COVID-19—Mitigating Risks to Critical IT Projects and Services

Written by Stephen Burns, Sébastien Gittens, Michael Whitt, Ruth Promislow, and Matt Flynn

Given the disruptions arising from COVID-19, organizations are well advised to consider how such disruptions will impact their key information technology (IT) projects and services. In particular, starting with those projects and services with the highest priority, we recommend that organizations:

• review and prioritize their in-flight projects and services (current and in procurement process);
• review their existing compliance, reporting, governance, risk identification and mitigation processes for the in-flight critical IT projects and services; such as:
  • licensing compliance (especially, given remote work);
  • service levels: specific service levels and related reporting;
  • key personnel;
  • confidentiality and cybersecurity;
  • change management;
  • business continuity and disaster recovery plans and processes; and
  • contractual relief, such as notice of disruption, excusable failure, and force majeure provisions;
• seek details from the relevant IT vendors and service suppliers as to:
  • how they are currently mitigating COVID-19;
  • how they plan to manage in the coming months, including:
    • supporting remote work;
    • using alternative communication and collaboration solutions;
    • restricting in-person meetings and maintaining social distancing; and
    • restricting travel, especially, international travel; and
    • compliance with any applicable recommended courses of action by the applicable public health authorities;
  • how they plan to prepare and manage the recovery from COVID-19;
  • how these plans will impact the critical projects and services, including their planned approach to resourcing (including key personnel), timelines, deliverables and governance; and
  • how these plans will continue to evolve as the world responds to COVID-19; and
• review (and, if needed, update) the organization's existing: (i) IT governance processes and resource availability to mitigate the potential COVID-19 disruptions; and (ii) applicable policies.

Organizations are well advised to adopt a pro-active approach to obtaining the information needed from their critical vendors with respect to their response to COVID-19 and to be clear about their expectations around the responsible mitigation, response and recovery activities which may be required.

If you have any questions regarding the information in this article, please contact a member of the Bennett Jones Technology Law group. In addition, please visit our COVID-19 Resource Centre for other COVID-19-related materials.