Managing risk within a data centre business

Whilst as a data centre provider, we help to manage a customer’s business risk by offering greater security afforded by increased physical measures and a high level of resilience of the infrastructure, it shouldn’t be considered by customers to be the only safeguard that needs to be taken to mitigate all IT business risk. There is a popular misconception that as an operator, by agreeing to host equipment our data centre, we should then be exposed to unrealistic levels of liability which could put our own business at risk.

In the UK, it is considered absolutely standard for data centres to agree a service level agreement with the customer and a service credit regime covering the main critical services which is generally based on a percentage of the monthly recurring charges. It is also entirely normal to cap the amount of service credits payable each month.

In addition, standard colocation contracts have a limitation of liability cap inserted into the agreement which denotes the maximum that can be reclaimed in damages during a contract year or a contract term. The limitation of liability is normally set as a percentage of the annual recurring revenue. Some operators offer a fixed sum but the problem with this is that often the fixed sum can be entirely unsuitable for the level of risk. Another solution is to offer the greater of a fixed sum or a percentage of the annual recurring revenue. This is sometimes used where a contract might flex during the term. However, the bottom line is the level of liability agreed between parties should always be in proportion to the size and duration of the contract.

Within a liability cap it is also normal to have a list of exclusions for categories of loss that cannot be claimed for under contract – these include loss of data, loss of contracts or goodwill, economic loss and indirect or consequential loss. We assume that the customer will have their own disaster recovery plan including a regime for full back up of data, business interruption insurance, public liability insurance and property coverage for their own equipment.

While the levels of liability of a particular contract might appear to be acceptable if viewed separately, when considered in the aggregate an operator can soon find that its total levels of liability have reached unacceptable and uninsurable levels. To mitigate against this, we carry out quarterly audits of all new contracts; the areas we cover include agreed contractual levels of liability, service credits and caps, and contract exclusions. The audit also looks at the maximum estimated loss which is effectively the sum of liability across all contracts.

VIRTUS covers this position with insurance, however, many larger operators choose to ‘self insure’ their contracts; meaning they don’t have specialised insurance to cover their potential risk and consider that their business could comfortably cover any losses in the event of a claim or multiple claims.

VIRTUS hasn’t taken this view and we work closely with our insurance broker to ensure there are policies in place to cover all eventualities.

From a customer’s perspective it is important for the operator to have adequate Public Liability insurance to deal with any damages awarded in relation to 3rd party claims arising from injury or loss or damage to property. Typically, most customers will ask for £1-5 million, however, we insure at much higher levels to deal with a maximum loss scenario. We apply the same principals to Professional Indemnity insurance.

From a business protection perspective, in addition to always agreeing proportionate limits of liability with our customers and ‘right sizing’ our levels of Public Liability and Professional Indemnity accordingly, we further mitigate our risk profile by insuring against loss of revenue.
We have learnt that by regularly reviewing our risk profile on a quarterly basis we are able to evaluate any changes and quickly adapt to ensure that the profile remains steady despite our fast business growth.