Bylaw 7. Procurement, Vendors & Grants

Last modified: September 5, 2025

(Swiss Verein; Zug register; principal base Geneva. This Bylaw sets sovereign-grade rules for acquiring goods/services/data/software, onboarding and overseeing vendors, and accepting/administering restricted funds and grants. It preserves independence (Art. 3), respects Board-reserved powers and Delegation of Authority (Art. 9; Annex F), and embeds the Central Bureau (CB) clearance, Council Register and Gazette regime (Arts. 9.3, 12–13). Cross-refs: Arts. 1–2, 5 (EN controls; FR/DE companions), 6–8, 10–11 (Programs; ECT), 14 (Finance & Controls), 15 (Data/Security/Privacy), 16 (Ethics/Conflicts/ABAC/Sanctions), 17 (Protocol), 18–21; Bylaws 1–6. Annexes: F (DoA & thresholds), G (Signatory Matrix), H (Treasury), N (Conflicts & RPT), AB (Open-Contracting Standard & Templates), L (Identity/InfoSec), T (Data/Model Governance), W (Records), X (Gazette), Z (Continuity/RAP). EN controls.)


7.0 Principles, Scope & Non-Substitution

7.0.1 Objectives

(a) Achieve best value over total life-cycle; (b) preserve independence and prevent donor/vendor capture; (c) ensure lawfulness, safety, privacy, and auditability; (d) promote competition, transparency, sustainability, accessibility, and supplier diversity.

7.0.2 Scope

Applies to all acquisitions (goods, services, venues, travel, consulting, data, software, cloud, compute, AI/ML models/APIs), frameworks, sub-awards, outbound grants, and inward restricted funds/sponsorships; and to the full vendor lifecycle (planning → sourcing → contracting → performance → change → close-out).

7.0.3 Non-Substitution

Nothing herein authorizes acts reserved to the Board (Art. 9.1) or waives CB Pre-Clearance for Material Actions (Art. 12). DoA values and tiers reside in Annex F.


7.1 Planning, Authorities & Blackouts

7.1.1 Annual Procurement Plan (APP)

EM files an APP (needs, categories, estimated values, sourcing strategy, sustainability, risk, independence posture). CB logs APP in CSR; material changes are gazetted in summary.

7.1.2 Roles & Segregation

(a) Requisitioner ≠ Evaluator ≠ Signatory (four-eyes). (b) Panels are constituted per §7.2.2 with conflict screens (Annex N). (c) CB advises on independence, sanctions/KYC, privacy/security, and materiality.

7.1.3 Market Soundings

Permitted if non-discriminatory, documented, and clean-room protocols are used (no unfair info advantage). Summaries filed in CSR.

7.1.4 Communications Blackout

From RFP issue to award, vendor contact is limited to the official channel; breaches may disqualify offers.


7.2 Thresholds & Competitive Sourcing

7.2.1 Tiers & Authority (DoA)

Tier 1 (Departmental) | T1 (Annex F) | ≥1 written quote on approved template.
Tier 2 (Executive) | T2 | ≥3 comparable bids or equivalent competition (RFQ/RFP).
Tier 3 (ED/CEO) | T3 | Formal RFP/ITT; ≥3 bona fide bids.
Board-Reserved | > T3 or items in Art. 9.1 (e.g., core IP/exclusive licenses, DRF rails, real property, borrowing/liens).

Aggregation rule: related contracts/options in 12-month window aggregate.

7.2.2 Competition & Evaluation

(a) Open, fair, non-discriminatory specifications; avoid unnecessary bundling; lotting to enable SME/Global South participation.
(b) Criteria (illustrative): technical merit; independence risk; IP/data posture; security/privacy; sustainability & accessibility; delivery plan; past performance; price/TCO.
(c) Panels: ≥2 evaluators (Tier-2), ≥3 (Tier-3); conflicts walled; scoring sheets filed in CSR.
(d) Standstill & Debrief: 10 Business Days standstill before contract execution; losing bidders may request debrief within 5 Business Days; summaries filed in CSR.

7.2.3 Exceptions to Competition

(a) Sole-Source (CB Pre-Clearance + award memo required):

  1. Uniqueness/interoperability (protected IP/standards);
  2. Continuity/safety (change risks material harm);
  3. Security/sovereignty (identity, export-control constraints);
  4. Public-interest pilot (time-boxed, openly disclosed, post-pilot competition).

(b) Emergency / RAP (Art. 19): compressed sourcing by RAP Order with RAP-Clearance; post-event regularization within 10 Business Days (CSR + Gazette).
(c) Frameworks/Catalogues: call-offs under CB-cleared frameworks are competitive by construction; stay within scope and caps.

7.3 Contracting Standards & Mandatory Clauses

7.3.1 Form & Authority

(a) Two-to-sign per Annex G; DoA recital in preamble; CB Clearance ID for Material Actions.
(b) Contract hierarchy: main terms → SOW → annexes → RFP → vendor offer; conflicts resolved in that order.

7.3.2 Core Clauses (non-exhaustive)

  • Audit/inspection, ABAC (no gifts > de minimis; hospitality register), sanctions/export controls, anti-boycott.
  • IP & licensing: GRF owns bespoke deliverables; vendor retains background IP; GRF receives perpetual, worldwide, royalty-free license to background IP as needed. Public-good outputs may be open/FRAND licensed (Annex T). No unintended exclusivity.
  • Data & privacy: DPAs, ROPAs, TIAs, cross-border tools (SCCs/IDTA), purpose limitation, minimization, data return/deletion certificates.
  • Security: ISO 27001/SOC 2 (or equivalent by tier), encryption at rest/in transit, vulnerability mgmt, incident notice SLAs, PAM/zero-trust; InfoSec Annex (Annex L).
  • AI/ML/model-specific: Model Cards, training/validation access, red-team rights, safety/fairness testing, usage caps/telemetry, SBOM for model artifacts, no black-box obligations that preclude assurance for high-stakes use (Annex T).
  • Service: KPIs/SLAs, service credits, step-in rights, escrow (code/models) for Tier-A; continuity/DR requirements.
  • Change control: formal variation orders; price adjustments capped; indexation formula explicit.
  • Termination: for convenience (notice, pro-rata payments) and for cause (material breach, independence breach, sanctions hit, security/privacy incident).
  • Liability/insurance: limits by tier; professional indemnity & cyber cover for critical suppliers.
  • Sustainability & accessibility: carbon budgets, waste standards, WCAG 2.1 AA; modern slavery & human-rights clauses.
  • Publicity/marks: no co-branding or endorsements without Board approval (Art. 3); case studies only per brand guidelines.

7.3.3 Payment, Currency & Bonds

(a) Net 30 default; milestone-based; advance payments require security (bond/guarantee/escrow).
(b) Currency CHF unless agreed; FX rules per Annex H.
(c) Performance bonds (up to 10% of value) required for Tier-3/critical works at CB/ARC discretion.


7.4 Vendor Due Diligence, Risk Tiering & Lifecycle

7.4.1 Onboarding (proportional)

  • Identity & ownership (register excerpts; beneficial owners); signatory proofs.
  • Sanctions/KYC/AML (SECO/EU/OFAC; PEP; adverse media); export-control flags.
  • Integrity/ABAC (certifications; debarment lists; litigation history).
  • Security & privacy (questionnaire; ISO/SOC attestation; DPA; DPIA/TIA if needed).
  • Technical/IP (licenses; chain-of-title; OSS compliance).
  • Sustainability/labour (modern slavery; carbon disclosures; accessibility).
  • Financial soundness (solvency snapshot; going-concern risks).

7.4.2 Risk Tiering

Classify Tier-A (critical), Tier-B (important), Tier-C (routine) by criticality, data sensitivity, substitutability. Controls scale by tier (assurance cadence, incident SLAs, audit rights, escrow, liability).

7.4.3 Performance & Monitoring

(a) KPIs/SLAs; quarterly reviews (Tier-A) / semi-annual (Tier-B).
(b) Incidents reported within SLA (≤24h Tier-A); entries in Incident Register (Art. 13, 15).
(c) Corrective-action plans tracked in CSR Action Logs.
(d) Data return/deletion verified on close-out; certificates filed.

7.4.4 Related-Party & Conflicts

Disclose relationships (Annex N). Conflicted officers recuse; breaches may trigger removal (Art. 8.5) and contract remedies.


7.5 Open-Contracting, Transparency & Protests

7.5.1 E-Procurement & OCDS

Use a CSR-integrated e-procurement portal. Publish Open Contracting Data Standard (OCDS) metadata where lawful (redactions for security/privacy).

7.5.2 Notices & Awards

Post RFPs, Q&A, and award summaries (Tier-3/Board) to the Gazette within 10 Business Days (lawful redactions). Keep a Procurement Register in CSR.

7.5.3 Standstill, Debriefs & Protests

(a) Standstill: 10 Business Days from award notice.
(b) Debrief: structured feedback (criteria/relative ranking) within 5 Business Days on request.
(c) Protests: file to CB within standstill; CB/GC issue reasoned decision; appeal per Art. 18 (mediation → Swiss Rules arbitration; seat Geneva; EN). Execution stays only if CB so orders.


7.6 Sustainability, Access & Inclusion

7.6.1 Environmental & Social

Carbon budgets for travel/venues; low-emission preference; waste standards; human-rights due diligence; modern-slavery declarations.

7.6.2 Accessibility & Design for All

Venue/software WCAG 2.1 AA; reasonable accommodations in sourcing and delivery.

7.6.3 Supplier Diversity & Global South Participation

Lot sizes, fair payment terms, and outreach to SMEs/GSIs; avoid unnecessary exclusivity; publish participation stats annually.


7.7 Restricted Funds, Sponsorships & Grants (Inbound)

7.7.1 Independence & Board Control

Default neutrality (platform/membership revenues). Exceptions: acceptance of restricted funds/sponsorships/grants requires Trustee approval (≥2/3) and CB Pre-Clearance; entries in Donor & Dues Register (Art. 14.1, 13.2).

7.7.2 Diligence & Inadmissible Sources

Source identity/beneficial ownership; sanctions/KYC/AML; anti-terrorism financing; reputational/independence risks (IIA). Inadmissible: sanctioned/debarred sources; donor-conditioned editorial/policy control.

7.7.3 Grant/Sponsorship Instruments

Use CB-cleared Grant/Donation Agreements with: purpose scope; Independence Clause; no co-branding without Board approval; neutral reporting; audit rights; refund/clawback; privacy/security terms; publicity rules; non-exclusivity beyond necessity.

7.7.4 Ring-Fencing & Reporting

Restricted funds are segmented in finance systems; spend linked to evidence; quarterly reports to FIC/ARC; material items gazetted (lawful redactions).


7.8 Outbound Grants & Sub-Awards (If Used)

7.8.1 Policy & Competition

Outbound grants/sub-awards require a Board-approved policy and budget line. Competitive calls by default; Sole-Source exceptions per §7.2.3.

7.8.2 Agreements & Pass-Throughs

Standard Sub-Award Agreement with pass-through obligations: ABAC; sanctions/KYC/AML; privacy/security; IP/data/model governance; reporting; audit; safeguarding; anti-discrimination; modern slavery.

7.8.3 M&E, Cure & Clawback

Output/outcome KPIs; proportional assurance; cure notices; clawback for material non-performance or independence breach.


7.9 Records, Audit & Remedies

7.9.1 CSR & Gazette

All sourcing artifacts (RFPs, bids, evaluations, award memos, contracts-of-record, Clearances, exceptions, performance reviews, corrective plans) are filed in CSR. Material awards/exceptions and restricted-fund entries are gazetted within 10 Business Days.

7.9.2 Internal Controls & Audit

ARC may test procurement cycles, vendor oversight, and restricted-fund trails; external auditor may sample contracts (Art. 14.3). Management letters carry remediation plans with deadlines.

7.9.3 Remedies & Debarment

Acts executed without competition where required or without CB Clearance, or contrary to conditions, are voidable (Art. 7.11). Remedies: suspension/termination, clawback, supplier debarment (CSR Debarment Register; gazetted summary), personnel discipline (Art. 16).

7.9.4 Disputes

Supplier/grantee disputes follow Art. 18 (internal review → mediation → Swiss Rules arbitration; seat Geneva; EN).


7.10 AI/ML, Data & Cloud — Special Regime (Supplement)

7.10.1 Model & Data Procurement

Require Model Cards and Data Cards (Annex T), red-team rights, validation access, fairness testing, uncertainty disclosure, and safety guarantees proportional to risk. No NDA terms that block required assurance.

7.10.2 Security & Software Supply Chain

SBOM; SLSA (or equivalent) attestations; critical CVEs remediated per SLA; zero-trust controls; compute usage telemetry for cost/abuse monitoring.

7.10.3 Cross-Border Data Transfers

Use SCCs/IDTA and TIA where required; data localization only where mandated or risk-justified; privacy-by-design evidence filed with DPIA.


7.11 Training, Capability & Ethics

Annual training for requisitioners, panelists, and signatories: competition law, ABAC, conflicts & donor walls, privacy/security, open-contracting, AI/ML assurance, and records discipline. Gift/hospitality thresholds and registers enforced; lobbying disclosures per Standing Orders.


7.12 Quick-Reference Timelines

Phase | Standard | RAP
RFP open period | ≥ 10 Business Days (Tier-3) | As ordered in RAP
Standstill | 10 Business Days | May shorten with RAP-Clearance
Debrief window | 5 Business Days from request | 3 Business Days
Post-award CSR/Gazette | 10 Business Days | 5 Business Days
Sole-Source memo to CSR | Prior to execution | Prior to execution

Design result: A Swiss-grade, trust-minimized regime that defaults to competition, narrows and audits exceptions, hard-wires sanctions/KYC, privacy/security, and AI/ML safety into contracts, ring-fences restricted funds under Board + CB control, and makes every step provable through the CSR/Gazette—so GRF can scale DRR/DRF/DRI delivery at speed without compromising independence, safety, or public trust.
