I’ve onboarded maybe a dozen people into contracts or legal ops roles over the years. Different companies, different industries, different levels of experience. And every single time, on day one or close to it, I say the same thing:
“Before you read any SOW, read the MSA.”
Most of them look at me like I’ve just told them to eat dessert before dinner. The SOW is the fun part. It’s got the deliverables, the timeline, the dollar amounts. It’s the thing people fight about in meetings. It’s what the project manager wants to discuss. It’s specific, tangible, and usually shorter.
The MSA is that 20-page document full of indemnification language and governing law provisions that everybody scroll-signs and nobody brings up again until something goes wrong.
Which is exactly why I want them to read it first.
The MSA is where the real risk lives
Here’s what I learned the hard way, about seven years into this career: the SOW tells you what you’re buying. The MSA tells you what happens when things go sideways.
And things always go sideways eventually.
WorldCC’s annual Most Negotiated Terms research consistently finds that limitation of liability and indemnification dominate negotiation priorities. Those clauses live in the MSA, not the SOW. They determine your total financial exposure if a vendor fails to deliver, breaches your data, or just disappears mid-project. The SOW can say “deliver a working platform by March 15” all it wants. If the MSA caps the vendor’s liability at the fees paid in the prior 12 months (which is extremely common), then the most you can recover when they blow the deadline and cost you a quarter’s worth of revenue is whatever you paid them.
I had a new hire once, sharp, MBA background, came from procurement. She was reviewing a vendor agreement and was laser-focused on the SOW. The pricing was off, the milestones didn’t align with our internal timeline, and she caught both issues. Good work. But when I asked her what the liability cap was in the MSA, she hadn’t looked. It was capped at $25,000. The contract was worth $400,000 a year. If anything went wrong (and we were buying a compliance tool, so “wrong” could mean regulatory exposure), the most we could claw back was $25,000.
She never made that mistake again.
Why people always read the SOW first
I don’t blame anyone for going to the SOW first. It makes sense. The SOW is the document that answers the question everyone’s actually asking: “What are we getting and how much does it cost?”
The MSA, by contrast, answers a question nobody wants to think about: “What happens if this relationship falls apart?”
Nobody wants to start a new vendor relationship by planning for its failure. It feels adversarial. It feels pessimistic. And, honestly, MSAs are hard to read. They’re dense, they’re full of cross-references, and they use “notwithstanding” like it’s punctuation. I’ve been doing this for 15 years and I still sometimes have to read an indemnification clause three times before I’m sure I understand which direction the obligation flows.
But WorldCC research has shown, repeatedly, that the terms organizations identify as most important for outcomes (scope, deliverables, SLAs, change management) are not the same terms that get the most negotiation attention. The negotiation energy goes to the legal risk terms in the MSA. The outcome-driving terms in the SOW get less scrutiny. That disconnect is a problem, but it’s also exactly why you need to understand both documents: the MSA is where your organization’s lawyers spent their negotiating capital, and you need to know what they bought you.
What to actually look for
When I tell new hires to read the MSA first, I don’t mean memorize every clause. I mean understand the five things that will matter most when something goes wrong:
1. Limitation of liability. What’s the cap? Is it tied to fees paid, a flat dollar amount, or annual contract value? Are there carve-outs for things like data breaches or IP infringement? According to research from Harvard Law School, roughly 10 to 15% of contract breaches are actually strategic: the breaching party calculated that paying the penalty was cheaper than performing. If you don’t know your vendor’s liability cap, you don’t know whether they have that incentive.
2. Indemnification. Who’s covering whom for what? This is the clause that determines whether you’re on the hook for a vendor’s negligence or a vendor’s on the hook for yours. It can flow one way, both ways, or (in the worst vendor-drafted MSAs) effectively only protect the vendor. I once spent two days rewriting an indemnification clause in a staffing vendor’s MSA because it would have made us liable for their contractors’ on-site injuries. The SOW just said “temporary IT staff, 3 FTEs, 6-month engagement.” Nothing in that scope would have told you about the liability you were taking on.
3. Termination rights. Can you leave? Under what circumstances? With how much notice? I’ve seen MSAs that require 180 days’ written notice to terminate for convenience. If you’re not aware of that and your relationship with the vendor turns sour in month three, you’re locked in for another six months while you figure out how to send the right letter to the right address in the right format.
4. Data obligations. What happens to your data when the contract ends? Does the vendor delete it? Return it? In what format? How quickly? Gartner has found that 83% of organizations face third-party risks due to poor contract visibility, and data handling is a huge part of that. These provisions live in the MSA (or a DPA attached to it), and I cannot tell you how many times I’ve seen organizations discover, mid-transition, that their old vendor has no contractual obligation to export data in a usable format. You end up paying them extra, during the termination period, to give you your own information back.
5. Governing law and dispute resolution. This one feels academic until it isn’t. If your vendor is based in California and your MSA says disputes will be resolved under California law in San Francisco courts, and you’re a 50-person company in Ohio, you’ve just made it very expensive to enforce any of the protections you negotiated.
The SOW is important. It’s just not first.
I’m not saying the SOW doesn’t matter. Obviously it does. If the deliverables are wrong or the pricing is off, nothing else matters because the deal itself doesn’t work. And scope disputes are real: WorldCC reports that around 80% of contract disputes stem from poorly defined scope or deliverables, which is exactly the kind of thing a good SOW prevents.
But here’s the thing about SOWs: everybody reads them. The project manager reads the SOW. The finance team reads the pricing section. The executive sponsor skims the timeline. You will have no shortage of people in your organization who can tell you whether the deliverables make sense.
Almost nobody reads the MSA. That’s your job. And if you don’t do it, nobody will.
What I’ve seen go wrong
A few years back, I was at a mid-size company where a marketing technology vendor failed to deliver a platform migration on time. Three months late, significant business impact. The team wanted to terminate and recover damages.
When I pulled up the MSA, three things became clear very quickly. First, the liability cap was fees paid in the prior 12 months, which was about $80,000. The actual business impact of the delay was easily ten times that. Second, the termination for cause clause required 60 days’ written notice and a 30-day cure period, so even once we formally complained, the vendor had a month to “fix” things (they used all 30 days and fixed nothing meaningful). Third, consequential damages were mutually waived, which meant lost revenue was off the table entirely.
None of this was in the SOW. The SOW said “platform migration, Q2 delivery, $80,000 annual fee.” It was a perfectly fine SOW. It just didn’t tell you anything about what would happen if the vendor couldn’t deliver, because that’s not the SOW’s job. That’s the MSA’s job.
The five-minute version for people who won’t read the whole thing
If you manage contracts and you’re short on time (and you’re always short on time), here’s the minimum:
Open the MSA. Find the limitation of liability clause. Know the cap. Find the indemnification clause. Know which direction it flows. Find the termination clause. Know how much notice you need to give. That takes five minutes, and it tells you 80% of what you need to know about your risk exposure.
Then read the SOW. Check the scope, the pricing, and the dates. Make sure the deliverables are specific enough that you could hold the vendor to them if you had to.
Then open ContractSafe and make sure both documents are filed together, linked, and the key dates are tracked. Because the worst version of this problem is when someone reads the SOW, signs it, and the MSA is sitting in someone’s email from six months ago, unfiled, unfindable, and full of terms nobody reviewed.
The conversation I keep having
Every time I give this advice to a new hire, we end up having the same follow-up conversation a few weeks later. They come back and say something like: “I read the MSA on that vendor deal and the liability cap is way too low” or “Did you know our termination clause requires six months’ notice?”
And I say: “Yes. Now you know too. And you’re the reason it’ll get fixed next time.”
That’s the whole point. You can’t negotiate better terms if you don’t know what you agreed to. You can’t manage risk if you don’t know where the risk lives. And the risk almost never lives in the SOW.
Read the MSA first. Everything else will make more sense after you do.

