 Finance and risk management in the legal profession

Feature

posted 30 Apr 2008 in Volume 2 Issue 4

When disaster strikes

Since 1 July 2007, the new Solicitors' Code of Conduct has required all law firms in England and Wales to implement business-continuity management. Allen & Overy's business-continuity plan is now an important mechanism for handling a whole variety of potential business crises or interruptions.

By Clive Restall

Originally, business-continuity-plan invocations were the preserve of the major incidents – fires, terrorist incidents, floods etc. Nowadays, the business continuity plan (BCP) is seen as a vehicle to assist management in their response to a broad range of incidents and problems. The majority of large organisations are affected by incidents and interruptions that require the implementation of a BCP.  Each incident requires action of some sort from senior management, and the BCP is seen as the most appropriate vehicle for effecting a response. Like all business-continuity professionals, I have recorded a number of incidents throughout my career. At Allen & Overy LLP (A&O) we have had to respond to floods in Prague, the New York and Rome power failures, the bombings in Madrid and London, SARS and submarine cable damage during an earthquake near Taiwan.
Business continuity management (BCM) has therefore evolved into a proactive mechanism for senior management to use as a tool to address all manner of interruptions, crises, problems and irritations.

The drive for business-continuity management
BCM is a comprehensive programme that includes risk assessment, risk improvement and the provision of a fully documented BCP that is properly resourced and tested.
BCM is a vital element of a business’s defences. It aims to address the safety and security of staff, protection of assets (tangible and intangible), maintenance of critical business operations and the protection of reputation. It is arguably more important than insurance. An insurance portfolio provides only financial recompense for the loss of (mainly) tangible assets. Following a serious event, it will do little or nothing to maintain the business, client confidence or long-term fee-earning potential. Few organisations will entertain going without insurance, yet many still operate without BCM.
Many clients will regard BCM as a necessary component of an organisation’s protection. In the UK, the Financial Services Authority requires financial organisations to verify the recoverability of their critical suppliers and a law firm could be classified as a critical supplier by many such institutions. Certainly, questions are being asked more regularly about BCM in business tenders.
From 1 July 2007, Rule 5.01 of the new Solicitors’ Code of Conduct requires all law firms in England and Wales to have BCM in place.
Disasters or disruptions can result from many causes including fire, explosion, flood, police cordon, health risks (for example, legionella), technical failures, loss of power, sabotage and supplier failure. An inability to recover effectively from such events can impact on fee income, client work and reputation. Where reputation is affected, there can be a long-term impact on earnings. Even minor interruptions can have serious consequences for the business.
Incidents of a purely reputational nature can have a devastating effect and can arise from professional error, non-compliance and misconduct. BCM must have the ability to respond to all forms of crisis. Many business-continuity practitioners will seek to define the implications of disasters or interruptions in terms of loss of income. In my view, it is usually the risk of reputational damage that holds the more compelling argument. Most organisations can afford a short-term reduction in income but they are unlikely to be able to withstand a significant blow to their reputation.
The planning element of BCM provides for effective crisis response and business recovery. The plan incorporates procedures that address escalation, internal and external communications (including media), casualty handling, staff safety and welfare, and the delivery of critical recovery resources identified in the plan.
The plan must be fully resourced to ensure that it is deliverable. Resources include people, the facility to recover critical IT systems, the provision of an alternative work area and off-site ‘disaster packs’ containing critical information and materials. The plan should also be supported by other specific services including telephone call diversion, salvage operations and a recorded message service.
Other essential requirements of BCM include testing, maintenance and review, and awareness training.  I will come back to these later.

Preliminary processes
The first step in the BCM process is to develop a thorough appreciation of the risks to the business. The risk assessment should provide a sound basis for BCM and ensure that the BCP is developed to respond to real exposures. Many risks can be mitigated or even eliminated through risk improvement and good business practice but there will always be an exposure to a residue of risks that can lead to a disaster or some form of interruption. It is for this reason that any business, regardless of the efforts expended on risk improvement, needs a robust, up-to-date and fully tested BCP to protect its stakeholder interests.
Once the risks have been identified, it is necessary to determine how they could affect the business. This is the Business Impact Analysis (BIA) stage of the process. Once the impacts are understood, it is necessary to assess what the business would need in order to effect the reinstatement of critical processes. The analysis leads to the development of a recovery strategy, and the identification of information and resource requirements. These elements are established through the BIA and form the basis for the development of the plan.

Scope
The plan should address the processes of both crisis management and business recovery.
For the business-recovery element, I would suggest that BCM has developed to a position where we should no longer restrict our efforts to business critical processes. Management will expect to get back to normal as soon as possible after an interruption, where ‘normal’ means fully functional. Certainly, it remains essential to prioritise the recovery but there are now very few functions (front line or support) that can be ignored in the development of a recovery plan.
IT applications have to be regarded similarly. Previously, we could have identified a handful of IT systems that were required to be guaranteed recoverable within a stated timescale. Often, other less critical applications were not afforded the luxury of a formal IT disaster-recovery plan. They may have been ignored as non-critical or regarded as recoverable on a ‘best endeavours basis’. Either way, there was no formal recovery plan.
In recent years, there has been a significant increase in the number of supporting (on the face of it, perhaps less important) IT applications. Most, if not all, business processes are now supported by myriad systems that simply enable employees to do their job effectively and efficiently. Take these away and people cannot function properly. In my view, an organisation needs to have formal plans for the recovery of the majority of its portfolio of IT applications.
A&O’s general recovery strategy goes beyond the recovery of critical business processes, aiming towards getting as many people working as normally as possible in the shortest timeframe. 

The importance of communications
Following a major event or business interruption, a rapid and effective system of communication is an essential part of the recovery process. Information has to be disseminated speedily to all those who need it. The process has to be managed centrally in order to control the flow of information and ensure its accuracy, consistency and quality of presentation. Poor information handling is a common failing during crisis response and can easily damage reputation and exacerbate the impact of an incident. 
Following an incident an immediate requirement would be to mobilise the crisis-management team (CMT). Attention would then turn to the need to contact staff, clients, suppliers and external agencies committed to providing support. The plan should contain comprehensive contact information so that these groups can be reached. An early information bulletin should be made available providing an outline of what has happened.
Where there are casualties, the dissemination of information should be handled with great care and sensitivity.
A staff cascade list or call tree, contained within the plan, will enable staff to be contacted in order to inform them of an incident that may affect their attendance at work the next day or to advise them where they should report to work. A recorded message facility can be of enormous value as a tool for keeping staff informed.

Responding to the media during and after a crisis
The press will be seeking information upon the occurrence of a newsworthy event and organisations will often be ill-prepared – particularly when the central management team's attention is diverted towards other key issues such as dealing with casualties and business recovery. The reputation and public perception of an organisation are seriously at risk if the handling and control of information to the media is conducted badly.
It is important for the spokesperson to be trained in dealing with the press in crisis situations. The ‘rules of engagement’ during crisis response are significantly different from normal press handling (for example, public relations). Appropriate training is available from specialists in this area.

People issues
Business continuity practitioners recognise, quite rightly, that the safety, security and welfare of people are the key priorities in any plan invocation. But, in reality, these priorities may not always be given adequate prominence within BCPs. It is essential that plans should have clear and established procedures that give due emphasis to this aspect of crisis response.

The drive for resilience
No matter how resilient an organisation is, business continuity remains an essential means of protection against residual risks and those risks that cannot be avoided. Nonetheless, any strongly managed business will strive continually for improved resilience. Some of the resilience measures that we have developed at Allen & Overy over recent years are described below.

Geographical resilience
We have extended the geographical spread of our London based operations. We have transferred our primary data centre to a location well outside London and established a regular tape backup to three remote sites.

Virtual file
All critical documents are scanned to a virtual file. This makes our record keeping more resilient, which is a major benefit in itself. But there is another significant advantage. During disaster recovery, we would have our people working across a range of locations. The virtual file enables everyone with security permission to access the same set of documents. This avoids the problems of hard copy mail: who should receive a particular document; should it be copied to a number of recipients; who is involved on a particular legal matter?

Remote working
Home or remote working is often seen as a panacea for recovery by the uninitiated and as a red herring by the BCM fraternity. I agree that, unless someone uses home working regularly during ‘business as usual’, reliance on it should be treated with utmost caution.
Within A&O, our remote working capability is well advanced. Our people, armed with ‘Secure ID’ tokens, can access core applications from their home PCs. This practice is firmly established and many staff use this facility on a regular basis. As such, it is justifiably recognised as a significant adjunct to our BCM resources. The capacity in terms of simultaneous users is set at a high level to facilitate disaster-recovery requirements. I would advise any organisation relying on a similar recovery provision to check its capacity, because the demands during disaster recovery will be much higher than during business as usual.

Synchronous replication and active/active
We have moved away from the use of tapes as the primary vehicle for data backup. Our core applications are backed up synchronously between our primary and backup data centres. 

Exercising the plan
Once the plan has been issued and recovery provisions made available, it should be exercised or tested. This testing may involve:

  • Desktop exercises for the crisis-management teams;
  • Business-recovery desktop exercises for each operational department;
  • Tests of the work-area recovery site;
  • IT disaster recovery;
  • Telephone divert;
  • Cascade exercises;
  • Specialist training – media handling;
  • Training of switchboard operators on kit at the work area site;
  • Training of HR staff and first aiders in providing emotional support to staff during and after a crisis.

All forms of tests should be repeated at regular intervals with a progressive increase in the demands of the tests.

Maintenance and review
Plans become out of date very quickly. Information such as personal contact details changes constantly. It is imperative that the plan is subjected to regular review. Names and personal contact information should be updated monthly. A more in-depth review should be performed every three months. This quarterly review should not be confined to the detail within the plan. It should extend to a reappraisal of the recovery strategy and the necessary resources that underlie the plan.

Creating awareness
Everyone with a direct connection to the business should know that there is a BCP in place and be aware of their responsibilities in the event of a crisis or disaster. Once the plan is in place, it will be necessary to advise staff of the broad objectives of the plan and what they should do following an interruption event. An awareness programme should be implemented.
The existence of robust recovery arrangements may be considered to be a competitive advantage that could be exploited. As a result, reference to the continuity plan in business prospectuses could be an important element in building client confidence.

Clive Restall is global business continuity manager at Allen & Overy LLP. He can be contacted at clive.restall@allenovery.com
