Here today, gone tomorrow? by Sponsor Aon





Some smaller firms still hold the mistaken belief that business continuity is only relevant when you die. Of course, if you have no succession plan in place, then dying will pose a serious business continuity issue for whoever you have lined up to handle your affairs, but the vast majority of business continuity risks don’t involve death.


Business continuity is defined in ISO 22301:2012 as the “capability of a business to continue delivery of its services at acceptable predefined levels following a disruptive incident”. The standard is very comprehensive; after all, it is recognised in almost every country in the world. Whether it is appropriate for your firm will depend on all the circumstances. What is crucial is that you have a plan so that your practice will survive whatever life throws at it.


Your professional obligations are implied rather than explicit. For example, reading between the lines, Principle 4 requires you to act in the best interests of each client even if the ceilings at your offices have collapsed due to a burst pipe. Principle 5 requires you to provide a proper standard of service to your clients even if the person handling the matter is in hospital recovering from a triple heart by-pass. Principle 6 requires you to maintain the public’s trust even when your systems have been hacked by fraudsters.


More generally, Principle 8 requires you to run your business effectively and in accordance with proper governance and sound financial and risk management principles. If you haven’t implemented a plan that is appropriate to the size and nature of your practice, then it is hard to see how the SRA would think you are compliant.


Some of the Indicative Behaviours (IBs) in the SRA Code of Conduct give a clearer indication of what is required, even though they themselves are not mandatory. For example, if you can identify and monitor business continuity risks including matters such as IT failures and damage to offices, the chances are that you have met your obligations in the Code. Likewise, if you have made arrangements for the continuation of your firm in the event of absences and emergencies with minimum interruption to clients’ business, your practice is probably compliant (see IB 7.3 and IB 7.4).


Before you create a new plan or review an existing plan that is a little long in the tooth, reflect on the risks that would have an adverse impact on your ability to deliver your service. Let’s call this process a business impact risk assessment. It makes sense to start by reviewing your risk register to see whether any of the risks on it threaten your business. The register is likely to include Accounts Rules breaches. If any of them indicate a developing trend, failure to address this could result in intervention, perhaps the most serious business continuity threat to your practice - after death.


Most of the risks you face should be well recognised by your COLP (because he or she should have a good understanding of risk and compliance issues) but, at some stage, it is essential to engage with key individuals in each team, practice area, floor or office to establish whether there are other risks that have been completely overlooked.


A high-profile risk that no firm can afford to ignore is cyber risk. If a firm such as DLA Piper can be targeted, you can be too! As most attacks are automated, don’t assume that being small will make you invisible to fraudsters. Even small firms often hold several million pounds in client account.


Obvious risks will include fire and flood, but don’t forget about threats posed by the weather, at different times of year. A summer thunderstorm which takes out your IT. A flash flood following torrential rain which floods the basement where you archive files and wills. A frozen pipe in the premises two floors above yours which brings the ceiling down over a weekend and shorts out all your power. 


Looking at external factors, consider the sole practitioner who, some years ago, thought it was a good idea to have his office over a bakery. Bread ovens get very hot. One day it got too hot and caught fire. The bakery went up in smoke – and the law firm with it. His practice never recovered. Contrast him with the London firm that, more recently, faced a serious fire caused by an electrical fault. Its business continuity plan worked very well and the firm continued to operate normally.


Other, less tangible business continuity risks might include over-dependence on one or two specialist lawyers or a trophy client that generates 90% of new business. If either decided to move firms, the impact could be devastating.


For each business continuity risk, be clear about the likely impact on the services you provide. When assessing probable impact, think about all your procedures and the people needed to implement them. Then prioritise resources to the most critical ones. Whilst all your procedures are important, some will be more time critical than others. You need your servers backed up and some PCs but does everyone need a laptop? Identify those who can work from home and those who should just be sent home until further notice.


Rebuilding your email, document management, accounts and banking systems is likely to be at the top of your agenda. Do consider, however, whether every aspect of each function is required immediately. Unless money is no object, resist the temptation to say that you need everything back up just as soon as possible. Think instead of timescales such as half a day, a full day, 3 days, a week. What do you absolutely need straight away, as soon as possible? What could you park for a week or longer? Each firm will be different but examples might include client billing, the latest round of file reviews or your bank reconciliation statement (so long as you are still within the 5-week window). You needn’t spend a lot of money on your business recovery as long as you’re realistic about what you need and by when.

When collating all your thoughts into a plan, try to avoid writing a book. Some firms end up with a document that is 30 pages long. Remember that this is something you need ready access to in an emergency, without any advance notice. If the size of the document makes it less portable, it may be next to useless. Your plan should be accessible via the internet, on your phone or perhaps at home, if you live near work.


Aim for practicality, rather than a reference manual. Aim to reduce the plan to one or two pages, which is feasible. Neatly folded, it can be carried in a purse or wallet, and it’ll be with you whenever you need it. If you save it online, you may be able to download it but as you’re likely to be on the phone all day, having a paper document might be easier.


Finally, the acid test. Your plan should be tested at least annually. The testing can be undertaken out of hours, perhaps over a weekend. Another option is to announce a business continuity scenario during a team meeting and see how it plays out.


A law firm is like any other business. To succeed, it needs to be well managed and there is no more crucial time to be in control than when in the middle of a crisis. Crises can occur at any time and, typically, they occur at the least opportune moment. With a well thought out plan, you should be able to weather the storm.


For more information on this article, please contact: Marco D’Ovidio, Associate Director, Aon UK Limited

On 0117 9485116


Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article. This article has been compiled using information available to us up to 19 October 2017.


Devon & Somerset Law Society

Local professional organisation for solicitors in Devon and Somerset providing training, recruitment, social events, mediation, complaints...

Exeter. 1-10 employees

Copyright © 2021 Devon & Somerset Law Society. All Rights Reserved.