Before joining DISCO, I had a front-row view of the challenges of evaluating and managing vendors: My first task at the helm of a global ediscovery program was an RFP and security assessment of 55 (!) vendors.
For nine months, I had to meet with reps from these 55 vendors, cutting through marketing buzzwords, normalizing services, digging into opaque pricing, and generally navigating the murky waters of the vendor-verse.
While I would not recommend that masochistic undertaking to anyone, I did discover quite a bit about how to evaluate partners for long-term collaboration.
The selection process consisted of four phases: determining the current state, establishing a security baseline, conducting a lean RFP process, and meeting with the most qualified potential partners.
(Next week, I’ll share the key considerations that surfaced from this undertaking, including some unexpected factors that ultimately weighed heavily in the vetting process.)
Phase 1: An unflinching assessment of the current state
When embarking on a vendor selection process, it is important to start with a comprehensive assessment of the current ediscovery ecosystem at your organization. Identify all approved providers or companies your firm is currently engaging with.
At my previous firm, we had each provider submit a comprehensive analysis of spend for the last 3-5 years broken down by matter, year, service offered, and locale. If your program has vendors engage directly with end clients, ensure that this analysis includes indirect spend.
Understanding your total spend on discovery services is important in properly sizing the number of providers you ultimately choose to partner with. Additionally, identifying problematic vendors (especially from a risk and data security standpoint) is helpful in getting greater buy-in with executives throughout the process.
Phase 2: Notification, security assessment, and NDA
In the next phase, notify all providers of the pending RFP process and secure an executed NDA and security assessment (covering basic minimum expectations in terms of certifications, infrastructure, and standard operating procedures) vetted by executive leadership. Starting with the security assessment enabled me to eliminate problematic providers early on, helped in securing executive buy-in and ensured that any approved provider would meet our fiduciary obligation to our clients.
In the event of a future deficiency by any of these service providers, we had a documented and defensible process of ensuring technical competence. This also was helpful for when a partner wanted to work with a buddy who had not been approved, because it shifted the onus to the requesting attorney to justify why they wanted to use a vendor that did not pass the firmwide security assessment.
Phase 3: The big bad RFP
At the outset of the process, I asked industry peers and a few providers to send me “the best RFP you have ever seen.”
Using these as a starting point, I crafted a lean RFP highlighting the tasks and processes most important to my program. Don’t feel like you have to ask every question you have seen on other RFPs — at a certain point, reading several hundred pages of RFP responses across dozens of providers becomes overwhelming.
Global capabilities, advanced analytics, scalability, innovation, project management, and a collaborative approach were mission-critical for my program. As such, the RFP had specific asks around innovative practices and methods for streamlining engagement with clients and case studies.
It is important to have a few non-negotiables (think: certain data capabilities, locations, scale) to help you pare down the pool of potential partners. Once you have reviewed all the applicants (and ideally passed them through a panel of colleagues), set an in-person meeting to talk through the candidates and cleave by about half. In my case, we took the initial pool of 55 vendors down to 25.
Phase 4: In-person presentations
Once you have narrowed the field to a more manageable number, I recommend inviting the finalists for a one hour face-to-face presentation. I let the providers focus on whatever they felt best represented their services, although in some cases, I limited scope to the service under consideration.
At the end of the presentation phase, we narrowed the providers down further, and divided end-to-end providers into two tiers. The higher tier served as a preferred list and the second was probationary approval.
This structure allowed the list to remain dynamic without completely derailing the preferred provider program, creating the elasticity necessary to accommodate increases and decreases in service offerings, merger activity, and requests from end clients.
You found the dream team, now what?
Once there is a final short list, I recommend creating a vendor advisory board to normalize communication, workflows, and SLAs, ultimately creating a standard playbook that all selected providers follow when engaging with your organization.
I also recommend creating standard metrics for the vendor partners to provide on a recurring basis. This can include financials on an aggregate and matter-by-matter basis, metrics on data hosted or processed, and/or comparisons of bid pricing to actual spend on matters.
The goal is to make collaboration with the selected vendors valuable to both your organization and theirs. Having consistent and transparent communication with providers helps the relationship evolve from transactional to more of a reciprocal partnership. For the providers, having clearly articulated expectations and processes ultimately makes their job easier.
I additionally recommend revisiting the list annually. Not a comprehensive RFP, but perhaps an evaluation of how the selected provider performed and/or consideration of new providers that were not previously vetted. This keeps the list more of a living document and allows for your program to pivot more easily if there is a change in performance or ownership of a provider.
In next week’s post, I’ll explore what mattered most in this evaluation process—some may come as a surprise!