Feature
posted 25 Aug 2010 in Volume 13 Issue 1
Masterclass: Crisis averted
Allen & Overy’s global business continuity manager Clive Restall shares his insights on how to keep business running smoothly in a worst-case situation.
Four things you will learn from this Masterclass:
1) How to increase your firm’s resilience against crises
2) What to include in your business continuity plan
3) How to prepare your recovery team and all staff
4) Which recovery provisions to prioritise
A robust business continuity management (BCM) programme is an essential element of any organisation’s defences. Insurance is no substitute. Effective BCM will protect the business and its stakeholders, maintain critical business processes and protect a firm’s reputation and client base.
This article identifies some of the challenges that the business continuity manager may face, and seeks to offer some ideas and guidance.
Management buy-in
Senior management support is essential to the success of a BCM programme. No one is going to take BCM seriously or devote time to it if there is no visible buy-in at board level. Hopefully, such support will be readily forthcoming because the management team will see value in the process as an instrument to:
· identify and reduce risk;
· increase the resilience of the firm;
· plan for crisis response; and
· plan for business recovery.
BCM is not just concerned with structuring large documents that will probably never be read and hopefully never be used. The process increases a firm’s resilience by minimising residual risk and provides a mechanism for response and recovery should a crisis or interruption occur. It also provides a level of confidence for clients.
Programme implementation will generate awareness of BCM across the firm and address training and exercises for the crisis and recovery teams. It is certainly not just a document! Accessibility of large amounts of information, such as contact details, will be essential during a plan invocation, but how to respond in a crisis needs to be second nature to a well-trained management team. In a crisis, the recovery teams are not going to spend the first two hours reading the planning document!
If you need to convince your senior management, then catalogue your own firm’s interruptions and near misses. Often, senior management will not be aware that some of the events have occurred. Culturally, there may be a desire to keep quiet about misfortune, especially where it might attract criticism but, if you keep senior management aware of how close their organisation sometimes comes to a serious interruption, BCM will be accepted as a necessity.
There is more ammunition available in the form of the SLA Code of Practice, Rule 5.01, which imposes an obligation on solicitors in England and Wales to plan for “the continuation of the practice in the event of … emergencies, with the minimum interruption to clients’ business”.
Once BCM is established in an organisation, it is likely that management will look to the BC plan as a basis for addressing minor incidents and interruptions – not just major occurrences and disasters. So the plan has to be adaptable to all kinds of event. In fact, this is good news, because it creates a management dependency on BCM for what are often fairly normal events such as bad weather, transport strikes and Icelandic ash clouds!
However, don’t expect the plan’s established provisions to be acceptable to management for all incidents. BCM practitioners will usually develop plans from a worst-case perspective. In the event of the total loss of an office or data centre, recovery objectives of 48 or 72 hours may be acceptable for some processes, and a plan to have 20% of people back at work within 24 hours may be an acceptable goal. But management will, rightly, demand ‘best possible’ recovery, regardless of the provisions of the plan. An incident will rarely result in total destruction. So, the task of the crisis team following an incident is to immediately assess resource availability and apply those resources to the very best effect. The expectations for recovery, in the event, may go well beyond what is stated in the plan.
Client expectations
Clients will expect their law firms to be resilient and to have recovery plans in place so that critical work can be progressed despite an interruption or disaster.
In addition to demonstrating to clients that it has dependable recovery plans, Allen & Overy can confirm the rigour of its processes through its certification against the British Standard (BS25999). Increasingly, A&O is receiving requests from clients to explain the substance of its recovery plans; it is important that we have a good story to tell, and the achievement of BS25999 is further evidence of a robust process.
Recovery strategy
It is important to be clear on what a recovery plan is expected to achieve. Traditionally, BCM has concentrated on processes and IT applications that are deemed business critical. However, in my view, BCM has progressed to a point where senior management would expect a superior level of recovery. Plans should aim to get as many people working as normally as possible, as soon as possible. Don’t just agree a worst-case recovery objective with the business and apply it to every scenario. Management will demand the best available recovery according to the circumstances.
The firm will only operate effectively and efficiently if the majority of its processes, IT systems and support services are available. Whilst direct service to clients will be agreed as the most critical process, many support services contribute to what is delivered – such as know-how, meeting room facilities, document production, printing, mail handling, scanning and archive file retrieval. Other services, such as time recording, billing and marketing, will support the operation and financial health of the firm.
Similarly, IT applications will vary in criticality. But, if a fee-earner is going to work effectively and efficiently, then he/she will need access to the full range of applications. Certainly, recovery can be prioritised in favour of the most critical systems such as email and document management, but recoverability of virtually all IT applications should be assured according to agreed timescales. The fee-earner cannot work effectively with only a partial toolbox. Recovery plans should identify all frontline and supporting applications and indicate their respective recovery times in order to provide a level of certainty in respect of all business functions.
Ensuring resilience
It is important to share the load and embed the process within the business. BCM is a programme that expands over time. The more that you do, both to add resilience and plan for a crisis, the more you will find to do. Help is needed!
Each business unit should appoint an administrator who will be the BC manager’s trusted helper. The administrators will plan maintenance and development in their own areas, support tests and exercises and provide the BC manager with a direct link to the business. The administrators provide a strong internal network of committed people.
The administrators need to be prepared to devote time to the process. Their role in support of BCM should be formally recognised in their job descriptions and in appraisals. Make sure that they are properly engaged; provide them with training; help them in the performance of their function – don’t just leave them to it! Don’t forget that they have a day job too.
Adding substance
Make sure that the plan can deliver what it promises. It is not just a shopping list of things that you hope will be achievable when a crisis occurs. Resources should be guaranteed as available or obtainable within prescribed timescales in order to ensure plan delivery. You can have no real confidence in a plan unless its provisions are assured (see box: Checklist).
If you use an external provider for recovery provisions, make sure it is one in which you can have confidence. Ensure that recovery provisions actually exist and are not promised to too many interested parties. A professional disaster recovery provider should be able to provide an assessment of its risk profile in order to demonstrate that it is not overcommitted or overexposed in a particular area.
Checklist: Business Continuity Plan
Guaranteed resources should include:
· recoverable critical IT applications and effective restoration of electronic data;
· remote working capabilities (make sure that there is sufficient technical capacity to facilitate substantial simultaneous logons);
· workplace recovery, including access to workstations and telephony;
· the ability to reroute telephone and fax communications;
· infrastructure to support the recovery of critical services such as mail handling, scanning, document production and printing;
· client meeting facilities; and
· offsite disaster packs which provide information and materials including stationery, critical information and contact details.
Peer support
Textbooks and courses are certainly available but, in my view, the most effective learning comes by actually doing the job and talking to one’s peers in other organisations – particularly those within the same industry. Within the job itself, tests and exercises provide learning opportunities surpassed only by real invocations.
Talking to peers in other organisations provides a basis for discussing common problems, exchanging ideas and learning from each other’s experiences and mistakes. Hearing another firm’s honest account of a problematic recovery will always provide an excellent opportunity for learning and improving one’s own procedures.
Routine drills
Tests and exercises are essential as a means of building confidence in plans and in seeking opportunities for improvement. We cannot close the business down to emulate a ‘full test’, so we have to make do with testing components of the plan.
Forms of testing include IT application recovery, tabletop exercises, activating the cascade, testing at the work area recovery site and telephone diversion. Specialist training is also available for specific areas such as handling the media in a crisis.
In any test or exercise, make sure that it is demanding and stretches both the boundaries and the participants. It is easy to stage a test that will be a perfect success. I would much prefer a test to go badly because these are the ones from which we learn most, and they generate an appetite for further tests because they demonstrate the value of the process.
Staff awareness
It is also important to raise general awareness of BCM arrangements internally. Staff presentations, posters and other internal communications can be effective. But, in my view, the best means to raise awareness is by staff participation, and the best way to involve everyone is to practise the cascade. I will usually ask that people call our freephone emergency recorded message service in response to the cascade. This enables the number of effective calls to be confirmed and, by adding an educational message to the service, increases the element of awareness training.
Since achieving certification against the British Standard (BS25999) in February 2009, I have found the Standard to be a valuable tool for driving awareness training and gaining support from the business for testing. The BSI auditors visit annually and no one wants to let the side down! Even without the certification, a firm can make use of its own internal audit function to encourage involvement from all sides of the business.
Plan accessibility
The plan needs to be visible, portable and accessible. Huge documents can be counterproductive. If there is too much information and instruction, there is a danger that the plan will never see the light of day – even in a crisis. Summary plans can be effective in providing clear messages and act as ‘quick start’ guides to crisis management.
Try to provide information in a portable and easily accessible format. Use of Outlook Contacts can be most effective as a vehicle for plan delivery. Hard copies or CDs of the larger documents can be provided as ‘manuals’ with the details.
Global application
If a firm is to claim a high level of resilience through its BCM programme, then it needs to be able to confirm effective BCM on a global basis. When you roll out a programme internationally, there is a much heavier reliance on local administrators to develop and maintain plans and initiate exercises.
Regular audits and visits by the BCM manager – to both conduct desktop and other exercises and deliver awareness training to staff – will support local initiatives and ensure that the global BCM programme is in place and operating effectively. Local senior management buy-in is essential and communication from central management will confirm the firm’s global expectations.
International BCM administrators will need support and training, as well as help with the initial development of plans. To assist, partially completed templates can be provided to offices, based on global standards. These can then be developed and completed to reflect local crisis response and recovery requirements.
I would guard against the imposition of demanding requirements for local risk assessment and business impact analysis (BIA) because these can be onerous and, in many respects, a central risk assessment and BIA can have global application. My advice would be to cut straight to plan development as this would achieve a quick win. Local differences in risk and impact can be addressed later.
Reaping rewards
Implementing BCM can be a challenge, but there are rewards. An enlightened management team will accept and embrace the need for resilience, risk reduction and recovery planning. A client will value assurances that its law firm, or any other service provider, will be able to continue to operate despite crises or other operational difficulties, and the interests of other stakeholders will be safeguarded.
It will require management support, business commitment and budget, but the effort expended can provide greater resilience and deliver a strong recovery capability.
Copyright ©2012 Wilmington Publishing & Information Ltd 2010, a division of the Wilmington Group PLC. Wilmington Publishing & Information Ltd is a company registered in England & Wales with company number 03368442 GB. Registered office: 19 - 21 Christopher Street, London EC2A 2BS. VAT NO.GB 899 3725 51