This column was prompted by an article in the Toronto Globe and Mail's Report on Business during that post-Christmas period of year-end retrospectives. In "Earthquake. Tsunami. Floods. Here is how a battered industry is getting back on its feet" (Globe and Mail, December 27, 2011), Greg Keenan analyzed how Japanese automakers were affected by recent natural disasters: last March's powerful earthquake and tsunami and the Thailand floods. The devastating impact was aggravated by problems with the automakers' suppliers: the automakers suffered severe parts shortages but were unable to adjust to these problems because of their inability to obtain critical information from the suppliers. Interestingly, in the longer term, the automakers have responded by: (i) developing a more extensive and intricate knowledge of their supply base, one that now extends down to third and fourth-tier suppliers; and (ii) requiring more flexibility from their suppliers, including that the suppliers retain more inventory on hand and have the capacity to shift production between factories.
The issues that confronted the automakers are potential problems for any business that outsources. Outsourcing customers should be thinking about the consequences of disasters, both those affecting themselves and those affecting their service providers, and including appropriate provisions in the outsourcing agreement to deal with these impacts. In this blog, I want to discuss some thoughts about these disaster recovery provisions.
1. Disaster Recovery Services are not "Included" Services
During one set of negotiations, just after the customer discovered that disaster recovery services were not automatically included as part of the base service offering, the customer's lawyer said, with some dismay, words to the effect that:
Your client has data centres all across North America and you have described to us your extraordinary depth of information technology experience. Surely, if a disaster were to occur, you have the expertise, ability and capacity to migrate our systems to one of these other sites.
Respectfully, in these circumstances, the customer's lawyer missed the point. Certainly, the service provider will have the expertise to respond. And, at the moment the disaster occurs, the service provider may indeed have personnel and infrastructure not otherwise occupied that are available to assist. But all that is serendipity, which is not a very strong foundation for the customer's disaster recovery plans.
Nor can an obligation for the service provider to provide the expertise, ability and capacity to respond to a disaster be inferred because the outsourcing contract happens to contain a "sweeps" provision such as the following:
The Services shall be deemed to include all other services, duties, functions or responsibilities that, while not specifically described herein, are reasonably and directly required for the proper performance and provision of the Services.
Even if it were possible to make this argument, it would be defeated by the force majeure provisions of the outsourcing agreement that excuse a party's non-performance resulting from events beyond its reasonable control.
In thinking about disasters, the customer should document its requirements for disaster recovery services in the outsourcing agreement so that it has firm commitments to which it can hold the service provider accountable.
2. Disaster Recovery Planning vs. Business Continuity Planning
A disaster recovery plan is not the same thing as a business continuity plan. The disaster recovery plan is a tactical plan, describing the process by which a business recovers from the disruption of a disaster. A business continuity plan, on the other hand, is more comprehensive. It describes how a business can continue to operate, and to make money, not just in the event of a disaster, but also following smaller disruptions, e.g. the departure of key employees such as the CEO, problems with suppliers, fraud or criminal activity, negative publicity or cyber-attacks. One definition of a business continuity plan I have seen is:
"Business Continuity Plan" means a description of procedures, information and advance arrangements that will guide the timely recovery and ongoing provision of services, programs and operations within a predefined period of time, following the occurrence of an event, including a Disaster, that interrupts operations or disrupts the delivery of the Services and includes a disaster recovery plan which details the back-up and recovery procedures to be followed by the Service Provider, in the event of a Disaster, for systems supporting essential services.
The disaster recovery plan will be a component of the business continuity plan and needs to be developed as part of the business continuity planning process. But it is not the same thing as a business continuity plan.
This means it is inappropriate for a customer to transfer the responsibility for developing, maintaining or updating the customer's business continuity plan to its outsourcing service provider. That responsibility should remain with the customer: it is the customer who needs to determine the level of interruption the business can sustain, the amount the customer is willing to pay for business continuity services and the role of insurance. The service provider's responsibility, within this context and using its technical expertise, is to develop the disaster recovery plan in conjunction with the customer and to provide the disaster recovery services according to this plan.
Still, there is one sense in which business continuity plays into development of the disaster recovery plan. Consider the new attitude of the Japanese automakers to their suppliers: the automakers are demanding more information about their supplier base including about the suppliers of their suppliers. In the same vein, as part of a customer's disaster recovery planning, and given the material adverse impact that a disaster affecting the service provider can have on the customer, the customer should be seeking information about the service provider's business continuity plan and perhaps about the business continuity plans of the service provider's material subcontractors.
3. Disaster Recovery Statement of Work
Although international standards exist (e.g. ISO/IEC 24762:2008: Guidelines for information and communications technology disaster recovery services), there is no well-defined level of disaster recovery services that can be incorporated into an outsourcing agreement simply by referring to "industry-standard levels of service". Instead, each outsourcing agreement should provide for a detailed description of the disaster recovery services to be provided to the customer including the steps to be taken before, during and after a disaster. This detailed description of services is normally set out in a separate statement of work and becomes, in effect, the disaster recovery plan.
The disaster recovery services statement of work should, for example:
(a) deal with the transition of responsibility for disaster recovery services from the customer to the service provider following signing of the outsourcing agreement;
(b) establish recovery point and recovery time objectives for the respective services;
(c) set out the obligations of the service provider to retain redundant resources or, if redundant resources are not to be provided, the steps to be taken following the occurrence of a disaster to replace resources impacted by the disaster;
(d) describe the services to be provided in response to different types of disasters;
(e) document the responsibilities for declaring that a disaster has occurred and the process to be followed;
(f) specify how frequently and in what manner (paper test versus simulation) the disaster recovery plan is to be tested and any rights of the customer to participate in the testing or to review the test results;
(g) require the service provider to remedy any deficiencies identified in the testing within a specified period;
(h) require the disaster recovery plan to be updated on a periodic basis and, in any event, following implementation of any material change in the services; and
(i) require the service provider to provide, within a specified period of time after declaration of the disaster, a report detailing the root cause of the disaster, the steps taken by the service provider in response to the disaster and any recommendations the service provider may have with respect to improving the disaster recovery plan for the services.
4. Force Majeure
One final point. Most outsourcing agreements will include a provision excusing a party's non-performance where the non-performance is the result of a Force Majeure Event:
"Force Majeure Event" means an event which is beyond the applicable party's reasonable control, and that interferes with, delays or prevents performance of the obligations of such party, provided that the non-performing party is without fault in causing or failing to prevent such occurrence, and such occurrence cannot be circumvented through the use of reasonable alternative sources, workaround plans or other similar means.
The definition of Force Majeure Event should be subject to the service provider's disaster recovery obligations: the service provider should not be excused from performance of the services following the occurrence of a disaster to the extent that the disaster is within the purview of the agreed-to disaster recovery plan.
Twenty-five years ago, outsourcing contracts discussed disaster recovery in the same breath as back-up and archiving of data. The agreements included provisions describing the frequency with which customer systems, information and data were required to be backed up, the applicable retention periods and storage locations and, occasionally, the service provider's obligations to verify its ability to retrieve data from tape. The agreements did not usually say much more about the services to be provided in the event of a disaster. But times have changed. Outsourcing agreements will now set out expressly how the parties are to deal with disasters and other interruptions of service. It is important, however, for the customer and the service provider to take a thoughtful look at these provisions to ensure that the parties' obligations in the event a disaster occurs correspond with their expectations.