Running an In-Bound Due Diligence Process

Transcription

1 Running an In-Bound Due Diligence Process Andrew Moyle and Justin Cornish 1. Introduction There are two types of due diligence exercises carried out in outsourcing transactions: Due diligence performed by Suppliers to understand the Customer s environment; and Due diligence performed by the Customer to confirm that the Supplier is able to perform the services. This whitepaper addresses the first type, that is the tasks which the Customer will need to carry out to allow Suppliers to perform due diligence of the Customer s environment and in turn provide an appropriate solution and price. It does not cover the Customer s due diligence activities of the various Suppliers. Under the final contract with the selected Supplier, risks relating to misunderstandings about the environment should be passed, to the extent possible, to the Supplier. For example, the Customer should not give any warranties as to the state of its environment (e.g., about the condition of the equipment to be used by the Supplier) and the prices in the contract should not be subject to a postsigning due diligence exercise. Consequently, the successful Supplier s due diligence needs to be completed before signature. Ultimately it is the Supplier s responsibility to identify any information that it requires and there should be a process for Supplier to submit further requests and questions during the due diligence period. It is important that the due diligence process is performed in a co-ordinated and documented manner, so that: The impact on the Customer s operations is kept to a minimum. The Customer has a paper trail at the end of the due diligence process so that it to knows what information was provided to Suppliers. Where appropriate, information is provided to all Suppliers and not just the Supplier asking the question, so as to maintain a fair and effective competitive process. To assist co-ordination, it is recommended that an individual is appointed by the Customer to administer the due diligence process on a day-to-day basis. This individual should be both the point of contact for information requests from Suppliers and be the gateway for providing responses. The Customer should also ask Suppliers to appoint equivalent individuals as their point of contact for due diligence issues. During the initial stage of the RFP process, where meetings are being held with the different Suppliers, minutes should be kept of the statements made by the Customer and after the meetings, the Customer should consider whether information volunteered at the meetings should also be provided to the other Suppliers.

2 The following sets out a process that can be followed when collating the information to be disclosed to the Supplier and serves as a guide in preparing for the due diligence process. 2. The Due Diligence Team Due Diligence Manager The Due Diligence Manager has overall responsibility for the due diligence process. This person ensures that the due diligence timetable, rules and procedures are clearly communicated internally within the Customer and to Suppliers. Depending on the size of the outsourcing project, the Due Diligence Manager may need to be supported by a small dedicated team (the Due Diligence Stream) to assist in the management of the process, the collation and dissemination of data, Suppliers access to the data and the various workstreams who will be contributing the same. The Due Diligence Stream will need to work closely with the transition stream as much of their work output particularly around third party contracts may have a direct affect on transition activities and the transition timeline. Due Diligence Stream Service Stream Contacts The Due Diligence Stream needs to be able to liaise with a contact in each service stream, who will be responsible for collating the material/information requested in their area (the Service Stream Contacts) and submitting it to the Due Diligence Stream. Service Stream Contracts are typically required for: (e) (f) (g) HR Pricing Compliance Services Service Levels Legal Commercial The Due Diligence Manager needs to ensure that sufficient resource is allocated to the document collation process and set clear deadlines for the Service Stream Contacts in respect of the collection and collation of the relevant information and data. 3. Base Information To maximise the chances of a successful relationship, Suppliers will need to understand in detail the specific functions that impact on the scope of services, the factors driving service volume requirements, how those services are provided, and the technology and resources that are currently used to provide them. Suppliers will also want to gain an understanding of the limitations (both physical, logical and regulatory) that exist within the Customer s in-scope operations as well as the existing and future business demands of the Customer in relation to the in-scope services. As a general rule, the more relevant information that is provided, the better prepared a Supplier will be when it takes over the provision of the outsourced services. Much of the information that will be provided as part of due diligence is predictable in advance. Typically this will consist of in-scope: Existing contracts

3 (e) (f) (g) (h) Equipment lists Software Facilities Network diagrams Employees (both of the Customer and its existing suppliers), although there are restrictions limiting the ability to share this data up front. The Customer policies and standards Projects (both projects that will be transferred to the selected Supplier and projects that will impact the services). Information will need to be collected as contemplated in section 5 below and subject to confidentiality or other necessary constraints will be provided either in a virtual data room or in a physical data room. 4. What Should Be Disclosed? In addition to having access to the data room, Suppliers will initially ask for further information which can be provided either by the Customer making that information available in the data room or by providing a written response. Suppliers should be required to make all requests for access to information and direct all questions relating to due diligence to the Due Diligence Manager. Suppliers requests for information shoud be reviewed carefully by the Due Diligence Manager liaising with the Core Project Team to ensure that the requested information is relevant (i.e., relates to the in-scope services) and that the information has not already been provided to Suppliers. It is essential that no material/information in any form be disclosed directly to Suppliers or any of their professional advisers or subcontractors without the consent of the Due Diligence Manager. 5. Collection and Processing of Due Diligence Material The Service Stream Contacts should assist in the collation of the information and with any further Supplier requests for information approved by the Due Diligence Manager. The Due Diligence Stream will review the material/information provided by the Service Stream Contacts to ensure it is accurate and complete (e.g., all pages have been copied and are legible) and can be disclosed to Suppliers. Information should not be disclosed without first checking with legal if it contains any highly sensitive Customer data, personal data (names, telephone numbers, addresses etc.) or is subject to third party confidentiality restrictions (see, for example, in section 6 below). All information received from the Work Streams needs to be tagged by the Due Diligence Manager. The Customer will need to continue compiling appropriate information to be disclosed after Supplier due diligence process has commenced (either as a result of further requests made by Suppliers or because not all information initially requested by Suppliers was ready at the start of the due diligence process). Data in the Data Room should be supplemented as required and appropriate and Suppliers should be notified each time an update is made. Data provided in response to questions asked by Suppliers should be included in the Data Room other than in circumstances described in section 7 below. 6. Third Party Contract Audit and Consent Process Most third party contracts which fall within the scope of services to be outsourced or that are affected by the performance of those services will contain confidential information clauses and many of these will limit the disclosure of the details of the contracts (particularly financial, commercial and technical

4 details) to Suppliers. The starting presumption is therefore that third party contracts cannot be disclosed to Suppliers without first being reviewed by the legal/commercial work stream. There are essentially two broad categories of third party contracts affected by an outsourcing. The first category are those contracts that fall within the scope of the Services being outsourced (the Incumbent Third Party Contracts). The second category are those that are not in scope but may be affected by the performance of the in-scope services and which in turn may require certain performance levels to be met by the Supplier of those in-scope services (Affected Third Party Contracts). Incumbent Third Party Contracts Contracts that should be audited include any third party contract that is in-scope of the project initiative. Typical types of Incumbent Third Party Contracts include: (e) Software licence agreements Software maintenance agreements Equipment and facilities lease agreements Equipment purchase agreements (including cable etc.) Equipment maintenance agreements (f) Independent contractor (e.g,. agency personnel) and professional services agreements (e.g., system development projects) (g) Telecom agreements Affected Third Party Contracts There will also be a number (potentially a significant number) of contracts that are Affected Third Party Contracts. The Customer s corporate customer contracts and the Customer s contracts with other service providers are examples of these types of Affected Third Party Contracts. The Customer will need to have reviewed these contracts to determine what back-to-back arrangements it will need to have with Suppliers to enable the Customer to meet its obligations to the affected third party (e.g. service levels and dependencies on the Customer), to understand the extent to which the Affected Third Party Contract may be impacted and in turn the Customer s liability to that affected third party. Purpose of the Audit The purpose of the audit is to determine, in terms of the in-scope third party contracts, what flexibility the Customer has to either: (i) assign, cede or terminate the in-scope third party contracts; or (ii) allow the Customer to permit a Supplier to use the associated subject matter of the third party contract for the benefit of the Customer. For the Affected Third Party Contracts, the purpose of the audit is to understand the impact on the retained organisation of the Customer, its relationship with its customers and what obligations the Customer in turn needs to flow through to a Supplier. Because of the sensitive nature of these relationships and the fact that the Customer and not the Supplier retains responsibility for them, the presumption should be that the Affected Third Party Contracts will not be disclosed to Suppliers, just relevant details where permitted and necessary (e.g. to justify certain back-to-back service levels from Suppliers). A distinct process therefore needs to be developed around the review and management of Affected Third Party Contracts. Often this is managed by the transition team. The remainder of this section focuses on Incumbent Third Party Contracts.

5 Information that is confidential to a third party must not be revealed as part of the due diligence exercise without the third party s consent. A key part of the due diligence process (and an extremely time consuming one) is the review of in-scope third party contracts and the process to obtain third party consents to: Disclose the detail of the contract; and obtain the necessary rights to assign, cede or otherwise enable Suppliers to manage or make use of the incumbent third party relationship going forward. This two-step process can actually breakdown into a series of sequential requests and approvals and requires close coordination with those in the Customer s organisation responsible for the incumbent third party relationship. It is likely that the incumbent s consent will probably be needed to enable Suppliers to review contracts. In this regard, the incumbent third parties may insist on limited disclosure e.g., initially only the scope of the contract but not its value. The Customer will need to have in place a dedicated team of individuals to track this iterative process and the correspondence with the incumbent third parties. Beyond the contents of the RFP, the Customer team members should be specifically instructed not to reveal third party confidential information as part of due diligence without first confirming with legal whether consents have been received that cover the requested information. 7. Written Questions and Answers and Further Information Requests No Customer personnel should answer any due diligence-related question or provide any further material/ information requested directly by Supplier personnel or any person acting on their behalf. The Due Diligence Stream should respond to Suppliers by . If other Customer personnel are asked for further information or documentation they should tell Supplier personnel that they need to use the agreed Question & Answer process and should report the request to the Due Diligence Manager. The Customer should notify Suppliers in the RFP that the Customer will be entitled to circulate any question submitted by a Supplier, together with the answer, to the other potential suppliers (but will take steps not to reveal the name of the potential supplier that asked the question), unless: The question is specific to Supplier s solution or otherwise reveals information about Supplier s solution. Supplier has specifically agreed with the Customer that the question and answer will not be circulated. In this regard, Supplier may approach the Customer in advance of formally asking the question to confirm that it will not be circulated. However, the Customer should reserve the right to respond or not to respond to such a request. The Customer may also circulate answers given in response to questions raised in workshops and other interactions with a Supplier to the other potential suppliers. The Due Diligence Stream will need to consider before circulating the questions themselves whether they fall within the above exception and, if it believes so, may discuss with a Supplier whether they are appropriate to circulate. The Due Diligence Stream should ensure that Suppliers: Restrict questions and/or requests to relevant issues not covered or not adequately addressed in the disclosed information, interviews or site visits. Prioritise questions and/or requests in order of importance to be answered. Take care in ensuring that there is no repetition in the questions asked and/or requests made. Receive a response to reasonable questions as soon as practicable.

6 Suppliers questions and answers that are provided should be logged and retained. 8. Interviews Conducted By the Supplier With Key Customer Staff Suppliers will want to be able to conduct face to face interviews with key Customer personnel. The Customer needs to agree at what phase in the RFP process it is prepared to allow this to take place. The Due Diligence Manager should co-ordinate any interviews requested by Suppliers or offered by the Customer where the Customer thinks this is the most efficient way to address Suppliers due diligence requests. The Due Diligence Manager should have the right to limit the number of interviews taking into account other resource demands. The Due Diligence Manager should closely manage the interview process in an attempt to minimise disruption to the Customer's day-to-day business and the obvious drain on resources that the Customer will encounter if key personnel are having to give a large number of interviews on a wide range of subjects to a number of different Supplier personnel, in a relatively short timeframe. Suppliers should provide a written agenda of items which they wish to discuss prior to an interview. The Due Diligence Manager should be responsible for the scheduling, time-table and co-ordination of the interviews. All interviews should be conducted with at least two Customer representatives present (one of whom should be a member of the outsourcing project team). Detailed minutes of the interview should be taken by one of the Customer representatives present at the interview. If a Supplier interviewer asks a question in an interview which the Customer interviewee cannot answer then the Supplier should be asked to submit that question in writing, (through the process mentioned at section 7 above) so that the Customer can then respond appropriately. 9. Site Visits The Customer should consider whether site visits are likely to need to be scheduled to answer any Supplier requests. The schedule of site visits should be co-ordinated by the Due Diligence Manager in consultation with the relevant member of staff in the business unit, who should choose appropriate Customer staff to lead the site visit. While it is important that Suppliers have access to all relevant in-scope information, Suppliers should be discouraged from having "open access" to sites or Customer staff as it is difficult to control the type and quality of information obtained in this way. The Due Diligence Manager may also wish to impose a requirement on Suppliers to provide a written report of each site visit. 10. Summary The due diligence carried out by Suppliers during the procurement process is a key activity in any outsourcing transaction. By facilitating due diligence, the Customer is able to transfer risks associated with the customer s environment to a Supplier and push-back against any request for a price adjustment following signature of the outsourcing agreement. By adhering to a structured and controlled due diligence process, the Customer is also able to mitigate any risks associated with the disclosure of confidential, sensitive or irrelevant information and to manage its resources in a way that minimises disruption to the Customer s day-to-day business. Latham & Watkins has prepared a number of templates, checklists and sets of rules to be used by the Customer in the due diligence process. Please contact justin.cornish@lw.com if you would like to receive further information or discuss this topic further. This white paper is intended to introduce current and prospective clients to some of the issues Latham & Watkins typically handles in outsourcing transactions. The information contained in this

7 publication should not be construed as legal advice. Should further analysis or explanation of the subject matter be required, please contact the attorney with whom you normally consult. CONTACT Justin Cornish Alice Marsden Brian Meenagh