emailfacebookinstagrammenutwitterweiboyoutube

A new business continuity and risk landscape

Since 2001, in my varied role at the firm, I have helped the partners to manage its risks of compliance and operations. Business continuity is always there at the back of your mind, but Covid-19 has been a game-changer in risk terms.

DAVID DOWNHAM, PRACTICE DIRECTOR|Bowling & Co, Solicitors|

Let’s start with some background on risk management and planning.

Business continuity is a key phrase often quoted whenever a business, large or small, contemplates updating or testing their disaster recovery plan – sometimes referred to as a business continuity plan (BCP). A well structured and detailed BCP will have at its core, robust risk management principles.

However, for a new business, developing a BCP would probably not even be considered a priority by the owner(s), until of course, the business encounters its first unforeseen disaster – the regrets of not creating a BCP will hit home and become a hard lesson to learn.

The usual risk suspects

Most BCP documentation will include the usual types of risk in various scenarios: such as fire, flood, theft, and temporary business disruption situations, like the computer network or telephone system being down. But, as we all know now, as the dawn of the new year of 2020 arrived, a very unusual suspect joined the lineup.

No one saw it coming

What the textbooks, politicians, academics, and global population in general never saw coming, was the Covid-19 pandemic – certainly not in terms of the scale and speed of it spreading, like some unstoppable juggernaut. And I’m certain that almost every BCP, in every business throughout the world, would not have included a risk suspect of a global pandemic. Ten out of ten if your BCP did. Going forward, this particular suspect is going to be a permanent feature of all BCPs.

Covid-19 threat

When the world realised that Covid-19 was a real and a huge threat, not only to human lives but the global economy too, business continuity and risk management took on a whole new priority for risk managers. And the reality finally hit home with the shutting down of almost all businesses globally on an unprecedented scale never seen before. The new buzzword was ‘lockdown’.

Our firm, like many others, had to make the difficult decision to close our office premises, literally overnight, following the government’s lockdown announcement on 23 March 2020. Our senior management team held a conference call that very evening and a small dedicated skeleton task force attended the office the following day to deal with priority tasks. The night before, our HR team contacted all staff to advise them that the office would be closed until further notice and importantly, not to travel to the office. Note: Ensure you always keep personnel records up to date with contact telephone numbers for all staff; an absolute must in the situation we faced.

We now find ourselves all working remotely, attempting to carry on ‘business as usual’, but it feels more like ‘business as unusual’. The key elements for any business to survive in these unusual times is to allow themselves to be adaptive, accept environmental change and use the right communication tools. Technology is at the heart of that.

We had comfort in that we had a BCP in place, containing all the right information, contact numbers, and key suppliers – bank, insurance, utilities, IT, telephones and so on. The scenarios that the BCP did not contain were of course, what to do in a lockdown and how to deal with a global pandemic. These are things we have had to learn to come to terms with. But we kept calm and carried on.

Before we look at how to cope with the Covid-19 lockdown and dealing with the remote working of staff, let’s take a look at the basics below on what a BCP should contain.

What should a typical BCP include?

Your version of a BCP may, of course, be quite different depending on the type, size, and location of your business:

  • Key contacts in business (include at least two telephone numbers for each if possible): include management, accounts, IT, department heads
  • Key responsibilities of each management contact
  • Cascade list – a sequence of who contacts who, in order, depending on the type of incident
  • A priority list of functions and detailed risk assessment – you should document key roles/departments in the firm – for example, accounts and IT network – then for each function. Have risk assess scenarios on how each function would continue to work if the system or premises were not available
  • Risk evaluation – this should be a schedule listing potential scenarios of risks (IT network issue), and risk rating each, showing measures to be taken to manage them
  • Testing record – a schedule of annual tests working on either real or simulated scenarios; keep testing so you know the BCP works when you really need it.

This is part one in a two-part blog covering the changing business continuity and risk landscape. In the next blog I will talk more deeply about specific aspects of a BCP – including, but not limited to, agile working, security and technology.

 

Stay tuned for part two, coming soon!

LPM Conference 2025

The LPM annual conference is the market-leading event for management leaders in SME law firms

SMEs vs Big Law: The tech race

Navigating tech advancements as an SME law firm