There is no doubt that COVID-19 is forcing change and adaptability within organizations. As we continue to meet this new reality, some organizations are not only having to look internally to their business continuity plans (BCP) as they get tested, but must also consider specific provisions in third-party agreements incorporating strategic BCP provisions such as disaster recovery plans.
What Is A Business Continuity Plan?
A business continuity plan (“BCP”) is a critical component of an organization’s processes that is holistic in nature – considering every facet of an organization’s operations and engagements with customers and partners. The main components of a BCP are lowering risk, maintaining operations, qualifying partners and suppliers, product strategy, business execution, and maintaining access to applications, data, technology, and facilities. A successful BCP begins with the tone and conviction of the organization’s management team. A solid BCP will be developed by first conducting a business impact analysis that identifies the risks of disruptions to an organization’s functions including identifying key internal managers or personnel. Identifying these key personnel is important for internal succession planning as part of a resilient BCP. The next step is internally planning the framework that will include, organizing recovery teams, communication teams, developing relocation plans, writing the business continuity and disaster recovery procedures, document manual workarounds, assemble the plan, validate, gain management approval, and test the plan. The resiliency of a BCP is dependent on whether it is viewed as a static or evolving document. It is important that training is continuously offered to business continuity teams, orientation exercises, and that the BCP is updated as needed.
It is essential to consider the internal aspects of the business as well as external dynamics, including customer needs, economic demands and supplier deviations. For instance, a business should consider how their suppliers are affected and how these external factors will affect the business’ ability to operate, as well as the steps the business can take to overcome these challenges. As such, a critical component of a BCP is identifying the strategic partners, suppliers, vendors, and customers that are critical to the organization’s operations, and integrate these third parties into the BCP. This will compel an organization to take steps to incorporate certain provisions in agreements with these third parties, such as a disaster recovery plan for the preservation of critical data, minimizing downtime, or maintaining critical components of the IT infrastructure.
Ultimately, the BCP should outline how a business will continue to operate regardless of any disruptions caused by critical system failures, virus attacks, natural disasters, or any loss of access to the core infrastructure of the organization or impact to the supply chain. A BCP is a blueprint for strategy, tactics, and scenario planning to deal with an event or crisis, such as the one we are in today.
Disaster Recovery Plans in Third-Party Agreements
Because of the downstream effect, COVID-19 is having across the globe, parties are having to look at their third-party agreements to justify excusing performance, mitigating non-performance, or compelling performance. Parties should take caution and carefully review these agreements with legal counsel as there is often an interplay between provisions and an unlikely clear path to a desired outcome. This is even more so when an organization has specifically negotiated a disaster recovery provision in the agreement. These disaster recovery plans are part of an organization’s BCP. The disaster recovery plan’s purpose is to have a process in place that will allow a business to recover enough data and system functionality to allow the organization to continue operations. Since some IT infrastructure is outsourced to vendors, having a disaster recovery plan in agreements with these vendors is critical.
Under the difficult situation we are in today, some vendors may be finding it difficult to perform and contemplating ways to terminate agreements with minimal damage. However, if you are a vendor that has agreed to a disaster recovery plan provision, you may want to seek counsel before deciding you are unable to perform. These disaster recovery provisions are negotiated with the purpose of minimizing downtime in the event of a disaster and customers will argue that this is the type of situation contemplated by the provision. Understandably, no one could have anticipated the current circumstances we are in and this is where counsel can provide guidance by reviewing the agreements and advising on compliance and/or mitigation.
Preparing for a Potential Exit
As organizations scramble to try to meet this unprecedented disruption caused by COVID-19, this is also an opportunity to strengthen internal processes or implement a BCP that could minimize the effect of disruptions like the one we are experiencing now. Critical to the success is not only having an internal process that can overcome these unforeseen disruptions, but also working closely with business partners and reflecting this partnership in agreements. Leveraging a BCP to address potential exit strategies will put an organization in the best possible position to weather the storm – no matter the outcome.
Please reach out to Hopkins & Carley’s Corporate attorneys with any questions. To stay up-to-date with the latest legal issues regarding COVID-19 please visit the Hopkins & Carley COVID-19 Resources page.