The nature of threats to the continuity of business varies according to the regions and countries in which a firm is located.
Before the current coronavirus situation, the threats which most businesses in the UK would likely have planned to defend themselves against were:
- power outages,
- IT outages,
- theft (either from within or from an outsider), and
- the failure of a supplier key to the running of an organisation.
For certain sectors – in particular, the legal and financial sectors and any large organisations handling personally sensitive data – the most likely ongoing threat to business continuity is cybercriminality.
The theft of private personal data and confidential company information from a solicitors’ practice or barristers’ chambers presents severe risks of:
- significant reputational damage in the eyes of clients and
- a large fine from the Information Commissioner’s Office if either your security protocols were not as strong as they should have been or you did not report the incident of data theft in the correct way.
As the ongoing coronavirus crisis has demonstrated, we can’t rule any disaster scenario out completely and the planning we do to ensure business continuity must take account of all potential eventualities and their consequences.
The more significant a business interruption is likely to be, the more robust the plans we must make to recover from it.
What should a business continuity plan for a legal firm include?
Creating organisational resilience
Working out priorities and aims
The goal of any business continuity or crisis management plan is to determine:
- who you need to continue to respond to the situation,
- what each person is responsible for restoring,
- how long the team and its individual members have to restart minimal operations,
- what equipment they need to do this and where they can find that equipment,
- which assets (physical and digital) need protecting from damage or theft,
- where each member of staff needs to be to resume their role and the equipment that they need,
- the most effective means of communication between staff to restart wider operations, and
- how to communicate with stakeholders (customers, suppliers, regulators, third-party bodies coming into contact through the work we do).
Your next priority should be working out the types of crisis which may affect you and the parts of your business which would be affected by such a crisis.
Certain situations will require more detailed planning than others. For every plan you work on, you should carry out risk assessments for every part of your firm whose functions and activities could be affected by a particular incident.
These risk assessments will provide you with insights into:
- the departments and processes within your firm which are more vulnerable than others and
- what you can do legally to mitigate these threats.
Appointment of crisis management team
The crisis management team will normally be drawn from:
- partners within the firm,
- the senior person responsible for IT and in particular the security of the systems and data contained thereon,
- the senior person responsible for finance to ensure incoming cash to the firm, and
- the senior person responsible for communications (specifically, telephones, email, website, and social media), initially between members of staff and later with clients and other stakeholders.
Working out maximum allowable downtime
On each of the plans you draw up, partners and other members of staff with responsibility should know exactly what they are responsible for.
There should be two measurable points of recovery – recovery to a minimal level and recovery to normal levels. You should set a maximum allowable time for each point of recovery for staff to work to.
Recovery to a minimal level means that the basic functions needed to operate the business, and the process to recover and restore all documentation and data which may have been compromised during the incident, are in place.
Recovery to normal levels will depend on just how disruptive the incident has been towards the restoration of normal operations, even if, for a period of time, staff can’t come into their normal work premises to do their jobs.
The coronavirus crisis illustrates starkly the need for flexible and adaptable technology for legal firms to be able to provide normal or near-normal levels of service to clients and other stakeholders.
Documentation and data
Many legal firms have critical documents which have not yet been digitised. As part of the normal running of your business, you will have these documents securely protected against theft and damage. However, if a crisis meant that you and your colleagues cannot work from the office for a prolonged period of time, you may wish to consider scanning and uploading these documents for online retrieval as soon as possible.
Most information held by solicitors’ practices and barristers’ chambers will be digital – held on computers, other devices, and on cloud computing systems. The data held on computers and other devices should be backed up regularly on the cloud in case of damage or in case they are not retrievable in the event of a disaster.
An inability to access all of the data your firm relies on to practise will severely inhibit its ability to provide legal services to your clients. Likewise, if your data is accessible remotely, it must be protected with technology like encryption, meaning that, if a breach of your systems took place when the company was in recovery, the data intercepted would not be readable or usable.
Operating from out-of-office locations and intra-firm communications
For the part of your recovery plan to restore a minimum acceptable level of operations, your crisis management team will need immediate access to the equipment and systems they require to successfully complete their responsibilities.
They will then need to be able to communicate quickly and effectively with other members of staff to provide them with the equipment needed to do their job so that normal or near-normal levels of service can be restored. They will likely need computer equipment and a headset with microphone so that they can take VoIP-based calls.
Informing customers, suppliers, and other organisations
From the point at which the minimum acceptable level of operations is achieved, you should communicate with clients, suppliers, and other organisations that you are experiencing issues and that your target time for the resumption of normal or near-normal service will be as set out in your business continuity plan.
Once at that point, you should send further communication to let customers know how to contact you so that activity can return to the normal expected levels.
Business continuity for legal firms – assistance with technological challenges
As part of our general services to legal firms, we set up (often in conjunction with internal IT teams) the ability to operate away from the office and to access documents. This meets the demand from staff for more flexible working and from clients, many of whom now expect you to visit them at their premises rather than visit you at yours.
We’d be very pleased to be involved in assisting you with your business continuity planning with specific reference to providing your company with the technology and the infrastructure required for your practice to recover as quickly as possible.
To get in touch to discuss remote desktop options and other remote working options, please call Sprout IT today on 020 7036 8530 or email us.