How have UK and US outsourcing arrangements been affected by the COVID-19 outbreak?

With outsourced services capable of being provided (in many cases) far from a customer’s site, in the early stages of the COVID-19 outbreak, customers and suppliers may have been confident that their outsourcing strategy would be unaffected by the outbreak. As the geographical scope of the outbreak widened to encompass all areas of the globe, many have been left wondering how resilient the outsourcing model will prove to be.  Indian BPO and/or ITO outsourced service providers (“OSPs”) in particular have been hit hard, given their reliance on sectors such as the financial services and insurance sectors.  Once the situation has stabilised, we anticipate all customers will be looking to reduce costs in response to a decline in their profitability which will affect all OSPs.  OSPs may have little leverage to resist demands to cut the costs of the services they provide.  But there may also be opportunities to maintain OSP market advantage through increased use of automation and more strategic use of AI to deliver low cost basic IT services.    

Impact of remote working

Given that many national governments have advised that all non-essential travel should be suspended and companies switch their workforces to working from home, this has inevitably caused significant consequences both for OSPs’ customers and the OSPs themselves.  OSPs are finding they now need to service a workforce which is now operating from multiple remote working locations or from a mirror site. It will likely also involve more reliance on call centres supporting the remote customer workforce who may be unfamiliar with remote work protocols and require much more assistance to be able to operate business as usual.  It may also place a strain on OSP systems due to the high number of people having to access systems remotely. 

This switch in delivery of services is mirrored by the way in which the OSP itself has to operate – with OSP employees also having to work from home in many countries, many of whom are reduced in number.  This can be problematic from a customer perspective as:

• some functions simply may not be capable of being delivered remotely from an employee’s home (and it assumes too that the employees have appropriate facilities to use to work from home, which may not always be the case);
• the OSP may not be able to meet the increased service volume required when the OSP employees are delivering the service whilst remote working. Even in ‘normal’ working circumstances, an OSP might have struggled to upscale in light of increased customer demand.  The obstacles to meeting demand for increased capacity whilst OSP staff are remote working and the OSP staff absence rate is likely to be much higher than usual should not be underestimated;  
• with OSP resource scarce due to staff shortages as a result of illness, furloughing or otherwise, OSPs may be taking difficult decisions about allocation of resources across all their customer contracts, and deciding which customer contracts to prioritise;
• some contracts require the OSP to deliver the services from a specific site, which is capable of audit and monitoring by the customer;
• there is likely to be at least a short term impact on an OSP’s compliance with relevant service levels: (i) whilst the workforce adjusts to remote working (if this is permitted by the contract) and; (ii) if the OSP workforce experiences a significant rate of COVID-19 related sickness absence; and
• there may be an impact on data privacy if the same data hygiene practices used at OSP sites cannot be implemented and audited as robustly in relation to OSP remote working employees. For European based companies, it is clear that regulatory authorities do not consider that the outbreak should prevent a company continuing to comply with its obligations under GDPR in respect of remote working data security practices. 

In addition, if OSPs are unable to maintain their workforce at full strength for cash flow reasons and are therefore taking the option to furlough their staff for a period of time, this may also affect delivery of services and the ability to meet relevant service levels.  On the flip side, customers who are also choosing to furlough staff / compel staff to work remotely may be looking to reduce the amount of services required (for example, if offices are unoccupied, this can lead to reduction in amounts of cleaning and facilities services required).  There may be productive commercial discussions to be had about adjustments which can be made to services and service levels during this unprecedented time.    

“Essential services” & outsourcing

Current UK COVID-19 regulations restricting movement permit key workers who cannot reasonably work from home with justification (‘reasonable excuse’) to leave home.  The ‘reasonable excuse’ criterion is also relevant to workers in a supply chain, whose services are necessary for the continued functioning of essential businesses.  Customers could consider providing them with a letter setting out the grounds for believing that they are important/critical to the customer’s ability to continue to keep providing key/essential services. This gives those within the customer supply chain additional support, when considering how the restrictions on movement apply to their own employees, as well as evidence to support their ‘reasonable excuse’ case if challenged by an enforcement authority.  The customer should also consider if those in its supply chain should also to consider issuing “justification letters” to those of their employees who are required to leave their home to work in case they themselves are challenged whilst performing their work activities (including travelling to and from the place where they are working).

Force majeure and frustration

Customers and OSPs may also be reaching for their contracts to establish if the force majeure provisions offer any relief from the consequences of contractual non-performance. In complex outsourcing arrangements, we would expect the contracts to include robust force majeure provisions which are likely (in most instances) to extend to the COVID-19 outbreak.  Absent any contractual force majeure provisions, parties to an English law governed contract would need to examine whether the common law doctrine of frustration would allow either party to show the contract has been frustrated, which is a much higher hurdle to overcome. 

OSPs will be looking to see if they can seek relief as a result of a force majeure event (such as the impact of government legislation preventing non-essential travel / forcing most businesses to close).  Where this is the case, an OSP would still be required to take steps to mitigate the effects of the event, but may be able to issue a contractual force majeure notice allowing suspension of the contract.  Weighing up the options available to the customer and the OSP may mean adoption of more collaborative commercial approaches, perhaps adjusting the contractual service level / service credit regime for a defined period of time, whilst the outbreak is on-going.  It is likely that if the customer’s obligations are limited to paying for the services it receives, that the customer could not rely on an applicable force majeure clause to excuse its non-performance.  This is because the COVID-19 outbreak will not, in most instances, be acting as the primary cause which prevents the customer from making payment to the OSP.  Refusal or deferral of payment (without more) may not be permitted under a force majeure clause, as the wording of the clause and circumstances which exist at the time it is invoked will determine its effect. Likewise, OSPs will not be able to argue in most cases that the fact the contract has become more expensive to perform due to the outbreak (perhaps because of increased wage bills, increased time involved in delivering a project) is a force majeure event entitling it to suspend or terminate the contract.  This is because changes in economic or market circumstances affecting the profitability of a contract or the ease with which the obligations can be performed are not force majeure events.   

Disaster recovery / business continuity plans

Most (if not all) outsourcing arrangements will contain highly detailed business continuity plans, especially for businesses operating in regulated sectors, developed collaboratively by the parties.   It will also usually be a contractual requirement that this plan be tested on an annual basis.  For instance, in the UK, the UK Financial Conduct Authority recently surveyed the outsourcing practices of UK life insurers (to assess the concentration risk posed by heavy industry reliance on a limited number of OSPs), looking at business continuity plans.  As OSPs typically conduct the business continuity testing, the amount of information provided by the OSP and the interrogation of the test results provided by the OSPs is critical as this enables proper assessment to be made of the resilience of the continuity plans.  In the life insurance context, the FCA was concerned that where only limited information is provided by the OSP it may not be possible to confirm that the testing is robust or that the continuity plans are fit for purpose.   

Customers may now be scrutinising the results of most recent testing to see if the analysis provided was sufficient to allow oversight of the OSP’s response to the COVID-19 outbreak. However, the type of disruption caused by the global spread of the virus may well not have been contemplated in these plans.  If services were to be provided from a different service centre (in the same country), in a situation of national shutdown, both the primary and contingency site would be affected by restrictions on business operations.  And contingency sites in other countries may also not be operational.   

What changes should businesses implement in light of lessons learnt from the COVID-19 outbreak? 

We see this outbreak as likely to change how OSPs plan for large scale customer remote working in the future.  Customers will also be revisiting their business continuity plans, perhaps engaging third party consultancies to undertake annual security reviews of their OSPs (together with a view of business continuity planning), going on-site to conduct the review.