Exclusive Webinar Series: Avoid Getting Trapped by Supplier Centric Contracts

Join Turnstone IT Sourcing Consultant Tom Giblenn for an in-depth look at supplier-centric IT contracts and how to avoid or mitigate the common commercial and service-related risks inherent in the supplier due diligence and contract negotiation process.

With GDPR coming into play, putting more obligations on suppliers and customers, we will talk about some of the planning support we are providing to clients. With Brexit negotiations looming and the devolution of EU legal obligations, it’s a critical time to review your supply contracts.

The webinar will focus on the themes around pre-contract due diligence during the RFP phase and evaluation criteria, including:

  • Data segregation and location
  • GDPR preparation
  • Availability
  • Recovery & replication of data
  • Exit planning
  • Proactive monitoring
  • Financial viability
  • Business continuity plans
  • Compliance – legal / policy / regulatory
  • Technical assessment of suppliers’ cyber security
  • Due diligence assessment of suppliers’ IT supply chain
  • Evaluation method – RFP and scoring

The webinar will also address key areas such as IP, Acceptance Testing, Exclusions and Liabilities as well as Multi-Sourcing, Contractual Cloud Issues, Service Credits, Associated Services and Scope of the Software License.

Join us on Thursday March 9th by registering for free here: https://attendee.gotowebinar.com/register/2309880796626557699

Turnstone part of MCA’s Consulting Excellence Declarations for 2017

Turnstone are proud to be part of the MCA’s Consulting Excellence Declaration initiative. Described as a new hallmark of quality for management consulting firms, the declarations pledge to uphold new principles of ethical behaviour, client service and value, and professional development in 2017, and to provide evidence of how firms do this in practice.

Over 20 MCA member firms, including global names such as KPMG and IBM as well as many specialist consulting firms, have joined the first wave of consultancies publishing online declarations setting out their commitments and approach. Turnstone are within this first wave of consultancies releasing their 2017 declaration and look forward to a strong, positive year ahead.



Turnstone Guest Speaker at GSA Sourcing Predictions

Turnstone are delighted to be this year’s guest speaker at the annual Global Sourcing Association‘s event, Sourcing Predictions 2017.

2016 has been a big year for global outsourcing, with a number of far-reaching changes and trends taking place: robotic automation, the high-speed digital agenda and of course the repercussions of Brexit, all potentially disruptive to the wider outsourcing industry.

So what does the future hold?

Turnstone shall be delivering its keynote around 2017 predictions, looking at:

Ongoing Vendor Management: A More Scientific Approach, including:

  • Skills mapping, accurate workload estimates, proper resourcing
  • ‘Right people, right job’: don’t expect tech resources to manage the provider
  • Job training and skills (CIPS), motivation, perception of procurement v. sourcing

Your Top 10 IT Contracts: A Review for Key Operational Exposures

  • Objective analysis of typical ITO contracts reveals a 50/50 split of clause count between legal, commercial and cost teams. The drivers are gaining an awareness of operational risks and the chance to mitigate them, plus addressing any corporate pressure on audit and compliance
  • Cyber Security: how well protected are you contractually? Does your IT vendor also subcontract? How safe is your supply chain?


Cyber Security Webinar

For anyone who missed Turnstone’s exclusive cyber security webinar in association with cyber security experts AproseRisk, you can listen to the recording here and gain the latest market intel and thought leadership on this rapidly growing threat.

Back By Demand

Cyber Security Webinar & On-Site Appraisal
We are delighted to announce that, due to high demand, we shall be re-running our exclusive Cyber Security webinar in association with cyber security specialists Aprose Risk.
As part of the webinar’s exclusive offering we shall be giving free on-site half-day appraisals, evaluating your cyber security protocols.
Expect to leave this event with:
  • Expert insight into the five most common cyber threats today
  • Three examples of supply chain cyber breaches that could happen to you
  • Key lessons learned from the Target supply chain breach
  • Best practices you can implement to manage the cyber risk from your partners
  • The overlooked aspects of security that are critical to avoid a breach
  • Suggested strategic actions and quick wins to improve your security posture
Our expert presenters are:
  1. Mark Satterthwaite is a specialist consultant at Turnstone with procurement expertise spanning 20 years in both public & private sectors.
  2. Andy is Chief Information Security Officer at Aprose Risk, a specialist Cyber Risk and Resilience Consultancy. He advises senior stakeholders at public and private sector organisations on effective strategies to reduce the risk and impact of cyber-related incidents. He is Fellow of the British Computer Society.

For further information please contact: Heidi@turnstoneservices.com or call 0207 936 4373

Watch Exclusive Cyber Security Webinar

For anyone who missed Turnstone’s exclusive Cyber Security: How Safe Are You? webinar in association with cyber security experts Aprose Risk, you can access it here:

Gain the latest in market intel and expert insight on the evolving threat of cyber crime within the supply chain.

5 Common Body Language Fails

We all know how to prepare for an important meeting; we do our research, practice our pitch and polish our shoes, but we could be letting ourselves down before we even speak.

You may have been told the basics and the glaringly obvious (don’t fidget, bite your nails, cross your arms or smile inanely, to name a few), but there are some less obvious habits that can help or hinder your communication and ultimately improve the outcome of the meeting, whether securing the deal or engaging with stakeholders:

  • Before entering a meeting don’t check your phone

This can be interpreted as an unwillingness to communicate with people in the same room. It now seems the norm that if people have a spare second or two they check their phones. Instead, read a magazine or newspaper or look around the room at others waiting and strike up a conversation with someone who is not immersed in the digital world – you may end up talking to a potential client or read an interesting article that could act as an ice breaker.

  • When meeting someone for the first time make sure not to invade their personal space

Leaning forward can make someone think that you want something from them or be perceived as invading their personal space. To make sure you don’t lean in and seem overly keen try putting your weight on your back foot: this will stop the leaning and give you a slightly more confident/relaxed posture. Different cultures have different comfort zones when it comes to personal space, some preferring greater distances than others.

  • Head tilting

Tilting your head sideways when making a statement can undermine the point you are trying to make. In many ways head tilting can be positive, a reassurance at times, as it can convey empathy, thought and understanding. But be aware when you are using it. In certain situations it can be appropriate. Different head tilts can indicate the undertones of a question; for example tilting your head down while asking a question communicates disapproval compared with someone tilting their head to the side, which communicates interest.

  • Don’t maintain constant eye contact

Looking wide-eyed at the person you are meeting for the whole duration of the conversation may be interpreted as intimidating or aggressive. In natural conversation you usually break eye contact within 7-10 seconds, but in a pressured situation you may forget this and end up staring. Looking away briefly to blink and relax might also help you pick up on their body language, which could help you interpret the thoughts and feelings underlying their words.

  • Over-gesturing

Over-gesturing can communicate nervousness. Gesturing can be helpful when trying to convey an important point, but waving your arms around too much may distract from what you’re saying. Practise active listening by nodding to show that you are paying attention or agree with what someone is saying, but be careful not to do this too much, as it may be misread as obsequious or lacking personal autonomy.

Brexit: The Road Ahead for IT

The scale of divisiveness brought on by the UK Referendum underpins the profound importance of an agile, global landscape, which has enough resilience to counter disruptive and unexpected events. The fall-out of the referendum has yet to play out or elucidate how and when substantial changes to the status quo will manifest. As procurement experts we must define how the sourcing industry can navigate turbulence ahead and mitigate risk on the wider scale.

Areas of obvious relevance are EU data regulations v UK DPA law and the OJEU regulations. Certainly there is enough here to keep London lawyers sleeping at the office, indefinitely.

Joking aside, on data protection, it will be diligent planning and foresight that is critical. But should we be unduly concerned about the landscape ahead? Not according to Peter Galdies, Development Director from Data Compliance firm DQM GRC:

“In my view the long term impact of a “Brexit” on the legislative framework for privacy will probably not be hugely significant”

He goes on to say that the received estimate of a two year negotiating wait may in all likelihood end up being anywhere between 3-6 years, after Article 50 is invoked:

“It is also highly likely that the UK (now with a strong new commissioner with a proven history of backing and enforcing consumer rights) will adopt a legislation directly modelled on the GDPR (as we will also need to do with the other legislations, such as worker’s rights and other similar good laws that protect the rights of the individual which will now need replacing),” said Galdies.

“The pressure to negotiate a strong trade deal with the EU will also drive the adoption of ‘mirroring’ legislation – designed to minimise the barriers to continued trade,” said Galdies.

With the UK’s Information Commissioner’s Office (ICO) saying future data protection laws must be commensurate with those of Europe, how we adapt remains an ongoing process:

“The Data Protection Act remains the law of the land irrespective of the referendum result,” said an ICO spokesperson.

“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK, but if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation (GDPR) framework starting in 2018.”

The latest rules on data protection, the General Data Protection Regulation (GDPR), were given the stamp of approval by Brussels in 2015 and are due to come into force by 2018 for the EU, and potentially the UK if the two-year exit plan is still underway.

From another perspective, if a business handles EU citizen data, the laws will still need to be met by the service provider.

So GDPR is going to affect businesses offering any service to the EU market, independent of where your data is held. One of the new provisions that raises the bar for service providers is that essentially anyone who touches your data gains responsibility for it.

Whether, as some legal experts predict, the new rules will affect every entity that holds European data both in and outside Europe or whether as global firms indicate the new laws will increase costs of doing business in Europe, remains to be seen. But it is certainly galvanising enough for us to need a significant forward plan.

Ultimately the UK’s DPA will need to enact stronger rules in order to provide equivalency with the enhanced EU rules, to enable UK firms to do business with remaining EU members.

A further complication is the revised EU-US Privacy Shield, which is replacing Safe Harbor. This has been set for review by EU member states, and according to Reuters a vote is expected in July. But should companies be unduly concerned about what lies ahead with the advent of a new data sharing landscape?

These macro level laws aside, in practical terms for UK organisations it will boil down to:

  • If you need to get your data back
  • Where is it?
  • How much will it cost to do so
  • What are the provisions in your current contracts?
  • Are there exit schedules that define who is to do what, by when and for how much?

All of these points are within the control of UK companies, and form part of best practice in terms of IT contract auditing and awareness.

Cyber Security

The air of uncertainty is particularly pungent around Cyber Security and what kind of framework the UK will adopt post Brexit.

Businesses may in the short term become more vulnerable to cyber attack given the potential for bureaucratic loopholes; with 40% of IT professionals forewarning of greater exposure to cyber crime this cannot be dismissed as hyperbole. Given the amorphous and evolving nature of cyber crime we must continually seek to adapt and ensure the IT supply chain is appropriately secured.

A significant proportion of cyber breaches have occurred not inside the victim’s own firewall or environment, but within that of a third party supplier, through which the cyber criminals then gain access.

Essentially a more complicated set of EU/US/UK DPA laws can only add to the risk of companies not being adequately protected from a contractual viewpoint.

Free Movement

The biggest medium to long-term threat would be the restriction of free movement. If free movement is off the table, the larger SI houses may seek to centralise in favour of Europe, which would mean a restriction of European IT skills coming to London.

In addition, Visa restrictions could drive up costs as well as providing operational challenges. As an example, 50 staff from an Indian SI house were deported from a UK client site last year, due to inadequate travel visas. Should free movement be restricted and visas necessary for EU based staff, the same problems could arise.

In the event that we follow Norway and Switzerland by maintaining access to the single market, much of the initial fear and headache emanating from lack of free movement will be resolved. Again, it is too early to predict which way the negotiations will go.

With two years to exit, organisations do have the time they need to forward plan and consider the impact on their supply bases.

With many companies facing an uncertain trajectory in the wake of Brexit it remains prudent to watch and wait until more of the jigsaw is in place.

From a risk management standpoint it is both prudent and best practice to audit and log all your IT & Telco contracts, to have a good awareness of what you have and where any current problems lie.

Cyber Security: Don’t be a Victim

Cyber Security is a very real and increasingly omnipresent concern for both the public and private sector; with cyber-attacks becoming more sophisticated, the immediacy of the problem warrants a level of security previously unseen.

The misconception of Cyber Security being an IT issue is as myopic as it is commercially disastrous; because it involves people, the complexity of an insider threat ranks as the highest risk of data loss. Indeed, personal IT may be more valuable to attack than Corporate IT resources.

Sensitive data may be susceptible to breaches that can cause untold damage to brand and reputation, with exposure of client information, interests, IP and trade secrets, and serious business interruption. The end result: direct and indirect financial and economic loss.

In recent years companies have begun to address the issues that Cyber Security raises and are taking logical steps toward protecting their systems. The key protocols are to prevent and defend; protecting data whilst mitigating risk is key to managing an organisation’s privacy and ensuring the security of confidential client information. By employing prudent measures and fostering the right relationships, organisations can increase their security and minimise risk exposure substantially.

Increasing Awareness

Sadly, and somewhat unsurprisingly, the insider threat arises from employees and partners who have become compromised.

Whilst most incidents are not maliciously motivated, they nevertheless arise from people’s fallibility and misinformation. A somewhat alarming statistic is that 60% of people will plug an unknown USB drive into their system.

Targeted attacks are a different ball game completely, with criminals leading industrialised attack methods that hoodwink traditional information security. A game changer indeed, with industries in the position of having to raise their game significantly. The number one cause of supply chain failure is IT/telecom outage, with cyber-attack at number 4.

Risk Assessment

By undertaking this six-step risk assessment, companies will receive a review of their existing capability with a roadmap that will ensure continued safe operation.

Understanding Objectives

Focus on business objectives to appreciate aims and to form the “To-Be” future state Cyber Security strategy

Business Impact Assessment

Determine the potential business impact in the event of a compromise

Threat Assessment

Assess the Cyber Security threat and identify the sources that seek to compromise the firm’s sensitive assets

Vulnerability Assessment

Identify and document security vulnerabilities in existing technology, people and protocols; create the “As-Is” current position

Risk Evaluation

Evaluate the remaining risk factors and the risk rating for each. The output is a prioritised Cyber Risk Register

Strategy & Roadmap

Roadmap of tactical & strategic measures to ensure ongoing defence of systems and assets

Executive Views

  • Sept (2014): The UK government announced that suppliers bidding for public contracts would have to meet new cyber security standards
  • May (2015): Aon Risk Solutions highlighted that cyber risk had moved into the top 10 global threats for business for the first time
  • Rory Moloney, Chief Executive, Aon Global Risk Consulting, said: “While new risks such as cyber have moved to the centre stage, established risks such as damage to reputation or brand are taking on new dimensions and complexities. The interconnected nature of these risks reinforces the importance…”
  • According to a 2015 global Private Equity survey conducted by EY, entitled ‘Positioning to Win’, a top risk highlighted by CFOs is cyber security
  • Andrew Coulcher, Director of Customer Solutions, CIPS, said: “This is one of the biggest issues of our time; as procurement professionals we need the right tools and support to meet these challenges head on.”
  • Costs of a cyber security breach are estimated by CIPS as anywhere between £600k and £1.15m for large businesses, or £65k to £115k for small businesses.
  • The Ponemon Institute estimated that a breach in the financial services sector would cost $217 per record. For example, for Target’s 110 million records breached, the costs would be substantial enough to put a fund out of business.

Cyber Essentials

UK Government ‘Cyber Essentials’ is a set of controls offering Public and Private Sector organisations a sound foundation of basic cyber hygiene measures.

  • Firms such as AIG are offering incentives to businesses to become certified.
  • Larger organisations, such as HP, are also beginning to demand accreditation.
  • The five key controls are: boundary firewalls and internet gateways; secure configuration; user access control; malware protection; and patch management.
  • There are two levels of assurance available to satisfy the requirement: ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.
  • Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber-attack.
  • Cyber Essentials is a single, government and industry endorsed cyber security certification. It is accessible for businesses of all sizes and sectors to adopt.
  • The UK standards are based on the ISO/IEC 27000 series, providing a basis for checking the IT security of elements in the global supply chain.


The battle against cyber threats is not a finite one with a one-size-fits-all solution, nor is it a problem that can be easily circumvented, but rather a multifarious challenge to which organisations must continuously adapt and evolve. Even more alarming is the advent of zero-day threats, where malware exploits previously unknown vulnerabilities; this is arguably the next generation of security threat.

With cyber criminals employing ever more sophisticated strategies to disrupt and compromise systems, organisations must adopt a robust appraisal of their current exposure level, seek an expert roadmap to counteract key risks, and maintain an ongoing process that allows for the amorphous and unpredictable nature of the threat.