Be Prepared – expecting the unexpected
If there is one thing that we all should have learned over the past year it is that we cannot predict with any certainty what is just around the corner and how it will affect us, our businesses and our daily lives. We are quite clearly not, in many respects, in charge of our own destinies no matter how much we think we have tamed the world through science and endeavour. From bushfires to flooding, from coronavirus to terrorist threats, we are all at the whim of others – whether those others are human or natural causes.
That being the case, we should all be expecting the unexpected and, where the unexpected could impinge upon what we do, we should be making contingency arrangements to mitigate the effects. In fact, there is an argument for saying that the unexpected is simply that which we should have anticipated but did not. As C S Lewis once said “We must stop regarding unpleasant or unexpected things as interruptions of real life. The truth is that interruptions are real life”.
Expecting the unexpected for many people is simply a sensible way to behave. For the provider of a legal service, however, it is essential and those who rely on a legal service should be able to expect that it will be available when it is needed – whatever the circumstances. If you as a legal provider want your clients to be able to rely on you, then they must be able to have confidence that your practice will be up and running effectively, no matter what happens; that if you have a deadline to meet, a transaction to complete or a court hearing to attend, you will be there to attend to their interests.
That is where Business Continuity Planning (BCP) comes into play – having in place a plan or process which takes account of the unthinkable happening and ensures that, in extreme cases, you can still function effectively as a provider of legal services. We looked at BCP in some detail back in July 2013 in a two-part article entitled “Planning for the unexpected – Business Continuity Planning” (www.lawyersdefencegroup.org.uk/planning-for-the-unexpected-business-continuity-planning/) and much of what we said in that article – in particular about the steps needed to implement a BCP in the second of the two articles – still applies as much now as it did then. You might also find useful a Home Office Guide which was published in November 2014 “Expecting the Unexpected” (www.gov.uk/government/publications/expecting-the-unexpected) or the wiki produced by the Business Continuity Management Institute (https://www.bcmpedia.org/wiki/Main_Page).
We will not, therefore, go through all of the details of preparing and implementing a general continuity plan. Instead we will look at some of the more current issues that might arise, how they are likely to impact upon those in legal practice and what they should be thinking about in relation to them.
The regulatory imperative
We will start, however, by considering the regulatory imperative upon solicitors and others to take steps to plan for the unexpected. We did cover this in the 2013 article, but since then many of the rules have changed.
But first, what is business continuity planning? At its simplest, BCP is the process of putting in place a system that allows a business to avoid, prevent, anticipate and recover from potential threats. It is about ensuring that personnel, systems and assets are protected from interruption or damage and thus able to function in the event of a disaster – of whatever kind. The thinking is that by planning in advance, and taking account of what should happen if the unexpected were to occur, the impact upon the business and its clients will be reduced. This has been expressed rather more grandly as “A holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. Also, the management of the overall programme through training, rehearsals, and reviews, to ensure the plan stays current and up to date” – (https://www.bcmpedia.org/wiki/Business_Continuity_Management_(BCM)).
In other words, therefore, it is about planning before something goes wrong what will happen if and when it does go wrong and taking steps to put in place alternatives and backups.
Although clearly relevant – increasingly so it would seem – we are not just talking about major incidents such as volcanoes, earthquakes, flooding, pandemics or terrorism when we talk about business continuity planning. Often, it could involve planning for far more mundane events such as burst pipes, systems failures, vandalism, staff absences or even just bad weather. In other words, it is as much about being prepared for the types of things that could occur almost every day of every year as it is about the major catastrophes that we have witnessed around the world over the past 12 months.
It is about ensuring that, if anything happens that could impact upon your business, you are able to deal with the requirements of the business, its staff and, most importantly, its clients. The excuse that you could not perform a contract because events outside of your control had prevented you from doing so is not going to be a convincing one if you could have planned ahead to mitigate the loss.
From a purely regulatory perspective you are required to ensure that your practice and clients do not suffer as a result of risks to the business. From the perspective of the firm, paragraph 2.5 of the SRA Code of Conduct for Firms requires that “You identify, monitor and manage all material risks to your business, including those which may arise from your connected practices” whilst paragraph 4.2 requires that “You ensure that the service you provide to clients is competent and delivered in a timely manner, and takes account of your client’s attributes, needs and circumstances”. From the individual perspective, paragraph 3.2 of the Code of Conduct for Solicitors, RELs and RFLs requires that “You ensure that the service you provide to clients is competent and delivered in a timely manner” and, by reason of paragraph 3.5, that “Where you supervise or manage others providing legal services … you remain accountable for the work carried out through them”.
Given the potential for the unexpected to happen anywhere in the world, it is worth noting the provision in the second half of paragraph 4.2, namely “including those which may arise from your connected practices”. Connected practices are defined as:
“a body providing legal services, established outside England and Wales which is not an overseas practice or an excluded body but is otherwise connected to an authorised body in England and Wales, by virtue of:
- being a parent undertaking, within the meaning of section 1162 of the Companies Act 2006, of the authorised body;
- being jointly managed or owned, or having a partner, member or owner in common, or controlled by or, with the authorised body;
- participating in a joint enterprise or across its practice generally, sharing costs, revenue or profits related to the provision of legal services with the authorised body; or
- common branding”.
So clearly if your business has connected practices, then factors that pertain where those practices are situated must also be taken into account.
Although no longer applicable, indicative behaviours in the SRA Code of Conduct 2011 continue to be useful in predicting what the SRA will take into account in relation to these duties. Thus, indicative behaviour IB(7.3) required that solicitors identify and monitor “financial, operational and business continuity risks including complaints, credit risks and exposure, claims under legislation relating to matters such as data protection, IT failures and abuses, and damage to offices” whilst IB(7.4) required them to make “arrangements for the continuation of your firm in the event of absences and emergencies, for example holiday or sick leave, with the minimum interruption to clients’ business”.
So far as other legal practitioners are concerned, licensed conveyancers are required by their handbook to “systematically identify and mitigate risks to the business and to Clients” (Overriding Principle 2f “Maintain high standards of work” in the CLC Code of Conduct and see also the “Management and Supervision Arrangements Code”). CILEx members, practitioners and entities are required by Paragraph 8 of their Code of Conduct to “Act effectively and in accordance with proper governance and sound financial and risk management principles” and at Paragraph 9.1 to “Identify, assess, manage and promptly address risks to money and assets entrusted to you by clients and others”. Those at the Bar are subject to the BSB Code of Conduct which requires, at Rule C18, that:
“Your duty to provide a competent standard of work and service to each client (CD7) includes a duty to inform your professional client, or your client if instructed by a client, as far as reasonably possible in sufficient time to enable appropriate steps to be taken to protect the client’s interests, if:
1 it becomes apparent to you that you will not be able to carry out the instructions within the time requested, or within a reasonable time after receipt of instructions; or
2 there is an appreciable risk that you may not be able to undertake the instructions.”
Rule C89.8 also requires that “appropriate risk management procedures are in place and are being complied with”.
Not that professional regulatory provisions are the only factors that must be taken into account in relation to business continuity planning. You may find that you have to agree to include business continuity provisions in agreements which you enter into for the provision of legal services – especially if you are planning to do work for large organisations or in the public sector. For example, the Civil Contingencies Act 2004 places a legal obligation upon health authorities, emergency services and local authorities to assess the risk of emergencies and take steps to plan for business contingency management – which includes ensuring that suppliers have suitable processes as well. If your business is a limited company, then s 174(1) of the Companies Act 2006 requires that “A director of a company must exercise reasonable care, skill and diligence” which includes ensuring business continuity and which could leave directors who fail to make plans liable to other directors and shareholders.
So far as the data that you hold about individual clients and others is concerned, you are under duties to be found (currently) in the GDPR which provides at Article 5(1)(f) that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)” whilst Article 32(1) of the GDPR provides:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Those then are some of the overarching duties to which lawyers are subject. How does this translate into some of the issues which face us today? What factors should we be considering as relevant and how should we be responding?
At the time of writing, two key issues are at the top of the “unexpected” events polls – the impact of coronavirus and the potential for firms to be affected by flooding and other global warming factors. In all cases where firms are at risk, they should ensure that:
- they appoint someone within the firm to act as the central point for all communications (and that they have a deputy able to take over should something happen to them);
- they carry out a risk assessment to ascertain how at risk they are and then take steps to mitigate that risk wherever possible;
- they produce a written business continuity plan, which should be communicated to all potentially affected staff; and
- they carry out testing to ensure that the procedures are sufficiently robust.
It is not the intention of this article to set out the medical and health related steps that individuals need to take in order to mitigate the impact of coronavirus upon them. These are adequately dealt with elsewhere by those more qualified to comment. However, there are factors to which firms and businesses should give consideration in terms of planning for the future, including the worst-case scenario of a significant escalation in the number of cases. These include:
- taking action to reduce the risks of exposure in the workplace and ensuring that everyone is kept up to date on what those actions are. This could range from simple actions such as ensuring that toilets and washrooms have hand sanitiser, encouraging staff to wash their hands regularly, providing tissues and providing face masks for any staff in vulnerable situations through to regular screening of those staff who are most at risk;
- ensuring that everyone’s contact numbers and emergency contact details are up to date and that all staff know what to do in the event that they believe that they may have contracted the virus;
- training senior staff and managers in being able to recognise the symptoms of coronavirus;
- training all personnel in relation to any relevant processes, for example how to report in if they are sick and issues such as voluntary quarantine, sick pay and what to do if a colleague develops the virus;
- limiting face-to-face contact wherever possible so that staff are not put in harm’s way. You might want to consider electronic communication methods, for example; and
- reviewing travel arrangements for staff and ensuring that those who have to go to places where they might contract the virus – e.g. court and public buildings, overseas offices etc. – know what to do to reduce the potential impact.
Management and Supervision
- reviewing who in the firm does what, the skills they possess and their experience of the various areas of work that the firm does so as to ascertain whether there are those who would be able to take over from colleagues in the event that they contract the virus;
- keeping track of the work that the firm has taken on and in particular whether it would be able to cope were a significant number of staff to be affected;
- putting in place contingency arrangements – possibly including reciprocal arrangements with other firms – in the event that the firm did not have enough staff, or staff with the right skill set, to address the needs of clients;
- ensuring that clients are made aware of any contingency arrangements and getting their agreement to those arrangements being implemented in the event of problems arising;
- reviewing which matters are critical and would require immediate actions whatever the situation as to staff absences or personnel issues and which are less critical and could be accorded less priority. This could be addressed with systems such as a key-dates diary;
- making sure that staff continue to be supervised adequately notwithstanding the absence of managers and partners;
- making sure that more than one person in the firm is aware of the issues on any matters that are urgent so that they could, if necessary, take over;
- putting in place home-working arrangements where it is possible to do so – this might involve changes to systems, technology updates and revised working practices;
- reminding those staff planning to work from home of the need for confidentiality – including in relation to members of the family;
- putting in place “deputies” for those who undertake key roles such as COLP, COFA, MLRO and MLCO; and
- not being “spooked” into agreeing to unsafe or illegal arrangements – it is a sad fact that there will be those who will try to capitalise on the situation in the hope that firms that are affected will be less thorough. This includes not revealing information that should not be revealed and not dealing with anyone that cannot prove that they legitimately represent the interests of a client or third party.
Dealings with others
- keep track of whether issues have arisen at any of the courts or other public bodies with whom the firm deals. If, for example, court staff are affected, adjournments may be necessary or matters may be switched to other courts or locations;
- be aware that other firms may have issues even if your own does not. Build flexibility, where possible, into house buying chains and warn clients in advance of issues that might arise;
- make clients aware of the importance of telling you as soon as possible if they become affected so that other parties or the courts can be warned; and
- make sure that the firm does not discriminate in the way in which it deals with others – for example by acting to the detriment of a particular racial group based purely upon the fact that the virus has spread more in that person’s country.
All of the indications are that the flooding that we have recently experienced is not going to be a freak one-off and that firms, especially those in areas at risk, should be taking steps to ensure that they are not affected. Here business continuity planning can help. Firms whose offices are close to rivers or waterways that might flood should ensure that they have contingency plans in place so that client matters are not adversely affected in the event of flooding. That might include alternative operating arrangements where necessary or simply procedures for where items at risk are to be moved in the event of a flood alert.
They should also consider:
- ensuring that offices have adequate flood defences wherever possible;
- making the premises as flood resistant as possible and in particular taking steps to prevent flood water from entering the building wherever possible, for example by the use of barriers for doors, air bricks and vents or flood resistant doors;
- ensuring that toilets and the like are fitted with either non-return valves or bungs so as to prevent foul water from entering the premises in that way;
- moving electrical sockets, wiring, computer cabling and ventilation away from skirting boards;
- moving electronic equipment, especially business critical equipment, onto upper floors if possible or mounting them on plinths so that they are not on the floor;
- keeping important papers and files on upper floors where possible or in water-tight cabinets where it is not possible;
- backing up all electronic data to somewhere away from the office;
- implementing procedures so that the firm can operate from a remote location in the event that the main premises are flooded;
- keeping copies of insurance policies in a safe location where they can be accessed quickly if needed;
- making sure that staff know what is expected of them in the event that the premises is subject to flooding – for example how to access data, how to work from home, whom to contact about the issues that arise;
- making sure that everyone’s contact numbers and emergency contact details are up to date;
- putting in place contingency arrangements for dealing with urgent client matters and making sure that, where flooding is imminent, client files are kept away from the office at risk;
- considering issues such as confidentiality should the premises need to be entered by rescuers or workmen making good the problems or if client files need to be removed from the premises; and
- warning clients if there is a possibility of disruption to their matters.
Security threats
Unlike flooding, it is not at all easy to predict where a security threat might arise although clearly there will be those places which are more vulnerable than others – for example those firms who practise in sensitive areas such as near to embassies or government buildings or those with offices overseas in potentially high-risk areas.
Whilst the chances of a firm being affected by a security incident are probably not high, nevertheless some basic precautions should be taken to help ensure that they are not adversely affected. Those precautions could include:
- carrying out a risk assessment to ascertain the extent to which the firm or its premises are at risk. Depending upon the level of risk some or all of the following may be applicable;
- reviewing security at the firm’s premises and, if the firm undertakes work that might place it at risk in its own right, the security of all staff whether or not they are at the premises;
- ensuring that staff are able to be made aware if there is a heightened level of risk at any particular time;
- training staff to be vigilant at all times and so that they know what they are looking out for in terms of threat indicators and whom they should contact in the event that they witness suspicious activity;
- putting in place contingency plans so that the business of the firm can continue notwithstanding the security threat;
- identifying critical operations that could be especially affected;
- putting in place evacuation and lockdown procedures where necessary and ensuring that all personnel are aware of what these are and their role in those procedures. This can include, for example, making sure that staff know how to evacuate the building safely;
- ensuring that all staff know how to respond to a terrorist incident;
- maintaining up-to-date lists of all personnel and ensuring that the firm is aware at any given time of who is at which premises;
- implementing some form of identity verification – e.g. the wearing of passes, electronic doors, etc.;
- considering some form of electronic surveillance e.g. CCTV;
- checking bags of those entering the building; and
- appointing security personnel.
It is not possible to anticipate all eventualities – they would not be the unexpected if we expected them to occur. However, through business continuity planning we can take steps to mitigate the impact of those things we are aware of and can put in place generic provisions to guard against a range of issues that might conceivably have the same effect.
The starting point for all firms is to carry out a business continuity risk assessment and to implement processes to address those risks assessed. Bear in mind, however, that unless everyone in the firm is aware of the assessment and of the provisions put in place to address the matters identified, it will not be effective.