⚙️ Ops Playbook #41

Vendor disasters, compliance 101, and contract review.


Hi Operators ⚙️

Not to be all doom and gloom, but there’s been some recent data breaches that’ve got me a bit worked up. They involved third-party vendors, the types of partners we probably all work with.

Shell was hit on May 29, Home Depot on April 8. Both from small vendors they work with.

It got me thinking that, no matter how prepared we are, we have to triple check the security of everyone we work with. So get out your notebook, because I’ve got some tips for ya.

⚙️ Here’s what we got going on today:

  • Don’t Let Vendors Cost You Millions → Ask the right questions to save your skin

  • Compliance for COOs → Let’s avoid a $200k+ penalty

  • Contracts for Newbies → We’re not lawyers, but we can read

Let’s dive in.

(P.S. Anything you want us to cover in a future edition? Reply to this email or hit me up at [email protected].)

Together With…Me!
Looking for a better accountant?

A bad accountant can cost you a lot of time, a ton of money, and (if you’re really lucky) some special one-on-one time with the IRS.

Instead of finding a good accountant through trial-and-error, why not just use accountants that other Bottleneck readers love and vouch for?

We’re putting together a scorecard on:

  • What firms other operators are using 🧑‍💻

  • What firms have the highest rating among our readers ⭐

  • How much they charge 💰

Want access? All you need to do is fill out the below survey about your own accountant (we’ll anonymize all responses 🤝).

We’ll compile all of the responses into a tight, easy-to-understand report and send it to your email next week.


I. Don’t Let Vendors Cost You Millions

Insight from Diana Ramos 

You can do all the due diligence in the world, but if your vendors aren’t doing the same, you’re screwed.

American Express just had this happen in March when the security of one of their third-party vendors was breached. Between January and March this year, they reported 16 data breaches.

Failures like these don't just piss off customers and stakeholders, they’re expensive. The average data breach costs companies $4.4 million.

The best way to prevent this from happening? Vendor-risk assessments, the process of identifying and evaluating potential risks a vendor might pose to your business.

These assessments aren’t sexy, but they’re necessary (like that zinc sunscreen that Zuck rolls up to the lake wearing 👇)

If you need a place to start, here are three key questions to ask the vendors you’re planning on working with:

  1. “What is your data security policy?” Do they hold certifications that cover your industry and geographical regulations (e.g. PCI DSS, ISO, HIPAA, GDPR)? How is access to their data controlled?

  2. “Do you have security incident and breach management practices in place?” What happens if something goes wrong? Do their systems detect issues as soon as they arise? Do they have third-party security audits performed regularly?

  3. “Do you have liability insurance?” Can they cover damages if everything goes to hell? Review their certificate – is it current? It pays to get a legal review of this.

Third-party partner infrastructure breaches increased 68% over the past year.

Don’t be like T-Mobile and lose $350 million in customer payouts (and then have another two breaches a year later). Ask the right questions, and cover your you-know-what.

II. Compliance 101 for COOs

Insight from Gareth Foulkes

When a data breach happens because of non-compliance issues, it costs companies $220,000 more (on average) than if it was for any other reason.

As COO, you’re responsible for the business maintaining compliance.

It’s a lot of responsibility (and so much fun 🥲), but there are three simple ways you can stay up to date:

  1. Consult with regulators: Know which associations govern your industry and sign up for their updates (newsletters, press releases, reports). Identify a contact at the regulator and ensure a direct line of communication with them.

  2. Utilize your network: Find out what other COOs in your industry are doing and keep each other abreast of changes. Join an association or group (like Cornerstone 👀) and meet regularly to share ideas on how to adapt to changing regulations. Maybe even create a subgroup specifically for compliance-related issues. Bring that knowledge back to your team.

  3. Prioritize the critical: Know what the most critical compliance issues are for your organization, and rank them by importance and potential penalty. Create guidelines that list the compliance issues from most to least critical and spell out what your employees should do when they encounter them, including who they should report to in each instance.

III. Learn the Basics of Contract Review

Insight from Steve Thienel 

You’ve got a new contract in front of you, but the thousands of words are starting to blur together.

You’re not alone. 90% of professionals find contracts either difficult or downright impossible to understand.

Who among us hasn’t fallen asleep at their desk reading a contract at 1AM, fingers covered in dust after powering through a family-size bag of Flamin' Hot Cheetos? Just me? Okay great.

The reality is your legal team is too busy to teach you the basics. Heck, you’re probably the entire legal team at your startup.

Below are some simple areas that you can review before asking for help.

Here’s your basic checklist:

  • Agreement Term: Make sure the duration is correct, as are all key dates for deliverables.

  • Payment Terms: Who pays whom? How much do they pay? By when do they need to pay? Don’t forget to check late payment penalties, default terms, and remedies for default.

  • Termination: How do you terminate the agreement? How much notice do you have to give? If you’d like to renew the agreement, what steps need to be taken?

  • Data Rights: Who owns what data? Who owns the work that’s being completed? Make sure that the terms align with your goals and with your industry’s compliance regulations.

  • Regulatory Compliance: If you have a compliance framework, make sure it matches this section. You may need to make additions to ensure compliance.

Those are just the basics. If you have a legal team, now would be the time to pass it to them.

They’ll probably have very few notes and say everything looks great. That’s how that usually goes, right? 😉

Last Word 👋
How am I doing?

I take all feedback I receive to heart. Keep it coming!

Am I covering the topics that are important to you? What else do you want me to include?

Just hit reply and let me know – I'd love to hear from you!


Rameel from The Bottleneck

Spread The Word

Refer one friend to receive an inside look into what 238 executives are prioritizing in Q3.
