Despite calamities such as fire, flooding and cyber or terrorist attacks, your clients will expect you to be available when needed. Janet Noble looks at the importance of having business continuity plans in these uncertain times.
A business continuity plan (BCP) ensures that, following a disruptive incident, an organisation can continue to deliver products or services at predefined levels. It identifies potential threats and provides a simple framework for an effective response should an interruption take place.
The benefits
Many solicitors, especially those in smaller firms who are already struggling with the complexity of the rules and regulations, may question the benefits of a BCP. To take this view, however, would be short-sighted: it’s the smaller businesses which usually find it hardest to recover from the kind of event a BCP can address.
Having a plan:
- ensures you’re compliant with the SRA Code of Conduct 2011(IB 7.3) and Lexcel 1.3 (both of which require a BCP)
- establishes an alternative means of operations, limiting impact on business activities
- avoids financial and reputation damage by minimising disruption
- helps identify improvements to key processes which will be beneficial in the event of a disaster
- reassures and instils confidence in key stakeholders, including clients, staff and suppliers,
- could demonstrate to insurers you’re a good risk for PII cover.
Creating a plan
There are six stages to an effective plan.
1. Responsibilities
Allocate overall responsibility for business continuity planning to a partner or staff members of equivalent seniority.
It’s important they accept business continuity is part of their responsibility and that they’re willing to undertake tasks such as maintaining plans in addition to their normal roles.
You also need to secure buy-in from the management team and ensure all staff understand why the plan has been put in place.
2. Risk assessment
Conduct a site risk assessment to understand and evaluate the potential threat and the resources that directly support those site critical activities.
This will help maintain existing risk controls and implement additional ones to:
- reduce the likelihood of a disruption
- shorten the disruptive period if one does occur, and
- limit its impact.
3. Write the BCP
Plans will vary enormously between organisations but they should be as short and simple as possible and only include instructions on what do in an emergency. They should also be agreed by all partners within your firm.
4. Business impact analysis
It’s important to fully understand the impact on the organisation of a loss, interruption or disruption of business activities.
You will need to decide which activities are critical to your key services (for example, access to banking services if you are a conveyancing business) and identify what resources and assets need to be in place to continue delivering those services.
Test your plan as fully as possible, involving any third parties you intend to rely on.
5. Implement a maintenance process
Document the agreed strategies and tactics, including priorities, procedures, responsibilities and resources, in a format that is quickly accessible and easy to understand in the event of a disruption. These are the documents that will enable you to return to a pre-determined level of service.
6. Embed and communicate the BCP to staff
To be successful, business continuity must be seen as an integral part of how things are done, rather than a separate activity.
Review the plan at management meetings and train staff to be aware of it.
Regular exercises will get everyone involved so that if an incident occurs, staff will recognise it and be confident in responding to it appropriately.
Top tips
- Identify five to 10 events that would create the most damaging internal or external crisis for your firm and prepare a strategy for dealing with each of them.
- Insist all staff practise these crisis management techniques through role-playing and, where appropriate, with the help of PR, human resources and IT professionals.
- Review your policies and procedures on a regular basis.
Further information
- The Law Society has published useful information on cybercrime
- The SRA has published a regulatory risk framework
- A business continuity plan template is available to buy from the Law Society Bookshop