by Meridith Levinson

Diligence Needed to Evaluate Software Vendors

Jul 01, 2001

If there’s one thing that CIOs have to understand when selecting a software vendor, it’s this: The software industry is fundamentally unstable.

Every year there’s a hot new trend in IT. Whether it’s ERP, e-business, CRM or wireless, vendors flood the market, hoping to make a killing off of a CIO’s need to stay competitive. But the intense competition inevitably leads to a shakeout. The weaker companies’ earnings start to slip, and in time they declare bankruptcy or are acquired by a larger competitor. Such was the case with Chicago-based System Software Associates (SSA), which left at least one ERP customer floundering when it declared bankruptcy in April 2000.

Even industry leaders are not immune to financial trouble. After all, they’re under even more pressure from Wall Street to meet earnings expectations, and this pressure sometimes leads companies to cook the books. Belgian speech recognition and translation technologies company Lernout & Hauspie (L&H), for example, made its revenues look better than they actually were, by recording sales before contracts were signed. This alleged financial fraud spurred an investigation by the Securities and Exchange Commission (SEC), which led to L&H filing for bankruptcy. The company’s founders and its CEO have since been arrested and jailed, charged with stock manipulation and falsifying documents.

CIOs, of course, can’t prevent vendors from digging their own graves. But if they are interested in protecting their companies and careers from vendors that go bust, they must learn to do a more thorough job of investigating before signing on the dotted line. Conducting solid due diligence and knowing whether vendors are financially stable is especially important now during an economic downturn, when many companies are going out of business.

Due diligence means taking the time to conduct background checks on the vendor and its management team, and thoroughly investigating its financial position. (That includes examining not just its yearly revenues but determining whether those numbers come from actual sales or from contracts that have yet to be signed.) It means searching for early warning signs that a company is in financial distress, such as the resignation of the chief executive, massive layoffs and restructuring announcements. It means meeting with a vendor’s customers and talking to other software companies that may have been called in to clean up your prospective vendor’s mess. And finally it means doing an RFP to get competitive bids and clarify why you are investing in a certain technology.

“If you don’t do proper due diligence, you’re committing your company to a relationship that you don’t know you can rely on. You’re leading your company down a blind alley,” warns Jim Mulvaney, KPMG’s director of forensics and litigation, and manager of its investigative due diligence practice.

Unfortunately, this message has not yet permeated the executive suite. Many CIOs think it takes too much time to conduct due diligence and believe the cost outweighs the benefits. A number of executives interviewed for this piece acknowledge that they don’t lose sleep when one of their vendors declares bankruptcy, because they assume a white knight will come along, acquire the bankrupt company and continue to support its existing customers. But, as the following example shows, customers endure a lot of pain before a knight gallops to the rescue. And the knight could well be a knave.

The Missing RFP

In 1996, textile manufacturer Cone Mills began an arduous three-year quest to select and implement an ERP package that would replace a 30-year-old homegrown system that required constant maintenance. A new ERP system would support the hundreds of processes in each of the company’s three divisions (denim and khaki, commission printing and woven fabrics) and cure the company’s Y2K woes. Though the Greensboro, N.C.-based company hired a well-known consultant for just under $500,000 and gave the organization more than a year to help choose the right vendor, Cone Mills still ended up buying from a company with no future.

The first mistake Cone Mills made was hiring Andersen Consulting (now Accenture) to select a vendor. Andersen compiled a list of 20 possibilities, which it and Cone Mills whittled down to three: Atlanta-based Mapics (formerly PivotPoint), Rolling Meadows, Ill.-based JBA International and SSA.

What Cone Mills should have insisted on before honing the list down was an RFP, according to Phil Townsend, a partner in PricewaterhouseCoopers’ global risk management solutions practice.

“An RFP is a critical part of the due diligence process,” Townsend says. An RFP guides buyers through a rigorous process of identifying their business needs and technical requirements, such as the particular platform on which the software needs to run and the systems with which the solution must interface. It also helps companies clarify from a strategic perspective why they are undertaking a particular technology project in the first place.

With an RFP in hand, Cone Mills might well have selected a different list of finalists to evaluate. But the process designed by Andersen allowed Cone Mills to scrutinize only those three vendors the consultancy had chosen.

Cone Mills and Andersen did put together a scorecard for each vendor, evaluating the companies on the basis of how well they knew the textile industry, how well the software supported Cone Mills’s existing business processes, the companies’ financial stability, the amount of money they were spending on R&D and their vision for the product they were selling.

The vendors took representatives from Cone Mills through detailed demonstrations of their systems so that Cone Mills could see from start to finish how to enter orders and track shipments. They also visited local companies, both inside and outside the textile industry, that had implemented each of the vendors’ systems to see what it looked like, how it worked and if they were getting good service from their vendor. “We wanted to find out if [the system] worked and get to the meat and potatoes,” says Keith De Young, Cone Mills’s manager of application development.

SSA, which at the time showed strong year-to-year growth, ranked the highest on Cone Mills’s scorecard and won the $3 million contract in May 1997. At the time, Cone Mills Director of Corporate Applications Development Randy Auman and De Young considered $3 million a bargain based on the list prices they had for other packages.

One month later, Cone Mills began implementing the Business Planning and Control System (BPCS) software. But after a year’s worth of effort, it found that the system wouldn’t run on HP-UX in its environment, even though it had been one of SSA’s biggest selling points. It turned out that BPCS was designed to run on HP-UX only if the entire BPCS package had been purchased, including financials, customer service and manufacturing. SSA knew that Cone Mills would not be implementing the whole system. Nevertheless, SSA still sold Cone the product on the premise that it worked on HP-UX. Either SSA lied or the salespeople didn’t know how their product worked.

A Ripple Effect

Not only had Cone Mills wasted a year trying to get BPCS to run on HP-UX, but it then had to spend 10 months trying to get the software to run on its existing HP-900 platform. And doing so meant that the company wouldn’t be able to consolidate architectures. BPCS was supposed to go live by July 1998; it didn’t become fully functional until July 1999.

The hang-up had a disturbing ripple effect on the manufacturer. “The delay consumed internal resources for a lot longer than we intended, so we were not able to work on other projects,” Auman says. The system not working as advertised was the first of many signs indicating that all was not well with SSA. In early 1998, SSA suddenly replaced its founder Roger Covey with a new CEO. In July 1998, SSA announced restructuring plans that cost $120 million and included cutting staff by 12 percent.

In April 2000, the company filed for Chapter 11 and announced that Los Angeles-based Gores Technology Group would acquire its assets.

De Young believes in retrospect that the price Cone Mills paid for BPCS was an indication of the company’s financial future, or lack thereof. “We got a pretty good deal. Looking back, it might have been because they were so hungry for sales,” he says.

In October 1995, SSA had been the subject of an investigation launched by the SEC for its revenue recognition practices. The SEC probe concluded that SSA had cooked its books and advised the company to adopt more conservative accounting practices and restate its financial statements for 1994 and 1995, which it did.

After the company restated its earnings, its shareholders filed class action lawsuits against SSA for the money they lost as a result of those financial snafus. (SSA settled the case for $1.7 million and 100,000 shares of common stock.)

Cone Mills’s officials say they were not made aware of the lawsuit, even though the SEC investigation and subsequent legal action were public information included in annual reports the company filed with the SEC. According to PricewaterhouseCoopers’ Townsend, Andersen should have flagged SSA’s legal hassles for Cone Mills.

Andersen declined to comment on the work it did for Cone Mills. “We don’t comment on client work,” says Mary Hall, a spokeswoman for Accenture. “We employ rigorous standards when making vendor recommendations for all of our clients.”

Despite SSA’s more recent financial problems and its acquisition by Gores, Cone Mills CIO Tom Gmitter, who joined the company in May 1999, is not worried about the impact on Cone Mills’s business. He says that since the company has been up and running on BPCS for almost two years, it doesn’t have to rely on SSA for support because his IT staff knows the system.

Gmitter believes that Gores will continue to honor Cone Mills’s contract with SSA because Gores has honored a contract with Revere, another Cone Mills vendor that Gores acquired this year. (Because Cone lost a year on its ERP implementation, it was able to negotiate four years of free maintenance from SSA, through 2002, as well as licenses for an unlimited number of users.)

Doug Bergeron, Gores’s executive vice president, says the company plans to continue to enhance BPCS. But he wouldn’t comment on the company’s plans to honor SSA’s contract with Cone Mills or any of its clients.

Gmitter says there are several valuable lessons learned from this experience. If and when his company plans any further implementation of BPCS, or any other mission-critical system, he says that Cone Mills will demand that all potential vendors fill out an RFP.

“An RFP is a CIO’s foundation for all strategic IT projects,” Gmitter says. An RFP has three functions: It helps CIOs understand the project they’re undertaking from both a technical and business perspective, it provides CIOs with competitive bids, and it gives them a foundation on which to base a more rigorous investigation of a vendor.

Had Cone Mills drawn up an RFP document for its ERP system, it would have asked about the vendor’s background: how long it had been in business, and its financials, number of employees and various products. It would also have asked more specific questions about the company’s plans for the product, such as the amount of money the company budgets for development, its plans for rolling out new releases, the average length of service at the company for developers and support staff, and the processes the company has in place to provide technical support.

Even if you have carefully selected a vendor through an RFP process, your diligence won’t always prevent that company from being acquired by a larger, more troubled vendor. Baptist Healthcare System found itself in just that kind of predicament several years ago.

Playing Hardball

In 1997, Louisville, Ky.-based Baptist, a six-hospital organization, began looking for a clinical documentation system that would ensure that doctors and nurses administered proper drugs to the right patients, in the right doses, at the right times. Baptist CIO Al Barea needed a product that would integrate with existing software from three vendors (Clinicom, Serving Software and Trendstar) that scheduled surgeries, documented patients’ vital signs and handled accounting.

At this time, Barea was due to renegotiate his contract with an existing vendor, HBO & Co. (a.k.a. HBOC). Baptist became a customer of HBOC in 1991, when HBOC acquired Gerber Alley, a vendor from whom Baptist had purchased a hospital information system. HBOC had also swept up other vendors with whom Baptist was doing business, including Serving Software and Clinicom.

As HBOC bought out Baptist’s vendors, the support service provided to the health-care organization steadily declined. When Baptist contacted HBOC’s call center to get help extracting data from one of its systems or assistance in integrating two different products, HBOC couldn’t answer its questions. The people at HBOC didn’t know how the products it acquired worked. On top of that, HBOC didn’t make much of an effort to integrate Baptist’s new and old products, says Barea.

A Fail-Safe Contract

He was so fed up with the lack of support from HBOC and the difficulty of dealing with the company that he was ready to rip out his entire health-care information system and replace it with one from another vendor. So Barea started looking at other players in the industry.

When HBOC saw that Barea wasn’t kidding about switching to another vendor, the company got scared. “HBOC became very aggressive,” says Barea. “They did not want to lose the business and were more willing to negotiate a contract that would incorporate protection against repeating the sins of the past.”

But just as Barea was getting ready to sit down with HBOC in the summer of 1998 to iron out the contract’s specifics, he read that San Francisco-based McKesson, a provider of medical supplies and drugs, was looking to buy HBOC. That stopped him in his tracks.

“We were very leery of cutting a contract with a vendor that could be acquired, split up or sold off if it did not become profitable for McKesson,” he says.

Barea didn’t want to sign a contract with HBOC or McKesson and begin implementing the clinical documentation system only to find out that McKesson was going to spin off HBOC. “I didn’t want to be left out there holding software or a piece of software that couldn’t be supported or [was] sold to a company that we did not want to do business with,” he says.

The Baptist CIO had to make a difficult decision. He could either wreak havoc on everyone inside the hospital while he replaced Baptist’s entire health-care information system with a product from a new vendor, or he could stick with HBOC and try to get the company to improve its service.

He discussed the matter at length with the hospital presidents, doctors, nurses and administrators. The verdict? The hospitals couldn’t afford the disruption to their day-to-day operations and patient care that would accompany switching systems.

HBOC, of course, didn’t know about that decision. So Barea decided to play hardball with the vendor, in an effort to get it to clean up its act. He convinced Baptist to spend more than $200,000 on legal counsel. For a little over three months, he worked with lawyers to determine the potential risks of doing business with HBOC should the vendor be acquired and later spun off, and then to spell out in contract language how such a possibility would be handled.

He then went back to the negotiating table. After seven months, Barea came out with a contract he was proud of.

“We laid out pretty much all the eventualities that could occur through a merger, acquisition or split up of the company down the road,” he says. “For each one of those eventualities, we crafted language that would protect Baptist Healthcare from any adversities that could occur.”

Barea says Baptist was able to win concessions from HBOC for two reasons. First, Baptist would be committing a lot of money (in the tens of millions) to one vendor over eight years. “You can’t expect these kinds of concessions on a small contract,” says Barea.

Second, HBOC’s senior leadership got involved in the negotiations. Previously only salespeople had been involved. “[HBOC’s senior executives] recognized that they needed to change the company,” Barea says.

Since Baptist signed the contract, McKesson HBOC has been embroiled in controversy. After acquiring HBOC, McKesson discovered that HBOC had inflated its revenues in previous financial statements. As in the SSA case, shareholders filed suit against the company. By press time, the lawsuit was still before the courts.

Fortunately for Baptist, HBOC’s legal woes have not had a negative effect on the support it has provided the hospital system. “It’s turned from black to white,” he says, noting that the support has been almost flawless.

The headache, of course, now lies in managing the contract.

To stay on top of that, Barea meets with both Baptist’s and McKesson HBOC’s senior managers on a quarterly basis. He has also dedicated certain employees to monitoring software implementation projects to ensure that the hospital system gets adequate support from McKesson HBOC. Finally, he’s developed metrics to measure the support he’s getting from McKesson HBOC vis-à-vis the contract.

“It has taken so much effort to manage this contract; it has taken many years off my life,” says Barea, only half joking. “But the company has benefited tremendously, and that’s what it’s all about.”