Operational resilience
The ability of an organisation to withstand disruption of its operations and still function determines whether or not it is resilient.
The actions taken in such events are often set out in business continuity plans (BCPs) or crisis management and disaster recovery procedures.
Many businesses, such as essential service providers, are legally required to have business continuity measures in place. Others, particularly technology suppliers, have them as a matter of good business practice.
UK and European financial regulators have introduced the concept of ‘Operational Resilience’, which will require financial organisations to set impact tolerances that their important business services can withstand in a crisis.
Contractual resilience
Embedding impact tolerances within the third party contracts that govern the provision of your important business services should be one of the key components of success in the drive to be resilient.
But what happens when the relevant event that causes the operational disruption is not isolated to your business but impacts the world at large?
Although no one can be expected to prepare for such an event, or even to have legislated against it in the contract, organisations can still deploy the main components of Operational Resilience post hoc in order to reduce disruption to their technology supply chain.
The key components required to achieve this involve communication and good contract management, which should be deployed via the steps described below.
Steps to achieve legal risk control over a tech supply chain
- Identify your critical technology supply relationships – if your organisation’s critical technology supply relationships are not obvious, identify your important or critical business services and products and work back from there to find the third party suppliers that contribute to their delivery.
- Situation report – build a situation awareness picture in respect of the current operational performance of each critical technology supply relationship. Work with your business stakeholders to identify and report on:
- What is going on with the relationship – is the supplier performing or failing? Do you know whether they have invoked their BCP?
- What isn’t known at this time?
- Reliance on automated processes vs. human intervention – in order to establish what is likely to fail.
- Stability of product and service in a business-as-usual environment – an automated process may be perceived to be more stable than a human one but not when that process usually requires constant attention by a developer who is now working from home in another time zone.
- Rank of each relationship from high (compliant) to low (non-compliant) – based on the information collected above. Prioritise which suppliers you focus on from there.
- Dig out the contracts – find the contracts that govern the critical technology supply relationships. Construct a spreadsheet containing the following information in respect of each contract:
- Primary purpose of the contract – what is the supplier required to provide under the contract?
- Core commitments – are the core commitments governed by service levels or service level agreements?
- Service performance assurances – are the commitments backed up by warranties, etc.?
- Information governance – how are the parties required to communicate with each other and to provide information?
- Escalation procedures – how should issues be escalated to senior personnel?
- Are there crisis-related measures? – does the contract contain a BCP or similar procedure? How are they invoked?
- Contractual relief – what relief from performing the contract can the supplier claim, such as force majeure or material adverse change or effect? Are these concepts defined? What are their triggers?
- No waivers – does the contract contain a no waiver clause, meaning that any waiver given or any acquiescence to a failure or breach will not constitute a permanent waiver?
- Governing law and jurisdiction – what law governs the contract, and to which forum should disputes be submitted?
Checkpoint
- This could be the time to digitise your contracts, if they aren’t already. Putting them into a digitally searchable form will allow you to collect the information listed above quickly with a limited amount of manual review (we can help with this).
- Jurisdictional issues should not be relevant while you are in rescue mode. You could, however, get ahead of the game by asking local counsel (if relevant) for their interpretation of the contractual reliefs while you focus on the practical steps.
- Identify the risks – your spreadsheet should contain some analysis of the information that you have compiled. Your interpretation of what the contractual position will be in the event that the crisis impacts the commercial relationship is crucial at this stage. This is when GCs and their legal teams add their value but remember to stick to your lane. What may seem obvious to you may not be to your commercial stakeholders. For example, can your organisation stop payment in the event a supplier fails in its service provision and/or relies on force majeure as contractual relief?
- Roles and responsibilities – roles and responsibilities, including leadership roles, should be assigned and drawn up. A RACI (responsible, accountable, consulted, and informed) matrix chart in the form below1 can be used for this purpose:
-
Supplier management – clear and open lines of communication with the critical suppliers should be opened as soon as possible by your procurement team or accountable business stakeholder. This should serve as an early warning system for situations that may arise, such as when a supplier may fail; whether a supplier will invoke contractual relief provisions; or when a supplier will implement its BCP.
Collaborating with the supplier to understand what their pressure points are can avoid some disastrous consequences later down the line. For example, relaxing certain provisions within the contract could allow the supplier to focus on other more critical areas of their service provision. Agree in writing that any such relaxations are temporary, however.
- Nuclear options – having contractual power over a supplier will not help you during a crisis. Termination is likely to harm a customer more than the supplier. Maintaining the status quo should be its key objective at this time. The same logic applies to claiming liquidated damages or service credits, which are often token gestures.
- Battle log – run a log of all major events that are occurring; the steps you have taken; and decisions made. You may not have time to implement these via a contract amendment, so recording them somewhere will serve as a useful reminder, and as evidence.
Where do we go from here?
- Technology will save us! – it always has. It will be even more valuable in a crisis. Technology supply chains play a vital part in ensuring the delivery and use of that technology. Their preservation should therefore be a priority of any organisation during a crisis.
- New normal – the longer a crisis continues, the more likely new ways of working become the ‘new normal’. Think about the good things that come out of working in this way and adopt them as your business-as-usual practice when we return to normality.
- RACI Template
Client Alert 2020-231
