Continuity planning takes drama out of a crisis

No matter how effectively a business protects itself through insurance, there are some events for which this cannot provide a complete solution.  For instance, insurance can never provide full or cost-effective protection against the long-term or permanent loss of clients, employees, reputation or employee loyalty.

Many organisations worry about how they would cope with a major catastrophe, such as fire, resulting in the loss of a key office.   Planning for such an event is often referred to in a variety of ways and the terms Emergency Planning or Disaster Recovery are often used to  describe a variety of different things.

It is suggested that a better way to approach such risk planning is to think in terms of planning for business continuity: there are many events which, although not a full scale disaster, could still seriously affect a firm if not handled correctly.   

Business Continuity Planning is the formulation of a detailed strategy incorporating pre-emergency planning, incident handling and post-event recovery, applicable to a variety of threats to the operation of the business.

Why plan?

Many organisations, not just solicitors, remain sceptical about the need for business continuity planning.   This can be for a number of reasons, but the most common in practice are:

The relative infrequency of catastrophic events

• Whilst this is correct, the point of Business Continuity Planning is to limit the impact of events, no matter how unlikely they may seem

A belief that, should a disaster happen, pre planning will be of limited use in any event

• Planning will always have beneficial effects in a disaster situation, since it allows retention of some measure of control

Confidence that any disaster can only effectively be managed on an ad hoc basis

• Responding to events as they happen is a superficially attractive option and is wedded to a belief that planning can never be an effective tool to manage an unexpected situation.  In practice, experience shows that ad hoc responses to disaster are seldom successful and they tend to create confusion and duplication of effort.

Business Continuity Planning is about having the ability to withstand interruptions to the business and having in place recovery procedures for critical processes.  An effective Business Continuity Plan will include the key actions, personnel and services needed to manage the incident or event and the recovery process.   Maintaining control in a crisis situation is important: there are likely to be a number of tasks to be completed and these should be undertaken in a logical way by designated individuals without prompting.   Duplication of effort wastes time and increases the chances of critical tasks not being attended to.

The creation of an effective plan is a complex matter, although the individual stages are relatively straightforward.  Difficulties in creating a plan usually stem from a combination of factors. Consider the following:

What to avoid:

Delegation: whilst delegation of the task of creating a Business Continuity Plan is acceptable, delegation of responsibility is not.  Without support and commitment from partners, the planning process will run into difficulties, both in the speed at which it takes place and the quality of the end product. Many plans languish in half-completed obscurity because responsibility no longer rested with people who had the authority to make decisions.   It should be borne in mind that the assets and business which a Business Continuity Plan seeks to protect are those of the partners – an effective Business Continuity Plan should be the product of enlightened self-interest.

Information overload: many individuals are put off planning for business continuity simply because of the amount of information and related steps which require to be addressed.   It is important to attempt to break down what can be a major project into easy to manage blocks. As long as these blocks are defined and have a set time for completion, business continuity planning can be a relatively painless process.

Lack of responsibility: as with any project, someone at a senior level requires to take responsibility for the progress of the planning process. This overall responsibility should ultimately rest with one of the partners.

Focus on IT:  Information technology is a vitally important part of most practices’ day-to-day business operations, even if this is restricted to accounts systems. IT disaster recovery is big business and there are many suppliers of specialised services, ranging from data recovery from physically damaged hard drives to hosting alternative sites with pre-configured client software. However, IT recovery must be viewed as one part of a successful Business Continuity Plan – recovery of IT systems must be incorporated as part of the overall business continuity strategy. Recent research from the Chartered Management Institute (CMI) highlighted the need for all businesses to take into account loss of skills as a factor of equal or greater importance than IT when planning for disaster.   This is particularly important for legal practices, which depend on the knowledge of individuals.

Complacency: the majority of Business Continuity Plans are untested: The CMI findings suggests that only 25% of businesses in the UK have a Business Continuity Plan which is subject to testing. Unfortunately, when planning for what could be a catastrophic situation, the option of testing under real conditions is undesirable. Although an annual test of the plan can be seen as an unnecessary burden, setting aside four or five hours every year may pay dividends should the worst happen.

Lack of awareness: Continuity plans are of limited use where few people know of their existence – in an emergency, time will be wasted if individuals do not know they are supposed to be following a plan.

The following should be considered when embarking on a review of Business Continuity Planning strategy:

Pre-emergency planning:

Physical security

Review security arrangements at a very basic level – making sure that those persons with office keys are aware of their duties regarding securing the premises and setting any alarm systems.  Practices without building alarm systems should perhaps review whether such a system might be a worthwhile investment.  Installation may also help to gain a reduction in office insurance premiums.   

Systems back-up procedures

Audit/review/test back-up procedures to ensure that they are effective.  Allocate responsibility for such procedures.  Provide appropriate guidance and training to the staff concerned.

Secure off-site storage of back-ups must be an essential element of a practice’s continuity procedures.

Insurances:

Review insurance arrangements to ensure that the scope of cover and the sums insured are adequate and check, specifically, the events in which business interruption cover will apply and the period for which that cover will operate.  For some types of cover, insurers require to have details of the firm’s equipment and it is therefore essential that insurers are advised timeously of any acquisitions of equipment/software.

Contact Details:

In the event of denial of access to your office, would contact details be easily and rapidly obtainable? Are there any others that should be on the list?  How would you contact clients if the office was closed or destroyed?

Incident Handling:

Have a plan in place describing, prioritising and allocating responsibility for the action to be taken in the event of a theft, fire, flood etc. and records being lost or destroyed. The plan should include a list of contact details of those who may be able to provide assistance according to the type of event.  This may include –

• the police
• the firm’s office insurers
• the Master Policy insurers (per Marsh), at least on a precautionary basis – it may be that loss of systems and data will result in claims
• the Society’s Chief Accountant. particularly if the firm’s accounting records have been compromised,
• Architects
• Loss adjusters
• Consulting engineers
• Local press
• Software suppliers
• IT consultants
• HSE
• Stationery suppliers
• Telecommunications provider

Post Loss Recovery:

The firm should have a clear idea of which are the most important parts of the business. Arrangements might be made for temporary relocation to other premises in the event of the firm’s offices being destroyed or severely damaged.  Ideally, there will be facilities to enable IT systems to be re-instated on a skeleton basis, sufficient to allow the practice to continue its business.  Sometimes this will not be a feasible option but the planning stage should have provided an alternative.

Similarly, from the impact assessment, the firms should have knowledge of which areas of the firm’s business require to be up and running according to a set timescale. That timescale could vary from hours to months (fig a) eg:

Planning:

When considering planning for business continuity, try to think of the types of situation with which you might be faced.   Whilst it is a remote possibility that the firm will be faced with a major incident, a minimum amount of time devoted to planning may pay dividends.  Situations in which a plan may be useful could include:

• Unexpected absence of a principal or fee-earner
• Having to evacuate the building during working hours
• Having to cope with an out-of-hours emergency

Each will require a different set of responses, both in terms of incident handling and recovery.  It may not be much of an emergency if a particular partner is absent for a short period through illness but if the absence threatens to be long term, does anyone else in the firm have the capabilities to pick up that partner’s workload?

It is impossible to provide generic solutions covering every eventuality but some pointers may be suggested by the following table.  If making a plan, try to think of matters that might be forgotten in the heat of the moment… (fig b)

This assumes that there are a number of tasks to be completed depending on the state of the building and whether access can be gained.

At the same time as X is undertaking his/ her set of tasks, someone else in the firm should be assisting – for instance, AB, when contacted, should know that he/she has to undertake certain tasks (Fig C).

Although this perhaps seems somewhat overblown, a plan like this avoids:

• X having to stand in the rain, wasting time trying to get in touch with members of staff
• Half of the staff turning up at the site to see if they are required

The table does not cover all of the issues and it stops short of looking at actual recovery of the business, which is something that firms should look at in detail.

Summary

Business Continuity Planning should be an important part of every firm’s overall risk management strategy. Whilst it is seldom at the top of anyone’s agenda, the effects of failing to respond efficiently to a crisis can be devastating – the majority of organisations without a continuity plan go out of business following a major incident.   It is easy to adopt the ‘it won’t happen to me’ attitude.   In all likelihood, it won’t. However, given that even simple steps – such as having an up to date off-premises list of key contacts – could help get a firm back up and running, time invested in some form of business continuity planning is time well spent.

The information in this page is (a) intended to provide guidance on matters of practical risk management and not on issues of law, (b) necessarily of a generalised nature and (c) not intended to endorse or recommend any particular product or service. It is not specific to any practice or to any individual and should not be relied on as stating the correct legal position. Alistair Sim is Director in the Professional and Financial Risks Division at Marsh UK Limited. Charles Sandison is a Consultant with the Business Risk Consulting Division of Marsh UK Limited. He specialises in risk issues resulting from new technology which includes advising solicitors on issues of information security.