CRM Platform and Partner Company Selection and Due Diligence

Things to consider when Selecting a CRM Provider:

Note: with most CRM deployments the ‘CRM Provider’ would be a big company such as Microsoft, Salesforce or Oracle. They would work with a ‘Partner Company’, who would be the people you work with to set up your CRM system.


  • Are the CRM Provider and Partner Company robust and have financial checks been made using someone like
  • How many years have they been in business, and what is their financial and ownership position? Is this likely to change in the foreseeable future, and what would be the impact?
  • What is the cultural fit between the company and the Partner Company that will be configuring the system?
  • Is the CRM Provider a major player and, if not, what is the probability of them surviving competition?
  • If required, is the Partner Company legally authorised and competent to undertake the work (a consideration, for example, in Financial Services)?
  • Does the Partner Company have a track record of successful deployments?
  • Can the Partner Company provide reference sites, which can be visited?


  • What are the pricing options and versions available and how do these fit with the requirement?
  • What are the implications of switching versions e.g. can this be done selectively on a user basis or does all of the licensing need to change?
  • Are software upgrades included in the pricing?
  • Is the system to be configured by a Partner Company, or is assistance required from a Partner Company (this will impact the initial cost)?
  • Is there an initial discovery phase where the full cost can be evaluated?
  • What is the ongoing support cost (probably expressed as a percentage)?
  • Is there any tie-in to the supplier e.g. IP ownership or a managed solution whereby the code is controlled by the Partner Company?
  • Who owns the intellectual property rights for the solution and what are the limitations on use?
  • If this is an industry-configured solution, is anyone else using the solution?
    • If so, can and will the solution be adapted to the company’s needs and how much work is required?
    • What are the expected timescales to do this work?
  • Can data be easily exchanged with the company’s other systems or third party systems?
  • Does the system have flexible reporting capabilities and can the data from the system be easily linked to other reporting solutions if need be?
  • If the project incorporates other systems or integration work how will the partner or CRM Provider work with the other third parties?
  • How will end to end testing be performed especially if third parties are involved?


  • Are there any limitations in scaling the solution including any interfaces or related software?
  • Will the solution be robust enough to be able to scale to meet the needs of the company within the foreseeable future?
  • Obtain details of any system stress testing that has been performed, if relevant.

Project Management

  • Will a project manager be provided to support the project or is this the company’s responsibility?
  • What will be the scope of project ownership: just the CRM, end-to-end Systems Integrator programme ownership, etc.?
  • What are the expected overall timescales and timescales for the discovery, design, development, training and implementation stages of the project?
  • Is the project likely to be phased and what is proposed?


  • Has a security risk assessment been undertaken on the full end to end solution, including integration with other systems?
  • Is there a proper security policy and set of measures in place to mitigate security risks, including those relating to any third parties the CRM Provider or Partner Company may use?
  • Are security responsibilities fully understood by all affected CRM Provider employees and can this be evidenced?
  • What tools are in place to monitor security, what penetration testing has been performed and what continuous security checking is performed?
  • Is the CRM Provider independently security audited and, if so, by whom? What standards does it operate under, e.g. ISAE 3402?
    • If internally audited, obtain details and confirm independently, if necessary, that these are satisfactory.
  • Is the CRM Provider ISO 27000 accredited?

Top Cloud Computing Threats and Vulnerabilities to Consider

Disaster Recovery

  • What disaster recovery is in place and is this sufficiently resilient to meet the purpose (depends on your requirement)?
  • Have the exact requirements been specified and agreed with the CRM Provider? This can have quite a significant cost impact.
  • What is in place to prevent an outage in the first place, e.g. uninterruptible power supplies?
  • Is there a formal Disaster Recovery Plan and does this align with the expectations of the company and its own DR plan?
  • Will the Disaster Recovery plan and related IT solution be tested on at least an annual basis and after a major change in configuration or upgrade?
  • Are the disaster recovery plans fit for purpose (see RTO and RPO in the Service Level section)?

Data Protection

  • Will the data be processed in line with the UK Data Protection Act?
  • Will all data be held and processed within the EEA or other acceptable jurisdiction (if not, special contractual arrangements such as model clause inclusions may be necessary)?
  • Will data be fully separated from that of other companies so that there is no danger of other parties gaining access to data in the company CRM or related systems?
  • Is data encrypted during transmission?
  • Is data at rest (i.e. stored data) encrypted?
  • CRM cloud solutions are often multi-tenanted – how is data segregated and secured?
  • How will performance impairment due to other clients be prevented?
  • Who will have control of managing the systems and what aspects will be controlled by the company?
  • If the company needs to exit the relationship with the CRM Provider or Partner Company:
    • How can the transition be managed?
    • Will the company be able to easily extract its data in a useful and usable format that would lend itself to transfer to another system?
    • How will the data be removed from the CRM systems, supporting test systems and backups?

User administration

  • Will the company control all access to the system? Is there any backdoor or administrator access to the system and the company’s data by the CRM Provider or Partner Company?
  • Is there a process for managing the access rights of joiners/movers/leavers, and are the administration features in the system fit for purpose and easy to use?


  • Will the CRM Provider and Partner Company continue to support the solution going forward?
  • How will changes be made and what is already covered in any support contract?
  • Who owns the Intellectual Property for these changes?
  • Will there be an ongoing support contract, what will be included in this and is it sufficient to fit the needs of the company?
  • Who will provide system maintenance and upgrade support, i.e. will it be the company, CRM Provider and Partner Company or a combination?
  • Will patches and upgrades be automatically applied by the CRM Provider? What options are available, e.g. does the company have any control over when and how these are applied?

Service levels

  • What is the recovery time objective, RTO (duration of time within which a service must be restored after a major incident)?
  • What is the recovery point objective, RPO (maximum time data might be lost due to a major incident – the amount of data that could be potentially lost)?
  • What are the SLAs that will be provided around support for both the CRM Provider and Partner Company?
  • Will the SLAs form part of the contract and what sorts of penalties may be associated with this e.g. service credits?
  • What practical evidence is there that the CRM Provider and Partner Company will actually be able to perform against these SLAs?
  • What tools and reporting are provided by the CRM Provider and Partner Company?

Incident Management

  • Are the incident management responsibilities of the company, CRM Provider and Partner Company clearly defined and is there a formal process of engagement?
  • Is a portal available to communicate and manage incidents and/or can this be integrated with the company’s own incident management system?
  • Is incident management adequately covered off in the SLAs above?

Company Responsibilities

  • Who will be responsible for managing the relationship with the CRM Provider and the Partner Company?
  • Do the internal skills currently exist to manage such a third party relationship?
  • How will disputes be resolved between the supplier, the company and if necessary third parties?
  • What type of relationship will exist between the company, CRM Provider and Partner Company?