By Facility Executive
From the June 2025 Issue of Facility Executive
Facility executives have significant and diverse responsibilities to manage. On one hand, they must consider the building occupant experience: making sure restrooms are stocked, spaces are clean, the temperature is comfortable, and so on. On the other hand, they must keep occupants safe and secure from harm. To manage all these responsibilities, many facilities loop in outside help from vendors and contractors. The challenge with outsourcing critical responsibilities arises when work isn’t delivered as expected. To protect their organizations and buildings, facility executives must thoroughly vet third-party partners and have a backup plan in case a failure does occur.
To learn more about how facilities teams can account for third-party risk, Facility Executive spoke with Mark Carroll of Boston University, an expert in business continuity.
Facility Executive: What are operational risks commercial buildings face when outsourcing maintenance? (plumbers, HVAC technicians, etc.)
Mark Carroll: First and foremost, making sure the work is done right and nothing else is affected accidentally or on purpose (nefariously). The plumber, not knowing, could run the new water pipe right over the data center. Someone in the firm needs to make sure that those kinds of mistakes, or risky non-mistakes, are prevented. That also comes with testing any and all new functionalities.
Secondly, consider access and access controls on the activity. Putting aside nefarious activity for a moment, the outside maintenance firm may simply NOT have the controls and appreciation of need for controls that the host firm has. Their focus is not security but rather delivery or execution of their services. Post-its with passwords, or credentials written on the wall may be common as they are focused on doing the work and not letting access get in the way.
The host firm needs to develop a credentialing process that is local to the specific role and most likely specific to an event or a duration. The outside plumber comes in monthly and gets badged for access to only parts of the facility AND gets access credentials for that day or series of days (after which they are disabled).
Someone in the firm, ideally the facilities manager, needs to add, expand, delete, etc. these credentials based on when needed. Proper management here will also thwart any nefarious activity.
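One way to model the credentialing process Carroll describes, as an added example that is not part of the interview: a badge registry that issues grants scoped to a role's zone ceiling and to a validity window, denies anything outside either, disables grants once the window closes, and records every decision for audit. The role names, zone names, badge IDs and the plumber scenario are constructed for illustration and are not taken from the article.

```python
"""Time-boxed, role-scoped contractor badges (added example, not from the interview)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Tuple

UTC = timezone.utc

# Hypothetical per-role ceiling: a grant may never include a zone outside its role's set.
ROLE_ZONE_CEILING: Dict[str, FrozenSet[str]] = {
    "plumber": frozenset({"loading-dock", "mechanical-room", "restroom-corridor"}),
    "hvac-tech": frozenset({"loading-dock", "mechanical-room", "roof"}),
    "staff": frozenset({"loading-dock", "mechanical-room", "roof",
                        "restroom-corridor", "data-center"}),
}


@dataclass
class Grant:
    holder: str
    role: str
    zones: FrozenSet[str]
    not_before: datetime
    not_after: datetime   # exclusive end of the validity window
    revoked: bool = False


class BadgeRegistry:
    """Issues short-lived badges, evaluates door requests, and logs every decision."""

    def __init__(self) -> None:
        self._grants: Dict[str, Grant] = {}
        self.audit: List[Tuple[datetime, str, str, str]] = []

    def issue(self, badge_id: str, holder: str, role: str,
              zones: Iterable[str], start: datetime, days: int) -> Grant:
        ceiling = ROLE_ZONE_CEILING.get(role)
        if ceiling is None:
            raise ValueError(f"unknown role {role!r}")
        requested = frozenset(zones)
        excess = requested - ceiling
        if excess:  # refuse at issuance rather than rely on a door check later
            raise ValueError(f"role {role!r} may not be granted {sorted(excess)}")
        grant = Grant(holder, role, requested, start, start + timedelta(days=days))
        self._grants[badge_id] = grant
        return grant

    def revoke(self, badge_id: str) -> None:
        self._grants[badge_id].revoked = True

    def disable_expired(self, now: datetime) -> List[str]:
        """Scheduled sweep: revoke every grant whose window has closed."""
        done = []
        for badge_id, g in self._grants.items():
            if not g.revoked and now >= g.not_after:
                g.revoked = True
                done.append(badge_id)
        return done

    def check(self, badge_id: str, zone: str, now: datetime) -> bool:
        """Door-reader decision; the reason is recorded even when access is allowed."""
        g = self._grants.get(badge_id)
        if g is None:
            reason = "deny:unknown-badge"
        elif g.revoked:
            reason = "deny:revoked"
        elif not (g.not_before <= now < g.not_after):
            reason = "deny:outside-window"
        elif zone not in g.zones:
            reason = "deny:zone-not-granted"
        else:
            reason = "allow"
        self.audit.append((now, badge_id, zone, reason))
        return reason == "allow"


def plumber_visit() -> Dict[str, object]:
    """Constructed scenario: a contract plumber badged for a two-day monthly visit."""
    reg = BadgeRegistry()
    start = datetime(2025, 6, 2, 7, 0, tzinfo=UTC)
    reg.issue("B-1001", "A. Plumber (ACME Plumbing)", "plumber",
              {"loading-dock", "mechanical-room"}, start, days=2)
    day1 = start + timedelta(hours=3)
    day3 = start + timedelta(days=2, hours=1)   # one hour past the window
    results: Dict[str, object] = {
        "day1_mech_room": reg.check("B-1001", "mechanical-room", day1),
        "day1_data_center": reg.check("B-1001", "data-center", day1),
        "day3_mech_room": reg.check("B-1001", "mechanical-room", day3),
    }
    results["swept"] = reg.disable_expired(day3)
    results["after_sweep"] = reg.check("B-1001", "loading-dock", day3)
    results["audit_reasons"] = [reason for _, _, _, reason in reg.audit]
    try:  # a request above the role ceiling is rejected at issuance
        reg.issue("B-1002", "B. Plumber", "plumber", {"data-center"}, start, days=1)
        results["over_ceiling_rejected"] = False
    except ValueError:
        results["over_ceiling_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in plumber_visit().items():
        print(f"{key}: {value}")
```

Two design points carry the weight here: the zone ceiling is enforced when the badge is issued, so a facilities manager cannot accidentally grant a plumber the data center, and the validity window is checked on every door request, so a badge that was never collected back stops working on its own even before the scheduled sweep revokes it.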

FE: How can facility executives monitor vendor progress to ensure work is getting done correctly?
Carroll: This starts with the four corners of the contract and the specificity that it contains. Ultimately, there are two (possibly three) dimensions of those four corners: a) the work itself, as in scope, pricing, milestones, success criteria, etc., and b) the contractual legal content that centers on liability, force majeure, intellectual property, privacy, etc. It is not uncommon for this to be more or less a boilerplate of legal language to protect the firm.
But boilerplate may not be sufficient for the project or effort at hand. It is not uncommon that a third component be required: c) the contractual language (b) that needs to be modified to address the specifics of (a). For example, a new candy shipping system is to be installed by June. Delays until July are painful but further delays until August jeopardize the peak period of Halloween. Contractual language may include time-specific penalties based on business cycles.
FE: If a vendor failure does happen, how should facility executives respond? What are the main scenarios executives need to consider before an incident occurs?
Carroll: It’s no different than any sort of risk analysis, where there is a defined contingency response to the specific event; keeping in mind that the response could be to do nothing, but at least the issue needs to be thought through. There will or should be a legal/contractual response in the form of penalty but that is not what the firm desires — that is simply a financially painful consequence for the vendor. You don’t want their money (you do want what you paid for).
That said, the contract needs to be clear on what constitutes failure and what the financial remedies are for that. A vendor could be delayed or even stall a maintenance/warranty call for days or weeks without consequence to themselves unless the contract has clear SLAs with defined penalties. You could be dying while they simply are not responsive.
FE: As buildings become smarter, critical information is migrating to the cloud. What steps can executives and managers take to ensure they are finding trustworthy partners to help them with this process and ensure their data is secure?
Carroll: Under the assumption that other aspects of the environment are in the Cloud (e.g., payroll, inventory, etc.), first and foremost make sure that you leverage what is already there and do not try to ‘create’ a new approach to Cloud hosting. But that is not good enough. You need to also confirm that those prior Cloud hosting activities are themselves rock solid with good backup, validation, response level, etc. for their existing services. But even that is not good enough. A Cloud hosting service that provides a solid 2-second response time for an existing payroll transaction may not be robust enough for a Manufacturing Execution System (MES) on the shop floor that needs real-time response. A two-, three-, four- or five-second response on an alarm system is an eternity and may not be sufficient for the safety aspects of building management.
The other consideration is the move into Operational Technology (OT), which building management is, as contrasted with Information Technology (IT), which is more about management systems (i.e., not real time). OT has a whole different sense of urgency.