Business Continuity and Disaster Recovery

Dr Sam De Silva analyses Best Practice for Business Continuity and Disaster Recovery Schedules in Strategic Commercial Contracts
Business disruptions, whether the result of natural disasters, technology failures or criminal acts (each an "incident"), can threaten the business of a customer. Business continuity generally refers to the capabilities needed in the wake of an incident to restore the functionality and availability of networks, systems, and data. Recovery and reconstitution methods must be adequate to cope with the consequences of an incident. If a customer has engaged a service provider to manage various functions or processes on its behalf, the responsibility for business continuity usually falls on the service provider.

In addition, an outage at a service provider's facility can impact delivery of customer projects, and customers want to be assured that the service provider has a sound business continuity plan. An increasing number of customers also demand that the service provider remains responsible for continuing delivery of the service irrespective of whether the outage was caused by a force majeure event. Such demand is particularly high in services contracts where the service provider proposes to run the customer's business processes.

The business continuity provisions in a services contract should set out the customer's requirements in relation to business continuity, including the requirement on the service provider to develop, review, test and maintain a business continuity plan and, as a subset of it, a disaster recovery plan.

The business continuity provisions will typically set out what level of adverse impact on the services is appropriate in order for the provisions of the Business Continuity Plan to activate (either in relation to all services or on a service by service basis, depending on business criticality).

Structure

The general requirements relating to the business continuity provisions are usually set out in the terms and conditions at the front of the contract. Such provisions are likely to set out the obligations of the service provider in relation to the development and testing of the Business Continuity Plan and compliance with the services related to business continuity.

The Business Continuity Schedule will set out the detail of either:

  • the initial Business Continuity Plan; or
  • the required content of the Business Continuity Plan together with the procedures and processes for agreeing the initial draft within set timescales following the effective date of the contract.

It may or may not be feasible or desirable to agree a baseline draft of the Business Continuity Plan prior to the effective date of the contract depending on:

  • the nature of the services; and
  • the amount of work to be undertaken before the commencement of the operational phase of the contract.

Business Continuity Schedule

The Business Continuity Schedule should set out the detailed provisions relating to business continuity including the requirements on the service provider to develop, review, change and maintain a Business Continuity Plan.

It should be noted that the obligations placed on a service provider with respect to business continuity and disaster recovery may vary considerably depending upon the nature of the project. On one hand the service provider may be required to provide a full and integrated business continuity and disaster recovery service; on the other hand it may simply be required to undertake a limited range of functions that interface with a wider set of business processes. Consequently, the scope of the Business Continuity Schedule will vary correspondingly.

What follows in the remainder of this article is considered to be typical but must be tailored to the particular business needs of any given project.

The Business Continuity Plan is a dynamic document which must adapt to the changing needs of the customer's business, the nature of the services and the mode of service delivery. It is also possible that the Business Continuity Plan will need to be developed to cover new contingencies during the term of the contract.

If it is not practical or feasible to develop a baseline Business Continuity Plan before the effective date of the contract then the Business Continuity Schedule needs to set out the detailed procedure and applicable timescales for the Business Continuity Plan to be agreed. The customer should retain control of approval of the document, and the right to require amendments or additions to it, in order to ensure that the requisite content is included.

Depending on the complexity of the services, it may be the case that the Business Continuity Plan will need to deal separately with different services or service streams depending on the:

  • business criticality; and
  • severity of impact of a disaster.

Key Principles

The key principles underlying the Business Continuity Schedule should be:

  • to ensure that, in the event of a failure of or disruption to the services, the customer is able to maintain continuity of service provision or restore services fully within a specified period of time (for example, x hours);
  • to prevent loss of data;
  • to prevent or minimise (as far as possible) any impact on the achievement of the service levels; and
  • to ensure that normal provision of the services is recommenced as soon as possible.

The Business Continuity Plan needs to address all possible levels of impact on the Services (from minimum disruption to total failure) and predict (as far as possible) the range of disasters that might affect the services.

by Dr Sam De Silva

Partner - Head of IT Law and Outsourcing Law, Penningtons Manches LLP

Dr Sam De Silva is a partner and the head of the IT and Outsourcing practice at leading UK law firm Penningtons Manches LLP. His main areas of practice are technology projects and the outsourcing of technology and business processes.  He has been published widely and speaks regularly on these topics and is Chair of the Law Society's Technology and Law Reference Group. Sam is also one of very few UK solicitors who is a Fellow of the Chartered Institute of Purchasing and Supply (FCIPS), Fellow of the British Computer Society (FBCS) and a Chartered IT Professional (CITP).  He is also an IT Law Accredited Member of the Society for Computers and Law.  