If you are thinking about working with a Legal Process Outsourcing (LPO) vendor, you will generally do well to evaluate vendors with the assumption that your relationship with the selected vendor(s) will be a long-term relationship and not simply a single transaction. Even if you are seeking a vendor for a discrete instance of work (e.g., a privilege review of documents for a single piece of litigation), you are likely to have recurring instances of similar work, and may want to outsource them again in the future. By investing the resources up front to make sure that the right vendor is selected, you can save potential future costs by (i) minimizing the likelihood of incompetent or otherwise inappropriate vendors, (ii) having selected an alternative vendor in the event a primary vendor is conflicted out or otherwise unavailable, and (iii) having selected a vendor that has the desire and ability to grow with your needs. In forming a relationship with a vendor, I generally recommend that clients establish a dedicated team at the vendor to service their needs.
In a previous post I outlined the need for LPO vendors to implement information security standards and have them periodically certified by independent third parties. Certification is designed to obviate the need for every General Counsel (or other LPO clients) to send an information security specialist to evaluate information security controls at each vendor. However, LPO clients cannot rely on third party certifications alone. When outsourcing legal work (and most other types of work) clients should also protect their information by thoroughly reviewing a vendor’s written security policies and practices. Clients should then make site visits (1) to observe and interview vendor personnel in order to gauge their awareness of policies, and (2) to review the overall information security culture. We strongly recommend that vendor site visits be conducted at the time of due diligence and thereafter at least annually. Information security terms are also an integral part of an LPO vendor contract, and I will write generally about LPO contracts in a future post.
In a previous post I discussed a number of characteristics that could help General Counsels (GCs) cull the list of LPO vendors. One consideration at the top of every GC’s list is security. The importance of information security and the related disciplines of confidentiality, integrity and availability of information cannot be overstated. CGs should require that LPO vendors choose an applicable standard, implement it rigorously, and subject their operations to periodic testing by an independent third party. Some uses of LPO will be less critical with regard to the information security (e.g. general contract management), but for corporations intending to use multiple LPO vendors or to outsource work requiring heightened security, (e.g. M&A doc review, litigation) a single standard will be easiest to evaluate and monitor over time.
I recently presented a webinar entitled Evaluating Legal Process Outsourcing (LPO) Providers. (A copy is available at www.RedBridgeStrategy.com.) During the presentation, I described a process with the following major steps:
- Analyze the appropriateness of globalization/LPO for a given buyer;
- Design an applicable service delivery model;
- Select vendors or plan for shared services (“captive”) operations; and
- Implement with a governance model and manage the transition.
As part of vendor selection, buyers typically select a set of vendors from whom they request responses to an RFP or RFI. Given the explosion in the number of companies offering LPO services, we are often asked which companies should be included in the “universe” of vendors to whom to send the RFP. The number of vendors to include will vary with the buyer’s familiarity with the industry, the time allowed to evaluate RFP responses and resources of the buyer, but we generally suggest between six and twelve. So how does a buyer cull the universe to between six and twelve?