary of the more critical areas of risk exposure and treatment.
Typical risk management is a five-step process:
- Identify and analyze risk of loss exposures
- Examine risk management techniques
- Select risk management techniques
- Implement techniques
- Monitor results, improve the process
Identify and analyze loss exposures
Internal
What are your strengths and weaknesses? Before tackling a new project, assess personnel and expertise required, time lines, cash flow, other project commitments, contract terms, location, physical assets at risk, etc.
External
What can change in the external environment? Have you considered relevant political, legal, economic, social and technological factors? What about changes in market demand, and financial constraints? Determine the probability and try to quantify:
Examine risk management techniques
The more significant impact and/or high likelihood exposures require treatment, classified as:
- Avoidance
- Prevention
- Reduction
- Retention
- Segregation
- Transfer
Avoidance may mean simply passing on the particular project if the risk of failure is too high. Prevention and reduction refer to reducing the frequency or severity of risks: e.g., enhanced security alarms to minimize the theft exposure. Retention is the conscious, and quantified, decision to set aside funds for identified risks. Segregation could be the establishment of a separate facility, with full working backups and equipment, to resume operations if there was a fire in the primary location.
Contractual Transfer
This refers to the transfer of risk to another party through a formal contract. The contract should include these clauses:
Importantly, make sure there is a contract!
When a dispute arises, the first place both parties will turn to for resolution is the contract. A properly worded contract, and not just a purchase order, can avoid or minimize disputes and litigation, by clearly outlining the responsibilities of each party. Take all reasonable steps to limit liability and address the following:
Disclaimer of Warranties
Provide for reasonable but limited warranties and disclaim all other warranties.
Exclusive Remedy
State what the only remedy will be for breach of contract terms: e.g., refund of fees.
Consequential Damages
Disclaim liability for consequential damages. The clause for Exclusive Remedies should state that the consultant will not be liable for bodily injury or property damage except that caused by the Consultant’s negligence and that the Consultant will in no event be responsible for or have any obligation or liability for direct, indirect, consequential or incidental damage.
Territory
Limit liability to defend an action to a court having jurisdiction in Canada or Canada and the US. This will help prevent “tourist” litigation where the lawsuit is brought in, say, the UK.
Integration
Include this clause to minimize misunderstanding regarding the expectations of customers: e.g., this agreement contains the entire agreement with respect to the purchase, sale and installation of the equipment and the performance of all related service and ...supersedes all proposals and negotiations....
Site Preparation
Specify who is responsible for site preparation: e.g., Customer shall have site prepared and ready to receive the installation, including, without limitation, all electrical and telecommunications connection as required...
Delivery
Delivery dates should be clearly spelled out and subject to completion of site preparation and subject to force majeure (causes beyond the control of the contractor). Support obligations should also be defined, including whether telephone or on-site support, and the hours available.
Force Majeure
This clause gives the Consultant some leeway and ultimately an escape if the contract cannot be performed because of causes beyond the control of the contractor. This could include inability to obtain the material or equipment, fire, strikes, riots, war, etc., but not the financial inability of the consultant.
Insurance Transfer
You can also transfer a great deal of risk to an insurance company, including:
- Physical risk
- Loss of income
- General Liability
- Professional Liability
Physical risk refers to perils such as fire, theft, vandalism, windstorm, etc. The best insurance policy will include insurance against all risk of loss, for replacement cost, and include extensions such as off premises laptop coverage and equipment in transit.
Loss of income coverage can be critical. Can you recover quickly from a fire? Or do you need to insure your payroll and profit? What about extra expense to offset the cost of a move?
General Liability insurance will be one of two approved forms by the Insurance Bureau of Canada: Occurrence based, or Claims made. Often, your contract will specify Occurrence based General Liability coverage. This form typically provides superior coverage.
Professional Liability insurance (or E&O (Errors and Omissions)) has as many forms as there are insurers. The coverage will be on a Claims made basis, and covers your exposure in a professional capacity to claims for loss of income and damages. Make sure insurer definitions of activities are broad, and that the policy covers breach of implied terms, breach of privacy, libel, slander, dishonesty, and virus and hacking attacks.
Importantly, coverage should also include breach of Intellectual Property rights (e.g., copyright), full Contractual Liability coverage, and, if working with payment transfers, wordings approved by the Canadian Payments Association (PL&B Insurance can provide all of this).
Select risk management techniques
This will depend on your assessment of the best (cost/benefit) technique, and your risk appetite.
Implement techniques
This will involve personnel in finance, engineering, legal and management, as well as outside input from insurance brokers and others. Success depends on the commitment of senior management to mitigation techniques.
Monitor results
The design of a risk management information system will provide timely feedback of critical factors. The purpose is to bring matters within the awareness of senior management so that corrective action can be taken.
Conclusion
The risk management process results in a better appreciation of what might go wrong. Management can then take steps to mitigate potential losses. Consider using standardised surveys and questionnaires, a review of loss histories, financial statements, and the completion of process flowcharts to identify risk exposures. The chance (of survival) favours the prepared mind!
PL&B Insurance is a major National provider of Professional Liability Insurance, and provides the above
information as a service to our clients. However, we are not legal professionals, and assume no
responsibility for the accuracy, completeness, or appropriateness of this information.
E.&O.E.