Feature
posted 12 Aug 2009 in Volume 3 Issue 6
Business continuity management – necessary evil or real benefit?
Implementing business continuity management
Many organisations think of business continuity management (BCM) as a necessary evil required by regulators and clients seeking assurances that they will continue to receive the service levels they have come to need and expect, regardless of any incidents or disruptions that might get in the way. The reality for the many law firms embracing BCM is that it brings about benefits and improvements, regardless of whether or not they experience a major incident.
This article explains the key fundamentals of BCM, highlights some of its benefits and serves to identify some of what is needed to satisfy the requirements of:
- The ‘Business continuity practice note’ issued by the Law Society on 29 January 2009;
- Rule 5.01(1)(k) and (l) of the Solicitors’ Code of Conduct 2007, now in force; and,
- The Law Society’s Lexcel v4 Practice Management Standard, launched on 23 October 2007.
So what is BCM?
BCM can be defined as ‘managing the risk of an incident preventing the organisation from achieving its operational objectives’.
It is a management process that sits extremely well within a management systems framework, alongside quality management and so on. The requirements for establishing a BCM system are set out in BS 25999-2:2007 – the fastest selling standard of all time published by BSI, the
The standard acts as a reference point for explaining all the necessary components of an effective management system that delivers and continually improves business continuity.
Achieving operational objectives
The BCM definition above refers to the achievement of operational objectives, which is the real pointer for getting BCM to work for you. If BCM is really going to be of benefit, it must be based around the firm’s operational objectives. Those who participate must understand them, or at least be pushed into considering them, when it comes to choosing which of the firm’s activities to plan for.
In a well-run firm, all activities undertaken contribute to the achievement of operational objectives. So should the firm put plans in place to ensure the continuity of all activities? The answer is most definitely ‘no’!
Organisations that try to plan for everything end up with nothing, having spent a great deal of time and expense in the effort. It is vital to have a clear focus on those activities which, if stopped, would have the most devastating consequences. Firms should, therefore, have a clear understanding of the impacts if a particular activity were to be stopped for increasing periods of time.
The impacts to be measured are best identified by consideration of what would get in the way of achieving the firm’s objectives and might typically include the following:
- Poor client service;
- Falling foul of the regulators;
- Upsetting staff;
- Not paying suppliers;
- Not managing cashflow;
- Not collecting from clients;
- Incurring penalties and fines; and,
- Insufficient attention to health and safety issues.
The BCM life cycle
Section 4 of BS 25999-2 sets out the key stages of implementing and operating the BCM system.
Understanding the organisation
Having considered the impacts that would prevent the firm achieving its objectives, the firm must then determine what might give rise to those impacts. This leads me to what I believe is the most important, most misunderstood, most under-valued and most maligned part of BCM – namely the business impact analysis (BIA). In essence, the BIA tells you which activities you need to focus on and which you can do without in the short-term. When conducted properly, the BIA achieves agreement, or at least consensus, as to how long it would be before stopping an activity caused unacceptable levels of impact across all the categories considered.
In essence, you must identify the activities to which you must give urgent attention following an incident in order to avoid these untenable levels of impact.
The BIA is part of the phase in the BCM lifecycle labelled ‘Understanding the organisation’. For many years, I have been concerned about this phrase, which, I am reliably informed, was coined in the early 1990s by Ray Powell FBCI. I have always thought it rather patronising for business continuity specialists to suggest, as an opening bid, that top management does not understand the organisation.
What I now realise is that it means ‘creating a common level of understanding among all those who participate proactively in BCM’.
One of the real benefits of BCM is raising the level of understanding of its many contributors, because it provides the opportunity for some really creative thinking and new ideas for improving the way in which the firm’s business is conducted.
As well as identifying so-called ‘critical’ activities on which to focus, the BIA unearths other essential information about activities, including:
- Each activity’s recovery time objective (the time within which the activity must be recovered);
- Dependencies on other activities, key personnel, resources and third parties; and,
- Innovative and imaginative ways of carrying on important activities in the absence of normal facilities such as computer systems and applications.
The BIA should capture financial information (for example, revenue losses and additional costs), but will not give you definitive financial losses that an incident would cause. However, it does provide some sensible and justifiable estimates that can influence management decision-making.
Most importantly, the BIA promotes consensus on the relative priority of each activity, which is what counts. It’s very much like time. When someone says they don’t have the time to do something (BCM, for example), it’s not really true, because we all have the same amount of time available. It’s how we allocate our time that dictates what gets done and what gets put aside. When implementing BCM, and following an incident that disrupts all activities, it is vital to put aside activities that, in the short-term, are not important, so that you can devote your full attention to those that are.
The role of risk assessment
Many publications, including the Lexcel Standard (v4), appear to place risk assessment (the evaluation of potential threats, impacts and likelihood) as the platform for undertaking BCM. Such an approach often results in BCM only addressing anticipated threats based on the likelihood of their occurrence. The beauty of basing BCM on the BIA is that it enables you to come up with BCM arrangements that will deal with ‘unexpected’ as well as ‘expected’ events.
The old adage that ‘prevention is better than cure’ applies equally to BCM, so it is undoubtedly a good idea to carry out a risk assessment in relation to critical activities and anything that supports them. This should identify preventive and mitigating action that can be taken to limit the impacts.
Continuing the BCM lifecycle
Having identified the firm’s ‘critical’ activities and key information about all activities, attention should now focus on the ‘critical’ activities. BS 25999-2:2007 clearly spells out the purpose of each subsequent stage:
- Determining BCM strategy – ensure that BCM arrangements are identified that will enable the firm to recover its critical activities within their recovery time objectives. The standard does not require it, but some consideration should be given to the feasibility of recovering activities not identified as critical. They will have much longer recovery-time objectives and, in most cases, will not require BCM arrangements and detailed plans to be put in place before the incident occurs;
- Developing and implementing a BCM response – ensure that appropriate plans and arrangements are developed and implemented to manage any incident and continue the firm’s critical activities; and,
- Exercising, maintaining and reviewing – verify the ongoing effectiveness of the firm’s BCM arrangements in order to provide greater assurance that, following an incident, critical activities will be recovered as required.
Typically, the firm’s critical activities account for less than 25 per cent of all activities, so the effort required to achieve all of the above is manageable and, with the knowledge obtained from the BIA, justifiable.
The business continuity plan
In many references to BCM, a lot of emphasis is placed on the business continuity plan (BCP). In many ways, the BCP is the least beneficial outcome from the process. As with producing the ‘annual budget’, many regard participation in the process and overcoming the challenges that it poses as more important than producing the final document. The same is true of BCM. More important than the BCP is the work that has gone into establishing an effective management system, conducting the BIA, investigating and implementing the BCM arrangements, training and education, and ongoing exercising, testing and maintenance.
Lexcel accreditation in the context of BCM
The enactment of the Legal Services Act 2007 may well increase the number of mergers and acquisitions in the legal services sector. The structure and processes that Lexcel requires firms to establish provide an excellent platform for integration between the different firms that have come together. When firms merge, a key issue is to assimilate people and get consistency of service across geographically dispersed sites. Lexcel provides a good operational framework across different levels and topics so that these issues can be addressed effectively. Most importantly, it can help to promote consistency of service to clients.
So does achieving Lexcel accreditation imply anything about the firm’s BCM? In section 2, relating to strategy, the provisions of services and marketing, Lexcel requires practices to have a BCP, which must include:
- An evaluation of potential threats and the likelihood of their impact;
- Ways to reduce, avoid and transfer the risk; and,
- Processes for testing and checking the BCP.
There is also the requirement to conduct an annual review of the BCP.
For the reasons stated above, the emphasis on risk assessment and the BCP leads me to conclude that firms without an effective BCM capability may get away with it. Hopefully, the requirements to test (more commonly referred to as exercise) the BCP will catch a few firms out and push them into doing it properly with all the ensuing benefits.
Even if there were more emphasis on the entire process of BCM, it would be unreasonable to expect an all-embracing standard, such as Lexcel, to go into a lot of detail. This concern applies equally to information security and data protection as well as BCM. Practitioners in those disciplines would undoubtedly share my concerns that firms are not being shown the way to get real benefits from addressing some of the more ‘peripheral’ aspects of running a firm.
In summary
There are clear benefits to tackling BCM in line with the requirements of BS 25999. The benefits go way beyond having a BCP and being prepared to deal with a major incident that disrupts the firm’s activities. Without reference to a specialist standard, such as BS 25999, and an understanding of its underlying key principles, firms are unlikely to experience and reap the full benefits.
Malcolm Cornish is managing director and principal consultant of Recovery Management International. He can be contacted at malcolm@rmi-uk.co.uk