Takeaways

You should review your (and your suppliers’) business continuity and disaster recovery plans in light of COVID-19. Many supplier contracts give you the right to review and request updates to the plan.
Key business functions and material service providers should be the target of review of business continuity and disaster recovery plans. Watch out for deficiencies in scope; scale; risk prioritization; monitoring, testing, and communication processes; and flexibility.
Correcting deficiencies in business continuity and disaster recovery plans, together with a review of the interrelated security provisions, service levels and force majeure clauses, protects your organization, employees and customers.

Business continuity and disaster recovery (BC/DR) plans are an essential element of your and your suppliers’ business—an increasingly apparent fact as we now face the uncertainty caused by COVID-19. Your agreements with suppliers and service providers likely account for exigent circumstances via force majeure and BC/DR provisions, and reviewing and updating those contingencies now is imperative. The following steps will help you critically review how the BC/DR plans supporting your organization plan for COVID-19.

1. Identify Critical Suppliers/Services

Start by identifying and prioritizing your key suppliers. First, consider which products and services are critical to your business. If downtime of a given supplier-system would impair your mission-critical functionality, that supplier should top the list.

Second, the nature of the supplier’s product or services should play a role in your prioritization. Services that rely on highly concentrated personnel resources, such as call centers and service desks, will likely be the first wave of impacted services. Alternatively, infrastructure-related outsourced functions will be less impacted by workforce-related issues, but they may be negatively affected by increased user volume as more users shift to online services while in isolation. Supply-chain issues related to hardware deployment are also possible.

If your agreement permits you to request a copy of the plan, do so. Many suppliers are proactively providing updates and revised plans—but requesting additional information about their obligations and asking specific questions is invaluable in your ability to assess the plan.

2. Review BC/DR Plans and Identify Deficiencies

Whether you are reviewing your own, or your supplier’s BC/DR plan, determine first whether it properly accounts for pandemic circumstances. Your garden-variety plan may not appropriately account for a pandemic. Most BC/DR plans respond to data transfer outages, natural disasters or terrorist events. Pandemics differ in both scale and duration to these events.

While a terrorist attack, for example, would target just one region of the world, COVID-19 has spread vastly and rapidly. At present, very few geographic locations have yet to see cases of the virus. As such, BC/DR plans that properly account for the risks associated with a pandemic will be global in scope, and they will contemplate a disaster that impacts a significant number of people spread out geographically. Similarly, a pandemic, unlike the usual disaster triggers, is not a one-time occurrence. Even as we endeavor to “flatten the curve” of COVID-19, it is impossible to know if it will be contained or if it will reoccur. The BC/DR plan should present long-term solutions, with contingencies that can be reactivated at any time.

Once you have established that the BC/DR plan is appropriate in scope and scale, also consider the following elements:

  • Appropriate Risk Assessment and Prioritization: While it is important to have the basics covered in your BC/DR plan, such as alternative service delivery locations and action plans, the best plan puts the health and safety of your employees and customers above data security and financial concerns. Ensure that the plan considers these priorities.
  • Comprehensive Framework: The plan should consider all personnel roles, infrastructure, and products in your supply chain. It should not be limited by location.
  • Testing Capability: Proactive testing of plans (and changes thereto) to account for progressing circumstances is a central element of successful BC/DR. Ensure that there are frequent opportunities to test the systems and processes, and that the results are shared with the correct stakeholders. Testing capability gets bonus points if it builds in business impact analysis that considers the financial and regulatory implications of the BC/DR trigger on the business.
  • Agile and Responsive Oversight: The parties supervising implementation of the plan should be agile and responsive. A top-down approach that requires management buy-in and labor force cooperation will be most effective.
  • Transparency: There should be sufficient reporting and communication obligations in the plan. Understanding how your suppliers are reacting is key in keeping your business running—and it has the added benefit of creating a record for posterity on how the BC/DR evolves throughout the crisis.

3. Correct the Deficiencies

If your or your suppliers’ BC/DR plan is deficient, utilize the mechanism in your agreement for requesting updates or supplements to your plan. In addition to correcting any gaps as compared to the elements mentioned above, consider also requesting the following, specific to viruses or pandemics:

  • Escalation Points: No plan should be static. As the COVID-19 landscape shifts, so too should the right BC/DR plan. There should be appropriate triggers for escalation such as areas in the supply chain declaring states of emergency or lockdowns. Instituting escalation points that trigger more aggressive actions in turn necessitates monitoring of the global situation on an active basis. The more responsive the plan is to the uncertain future of COVID-19, the better.
  • Regulatory Obligations: Organizations in heavily regulated industries, like health care and financial services, should consider how the regulatory landscape is changing to accommodate the current circumstances. Monitor the evolving standards and ensure that any new requirements are quickly and seamlessly incorporated into the existing plan. For example, both the FFIEC and FINRA have updated their requirements for BC/DR, and these new standards should be the lodestar of revised plans for financial-industry companies.
  • Creative Solutions: As they say, desperate times call for desperate measures. Your plan could allow for unique mitigators, such as cross-training programs in the event of a loss in workforce or use of new remote working platforms. Also, reprioritize focus on “running the business” as opposed to discretionary projects. Cooperative plans that require both you and your supplier to share some of the burden may also be necessary, and even prudent, to ensure you remain engaged in solving the problem a business interruption creates.
  • Safety Hatch: The risk of continuing a relationship with the supplier may outweigh the benefit. At this impasse, consider whether your agreement permits shifting to an alternative supplier (via termination for convenience, force majeure clause, etc.). Alternatively, if your organization is able to perform the function in-house, prepare to transition the services accordingly.

4. Review Agreements for Related Clauses

Force Majeure

Sometimes a crisis is so catastrophic that a business is unable to continue or recover. In that case, look to your force majeure clause. Generally, force majeure clauses are narrowly construed and will only excuse a party’s nonperformance that has been rendered impossible by an unforeseen event. In many cases, pandemics or the like are not addressed in force majeure clauses, but are addressed in BC/DR plans. Before this “nuclear option” is triggered, which often results in contract termination, consider whether the BC/DR plan is sufficient to carry the business forward even during trying times. For more information on whether your force majeure clauses cover COVID-19, visit Pillsbury’s COVID-19 Resource Page

Security

Ensure that the BC/DR provisions, especially when updated, do not run counter to security requirements. Remote working, specifically, can trigger data security and processing issues, and therefore, such policies should be considered critically.

Service Levels

Force majeure events or other exceptions may excuse a supplier’s performance-level obligations or provide relief from service level credits. Account for this risk in your own BC/DR by seeking backups or other providers to fill in the gaps.

5. Conclusion

There is no more critical time to review your and your supplier’s BC/DR plans. Failing to react during this pandemic may leave your bottom line—and more importantly, your employees and customers—at risk.

Pillsbury’s experienced crisis management professionals are closely monitoring the global threat of COVID-19, drawing on the firm's capabilities in supply chain management, insurance law, cybersecurity, employment law, corporate law and other areas to provide critical guidance to clients in an urgent and quickly evolving situation. For more thought leadership on this rapidly developing topic, please visit our COVID-19 resources page.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.