Wirecard: how to protect yourself from supplier failure

When Wirecard collapsed, a number of companies that had outsourced their payments processing to it found themselves in a terrible position. Their key supplier had gone down, and they were unable to provide their customers with services they had promised them. Clearly not a great way to build customer confidence and brand loyalty. In this blog, I’m going to talk about operational resilience (OpRes for short) in an outsourcing context: what it is and the extent to which you can, and can’t, provide for it in a contract.

What is operational resilience?

PwC defines OpRes as “an organisation’s ability to protect and sustain the core business services that are key for its clients, both during business as usual and when experiencing operational stress disruption.” Add the word significant to operational stress disruption, and you’ll get the general idea.

For most companies, OpRes is a need-to-have or a nice-to-have, depending on their appetite for risk and their line of business.

For financial service companies, the outsourcing of a critical or important part of their functions brings with it an explicit regulatory requirement for OpRes to be factored into their management and operations. As a result, OpRes is much more developed as a concept in the financial services sector than it is in the rest of the economy, and any non-financial company that wants to get a good handle on OpRes can do a lot worse than looking at the relevant parts of the European Banking Authority’s Final Report on EBA Guidelines for outsourcing arrangements (available here https://eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements).

Having said all that, this blog is mainly aimed at the non-financial services company (if you are a regulated financial services company, you are going to have additional obligations around maintaining an outsourcing policy, an outsourcing register, etc.).

 

Operational resilience and outsourcing

In the context of outsourcing, OpRes is primarily about a business’s ability to cope with failure of the supplier, and that failure comes in two types: poor performance on the one hand, and collapse (like Wirecard) on the other. And when I say ability to cope, I mean the ability to smoothly either bring the business back in-house or (more likely in most scenarios) the ability to transition to an alternative supplier.

Given that this is the brief, how do we go about it? What should be covered in the contract and what needs to be addressed outside the contract? In terms of outside the contract, there are three main areas of activity (if you are a regulated financial services company, you are going to have additional obligations around maintaining an outsourcing policy, an outsourcing register, etc.).

 

Protecting yourself: outside the contract

  1. Carry out due diligence on suppliers before you contract. Yes, pretty boring stuff, but doing enough good-quality due diligence on suppliers is what will provide you with the best OpRes ROI.
  2. Who in your business is in charge of monitoring and managing the supplier? Are they sufficiently skilled and do they have the resources (people, time, bandwidth) to do the job properly? This may sound trite and self-evident but, in the financial services sector, companies have been fined where they have outsourced but not put in place competent people, or effective controls, to monitor the supplier. Granted, if you are not a regulated company, you won’t get fined by the FCA, but this does not mean that the market will not find other ways to punish you.
  3. Keep an eye on how your supplier is coping in the marketplace. Are they having problems with other customers? Are shareholders or newspapers making noises about strange accounting practices? The Financial Times had been questioning Wirecard’s accounting practices since 2015, and a KPMG report of 28 April 2020 concluded, basically, that KPMG found it impossible to get hold of enough information to validate, or invalidate, Wirecard’s revenue numbers. Clear warning signs for those that were paying attention. Smarter players paid attention and exited Wirecard in good time.

 

Protecting yourself: inside the contract

In terms of protections inside the contract, here’s how I look at it.

  1. Do you know how well your supplier is performing from a service perspective? In other words, does your contract provide you with enough of the right management information (KPIs, SLAs, etc.) so that you can actually form an intelligent view? This may sound trite and self-evident (again), but some of the FCA fines (again) have been applied to companies that outsourced important functions but who simply did not have the right MI flowing back to them. This links back to one of the outside-the-contract points above: you need both the right MI coming out of the contract, and people competent enough to react to the MI. Equally important is making sure that your contract entitles you to get the right MI: it’s often the case that a supplier contract doesn’t, off the bat, give you what you need. Having on your team someone who has done it before can be very helpful.
  2. How well planned is your exit? No contract lasts for ever, so you are going to have to do the exit planning at some point. The problem is that exit planning is unglamorous work – who wants to be thinking about exit plans at the moment that you are going to sign the contract? Which is why most contracts default to “the parties will have agreed an exit plan within 90 days of contract signature” or similar, and then the parties (most often) proceed to ignore exit planning altogether. But if you are outsourcing a critical or important function and you don’t have your exit route mapped out, then you are asking for trouble.
  3. At what point can you pull the trigger, terminate the contract and invoke the exit process? In an ideal world, as a buyer, you should be able to do this for convenience (i.e. without cause) whenever you want (or, at least, as soon as the supplier has recouped its set-up costs). If you are buying a SaaS service then, in theory, you are in the ideal world: as a buyer, you are buying a timeslice of the supplier’s already-built infrastructure and the supplier’s costs of onboarding your company will be minimal. SaaS suppliers often don’t see it this way though, primarily because everyone – particularly investors – loves annuity revenue. (It’s all about developing, using and maintaining negotiating power, though: on this, see our White Paper, Strategic Contract for Fintechs (available here). It’s aimed primarily at fintechs, as its title suggests, but good for all businesses).

Assuming you don’t get the right to terminate for convenience, what’s the next best thing? Terminating for service failure is pretty standard and most suppliers will be happy to add provisions allowing termination on Critical Service Failure – though there are often vigorous discussions around what should count as Critical Service Failure.

What you really need to think about, other than service failure, is the collapse or general failure of the supplier (and if you are going to be really thorough, the collapse or general failure of the supplier’s key suppliers). Terminating for insolvency doesn’t cut it – by that time, it’s far too late. What you are really looking for is what you would consider to be a warning sign (or, more creatively, what you would have considered to be a warning sign had the event happened and you now have the benefit of hindsight). As a buyer, you want the ability to exit as soon as a potential risk issue of any size materialises: as a supplier, you are worried that the buyer is using this to introduce termination for convenience by the back door.

This is where it gets really tricky and some skilful negotiating and drafting is required, ideally from someone who has seen it all before. If OpRes is a problem that’s facing you at the moment, or likely to come across your desk shortly, and you want to talk through the issues, then give me a call. You can contact me here.

 

 
