Preparing for disaster
The benefits of business continuity management, and some practical tips for creating an effective business continuity strategy
Imagine the following scenario: your firm occupies an office on the fourth floor of a city centre building. You arrive at the office particularly early on Monday morning as a major transaction you are working on is due to complete in two days’ time, only to find that part of the street is cordoned off and smoke is billowing from your office building. Several fire engines are already at the scene tackling the blaze.
Your thoughts turn to practical matters. How on earth are you going to progress the work which needs your urgent attention? There is no point in trying to work from home, as you don’t have access to work email or documents there. The files are in the office, as is your BlackBerry, both of which would at least have provided you with access to key documents and your client’s contact details.
Unsure of what to do, you try contacting a work colleague whose mobile number you have on your own mobile phone, but there’s no answer. Before long, others start turning up for work, unaware of the incident, but no one seems to have a clear idea of who to contact or where to go.
Your office ends up being out of commission for a number of weeks, and the firm largely incapacitated for part of that time. A large number of files have been destroyed, having been doused in foam and water by the fire brigade. In order to complete the deal you were working on, you ended up arranging to get copies of critical documents from the client, and to work from their offices, using your personal email account.
The fallout from the incident included various important documents and files being destroyed, a number of client instructions not being followed up timeously, deals being delayed and time limits being missed. As a result, the firm found itself having to write off considerable levels of fees as well as losing potential instructions and clients.
Incidents like this one affect businesses in the UK every day. In some instances they cause minor disruption, but sometimes the impact on the business is devastating. A study conducted in the US, for example, found that around 60% of businesses that experience a major disaster such as a fire fold within two years. Organisations which have planned for such eventualities stand a much better chance of being able to continue to operate both in the immediate aftermath of a disaster and longer term.
In reality, it is reckoned that nearly 50% of lawyers are ill prepared should their firm experience a major disaster, according to a YouGov/BT Global Services survey.
Looking at the table of possible scenarios below, how would your firm cope if any of the events listed were to occur? What arrangements would your firm require to have in place to minimise the adverse impact on the firm and its clients? Would you know what responsibilities have been allocated to what people, or who to contact in the firm regarding contingency arrangements?
Let’s consider how our opening scenario might have played out if the firm had had robust business continuity procedures in place.
Just as you are about to head to the office early on Monday morning you receive a call from the office manager. He informs you that there has been a fire in the office building, and that it will not be possible to access the building, today at least. He explains that you can work from home, using the firm’s remote access desktop and email applications. The firm’s arrangement with another firm a few blocks away means that a room (the other firm’s IT training room) will be available for certain fee earners and functions until temporary office space can be arranged.
The office manager asks you to contact clients (for whom you are the principal client contact), prioritising those with work ongoing. A list will be emailed to you later in the morning with the relevant contact details and a suggested script to inform them of the situation and to explain that business will be carried out while the office is out of commission.
You make arrangements to work from your client’s offices for the day, given the need for a number of meetings with your client anyway, and, thanks to effective remote working applications and the provision of remotely located backup servers, you are able to continue working effectively with as little disruption as could be expected in the circumstances.
While, inevitably, there will be considerable disruption to any business which experiences a fire or other major incident, this scenario does illustrate the value of effective contingency arrangements. The likelihood of serious disruption for the firm and its clients is minimised, and while a failure to prepare can engender bad publicity, being able to operate effectively in the face of a potential crisis can actually increase clients’ confidence in the firm.
If you are considering developing a business continuity strategy, or require to review an existing one, there are a number of points worth considering:
Achieving effective business continuity management
The fundamentals of business continuity management are the same for all organisations. They include:
- Management commitment
Commitment to effective business continuity management – at the most senior level – is a prerequisite. Larger firms should have a management structure. Has sufficient resource been committed to the role of business continuity manager?
- Risk evaluation and control
Has the firm undertaken a risk assessment? Is it up to date? Is it meaningful? If your firm’s risk assessment is to be a valuable tool in identifying and addressing key risks, it needs to prioritise risks based on their impact on the business and their likelihood.
Consider both “hard” impacts (such as financial loss, breach of law or regulations, failure to adhere to service levels agreed with clients, increased costs, loss of data), and “soft” impacts (such as reputational damage or loss of competitive advantage).
Remember to consider recovery priorities and timeframes in case of an incident which interrupts normal operation of the business.
A business continuity strategy should respond to the firm’s assessment of risks and their potential business impact primarily in identifying the most effective risk controls. While it is logical to prioritise the most likely threats (such as fire, flood, IT failure) when developing a risk prevention strategy, when it comes to planning an emergency response to an actual incident, focusing on the cause can be counterproductive. Your emergency response strategy should be practical and deliverable regardless of the particular cause of the disruption. You will need to consider strategies for dealing with minor, moderate and major incidents, each with short, medium or long term disruption potential.
You should establish programmes of regular tests and exercises, and use the output from these both as role-familiarisation opportunities and to improve your business continuity procedures.
Business continuity management is not a one-off project. Your firm’s staff, IT systems, business processes, clients – and perhaps even premises – are bound to change over time. Regardless of how thorough a plan your firm has in place, if it is only ever put on the shelf and forgotten about, you would almost be as well not having one at all.
Business continuity management should be viewed as an ongoing process – so that it continues to provide the best possible protection for your practice, and that you are indeed “prepared for disaster”!
What can go wrong?
Acts of God/major accidents
- Storm damage/severe weather
- Contamination/air pollution
- Power failure/surge
- Burst pipes
- Heating failure
- Telephone/internet outage
Pandemics/public health scares
- Flu pandemic
- Legionella outbreak
- Food poisoning
- Other contamination issue
- Terrorist attack
- Computer virus
- Employee sabotage
- Civil unrest
- Stolen equipment
- Software failure
- Network outage
- Hardware failure
- Any critical device breakdown
Business continuity practical tips
- Consider having a reciprocal agreement with another firm/client to use their facilities in the event of a major incident.
- Consider investing in systems which permit remote access working. Where practical, provide the facility for fee earners to access their entire desktop remotely.
- Thoroughly test any remote access systems that you have. Check whether they cope with large numbers of users accessing systems at one time.
- Use off-site back-up servers which reduce the risks of losing data in case of damage or loss of in-office equipment.
- Do not assume that your IT backups are failsafe. Make a point of attempting to retrieve backed-up information on a regular basis.
- Keep copies of the firm’s business continuity plan off-site in the possession of the key personnel who have allocated responsibilities in terms of the business continuity plan.
- Ensure that up-to-date contact details for all colleagues are remotely accessible.
- Don’t underestimate the potential disruption of smaller incidents – denial of access, loss of utilities etc. Check your insurance arrangements, and the level of cover they provide in case of damage to facilities and business interruption.
- Keep your business continuity plan reviewed and updated, at least annually.
- Ensure that your business continuity plan is as comprehensive as possible. Check the advice provided on the Department for Business Innovation and Skills website (www.berr.gov.uk/ whatwedo/sectors/infosecadvice/continuitymanagement/page33396.html).
Three top risk management targets
The Society’s Insurance Committee has identified three categories of claim (based on the frequency, severity, or avoidability of claims) which it believes the profession should be specifically targeting:
- Break notice defects
break notices not being served in accordance with the terms of the lease and therefore being ineffective
- CML Handbook breaches
lender claims alleging breach of CML Handbook reporting requirements
- Overlooked securities & inhibitions
claims for inhibitions or postponed securities which have not been identified from searches undertaken, including form 12 and form 13 reports
The committee believes that the adoption of effective risk management measures could effectively eliminate the incidence of these claims.
Identify possible gaps in your systems and procedures, and prioritise the actions you/your firm will take to address them.
The authors and Marsh
Calum MacLean is a former solicitor in private practice who works in the FinPro (Financial and Professional Risks) National Practice at Marsh, the world’s leading risk and insurance services practice. Mhairi Scott-Bennett is a client executive at Marsh specialising in the provision of office and general insurance facilities specifically for professional clients. Email contacts: email@example.com and firstname.lastname@example.org
The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.
Marsh Ltd is authorised and regulated by the Financial Services Authority.