Business Continuity Contract Guidelines

1. General

Before entering into any agreement it is necessary to determine the criticality of the service and the appropriate continuity approach. Best practice would suggest this is done by means of a Business Impact Analysis (BIA).

The BIA will provide information on the criticality of systems, maximum tolerable downtime, Recovery Time Objectives (RTOs), etc.

. All services, including resilience and continuity requirements, requested from a supplier must be specified upfront. If this is not possible, at least a roadmap must be specified as to when the business continuity requirements will be assessed and/or reviewed, to avoid the unnecessary costs and risks of retrofit.

. Any risks that remain unmitigated should be owned and signed off at Director Level.

2. How critical is this service

BS 25999 (The British Standard for Business Continuity) defines critical activities as:

. Those activities which have to be performed in order to deliver the key products and services which enable an organization to meet its most important and time-sensitive objectives

The BBC has defined business critical as:

. Areas/services/processes essential to our output on air and/or On-Line. Viewers, listeners and/or users are likely to notice disruption immediately/within seconds or minutes

For individual Divisions & Services, the BIA will provide information on criticality.

The impact of technical convergence should also be considered, e.g. a network failure may previously only have affected desktop PCs but could now affect Broadcast and other critical technologies such as VoIP (Voice over IP) telephony. It is essential that this is considered when the BIA is completed to assess criticality.

3. Dependencies

Before entering into a contract, any dependencies / interdependencies, including reliance on third parties or technical resources within the BBC to deliver services, must be established.

Where the BBC’s reputation could be at risk if the service provider fails to deliver, consideration must be given to appropriate resilience & DR arrangements. Examples could include General Election programmes, Wimbledon etc.

Where the BBC may incur liabilities for a service failure, it may be appropriate to have back-to-back contracts to agree with the BBC’s service provider how the liabilities will be met.

4. Governance & Policy

. The Service Provider should be required to demonstrate ownership at Board level of Business Continuity Management.

. The Service Provider should be required to maintain a formal and effective Business Continuity Management System that is consistent with BS 25999.

. The Service Provider must put in place Business Continuity Plans, based on BBC requirements. Consideration should be given to whether the BBC should pre-approve plans (Visibility & Control) or whether the BBC should have visibility only.

If the BBC has visibility and control this may affect our ability to apply any contractual sanctions.

5. Business Continuity Plans

. Service Providers’ Plans should consider the capability:

  o of capacity planning and flexibility
  o of delivering appropriate resilience levels
  o of delivering Risk Assessment & Business Impact Analysis
  o of meeting Broadcast/Output Criticality requirements
  o of Monitoring & Reporting business continuity activity
  o of meeting Availability requirements (*See maintenance below)

. The planning process should ensure completion of:

  o Risk and Business Impact Analysis
  o identification of single points of failure
  o Disaster Recovery (IT) arrangements
  o Crisis Management Plans
  o Incident notification and escalation procedures
  o Key contacts and numbers
  o Regular plan Maintenance
  o Regular rehearsal programme

6. Technical Maintenance

. The BBC and service provider should agree appropriate targets for maintenance, particularly of critical 24/7 plant.

7. Failure to perform and service credits

. If a supplier fails to perform to agreed levels (SLAs) then service credits may be received from that supplier. SLAs with agreed levels of service credits for non-compliance must also be agreed for Business Continuity requirements.

. Although it is important to agree what sanctions will be applied following any failure (such as Service credits or Liquidated damages) it is important to remember that the reputational damage may already have been done by the time the sanction is applied.

8. Force Majeure Clause

The basic concept of Force Majeure is to release the parties from their obligations in the event of such an incident. Often this clause is specific in detailing the instances when Force Majeure can be invoked and includes events such as floods, power outs, industrial disputes etc. All of these are the exact events that we would expect Business Continuity plans to cover.

The Force Majeure clause must therefore indicate that either:

. should any Force Majeure event occur, the business continuity requirements continue to be delivered, and on what basis, i.e. on a “best endeavours” / “reasonable endeavours” basis

Or

. that the Force Majeure clause specifically names the types of impacts for which the Service must continue to be delivered e.g. Pandemic, Industrial Action, Utilities failure etc.

9. Exit Clauses

. The contract should detail how the contract can be exited, what the obligations are on handover to the BBC or another supplier, and what, if any, the Intellectual Property rights of the supplier are over any of the services they provide us.

. Consideration should be given to the specifics of any exit plan, particularly around availability of specialist skills.