The current COVID-19 pandemic has severely disrupted supply chains and business operations around the world, and its impact continues to reverberate across every economic sector. While nothing can avoid risks inherent in a global pandemic, this article offers a risk mitigation and contracts review process specifically focused on an organization's third-party customer and vendor relationships. This process may be applied not just to pandemics, but more generally to other crises as well.

Step 1: Plans and Teams: When possible, establish incident response plans in advance (these may vary depending on the type of crisis) and perform regular exercises to test the plans (referred to as "tabletops"). This is already best practice for mitigating cybersecurity incidents and lessons learned there can be applied more generally. The plan among other things should identify the team responsible for the organization's response to a particular type of crisis. But if no plan exists, when disasters arise, organizations quickly should establish the team responsible for leading triage and decision-making during the crisis. The team might include key business decision-makers, operations, disaster recovery specialists, crisis subject matter experts, supply chain managers or others familiar with key vendor and customer relationships and risk managers. Team members required may change over the course of the crisis. 

Step 2: Identify Critical Risks for Third-Party Relationships: Identify and maintain a knowledge-base of supply chain vulnerabilities along with an updated database of key relationships both upstream and downstream and corresponding contracts (e.g., contracts with key suppliers or vendors and key customers). Examples include critical infrastructure providers, sole-source suppliers and third-party sourced mission-critical services. Pull the executed contracts for these key relationships. Creating an organizational culture that invites rather than stifles communication, along with easy-to-access means of reporting concerns, also can enable organizations to identify and mitigate critical risks early.

Step 3: Prioritization: Prioritize by assessing critical risks, including whether and the extent to which the key commercial commitments under contracts identified in Step 2 have or may become impacted.

Step 4: Upstream Contracts with Distribution Channel and Customers: In connection with your organization's supply of products or services, often the first step is to determine business impact. To do so, not only do you need to know what contractual commitments your organization has made, but also whether customer commitments to purchase can be modified, delayed or canceled. In evaluating third-party commitments, contract provisions should be evaluated holistically with an eye toward the potential liability under the contract if commitments aren't fulfilled. Are there "time is of the essence" or other provisions that impose strict requirements that increase risk of breach? What business continuity and disaster recovery commitments have been made and what is the extent to which they are being fulfilled? Are there force majeure or other contract provisions that may excuse performance and if so, is the crisis at issue covered (i.e., for COVID-19, is there a reference to pandemics, epidemics or outbreaks of disease or are the provisions subject to differing interpretations)? Note that there also may be non-contractual legal bases for excused performance as well so consulting with counsel can be helpful. In supply contracts, it is useful to pay particular attention to remedies, such as rights to procure goods or services at your cost, liquidated damages, contractual indemnities or termination rights which can shift risk dramatically. Review with counsel limits on contractual liability. Review insurance commitments and confirm that they have been fulfilled as well. Note too that there are circumstances when outside of a contract, performance may be excused.

Step 5: Downstream Contracts with Suppliers and Service Providers: With regard to an organization's own procurement of goods or services, strong contracting practices along with thoughtful supplier selection and careful scoping of services with decentralization of service locations can go a long way toward mitigating risk by minimizing supply chain vulnerabilities.

But when a crisis hits, as with channel and customer relationships, contract provisions should be evaluated holistically and legal rights outside of contract identified. Again, assess whether and the extent to which the vendor is excused from performance for the crisis at issue. If performance is excused, determine for how long and whether there are other available remedies. Is there, for example, an obligation to perform disaster recovery or business continuity despite a force majeure? Does the contract allow for ability to procure substitute goods or services from others and charge the nonperforming vendor for the incremental increase in cost to the company? Does the contract provide for contingent manufacturing rights or release and license of materials from technology escrows so that the company can exercise self-help? Should you have and elect to exercise termination rights, is the vendor required to perform the required transition services and at what cost? Have your suppliers' complied with their obligations to obtain insurance? Finally, if your organization has agreed to purchase exclusively from the supplier or service provider, look for any exceptions that might provide relief under the current circumstances.

Step 6: Identify Extra-Contractual Insurance and Business Options: Determine what insurance policies might apply to potential contractual or other business risk and whether seeking coverage is appropriate. Also, assess what business and commercial levers outside of contractual terms can be exercised to mitigate risk. With regard to "at risk" downstream suppliers, are there alternative sources of supply, inventory with third parties or buffer stock that can be tapped?

With regard to key customer relationships, consider what possible mitigation and remediation plans can be proposed. Does the organization have alternative and less impacted products or services that can be offered as stop-gap measure or can terms be renegotiated? For all contracts, are there commitments that your counterparty has made that they may be struggling to achieve (e.g., minimum purchase commitments), and do those offer opportunities for renegotiation more generally of the entire relationship on both sides?

Step 7: Legal Action: Legal action against third parties is often not the place many businesses will want to begin when mitigating risk. And not all legal claims arise out of third-party contracts. Nonetheless, when necessary, determine what if any legal action might be appropriate and if so, whether any terms govern how such legal action must be brought.

Step 8: Contracts Refresh: Finally, organizations might want to refresh their contract templates and consider whether amendments of deficient contracts with important vendors, channel partners and customers might be appropriate to address lessons learned and identified risks.

While the COVID-19 global pandemic has triggered unusually challenging problems both for buyers and suppliers, companies can manage and mitigate risk in the event of crises while minimizing disruption to the rest of their businesses by implementing an organized process, and strategically prioritizing the most consequential relationships.

Stephanie Sharron is a partner in Morrison & Foerster's Technology Transactions Group and is based in the Silicon Valley. Ms. Sharron advises companies on complex global procurement and supply transactions with a focus on technology-related transactions.