Feature
posted 3 Apr 2007 in Volume 9 Issue 10
Cover story: Plan of action
The new Solicitors’ Code of Conduct increases the emphasis placed on business-continuity provisions, obliging firms to keep the risk of disrupting client business to a minimum. Increasingly, larger firms now have some form of business continuity plan in place, but with risk profiles continually changing, ongoing assessment and maintenance are essential.
By Richard Brent
All lawyers are accustomed to dealing with dilemmas – focusing on tricky problems and attempting to find satisfactory solutions that will work for their clients. It is also understandable that they are often perceived to be more risk-averse than most; careful to ensure that a clause or term can’t be disputed by opposite numbers looking for a loophole. Risks come in all shapes and sizes though, and while a sentence can make all the difference to a lucrative transaction, an event such as a serious power cut risks disrupting the operation of an entire organisation. This was brought home in London on 12 February 2007, when a burst water main flooded an electricity substation and left hundreds of central businesses without power. Energy supplier EDF said the outage began late on the Sunday evening, and some of the 1,200 customers were still being reconnected as the sun set on Monday. The legal community was also notably affected. The Royal Courts of Justice, for instance, had to be closed for the day.
With dependence on technology only increasing, it is difficult to see how any firm could continue to function as normal in this scenario – with no phone or e-mail, never mind complex management software – and even a day’s lost productivity can seriously dent a business’s profits. Indeed, a recent survey carried out by the Economist Intelligence Unit found that almost half (47 per cent) of organisations’ risk managers said unplanned downtime of IT systems for just 24 hours could take their business to the point of no return – calling its very survival into question. While lawyers scrutinise the technical details of law, managing partners also need to consider this bigger picture.
Somewhat more encouragingly, however, the same survey showed three-quarters of the same businesses are investing more time and money in preparing for such problems through operational risk management – and a similar 71 per cent are focusing more on their business continuity plans. Law firms seem to be part of this trend. The issue is how much resource and management time they can afford to spend on planning for an incident that will hopefully never happen.
Julia Graham, director of risk at DLA Piper and a Fellow of the Business Continuity Institute, believes law firms have already refined their outlooks quite dramatically, with client demand for reassurance being a significant driver. “I think law firms’ attitudes have changed enormously in recent years. If you’re in a service business, which we all are, our clients are keen to know that we’ll be there if they need us. The rising regulatory interest is also a factor, but most importantly the profession now realises we have to be there to look after our clients. Generally, when it comes to operational-risk areas – and especially business continuity – the larger law firms in particular have realised they now have to do these things properly.”
Steve Sumner, IT director of Cambridge-based Taylor Vinters, agrees that firms are focusing more on the importance of business continuity. “I think there is a greater awareness of the need to dedicate time and resources to it now than a year or two years ago, but it’s being led by the partnership and the regulatory bodies rather than disaster scenarios such as 9/11. Perhaps there’s a move to looking at occurrences that might be more likely to happen, but are less dramatic than the proverbial plane falling out of the sky.”
Revised regulations
In any case, before long new regulations will mean firms have no choice but to incorporate a business-continuity plan in their wider strategies. The draft new Solicitors’ Code of Conduct includes a requirement for the principal of the firm to make arrangements for “the continuation of the practice of the firm in the event of absences and emergencies, with the minimum interruption to clients’ business” – a clear emphasis on the impact risk has on client service. The Solicitors Regulation Authority expects that the Code will come into force some time in the summer shortly following ministerial approval. On 1 March 2007 evidence of a business continuity plan also became a mandatory requirement for all practices assessed against the Law Society’s practice-management quality mark Lexcel, which is currently being revised. The new requirements are designed to provide a clearer best-practice framework for firms, calling for employment of a person with overall responsibility for business continuity; an evaluation of the severity and likelihood of risks; ways of reducing that risk; and a regular process of testing the plan.
Testing the plan
Alistair Roberts, a member of Patrick Stone Associates, which provides advice on business continuity planning, says: “Law firms are increasingly taking business continuity more seriously, but there are certainly still lessons to be learnt. I think most law firms now have some form of continuity plan in place, but not enough of those plans are generally tested. Law firms are anxious about anyone being inconvenienced within the management structure, or time being lost, but you need to test these things work in reality.”
Clive Restall, global business continuity manager at Allen & Overy LLP, explains that his firm runs a wide range of tests, including different desk-top exercises for the separate crisis-management and business-recovery teams, and a cascade ‘call-out’, or ‘call tree’, whereby five or six people call another five or six people in an incident, forming an ongoing chain of communication. “I’d like to do so much testing that everyone would instinctively know what to do. We need to get business continuity management into people’s cultures. We can achieve that through the plan-development process, but even more so through the testing process,” Restall explains. He acknowledges that there are some limits to who can be involved, however. There are some 2,500 people working for Allen & Overy in London, of whom around 150 are directly involved in business continuity and crisis management, and their testing procedures. “We also run an awareness programme to make sure all staff have at least some knowledge of the plan. Of course it would be nice to have all 2,500 involved – or even a whole department – but this would have an unacceptable impact on client service.”
Sumner agrees: “Testing is a broad term. There’s quite a lot you can test, but when it comes to a serious event, there has to be a degree of caution surrounding when you actually exercise it. People need to give some thought to the disruption it can cause.”
Graham says DLA Piper uses test days at its disaster-recovery centre to assess various elements of functionality, while desk-top scenario tests range from one carried out recently to examine the impact of a pandemic to something like a kidnap. There is also a rigorous programme of IT tests, which always follows quite a set format, she adds.
According to Roberts, however, one of the areas firms may need to address is an assumption that business continuity is just a question of IT failure. “A lot of firms think that’s really all it’s about, but they need to think wider than an IT collapse, because all sorts of things can happen – including your staff not turning up or your building being inoperable.”
Pandemic preparations
He also believes firms need to give greater thought to the reality of remote working in this regard. A number of reports have warned of the potential impact on staff sickness and absence levels if a pandemic scenario were to materialise, for example. Indeed, last year banking giant HSBC predicted that up to 50 per cent of staff could be absent at any one time in the event of a bird flu pandemic, adding it was preparing for people to work from home or use teleconference facilities.
Roberts explains: “A lot of people might say they won’t go to work, which is really the equivalent of closing an office. So there must be some sort of plan for many more people to be able to work remotely than law firms are prepared for at the moment. That involves an investment of course, but it can actually be tested. I don’t think it’s beyond people to log in at home on one Saturday in a year. One firm suddenly found that the whole thing collapsed under the weight of calls.”
Restall agrees that this is a concern, but explains that Allen & Overy already has a strong remote-working capability. “Our secure ID tokens mean people can work from their homes quite effectively. People do that during business as usual, so we know it works. But I would advise any organisation to check the number of simultaneous users that can use their remote facility. It tends to be restricted by the number of servers and lots of people are going to be logging on remotely in the event of a disaster.” Although Allen & Overy is not planning for bird flu per se, it does take the risk of a flu pandemic very seriously. Restall explains: “We need to plan for the worst. We need to gear the plans for a severe pandemic, and perhaps one with a high mortality rate and fear factor. It may be necessary to limit the number of people that actually have to come into the office and tell others to stay at home for a period.” A number of law firms have even begun arranging for medical aids, including surgical gloves, face masks and anti-virals, he adds.
Graham also believes that law firms should be equipped to handle the demands of remote working as a matter of course. “Law firms are very mobile anyway. People work from home on a regular basis, so I don’t think it’s a particular issue for us. I think information security is more the issue. And if you’re going to use remote technology as the solution for a pandemic, I don’t think the security issues are any different to the ones you should be considering every day of the week.” DLA monitors the World Health Organisation website regularly, however, and it also took on board the output from the meeting of the World Economic Forum in Davos in January. The Forum’s Global Risks 2007 report identified 23 core global risks to the international community over the next ten years, ranging from energy-supply interruptions and climate change to international terrorism and transnational crime. The list also included pandemics. “We ran all our group risks against theirs to see if there were any big issues that we ought to be thinking about but aren’t,” Graham says.
Sumner thinks that although the threat of a pandemic such as bird flu should be on agendas, the reality of such an incident is hard to replicate. “I suspect that until it were actually to happen, people’s provisions probably wouldn’t be tested. It would be very difficult for a firm to say we’ll send 30 per cent of our staff home for a week, and there are extreme costs associated with that. I think there is more that could be done though, not necessarily in a pandemic situation, but surrounding sickness in general – even the common cold.” Taylor Vinters is confident in its own remote-working capability though, which was recently tested when half of the office building was refurbished. “We had our lawyers working remotely and hot-desking – sharing areas – and that went extremely well. There were some issues such as a loss of interaction perhaps, although we don’t see it as something everyone would do five days a week. But it is a vital link in our business continuity and disaster recovery strategy.”
Sharing experiences
Pandemic is also one area where firms and risk departments can work together to learn from each other’s experiences and thereby enhance their own plans. Communication between organisations was one of three fundamental issues identified in the World Economic Forum report – namely the challenge of encouraging investment in risk-reducing measures in ‘interdependent’ settings. The report states: “The economic incentive of a decision-maker to invest in protective actions depends on whether others are expected to follow suit.” In other words, it may be seen as a disincentive to plan for risk if others in a system are not doing the same.
Sumner believes firms are becoming increasingly willing to share their more unfortunate stories. “I think there’s more of an exchange of information between people now. Firms are becoming more aware of the small events others have had. For example, people are a bit more open to saying they had a certain loss of service for an hour or four hours.”
Although law firms hold a great deal of information that must be kept confidential, there is some room for sharing resources as well. On joining Allen & Overy in 2002 Restall set up a BCP forum for the major law firms. Reciprocal arrangements between firms originated in the 1990s, he explains, but the feeling was that a number of people involved had moved on by the start of the new millennium. Initially comprising just the largest of firms, the forum now has 18 members, including DLA Piper, and the firms meet quarterly to update one another and share ideas.
Restall explains: “The group has always encouraged a lot of openness. It became quite obvious that we could benefit from sharing each other’s experiences, and even mistakes. There is also a willingness to assist in any way we can when one of the members suffers some sort of disaster or interruption. We can share meeting rooms and the more public parts of the library.” Speakers are also invited, with one consultant recently running a group desk-top exercise – something the forum hopes to repeat later in 2007.
As there are pragmatic restrictions on the number of people that can be actively involved in business-continuity planning, strong communication channels are also vital within the firm. “Lots of communication but keep it simple”, is DLA’s approach, but Graham says she noted an interesting difference in risk strategy on coming to work for a law firm for the first time. “We adopt what I call the Henry Ford principle – ‘you can have it as long as it’s black’. Law firms are lean and mean, which does make things a little prescriptive, but that has proved to be the way to get lawyers to buy into the subject. A light touch but wide engagement is a successful strategy in our industry.” DLA also has a basic template for plans that is transferable internationally. “A lot of law firm offices are quite small. Many of our offices have between 50 and 100 people working, so I’ve got to give them something that is simple to use,” Graham explains. Although the London plan looks slightly different, the principle of simplicity is the same – an approach that also extends to communicating plans with clients. Graham gives each client a simple sheet with the contact names and numbers for the people who know, manage, and have access to the plans. Clients are permitted to inspect the full plan if they ask, but the list is designed to avoid imparting too much information, which is likely to be out-of-date once given in any case. DLA is also migrating its plans from Word to a software package this year for ease of updating and remote access to ensure plans are being adequately tested.
Allen & Overy similarly attempts to limit complexity when communicating its plans. Restall gives people a summary plan – a list of the key points to help them “hit the ground running”. The firm also has a contract with Vocal – the organisation the police uses to send SMS message alerts in London – while an emergency phone line plays a recorded message if a major incident occurs. As the cascade call-out can take a long time, staff can call this number to get the very latest information on the unfolding disaster, with half-hourly or hourly updates from the firm’s crisis-management team.
Senior involvement
In addition to providing information, the phone line should reassure people with an implied message that the disaster is being dealt with effectively and from the top. For Roberts, this is imperative for a strong business continuity plan. “The person who really ought to be driving it is the managing partner. The partnership weight means it is seen as being taken seriously,” he says.
At Taylor Vinters the managing partner works with Sumner, the finance director and facilities manager as a collective, and at DLA Piper it is also an issue for the board, with the senior partner holding board-level responsibility. “We steer it through a steering group of lawyers and non-lawyers, but it’s always being reported on so it’s always in front of the board,” says Graham. “It’s something a lot of risk managers search for and I realise I’m very fortunate to have that direction from the top.” Restall reports to Allen & Overy’s head of safety and security, and together they manage the business continuity function. To address operational and maintenance issues they have an established series of contacts covering the London departments and international offices. These contacts assist with the development and maintenance of the plans on a local basis.
Such senior-level involvement certainly suggests law firms recognise the seriousness of the risks they face. The media may thrive on a disaster, but the traumatic events of 7 July 2005 – when 52 people lost their lives in the London bombings – mean that, if businesses were at all complacent before, it is impossible for them to remain so. The recent spate of letter bombings in and around London also drives home just how vulnerable people can be to attack, even when doing something as mundane as opening the post. Security policies and processes are needed to protect against likely and unlikely risk. The problem is that the larger-scale the risk, the harder it is to replicate and predict repercussions. A thoroughly thought-out business continuity plan and testing programme can go a significant way towards preparing for the worst.