There is no doubt that COVID-19 is forcing change and adaptability within organizations. As we continue to meet this new reality, some organizations are not only having to look internally to their business continuity plans (BCP) as they get tested, but must also consider specific provisions in third-party agreements incorporating strategic BCP provisions such as disaster recovery plans.
What Is A Business Continuity Plan?
A business continuity plan (“BCP”) is a critical component of an organization’s processes that is holistic in nature – considering every facet of an organization’s operations and engagements with customers and partners. The main components of a BCP are lowering risk, maintaining operations, qualifying partners and suppliers, product strategy, business execution, and maintaining access to applications, data, technology, and facilities. A successful BCP begins with the tone and conviction of the organization’s management team. A solid BCP will be developed by first conducting a business impact analysis that identifies the risks of disruptions to an organization’s functions including identifying key internal managers or personnel. Identifying these key personnel is important for internal succession planning as part of a resilient BCP. The next step is internally planning the framework that will include, organizing recovery teams, communication teams, developing relocation plans, writing the business continuity and disaster recovery procedures, document manual workarounds, assemble the plan, validate, gain management approval, and test the plan. The resiliency of a BCP is dependent on whether it is viewed as a static or evolving document. It is important that training is continuously offered to business continuity teams, orientation exercises, and that the BCP is updated as needed.
It is essential to consider the internal aspects of the business as well as external dynamics, including customer needs, economic demands and supplier deviations. For instance, a business should consider how their suppliers are affected and how these external factors will affect the business’ ability to operate, as well as the steps the business can take to overcome these challenges. As such, a critical component of a BCP is identifying the strategic partners, suppliers, vendors, and customers that are critical to the organization’s operations, and integrate these third parties into the BCP. This will compel an organization to take steps to incorporate certain provisions in agreements with these third parties, such as a disaster recovery plan for the preservation of critical data, minimizing downtime, or maintaining critical components of the IT infrastructure.
Ultimately, the BCP should outline how a business will continue to operate regardless of any disruptions caused by critical system failures, virus attacks, natural disasters, or any loss of access to the core infrastructure of the organization or impact to the supply chain. A BCP is a blueprint for strategy, tactics, and scenario planning to deal with an event or crisis, such as the one we are in today.
Disaster Recovery Plans in Third-Party Agreements
Because of the downstream effect, COVID-19 is having across the globe, parties are having to look at their third-party agreements to justify excusing performance, mitigating non-performance, or compelling performance. Parties should take caution and carefully review these agreements with legal counsel as there is often an interplay between provisions and an unlikely clear path to a desired outcome. This is even more so when an organization has specifically negotiated a disaster recovery provision in the agreement. These disaster recovery plans are part of an organization’s BCP. The disaster recovery plan’s purpose is to have a process in place that will allow a business to recover enough data and system functionality to allow the organization to continue operations. Since some IT infrastructure is outsourced to vendors, having a disaster recovery plan in agreements with these vendors is critical.
Under the difficult situation we are in today, some vendors may be finding it difficult to perform and contemplating ways to terminate agreements with minimal damage. However, if you are a vendor that has agreed to a disaster recovery plan provision, you may want to seek counsel before deciding you are unable to perform. These disaster recovery provisions are negotiated with the purpose of minimizing downtime in the event of a disaster and customers will argue that this is the type of situation contemplated by the provision. Understandably, no one could have anticipated the current circumstances we are in and this is where counsel can provide guidance by reviewing the agreements and advising on compliance and/or mitigation.
Preparing for a Potential Exit
The current state of things will no doubt result in the need for more than just a BCP for many companies. Anticipating potential exit strategies, including the worst-case scenario of bankruptcy, requires a deep dive into a company’s critical assets and agreements, IP, privacy practices and other essential aspects. Companies that have gone through a BCP “exercise” will no doubt be in a better position for the best possible exit because they have taken the time to assess the organizations’ global operations, strengths, and weaknesses. However, companies that take this one step further and leverage the information gathered in preparing the BCP to address additional legal and other issues that may potentially hold up an exit will be in an even better position. Taking the example of privacy and security, while an organization’s privacy practices may not be an essential part of a BCP, those practices will without question be scrutinized in the event of a sale – even in bankruptcy. In this day and age, one of a business’s most valuable assets is the personal information that it has collected from its customers or end-users – often more so than any of its tangible assets. But when a business becomes a debtor, the sale of personal information can be problematic. Section 363(b) of the US Bankruptcy Code provides that a debtor that has a privacy policy prohibiting the transfer of personally identifiable information (or that fails to disclose that the debtor may sell or transfer such information to third parties) may not sell or lease such information unless (1) the sale or lease is consistent with the terms of the privacy policy or (2) after the appointment of a consumer privacy ombudsman (CPO) the court finds, after giving due consideration to the facts, circumstances, and conditions, that the sale or lease would not violate applicable non-bankruptcy law. This is just one example of why now is the time to reassess your organization’s internal and external processes, above and beyond a BCP.
Final Thoughts
As organizations scramble to try to meet this unprecedented disruption caused by COVID-19, this is also an opportunity to strengthen internal processes or implement a BCP that could minimize the effect of disruptions like the one we are experiencing now. Critical to the success is not only having an internal process that can overcome these unforeseen disruptions, but also working closely with business partners and reflecting this partnership in agreements. Leveraging a BCP to address potential exit strategies will put an organization in the best possible position to weather the storm – no matter the outcome.
Please reach out to Hopkins & Carley’s Corporate attorneys with any questions. To stay up-to-date with the latest legal issues regarding COVID-19 please visit the Hopkins & Carley COVID-19 Resources page.