Many law firms do not have an effective business continuity plan in place, imagining that insurance will cover them, or even that a real catastrophe could never happen to them. Lisa Hesketh explains why a plan is vital for every firm
The last few years have seen a worrying increase in the number of severe weather events in the UK, from widespread flooding in the north-west, Yorkshire and Scotland to localised flash flooding across the country. Storms caused widespread and repeated flooding, bringing significant disruption to transport, utilities and agriculture, and flooding over 16,000 homes and businesses in England alone.
A number of the businesses affected were high street law firms, which found their offices flooded. Some of the managing partners of those firms may have thought that something so catastrophic could never happen to them, and others may have simply hoped it wouldn’t. But the last few years have taught us that these types of weather events can happen in any part of the country, and affect anyone and everyone.
Every law firm needs to be prepared for the worst. Few firms can afford to get back on their feet after such a catastrophe, and none can bypass its compliance requirements to have a business continuity plan in place.
In this article, we re-visit the basics of business continuity planning, and provide some top tips, especially for small to medium-sized firms, on ensuring your plan is fit for purpose. And Louis Tolaini, of law firm Penningtons Manches, explains how his firm has revamped its existing plan to cover all eventualities.
What is business continuity planning?
Business continuity planning identifies potential threats to your firm, and provides a simple framework for an effective response should an interruption take place. Your business continuity plan is relevant in more circumstances than just following fire, theft or flood; it will help you to continue to provide services to your clients through adversities involving things like dealing with negative media attention, or a police cordon that includes your premises.
Why is it important?
Small and medium-sized firms often see business continuity planning as only being for large, multi-office firms with complex processes that warrant planning and preparation. However, the storms we have recently faced have affected many small and medium-sized firms – either directly, or indirectly in terms of economic recovery. Business continuity planning can help you to mitigate damage and get back up and running faster and more efficiently after an interruption.
Business continuity planning also:
- ensures that you are compliant with the SRA Code of Conduct 2011 (which mandates having a business continuity plan in place)
- helps communities recover sooner (small and medium-sized law firms are the lifeblood of communities)
- helps you identify improvements to key processes that will have a beneficial effect on a day-to-day basis, as well as in the event of a disaster
- reassures and instils confidence in key stakeholders, from staff to financial backers, during an event.
Why do I need it when I also have insurance?
Your insurers will give your firm assistance through the difficult initial period of disruption while you get your business continuity plan into action. However, a business continuity plan cannot replace insurance; instead, it will help make sure that when your insurance pays out, you use the funds in the most effective way possible, supporting activities that are critical to returning you to business as usual.
We come across many law firms which are completely reliant on their insurance during an incident – but did you know that before your insurance company will assist you during an incident, it has to accept liability first? That can take time, time you do not have: the first 48 hours are the most critical.
Having a business continuity plan in place should help to minimise the impact of any cost to your business, and reduce the timescale of any potential insurance claim, which should also help to reduce your business insurance premiums.
How do I put together an effective plan?
There are six steps to creating a business continuity plan. I briefly cover each step below. This guidance is based on the Business Continuity Institute’s Good Practice Guidelines 2013 .
Agree a business continuity plan policy
This sets out the scope and governance of your business continuity programme. Its primary purpose is communication. It should:
- outline why the plan is being implemented
- provide the context in which the required capabilities will be implemented
- identify the principles to which an organisation aspires
- explain how it could be audited.
It should provide your firm with a framework around how your business continuity plan is designed, built, and communicated to interested parties. It should be short and straight to the point, and be agreed by all partners within your firm.
Embed business continuity
This is the practice that continually seeks to integrate business continuity into day-to-day business activities and organisational culture.
For the implementation of a business continuity management programme to be successful, business continuity must be seen as an integral part of the way things are normally done, rather than a separate activity, and individuals within your firm must accept that business continuity is part of their responsibility. To achieve this, you need to involve individuals in your firm, ensuring that they are willing to undertake business continuity-related tasks such as maintaining plans, in addition to their normal roles. You also need to secure buy-in from the managing partner and management team, and ensure that everybody within your firm has an understanding of your business continuity plan and why it has been put in place.
This can be achieved through making business continuity an agenda item during management meetings, incorporating business continuity plans into standard operating procedures, including business continuity awareness sessions in staff training or induction processes, and scheduling business continuity exercises to get all staff involved.
This means that when an incident occurs, staff will be competent at recognising the incident, and confident at responding appropriately and in accordance with the business continuity plan in place.
Conduct business impact analysis
Business impact analysis (BIA) is the foundation on which your business continuity management programme will be built. It identifies, quantifies and qualifies the impacts on an organisation of a loss, interruption or disruption of business activities, and provides the data from which appropriate continuity strategies can be determined. It should identify the urgency of each activity undertaken by the organisation, by assessing the impact over time of an interruption. This is where, as a firm, you should list all threats that could cause disruption to your urgent activities. You should then put together a scoring system which balances impacts against probabilities, and estimate the impact on the firm of each threat, using your scoring system. This will allow to you to identify unacceptable single points of failure and prioritise them by the level of impact.
Design your programme
This is where you decide on appropriate strategies and tactics to determine how continuity and recovery from disruption will be achieved. You will use information from the BIA stage and decisions made at the policy-drafting stage to design solutions around continuity and recovery strategies and tactics, threat mitigation measures and incident response structure.
Some strategies could include an agreement with another local law firm or office, allowing you to use their facilities temporarily. It may be that you choose to subcontract some work out or have another office on standby. But whatever you decide, you need to consider your people, premises, IT, information and equipment.
Implement the plan
This is where you document the agreed strategies and tactics – including priorities, procedures, responsibilities and resources – in a format that is quickly accessible, easy to understand, straight to the point, and preferably on waterproof paper, to assist the organisation in the event of a disruption. These are the documents that will enable you to return to a pre-determined level of service.
Validate the plan
Validation is confirming that the new plan meets the objectives set out in the business continuity policy, and thus that the plan is fit for purpose. This is achieved through three processes: exercising, maintenance and review.
Exercising involves considering a potential scenario which may cause disruption to your business, and considering how you would use your plan in that eventuality. This stage will identify any issues, including areas for improvement and information that is missing. By testing your plan, you will also be developing teamwork and raising awareness of business continuity throughout your firm.
Maintaining your business continuity planning programme is vital. Put together a maintenance programme, including a planned maintenance schedule, to ensure that everything is up to date, arrangements are still in place and documents are managed.
Test your plan as fully as possible. This should also involve any third parties you intend to rely on. Specialist suppliers, such as work area recovery providers and business continuity transport providers, will respect you running test invocations.
The majority of businesses that suffer an incident do recover, but at what cost? Business continuity planning helps you to manage an effective and efficient recovery and minimise the professional damage and reputation to your firm which can result from a catastrophic event.
Enjoy this article? Get access to many more like it by joining the Law Management Section
Case study: Penningtons Manches
Penningtons Manches was significantly affected by the Bishopsgate bombing in 1993. Louis Tolaini, head of building management, explains what he has learned about business continuity planning over the years since.
Before the Bishopsgate bomb, had you ever thought about business continuity, or what you would do if something did happen that would impact on the way you operate?
Our approach prior to the bombing was extremely limited: taking back-up tapes off-site, and keeping contact records up to date. There was no formal business continuity plan, although we had looked at business continuity portals and were at the point of deciding that we could create our own plan, which is what we did following the bombing.
Other than the Bishopsgate bomb, has your firm suffered any other incidents?
Over the years, we have suffered numerous water escape incidents which have caused power loss and soiling of paper, together with damage to equipment.
How did Penningtons manage to get back to business as usual after the bombing?
We are extremely fortunate to have multiple locations – something which we have benefited from on various occasions when we have had to temporarily relocate people to other locations within the estate during an emergency. We were also fortunate to have good relationships with other law firms and managing agents which were able to provide ‘war-room’ facilities to set up temporary operations rooms for key personnel to work from.
What was the most difficult part about creating your business continuity plan?
What we found particularly difficult was how to define precisely what our plan should cover. This is a key question to ask at the start of your business continuity program – and in a recurring manner as the organisation changes – because all later activities will stem from the answer. It is tempting to just say, ‘Everything! We need everything to run the business completely, so why not recover everything?’. The trouble is, that makes for a terribly complicated, possibly overly expensive planning effort. The challenging part for us was making it clear to leadership what is most important and enabling a focused preparedness effort.
What resources were available to you back in 1993 compared to now?
At the time, we were completely reliant on insurers in identifying ‘specialists in recovery’ when, in fact, these specialists had limited knowledge and concentrated mainly on clearance rather than recovery of items. This is a far cry from where we are today with what is available to companies and the way technology can avert potential loss.
What do you think your biggest risk would be if you did not have a robust plan in place?
Loss of business, without question, and reputational damage therein.
What would you say to other law firms out there that are reading this and do not have a plan in place?
Do not delay. To create a successful, long-lasting programme, you must have the active, recurring engagement and participation of senior leadership and key subject matter experts within your organisation from the beginning. Once senior leadership takes an active role in the planning process, focus and prioritisation will trickle down, when people see the emphasis leadership places on business continuity. As the program matures and advances, leadership’s continued involvement will ensure a commitment to continual improvement, minimising the risk and making the business as robust as it can be.
In the aftermath of the Bishopsgate bombing, it was very easy to get buy-in from all partners and staff in creating an effective business continuity plan. Nothing can prepare you for the devastation of a terrorist attack, but what you can be prepared for is creating a clear communication path which is simple to follow for those involved in your company’s disaster recovery process.
We believe that engaging service providers across our firm is essential in creating and maintaining a business continuity plan which is relevant to the way we operate. Once created, regular review is essential. Penningtons Manches is a multi-site firm and as a result, we are often faced with recovery situations in one form or another. Real events test our business continuity plan, and we learn more each time one happens, so de-briefing following an incident is also vital.
As the firm expanded, we recognised the need to have expert support, because when a disaster happens, every second counts and you cannot wholly rely on people within your company to deal with often complicated and sensitive recovery situations.
As a result, we have now engaged with disaster recovery and restoration service providers, which have extensive knowledge within the industry, and decades of experience in dealing with all different types of incidents. It is important to Penningtons Manches that we can react quickly when an incident happens, so we have an emergency response service on hand 24/7/365, and in the event that we suffer something unfortunate which has the ability to impact on the way we operate, our service provider will attend the site within three hours. Because of their knowledge within the industry and their innovative processes, we can tap into specialist services such as drying and restoration techniques, which is a huge comfort for a law firm in the recovery of documentation.