Covid-19 (coronavirus) and IT: The business partner in the IT environment influences the performance of the own IT

published on 10 March 2020 | reading time approx. 3 minutes

 
How can the own company react to this?

 
Through a varying degree of outsourcing in IT or through a certain dependence on third parties within the IT services in the company, Covid-19 can also indirectly affect the availability, performance and security of your own IT in such a way that it is serious­ly endangered. What recommendations can be made here against this back­ground of risk?

The performance of the integrated IT suppliers, IT service providers, and in general third-party providers and service providers such as computer centre operators is elementary in view of the Covid-19 threat situation. As the coronavirus becomes more widespread, it can be assumed that these third parties will also be affected to varying degrees. Partial to complete failures are to be expected. Concrete preparations must be made with regard to three phases:

• Preparatory Phase »

• Phase in Case of Crisis »

• Post-Processing Phase »

In the following, we would like to provide valuable information on how the company should behave.
 

Preparatory Phase

Depending on the local course of the distribution of the coronavirus, one or the other company still has some room for manoeuvre for preparation. With regard to IT suppliers, IT service providers, computer center operations, etc., it is important to include the infrastructure and geography of these partner companies in the risk analysis.

In concrete terms, this means whether the existing risk analysis with regard to IT has also included the effects of personnel failures or the availability of resources of these third parties in the risk assessment. If this is not the case, the risk analysis should be extended or corrected by these dimensions.

The conclusion to be drawn from this is whether, if the risk assessment is adjusted, the emergency measures existing in the company are also adequate or also require adjustment.

In concrete terms, this means in any case:

• Classification of business partners in the IT environment into risk classes according to their significance for the individual IT services in your own company
• Assessment of partial and complete failures with regard to the emergency plans defined or yet to be defined
• Determination and integration of a partial crisis team for the business partners in the IT environment within the corporate crisis team

Depending on the importance of the business partner in the context of the classification into risk classes, this also means

• Clarification of contracts against the background of service levels, performance owed, especially in emergencies/crises, and agreed reporting and expiration conditions, any contractual penalties that may exist, etc.
• Despite the existence of various certificates (PS 951, C5, DIN/IEC 27001 etc.) on the service provider's performance and security, it is also necessary to assess the current status of the service provider. For this purpose it is necessary to query the availability of personnel and resources required for the own IT services for the first time and thereafter continuously. Emergency controlling is a suitable option!
• Determination of the point in time at which the emergency specifically occurs with regard to the business partner and the sub-crisis team must be convened.
• This presupposes that the company has designed and prepared emergency measures in advance with regard to a partial or complete failure of one or more business partners in the IT environment.
  • Contractual assurance about an alternative business partner (e.g. emergency services via an emergency computer center, etc.) and definition of steps for taking over the services.
  • Adjustment of own service levels to the business areas for a limited period of time (i.e. lowering of own service levels such as availability, restart, accessibility etc.).
  • Temporary reorganisation of services within e.g. the group (takeover of support services by foreign subsidiaries etc.).
  • Acceptance of a potential failure, possibly with transfer of the financial risks to an insurance company.

 

If the company lacks the capacity and know-how for the preparation phase, it is recommended to involve the Rödl & Partner crisis team.

 

Phase in Case of Crisis

If, according to definition from the preparation, the crisis occurs and one or more business partners in the IT environment are affected, measures are initiated in line with the defined emergency plans.

As a general rule, it can be assumed that the contingency plans only partially cover or foresee the emergency that has actually occurred, so that the first action of the sub-crisis team is to analyse the current situation and derive options for action.

Depending on the severity of the course of Covid-19, it can be assumed that the promised services of the business partner may have to be legally demanded at short notice.

Depending on the severity of the course of events in your own company, your own ability to implement the contingency plans could also be threatened in the event of multiple emergencies. In this case it is recommended to involve the Rödl & Partner crisis team.
 

Post-Processing Phase

In addition to the effort required to return the emergency-related reorganisation measures to normal operation, the following also apply

• to re-embed the individual crisis situation in the concepts as a lesson-learned solution,
• if necessary, to conduct a dispute with the claims of the business partners with regard to additional and special services,
• to restore the correctness with regard to the internal control system, the allocation of rights by the emer­gency operation, etc. and to check the successful production and
• to check whether the emergency measures have restored the level of data and information security to an optimal level.
• For this purpose, it is recommended to run an ongoing cybersecurity check for your own company and your business partners in the IT environment right at the beginning of the emergency.

It can be guessed that the company has an enormous amount of work to do in the post-processing phase with regard to the actual business model in the environment of catching up on purchasing backlog, production backlog, etc., so that the resources in the IT environment may be lacking. In this case it is also advisable to involve the Rödl & Partner crisis team.