Navigating the impact of the pandemic on technology contracting in preparation for a post-COVID-19 world.
By Brian Meenagh and Alexander Hendry*
A recent Latham.London blog post recommended five steps that customers should take when procuring technology and related services in light of COVID-19 and future pandemics. This blog post examines five additional considerations for customers based in the Middle East.
As a starting point, the recommendations in the Latham.London post still apply, and Middle East customers should:
In addition, Middle East customers should consider the following.
1. Dealing with local resellers
Many of the world’s international technology vendors do not supply directly to customers in certain Middle East countries. Instead, they resell their technologies and services through local partners who may, in turn, add value to the arrangement by providing parts of the solution — most typically, implementation or maintenance services.
If a customer is purchasing technology or services from a local reseller, the customer should consider how such reseller might be affected by a pandemic, for example:
International vendors may make changes to longstanding arrangements as a result of COVID-19. For example, international vendors may decide to build new on-the-ground capability in key Middle East markets, to reduce their reliance on local resellers. Customers should speak to local resellers and international vendors about their plans, and how future procurements might be affected and restructured as a result.
2. To what extent is a vendor dependent on international travel?
Throughout the Middle East, technology vendors are often dependent on international travel routes remaining open. This may be because a vendor:
The world has learned the fragility of free movement. The operating assumption is that borders will reopen, but when and to what extent remain unknown. Moreover, there are no guarantees that this will be the last global event that forces borders to close.
Middle East customers should scrutinise the extent to which international and domestic travel is a critical necessity for a technology vendor, and ask questions about possible alternative arrangements should travel become difficult or impossible.
Depending on the circumstances, and if remote working is not possible or inadequate, customers may wish to prioritise vendors with locally based personnel, or require that a vendor maintains a certain percentage or number of its personnel resident in the customer’s country or city. Customers should also consider this more broadly across their technology supply chains, to ensure that they are not overexposed to the vulnerabilities of any one particular travel route, country, or area.
Business continuity and disaster recovery (BCDR) schedules, a key feature of contracts pursuant to which services are provided on an ongoing basis, have traditionally focused on handling physical disruption to vendors’ delivery infrastructure. From now on, these schedules should also address how the vendor will continue to provide services in the event of a pandemic and any resulting restrictions on international travel.
3. Remote capability
The governments of a number Middle East countries took swift and decisive action in response to COVID-19, including, in some countries, the comprehensive closure of private sector workplaces except essential services. In many places, and even industries, this was the first time that, to carry on doing business, companies had to enable their personnel to work remotely — and many were simply not prepared.
Remote working likely will be more common post-COVID-19. Therefore, customers should consider:
Customers will want to ensure that their businesses are equipped to handle any future scenarios in which remote working is desired or becomes a necessity.
4. BCDR vs. data localisation
COVID-19 has changed perceptions of what constitutes good BCDR planning. In recent history, catastrophic events — even wars and natural disasters — have typically been confined to a single country or region. Consequently, in many archetypal BCDR scenarios, having a backup data or service centre a few hundred miles away might be considered sufficient.
Pandemics are unique in the geographical scale and timing of their impact. They affect a large number of countries, and they can do so quickly and almost concurrently. In such circumstances, relying on a failover site in a neighboring city, or even country, may be unwise, and broader “geographical hedging” (i.e., having contingencies located farther apart, in different countries, regions, or continents) may be required.
This can be particularly challenging in the Middle East, where certain countries have data localisation requirements that oblige customers to store their data in the same country as the customer, and prohibit or restrict its export. Therefore, a vendor’s backup data centre cannot be outside the customer’s country.
Throughout the COVID-19 pandemic, data centres have proved to be fairly resilient, and their most vulnerable component may be their people. So how will a vendor ensure that any personnel who need access to a data centre can have it? And to what extent is remote access a viable alternative?
Customers should ask vendors how they intend to ensure that their contingency measures are sufficiently geographically diversified, whilst maintaining compliance with local laws. Customers should also investigate how a vendor’s BCDR planning dealt with the pandemic, and ensure that any failures or weaknesses have been addressed.
Also, localisation requirements may not always apply to all data. Customers should involve their information security teams to determine what data must be stored in-country and what data can be stored offshore.
5. Increasing regulation — who bears the cost?
In response to COVID-19, many governments, including several in the Middle East, have invested heavily in their respective private sectors to help mitigate the economic impacts of the pandemic. At the very least, such investments are likely to be accompanied by increased scrutiny of the benefitting industries and businesses. They may also be followed by increased regulation, requiring businesses to take certain precautions and implement preventive measures to give them the best chance of weathering the next pandemic or economic disaster, and to limit the need for state intervention in the future.
With that in mind, customers should keep scanning the horizon to ensure that they are not caught off-guard. Governments may take a risk-averse approach to some of the issues discussed in this post, and in some countries, new regulations may emerge, such as regulations that require businesses to invest in on-shore technology, or that make it more difficult for customers to receive services that are dependent on international travel.
Customers should also ensure that their technology contracts contain adequate “Change in Law” and “Change Control” provisions, to ensure that they fairly apportion any risks or costs that may arise as a result of new legislation, and any changes to the solution that are required as a result.
So what next?
The coming months, perhaps even years, will see considerable change that will have a material and lasting effect on technology contracting. For many customers, it may be difficult to know what their own business will look like post-COVID-19, let alone what their technology supply chains will look like. But the customers who learn from the impacts of COVID-19, and who adapt their approach to technology contracting accordingly, will be the ones best-placed to succeed in a post-COVID-19 world.