Key strategies that organisations can implement to help transition back to ‘business as usual’ are outlined below.
- Embed Contract Management
- Avoid the temptation to put key supply contracts back on the shelf now they have been assessed for the immediate impacts of COVID-19. Now is the time to embed the lessons of contract management that COVID-19 forced on us. For example, check whether these contracts are still fit for purpose or whether the terms need to be reassessed in a post COVID-19 world (such as service levels and credits, performance requirements, termination events, flexibility to address ongoing supply-chain issues). Have you pivoted into online trading without terms and a privacy policy in place? Now is the time to check these things and kick off any change processes or start broadening your supply options to build further resilience for your organisation.
- If you haven’t pulled any contracts off the shelf, it’s not too late to do it. In particular, check whether any contracts have been left to expire or non-performance has otherwise been left unchecked. If you don’t, there is a real risk of waiving hard won rights you thought you had (and paid for). On the flipside, if you have made concessions on performance, assess the current status of the impact on performance and get written clarification, if you haven’t already, on an appropriate time frame for those concessions to be lifted.
- Avoid the temptation to put key supply contracts back on the shelf now they have been assessed for the immediate impacts of COVID-19. Now is the time to embed the lessons of contract management that COVID-19 forced on us. For example, check whether these contracts are still fit for purpose or whether the terms need to be reassessed in a post COVID-19 world (such as service levels and credits, performance requirements, termination events, flexibility to address ongoing supply-chain issues). Have you pivoted into online trading without terms and a privacy policy in place? Now is the time to check these things and kick off any change processes or start broadening your supply options to build further resilience for your organisation.
- Business Continuity Arrangements
- Are your own business continuity arrangements sufficient? Have you updated them to reflect COVID-19? Should you conduct further testing given the current environment may help detect further issues?
- Related to the contract management points outlined above, check if you should update your business continuity and disaster recovery requirements in your services agreements. Also, consider exercising any testing / audit rights with key suppliers.
- Are your own business continuity arrangements sufficient? Have you updated them to reflect COVID-19? Should you conduct further testing given the current environment may help detect further issues?
- Check Your Technology Requirements
- Are your policies around use of technology robust enough for the new remote working norm? Make sure your cybersecurity and privacy policies have been updated to help deal with the increased cyber-risk profile of employees working from home.
- Do your software licensing arrangements allow for the use currently being made / which you expect to be made going forward (e.g. are they linked to use at a certain site / on a specified number of devices, etc.) Do a self-audit before your software suppliers do. Also, do you need to conduct additional testing of your security systems (e.g. penetration testing)? Now is a good opportunity while people are in a range of home environments.
- Are your policies around use of technology robust enough for the new remote working norm? Make sure your cybersecurity and privacy policies have been updated to help deal with the increased cyber-risk profile of employees working from home.
- Privacy
- Related to the technology requirements outlined above, check your data breach response plans. Do they need to be updated to cover off risk associated with working from home? For example, does it deal with how to handle data breaches that may have occurred due to cyber-attacks on employees personal devices (which those employees may be using to work from home)?
- In relation to collecting health information of staff and visitors, have you relied on the ’employee records exception’ and ‘permitted general situation’ exceptions to collect and disclose COVID-19 related health data of your staff and visitors (see our related article on that point here)? Consider whether you can continue to rely on these exceptions when returning to BAU. The Office of the Australian Information Commissioner has indicated that APP entities should limit the use of these exceptions to what is necessary to prevent and manage the spread of COVID-19.
- Related to the technology requirements outlined above, check your data breach response plans. Do they need to be updated to cover off risk associated with working from home? For example, does it deal with how to handle data breaches that may have occurred due to cyber-attacks on employees personal devices (which those employees may be using to work from home)?