Planning for the unexpected

Software as a service (SaaS), delivered through the cloud, may be impacted by unforeseen catastrophes. Is it time to insist on a force majeure clause in such contracts?

Johannesburg, 18 Sep 2023
Leon Steyn, CEO of Dante Deo.
Leon Steyn, CEO of Dante Deo.

The advent of the cloud has seen an increasing number of businesses adopting strategies to take advantage of this new technology delivery model, notably in the office and productivity and infrastructure spaces. While its cost efficiencies might still be debated, the one advantage that cannot be denied is the agility and scalability offered by the cloud, particularly as one doesn’t need to invest in additional staff or technology in order to gain this benefit.

However, Leon Steyn, CEO at Dante Deo, points out that while many organisations are happy when signing, for example, a software as a service (SaaS) agreement, there are still clauses they fail to insert that they really should insist on.

“Essentially, I am talking about asking for a ‘force majeure’ clause, which is something generally included in contracts to deal with a situation where a party cannot fulfil its obligations, owing to an unforeseeable and unavoidable catastrophe,” he says.

“Notably in the SaaS space, the dynamics around access have changed, and if your company does not have access to the service provider’s data centre – due to an unexpected event like a war, strike, riot, flood or other act of God – you may well lose access to your software.”

Steyn is quick to add that the responsibility to request a force majeure clause lies with the customer, as it is unlikely that service providers would raise an issue that might lead them to have to assume additional risk.

“Thus, it falls to the customer to have the conversation with their provider around issues like the latter’s business continuity and recovery service (BCRS), whether there is enough redundancy built into their system if an undersea cable breaks, and (in South Africa) what contingencies they have developed to deal with ongoing load-shedding.

“I regularly meet clients who claim they have been unable to work due to a lack of access caused by one of these blackouts. So load-shedding alone demonstrates the tangible risk businesses face around the availability of infrastructure, and companies need to learn from this and start managing such risks more effectively.”

He adds that another looming risk is created by climate change, explaining that certain hardware can only function effectively with a certain temperature band. And don’t forget that the people who service the hardware can also only operate effectively in a comfortable environment, he adds.

“This is why it is necessary to raise the issue of force majeure, in order to ensure there is a balance of risk in the agreement. Of course, while it really is the service provider that should assume this risk, it is unlikely they will assume it all. So you will have to be just as clear as them when it comes to knowing exactly how to react and what to do, in the case of an unexpected event.”

Overcoming unexpected risks is achieved through a combination of proactive and reactive responses. Reactive, suggests Steyn, is an approach focused on creating a disaster recovery plan, a crisis committee or a war room, and running scenario planning and ‘what-if’ situations. Through these, it is easier to prioritise where your energy should be directed.

“However, there is also a proactive component, which involves things like looking at your IT controls – both within your organisation and with your external suppliers. This should include patch management, server uptime and recovery, and cyber threats,” he notes.

“You should also undertake an audit of these IT controls, both internally and with your highest risk vendors, to ensure you have a clear indication of what to expect, and more crucially, whether your service provider has the relevant controls in place to manage an unexpected event.”

Remember that the risk probabilities will only keep increasing in this open, digital world we live in. Therefore, it is critical to bring a force majeure clause and IT controls KPIs into future software agreements.

“The advantage for businesses in SA is that if we take the lessons learned from load-shedding, and other events like the July 2021 riots, we can quickly recognise the danger of failing to plan properly in an unstable political climate. Ultimately, it's about planning for the future by learning from the present.”