Feature
posted 10 Feb 2006 in Volume 8 Issue 8
Survive and protect… Top tips for business-continuity planning
Business-continuity management has become a hot topic among law firms that are keen to protect their businesses and people against all eventualities. With clients increasingly demanding evidence of business-continuity plans, it is an issue that can no longer be ignored.
By Clive Restall, business continuity manager, Allen & Overy LLP
Is money important to a law firm? Of course not! Well, from a business-continuity practitioner’s point of view, and in the short term, loss of income and profit can be unimportant. Any firm of reasonable size can suffer such a loss with little or no lasting impact. In any case, the loss may be insured. What is of real concern to any law firm is the risk of loss of reputation. If there is a significant dent in a firm’s reputation then there is likely to be a medium to long-term impact on client confidence and an erosion of the client base. It will affect the firm’s ability to grow and achieve its strategic objectives. These impacts, collectively, could have a major effect on a firm’s ability to realise its true potential in terms of size and earnings.
Loss of reputation can arise from many causes including:
- Errors and omissions in legal work;
- Compliance failure;
- A failure of management controls;
- A staff member’s bad judgement, either within the workplace or in his/her private life;
- Failure to deal effectively with the publicity that may flow from an event in which the media takes an interest;
- The failure of a firm to recover following an interruption event (fire, flood, IT failure).
So, as a business-continuity practitioner for a legal practice, one of my principal objectives has to be addressing reputational risk.
Is business-continuity management all about planning?
Business-continuity management (BCM) is often thought of simply as a process to develop plans that will respond to incidents, but the reality is more complex than this. The process includes risk assessment and business-impact analysis. The risk assessment identifies risks to the business and enables a programme of risk reduction. It is better to reduce or eliminate risk rather than just have the capacity to respond when an incident occurs.
Nonetheless, the plan is an essential part of an organisation’s armoury. You wouldn’t drive a car without insurance, so why run a business without a business-continuity plan (BCP)? But what is a plan? Documentation is important, but only as a formal record of the recovery process and supporting resources. When a disaster occurs, there is no time for everybody to sit down and read what is, generally, a formidable tome. My advice would be to work at getting the recovery processes into the culture of the organisation through exercises and awareness training, and the provision of summary documents to assist the communication process and identify priority actions. The crisis-management team, in responding to a plan invocation, needs to react instinctively.
There is no substitute for a full and demanding programme of testing for both crisis management and business recovery. Exercises take many forms and each form can be set at differing levels of complexity. Examples of types of exercise are:
- Scenario/desktop;
- Testing the escalation and cascade processes;
- Training in handling media in a crisis;
- IT component recovery and full IT-recovery tests;
- Combined exercises involving IT and workplace recovery.
A programme of testing should apply increasing levels of difficulty for the participants. Continuously turn up the heat by introducing new challenges to maximise the learning.
How long does it take to produce a plan?
The answer is, as long as you like. The formal processes of risk assessment and impact analysis can take weeks or months before the plan starts to be developed. It could take a year before a detailed plan document is ready for issue for a sizeable organisation. The business continues unprotected during this time.
But don’t assume that you need to complete the risk analysis and impact assessment before you start to develop the plan. These elements of the process can be pursued simultaneously. In the early stages of a BCM project you should establish:
- An escalation procedure;
- Team composition and contact data;
- Staff call trees;
- A broad strategy for recovery;
- Somewhere for the crisis team to meet.
Okay, so the plan template hasn’t been fully populated and there has been no testing but at least you will be informed if there is an incident and you will be able to assemble your specialists who will be able to respond. There isn’t a completed plan in place, but at least you have a fighting chance of developing a response.
The plan needs to be supported with resources
The plan shouldn’t be a wish list. Nothing should be promised in the plan unless its delivery is guaranteed within the agreed timescale. This can relate to the recovery of IT applications, work-area provisions, access to meeting rooms, IT equipment, know-how material and other general supplies stored off-site.
Driven from the top
Senior management need to take ownership of the plan. After all, it is their business that is being protected.
It will be difficult to get other members of staff to take BCM seriously unless they see that it is being driven from the top. Involving your senior management in tests and exercises will help get them committed to the process. Seek their guidance on the composition of the teams and setting the recovery strategy. Ask them to sign off crisis-management and business-recovery plans to confirm the accuracy of the information and data, that the plan has been properly distributed and that its provisions will meet the needs of the business.
A word of warning
In your discussions with senior management or the business, avoid use of acronyms and jargon. Their use is rife in business-continuity circles. What is meant by HROT, PRCT, ECT, SAT, ITDRT and WARCS? How can we hold people’s attention if we use terms such as ‘iterative business process decomposition’ and ‘survival time drivers’? It’s a turn-off. They don’t do anything to promote our cause.
Is it all worthwhile?
Generally, I think of my organisation as one that doesn’t suffer disasters. This may be due to the size of the practice or the success of its risk-management initiatives. But since joining the organisation in 2002, I have accumulated quite a list of actual events and near misses. Some of these have caused degrees of interruption and others have come dangerously close. We have suffered two power failures, three bomb threats, flooding in Prague, an accidental discharge of the fire-suppressant gas in the London IT room and various technical failures. Our plans have also responded to the New York power failure, the Madrid bombings, the SARS outbreak and, of course, the London bombings and attempted bombings in July 2005.
We are not accident prone. These sorts of events happen all of the time to most businesses. Usually, with some good fortune, they don’t have any major impact, but we only need one of them to strike a little nearer to a vital organ.
What do our clients expect of us?
Having a BCM programme makes good business sense. BCM should be a standard form of protection for any organisation, along with insurance and locks on the doors. If an established organisation suffered a disaster or business interruption and failed to recover effectively, there would be a wholesale loss of confidence (back to reputation again).
Many of our clients are large financial organisations where effective business continuity is a way of life. The regulators require these businesses in the finance sector to have BCM, which should incorporate both an ability for the organisation itself to recover, and confirmation that critical suppliers have business-recovery plans in place. In many cases, we would be categorised as a critical supplier to such organisations. Regardless of our own business needs, therefore, our business-continuity plans are a necessity for our commercial relationships.
Increasingly, clients are asking us to provide statements regarding the existence, maintenance and testing of our business-continuity plans.
In summary
- You need a crisis-management and business-recovery plan;
- Loss of reputation is likely to be your biggest risk in terms of likelihood and quantum;
- Incorporate risk-management techniques into your BCM programme;
- Get recovery principles into the culture of your organisation;
- Exercise, exercise, exercise and exercise;
- If you do not have a plan, go for some quick wins – put elements of a plan in place prior to completing the formalities;
- The plan should be fully supported by resources that are guaranteed to be available within the prescribed timescales;
- Secure buy-in and support from senior management;
- Clients will expect your organisation to have an effective recovery plan.
Post script
Please note that Clive Restall currently chairs the BCP Law Firm Forum, which has been set up to enable the exchange of ideas and experiences between the larger London-based law firms. It is active in the promotion of BCM learning and seeks to establish informal reciprocal recovery arrangements between member firms. There are currently 14 member organisations. If you would like to know more about the forum, please e-mail clive.restall@allenovery.com.
Clive Restall is business-continuity manager at Allen & Overy LLP. He can be contacted at clive.restall@allenovery.com