Case study: reducing outsourcing contract review from days to minutes
By Grant Crawley · 16 July 2026

Case study: reducing outsourcing contract review from days to minutes for a regulated pension insurer
A Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) regulated bulk purchase annuity pension company needed a faster way to review outsourcing and third-party supplier contracts without weakening legal, regulatory or operational resilience controls.
The organisation’s legal and commercial teams were dealing with detailed supplier agreements covering outsourcing, software-as-a-service (SaaS), hosted services, technology support, data processing, service management, audit access, exit planning and cross-border risk.
The work was important, but time-consuming. Each review required a careful read across contract wording, internal outsourcing policy, UK General Data Protection Regulation (UK GDPR) requirements, service continuity expectations and regulatory access obligations.
The result was a practical Microsoft 365 Copilot Chat agent: a human-in-the-loop Outsourcing Contract Review Assistant that helps reviewers identify gaps, negotiation points and policy issues before a qualified person makes the final judgement.
End-user feedback has been overwhelmingly positive. Review tasks that previously took days can now be progressed in minutes, and users describe the quality of the output as outstanding.
The client context
The client is anonymised for confidentiality. It is a UK bulk purchase annuity pension company operating in a highly regulated environment, subject to both FCA and PRA expectations.
That context mattered. This was not a generic contract summarisation tool. The agent had to support a review process where supplier risk, outsourcing controls, data protection, audit rights, operational resilience and exit arrangements are central to good governance.
The FCA expects firms using outsourcing and other third-party service providers to manage operational resilience risks, including the people, processes, technology, facilities and information needed to deliver important business services. It also states that firms remain responsible and accountable for their regulatory obligations when using outsourced or third-party service providers. (fca.org.uk)
For cloud and third-party information technology services, FCA guidance also highlights issues such as physical access, supply chain and sub-contracting, concentration risk, data location, effective access to data and exit plans. (fca.org.uk)
The agent was therefore designed to support disciplined review, not to replace legal judgement.
The business problem
The existing process was thorough but slow.
A reviewer needed to:
- classify the contract and the service being provided;
- identify whether the arrangement appeared material, strategic, non-material or unclear;
- check service descriptions, dates, renewal terms and financial obligations;
- review liability, remedies, termination and supplier-favourable wording;
- assess data protection, UK GDPR Article 28 alignment and sub-processing;
- check audit rights, regulator access and access to data;
- consider operational resilience, service interruption, disaster recovery and restoration;
- identify exit planning and business continuity gaps;
- decide what needed negotiation before signature;
- produce a business-friendly summary for the contract owner.
This created a bottleneck. Reviews could take days, particularly where the contract contained multiple schedules, supplier terms, hosted service provisions or cross-border elements.
The client did not need a large new platform. It needed a safe, simple assistant that worked with the way its people already reviewed documents.
The solution: a simple Copilot Chat agent
The solution was a Microsoft 365 Copilot Chat agent configured as an Outsourcing Contract Review Assistant.
Microsoft describes Copilot agents as ranging from simple prompt-and-response agents to more advanced autonomous agents. Microsoft also states that declarative agents grounded in instructions and public websites are available at no additional cost, while some agents that access shared tenant data may use metered consumption. (learn.microsoft.com)
For this use case, the value came from a simple, instruction-led agent definition rather than a complex build. The agent embedded the client’s outsourcing and contracts policy requirements and followed a staged review workflow.
The agent was instructed to:
- ingest and classify the contract;
- conduct a first-pass contract risk review;
- check the contract against the outsourcing and contracts policy;
- identify negotiation priorities;
- assess jurisdiction and cross-border issues;
- conduct a final audit pass before producing the report.
The assistant was deliberately framed as a review aid, not an approval mechanism. Its role is to read the material, surface issues, structure the evidence and suggest points for negotiation. The final call remains with the client’s legal, commercial and risk specialists, who decide whether the wording is acceptable, needs amendment or should be escalated.
That design choice reflects Virtco®’s thin-slice approach to AI adoption: start with a controlled, assistive workflow, use artificial intelligence to draft, classify, summarise or recommend, and keep the approval decision with a person.
What the agent reviews
The agent supports reviews of outsourcing, third-party supplier, SaaS, hosted service, software, support, implementation, data processing and other material service agreements.
It produces a structured report covering:
- executive summary;
- contract classification;
- policy compliance table;
- key negotiation points;
- jurisdiction and cross-border issues;
- data protection review;
- operational resilience, service continuity and exit review;
- suggested legal and commercial questions;
- audit check.
For each policy requirement, the agent marks the status as:
- Present — the contract clearly meets the requirement;
- Partially Present — the wording is incomplete, weak, ambiguous, capped, conditional or too narrow;
- Missing — no relevant provision has been found;
- Not Applicable — the requirement genuinely does not apply based on the contract and facts supplied;
- Requires Confirmation — classification, facts, schedules or supporting documents are missing.
This gives the reviewer a clear starting point. Instead of beginning with a blank page, they receive a structured analysis that highlights evidence, gaps, concerns and negotiation themes.
Why the human-in-the-loop model mattered
In regulated financial services, speed is only useful if control is maintained.
The agent therefore includes explicit behavioural rules. It must not:
- approve a contract;
- claim that a contract is legally compliant;
- invent clause references;
- assume missing schedules exist;
- treat broad wording as sufficient evidence;
- ignore caps, exclusions, limited remedies or supplier-favourable terms;
- replace human legal judgement.
It must distinguish between:
- what the contract says;
- what the policy requires;
- what is missing;
- what requires negotiation;
- what requires legal, risk or commercial escalation.
This mirrors Virtco®’s broader view of governed AI adoption: the safest pilot pattern is often assistive rather than autonomous, particularly where compliance, risk or customer outcomes are involved.
The outcome
The feedback from end users has been strongly positive.
The most important reported benefits are:
- Time saved: reviews that previously took days can now be progressed in minutes.
- Quality of output: users describe the review output as outstanding.
- Consistency: the agent follows the same structured checklist each time.
- Better first-pass triage: reviewers can see the main gaps and negotiation points earlier.
- Reduced blank-page effort: the agent gives legal and commercial reviewers a clear draft structure to challenge, refine and complete.
- Low cost of entry: the solution uses a simple Copilot Chat agent pattern rather than a large custom platform.
This is exactly the type of outcome a thin-slice AI pilot should target: a contained, repeatable, measurable process where the team can build confidence in the assisted workflow. Virtco® recommends measuring time, quality and volume before and after an AI intervention so that value is evidenced rather than assumed.
What made the use case work
Three factors made this agent effective.
1. The problem was specific
The goal was not “use AI for legal”. It was much narrower: help reviewers assess outsourcing and third-party contracts against a defined policy and review structure.
That clarity made the agent easier to govern and easier for users to trust.
2. The policy was embedded into the workflow
The agent did not simply summarise contracts. It checked them against a structured set of policy expectations covering outsourcing, operational resilience, data protection, audit, regulatory access and exit.
This moved the output closer to the real work reviewers needed to do.
3. The agent was designed around review, not approval
The agent’s job is to accelerate analysis and improve consistency. Accountability remains with the human reviewer.
That balance is essential in regulated environments, where AI must support governance rather than create a shortcut around it.
Lessons for other regulated firms
This case study shows that useful AI adoption does not always require a major system build.
For many regulated organisations, the best starting point is a narrow, high-friction workflow where people already have:
- a clear process;
- a repeatable document type;
- an approved policy or checklist;
- a known review standard;
- identifiable human decision points;
- a measurable baseline.
That combination is ideal for a controlled Copilot or agent pilot.
The wider lesson is simple: do not start with the tool. Start with the bottleneck, define the control model, test the workflow with real users, then scale only when the evidence supports it.
Virtco®’s guidance follows the same principle: build pilots in the flow of work, use tools people already use, measure outcomes and train people at the point of need.
How Virtco® can help
Virtco® helps organisations design practical AI and automation use cases that are safe, measurable and aligned to business outcomes.
For regulated firms, that means combining AI delivery with process design, information governance, access control, adoption support and human review points.
If your organisation is exploring Microsoft 365 Copilot, Copilot Chat agents or AI-assisted review workflows, talk to Virtco® about where a controlled pilot could remove friction without weakening governance.
