Planning for the unexpected – Business Continuity Planning – Pt II
In Part I of these two articles dealing with Business Continuity Planning, we looked at the business reasons behind putting in place a Business Continuity Plan and the benefits which could be derived from doing so. In this, the second article we will look at the steps which you will need to take to implement such a plan.
Need for a bespoke plan
Right. So you are convinced that you need a plan. What do you need to do to implement one? Is there one perhaps that you can just go and copy – perhaps someone else’s that you have found on the Internet. No one is going to know if you just copy and paste one into your office manual, are they?
Wrong. A BCP has got to address issues for your practice and has to reflect the type of practice you are and the work that you do. The BCP for a multi-national commercial firm is going to be different from that for a small high-street practice, just as the plan for a firm that does conveyancing and probate is going to be different from the plan for a firm that does only criminal litigation.
Fortunately, help is at hand in that there are some basic processes that you will need to follow in setting up your plan and there are common elements which will be found in most BCPs. The following checklist will assist you in creating a BCP – although do remember that the plan is not only about what you write down – it is about what you do, the protections you put in place and how you train and update your.
The Implementation Checklist
There are effectively five main stages to the creation of a BCP.
Stage One – Analysis – what are the threats and what could go wrong
Stage Two – Solution – what processes need to be put in place, or actions taken, to minimise the impact of those threats on the firm and its clients and staff
Stage Three – Testing – seeing whether the processes and actions which form the solution will work and if not making changes to them to ensure that they do
Stage Four – Training & Documenting – ensuring that everyone knows about the BCP and what they need to do to implement it and when
Stage Five- Review and maintenance – ensuring that the BCP continues to be valid and that where changes occur either within or outside the firm, that the BCP is updated accordingly.
Within those five stages are nine steps which you will need to take.
Stage One – Analysis
Stage One involves accepting that the firm needs a BCP, appointing those who are to take the BCP forward, getting buy in from all personnel, and assessing the nature, impact and severity posed by threats to the firm.
Step 1 – appoint a BCP Champion – a person or persons (depending upon the size and complexity of the practice) to be responsible for the process and to drive it through to completion. That person needs to make themselves aware of the needs of business continuity planning so that they can help direct others within the firm. They should also either be a partner or someone else with similar seniority so that they can ensure that everyone within the firm takes the process seriously and contributes accordingly.
Step 2 – consult with relevant staff, partners and managers – this can either be on a one-to-one basis or through a meeting, or meetings, to ascertain what for them would be an event which could affect their work or require steps to be taken. All personnel are going to need to be involved should the plan need to be implemented, so getting their buy in at this stage is a good idea. In addition, it will ensure that those analysing the likely events against which contingencies need to be made are fully aware of the factors in all parts of the firm. If need be, a team can be appointed from within the process to help take the BCP forward
Step 3 – carry out a risk assessment – based upon the results of the consultation and upon the analysis of those involved in creating the BCP. This will involve:
- identifying the range of potential threats the firm faces;
- analysing their potential impact on the business;
- assessing the likelihood of each threat occurring.
In other words, the firm will need to:
- create a list of all of the matters which could present a risk, e.g. flooding, fire, power outages, illness/death of key staff, vandalism, theft, terrorist activity etc.;
- consider the extent to which the firm will lose out as a result of each type of unexpected event and how much processes will be interrupted. Included within this is an analysis of whether the damage or loss will get worse the longer the disruption lasts;
- determine the probability of each threat occurring so that the firm can decide which threats to prioritise in the planning process.
Thus, for example, the initial assessment may reveal that a potential threat to the firm is from flooding from a local river. In looking at the extent to which the firm will be affected consideration would be given to the fact that the firm has third floor offices and so would not be affected by flooding to the same extent that a firm with ground floor offices or basement storage would be in that the water would be less likely to cause physical damage to files, equipment, furnishings and decorations. However, if members of the firm were unable to get to the office because the flood waters prevented access to the building, then in the short-term the firm would be equally as affected as the ground floor firm in terms of getting to client files and data. Finally, consideration would have to be given to the likelihood of flooding occurring – has it occurred in the past, has work been undertaken to prevent flooding in the future and so forth.
Stage Two – Solution
Having identified the nature, impact and severity of the threats, Stage Two looks at what the firm will do in order to avoid the threats, minimise their impact and mitigate the losses the firm is likely to suffer.
Step 4 – Develop plans to deal with the various threats that have been identified. This will involve going through each of the identified threats to the firm and devising processes which will deal with those threats.
Bear in mind that the threats may themselves have different levels of severity. Taking the example above, flooding may be slight and may only affect the roads surrounding the office making it difficult for staff to get to the office, they may be severe in the general area of the office affecting the supply of electricity and telephones to the area the office is in or they may be severe in the immediate vicinity of the office causing actual flooding of the premises. Each separate level will require a different level or type of response.
A summary of many of the issues which you should be considering is set out at the end of this section.
Step 5 – write up the plans and ensure that the first steps towards putting in place contingency plans are taken. This may involve, for example:
- systems for backing up IT data – preferably off-site;
- systems for ensuring that work can continue to be undertaken from other sites – use of cloud computing, access to systems via the Internet, etc.;
- having a telephone system which defaults to another number of your main number becomes unobtainable or at least back-up numbers which can be given to clients;
- setting up an emergency web site link where staff can log-in to get updates on emergency situations;
- identifying alternative premises from which work can be undertaken – for example branch offices, homes of partners/directors, short-term accommodation;
- identifying agents who could undertake court appointments if firm unable to attend;
- training staff to be able to take over from other key staff in emergencies;
- keeping duplicates of important documents off-site;
- having a plan for dealing with adverse press coverage – for example if a member of staff is accused/convicted of fraud.
Stage Three – Testing
So far as is possible, going through the plans that have been put in place and making sure that they work before they are rolled out to the firm as a whole.
Step 6 – Testing a business continuity plan. Whilst it can be difficult, time consuming and expensive to simulate potential threats to the firm it is nevertheless an important part of the BCP since it will help show whether you have covered all angles, and whether your plan is achievable.
In addition, it can increase your business and trading partners’ confidence in your business’ ability to recover from disruption and help to raise staff awareness of the plans.
Before you undertake any tests, whether practical or technical, you should have a clear objective as to what you hope to achieve – for example how long it takes to get the IT system up and running again, how easy it is to contact key personnel other than via their office phone or how effectively can staff access data at an alternative site.
Having carried out the test you should decide whether the response which you achieved is satisfactory – for example in terms of the time taken to set up the system or the length of time before a client would be able to get hold of a staff member.
Amongst the outcomes that you will want to test will be:
- the extent to which staff can do their jobs without access to either data or files and at what point the lack of access becomes critical;
- how easy it is to restore data and whether that data is up-to-date. If not, how much is lost and is that loss critical;
- whether any third parties involved have performed adequately;
- how prepared staff were for dealing with the threat and the extent to which they knew what to do – clearly some staff will have to be trained (the next step) before this can be tested;
- how easy it is to notify clients of the problem and the contingency plans put in place.
Stage 4 – Training and documenting
Having ensured that the solutions work in practice, it is essential that the firm documents fully what should be done and by whom in the event of a threat to the firm and that all personnel are trained in their roles and know what to do and in what circumstances.
Step 7 – documenting procedures. It is essential that all of the solutions to dealing with threats to the firm are recorded, documented and, most importantly, made available to those who will need them in a format which they can access wherever they are and whenever the threat arises. Thus it is no use producing a paper only version which staff will keep in their office if the threat arises when staff are elsewhere. Similarly, a plan which is accessible only through the internal network will not be of use if the threat is that the network is no longer available.
For this reason, firms should consider making the BCP available online (suitably passworded of course), that staff know how they can access it and that there is a number they can ring in an emergency to check on any specific aspects of the response to the threat.
Step 8 – training in the procedures. Whilst much of the BCP will be self-evident, there may be aspects which require that the staff be trained in what to do and how to do it. This may include how to access data when they are not in their office, how to set up auxiliary telephone systems or how to respond to contact from the press.
Stage 5 – Review and maintenance
It is essential to ensure that the BCP continues to be valid and that where changes occur either within or outside the firm, that the BCP is updated accordingly in order to accommodate those changes.
Step 9 – ongoing review and update – specific review dates need to be scheduled so that the plan continues to be looked at regularly. Changes in the firm, the way it operates, the areas of work it covers, the number and location of offices and other factors should also prompt an automatic review of the plan.
Contact the Lawyers Defence Group
If you require further information about business continuity planning, or help with implementing a BCP within your practice then the Lawyers Defence Group can assist you.
For further information, or to contact the Lawyers Defence Group about business continuity planning:
- phone on 0333 888 4070
- email on email@example.com
- request a callback using the form in the right hand menu and someone will call you back
- write to Lawyers Defence Group at one of the addresses on our contacts page