
Step-in to the real world? Interesting tips on step in rights in IT contracts

Step-in to the real world? (How to ensure that your outsourcing step-in rights are effective and enforceable)

United Kingdom 

Outsourcing service providers frequently complain that customers demand rights and remedies which are simply unrealistic given the nature of the services. A prime example is when a customer insists that its outsourcing contract include broad “step-in” rights that allow the customer to take over service delivery if there is a service failure (or even an imminent risk of a service failure). In our experience, step-in rights are an area where a healthy dose of realism would benefit negotiations and result in a better contract.

Over recent years, step-in rights have become a standard remedy in outsourcing deals (particularly, in regulated industries such as financial services). However, all too often, step-in rights are treated as boilerplate or included in contracts as part of a box-checking exercise, with little consideration of what is actually practical. Meanwhile, technology solutions and service delivery models have changed dramatically, leaving traditional step-in approaches out-of-date.
In the past, it was more common for outsourced services to be provided on a dedicated basis (often using technology and personnel transferred from the customer). In those cases, a step-in option is a more plausible remedy. In theory, the few retained customer IT staff would be able to re-enter the customer’s old data centre and supervise its former employees running the company’s former equipment. However, more often these days, outsourced services are provided through shared infrastructure and facilities with non-dedicated staff and significant use of third party technology. Cloud-based services are a perfect example of the direction that modern service delivery has taken. As a result, the traditional “across-the-board” step-in is almost never appropriate – but you’d never know it from many contract negotiations.
Rather than wasting time and effort negotiating a set of step-in rights which are not going to achieve the customer’s aims and, at best, will only act as leverage in the event of a critical service failure, outsourcing customers should pursue targeted and realistic step-in rights. Not only will that cut down on lengthy and difficult negotiations but, more importantly, it also means that, if a serious service problem occurs, the customer has a workable remedy.
BACKGROUND - WHAT ARE STEP-IN RIGHTS?
Step-in rights are intended to offset the risk of service failure and help ensure continuity of service delivery in the event that the service provider is unable to perform.
In general terms, “step-in” means the right of the customer to step into the shoes of the service provider (i.e., replace the service provider in the provision of the services). However, there is no standard definition of “step-in”. In its most traditional sense, it means that the customer (or its nominee) steps in to manage the service provider’s own resources used to provide the services. Or, more practically, it can mean that the customer either steers the services away from the service provider to another provider temporarily (and, thus, overrides any exclusivity provisions) or merely interposes a much greater level of hands-on management and control over the service provider’s service delivery. Understanding the impact of service delivery realities on step-in rights and the contractual issues that they present are key elements in choosing appropriate levels of step-in rights and developing a practical contractual approach.
ARE STEP-IN RIGHTS MANDATORY?
When outsourcing in the financial services sector, there is a common perception that step-in rights are mandatory.
In the UK, this is not the case. However, the UK Financial Services Authority has indicated that step-in can help demonstrate compliance with regulatory requirements such as those under MiFID (Markets in Financial Instruments Directive 2007) which require the regulated entity to take appropriate action if it appears that the service provider may not be able to carry out its functions effectively and in compliance with applicable laws and regulatory requirements. Accordingly, it is advisable for financial services organisations that operate in the UK to consider including step-in rights as part of the risk mitigation approach in all of their material outsourcing agreements. But the question remains: What type of step-in rights actually work?
In the U.S., step-in rights are not expressly required by regulators of financial institutions. However, step-in rights could form part of the type of overall risk mitigation strategy recommended by regulators.
CHALLENGES AND CONSTRAINTS
In order to come up with practical step-in rights, the customer should identify up-front all of the potential challenges and constraints, for example:
  • the location from which the outsourced services are performed (e.g., if the services are provided from an offshore location, this may make any form of hands-on step-in extremely difficult);
  • the customer’s level of internal resources and expertise (often customers do not have the internal skills and experience that would enable them to run a step-in service effectively);
  • any regulatory authorisations/licences which would be required to perform the services;
  • any restrictions on the service provider’s ability to provide the customer (or its nominee) with access to third party software, equipment, etc;
  • the potential of further disruption and adverse impact to service performance if step-in rights are exercised; and
  • in cases where the customer wants a third party to carry out the step-in, the potential difficulty and expense of finding a provider that is willing and able to step in within the required time frame.  
We explain further on in this Alert how an outsourcing customer can try to address these types of challenges and constraints when formulating its step-in approach.
TRIGGERS
In addition, the customer will need to consider carefully the circumstances that will trigger step-in rights. For example, triggers could include the following:
  • a prolonged force majeure event which will, or is likely to, cause a serious threat to the business;
  • a material breach by the service provider or another event which entitles the customer to terminate the contract;
  • a material interruption or delay in the provision of the services;
  • a serious risk exists to the health or safety of persons or property;
  • step-in is required to comply with law; and/or
  • step-in is required or advised by a regulator.
Again, when negotiating the triggers, the customer should try to be realistic. The service provider is likely to push for very limited and narrowly defined triggers which are linked to material failures and/or critical circumstances (e.g., where the remedy is more proportionate). If there are more practical and reliable remedies available for certain circumstances (e.g., requiring the provider to relocate service delivery from a primary to a back-up site), the customer should focus on tailoring those remedies rather than relying on step-in rights as a cure-all for service delivery disruptions. Step-in rights should never be relied on as an alternative to robust disaster recovery and business continuity planning.
NOTIFICATION
A contract will need to specify how the customer may exercise its step-in rights (e.g., whether the customer must notify the service provider in writing that it is exercising its step-in rights, detailing which services will be affected and when the step-in period will commence). The service provider may push for a more detailed notice procedure. It is also likely to require a backstop date so that the step-in period cannot continue indefinitely (particularly where the service provider has fixed management costs which it would continue to incur even if services are suspended and/or if it is subject to key personnel provisions which would prevent it from moving personnel off the account during the step-in period).
EXTENT AND NATURE OF STEP-IN
The customer will want its step-in rights to be as flexible as possible. However, before demanding a blanket right of step-in in respect of all or any of the services (which is likely to be resisted by the service provider), the customer should consider whether particular services are indeed severable or whether interdependencies exist which mean that there will be practical constraints on exercising step-in rights only in respect of certain parts of the services.
STEP-IN ACTIVITIES
Of course, the customer’s main aim is to ensure that the services are kept up-and-running. The question is: How should step-in rights help that happen? Historically, step-in would involve the customer taking over the running of the services temporarily while they were being stabilized. However, it is increasingly rare to find the circumstances where that is going to be appropriate. Taking over service provision is likely to involve the customer having to take control over facilities and staff, not just software and hardware. And how feasible is it for the customer to parachute into a secure data centre and start telling someone else’s employees how to run a service without a detailed knowledge of the underlying processes and procedures? Moreover, where services are provided from an offshore site or using shared infrastructure or the “Cloud” and non-dedicated staff, taking over the running of the services is not going to be workable.
Accordingly, the customer should move away from the traditional all encompassing step-in rights and focus instead on sensible and workable alternatives. For example, more practical step-in rights could involve:
  • suspending the service provider’s performance of the affected services and procuring services that are equivalent to the affected services from an alternative third party for the duration of the step-in event (and thus overriding any exclusivity provisions); and/or
  • imposing a much greater level of hands-on management or control over service delivery, whether that involves actively supervising/managing service provider staff based at the customer’s sites, requiring service provider staff to undertake certain training, appointing customer personnel or a third party to shadow the service provider’s personnel to try to evaluate the underlying cause of any service problem, etc., and/or requiring the service provider to include the customer and/or any third party appointed by the customer in any remediation discussions and planning undertaken by the service provider.
The first approach to engage another provider to take over service delivery works best in cases where the services at issue are severable and can be performed remotely or from the customer’s facilities. This avoids the difficulty of convincing the original service provider to allow a substitute provider (and a competitor) to access its facilities and systems. If the customer has appropriate internal resources, it could also temporarily in-source the applicable services as a means of preventing service disruption without having to engage a new provider. In the best of all worlds, the customer would have arrangements in place with a panel of qualified providers who are familiar with the customer and the services, allowing the customer to redirect work from the troubled provider to another provider standing ready to perform. This flexibility is, in part, one of the reasons for the popularity of multi-sourcing.
The second approach to exercise greater management control over service delivery could work well as a first step in a two-phase step-in where management efforts are first employed to avoid a more substantial step-in. The oversight approach could be implemented through a set of emergency governance procedures that are triggered when service interruption appears imminent. Using existing governance committees and tools that are agreed upon in advance in the account governance documentation would reduce the potential delay of implementing entirely new structures at a critical time.
STEP-IN ASSISTANCE
Whichever form of step-in rights the customer exercises, it should consider what support and assistance it will need from the service provider (e.g., obtaining, or assisting the customer to obtain, any required authorizations, consents or licenses; providing access to infrastructure, resources, data, facilities, premises, personnel and information, etc.). Key areas of cooperation should be specified in the contract. Outsourcing contracts usually include general commitments from the service provider to cooperate, but detailed requirements that reflect the service delivery environment and the realities of the customer’s internal constraints will pay off if the customer ever finds itself ready to exercise its step-in rights.
CONSEQUENCES OF STEP-IN
To avoid any disputes, the effects of exercising step-in rights, in particular on the charges, should be considered up-front. From the customer’s perspective, it will not wish to pay any charges which relate to suspended services and will want the service provider to pick up any additional costs incurred by the customer (for example, incremental amounts above the charges that are paid to a third party substitute provider). However, the service provider may resist this, particularly where it has fixed costs which cannot be defrayed or mitigated if the services are suspended, or where the step-in trigger is not related to the service provider’s default (e.g., where force majeure is the trigger, etc.). In addition, the service provider may argue that its costs have increased as a result of certain acts or omissions committed by the customer or any person acting on its behalf during the step-in period and may wish to recover such costs from the customer. Understanding and assigning responsibility for the financial consequences of a step-in is critical to reaching a reasonable solution.
It is also wise to detail the impact of step-in on the performance of the services, including on the service levels. The service provider will seek reasonable service level relief if the step-in involves the customer or another provider taking direct control of service delivery. In cases where the step-in rights involve more subtle forms of control, such as greater oversight, the customer may argue that service levels should continue to apply.
There may also be other impacts that need to be considered (for example, the service provider may push for an express statement that the customer is liable for any damage to the infrastructure, etc., that is caused by the customer (or its nominee) during the step-in period). Again, the appropriateness of such requests depends on the level of step-in exercised by the customer.

STEPPING-OUT
The parties will also need to decide how and when the step-in period comes to an end. Again, the customer is likely to want to cover ‘stepping out’ in general terms (e.g., if the step-in event comes to an end or the service provider can demonstrate to the customer’s reasonable satisfaction that the step-in trigger no longer applies, the parties will agree and implement a ‘step-out’ plan). However, the service provider may push for a more detailed step-out procedure, including a specific notice period, etc. Customers using replacement providers will need to ensure that the step-out plan aligns with the replacement provider contract. In cases where step-in is exercised through enhanced governance and management oversight, the step-out plan could be carried out as a phased reduction in the customer’s increased supervision. Of course, even after exercising step-in rights, the customer may decide that it needs to terminate the affected services or the contract, and the contract should make clear that the customer will retain its termination rights despite having invoked step-in. Retaining that flexibility is key for the customer.

CONCLUSION
By being more realistic about what is achievable and thoughtfully assessing the mechanics of step-in rights, customers can help ensure that their step-in rights are not a toothless remedy, but are an effective tool to deal with critical service failures.
