Performing any activity in the business world – from selling lemonade to arguing an appellate case – requires a combination of people, information, technology and workspace. As anyone who has experienced an office evacuation or cyber-attack might attest, meeting obligations with any of these assets unavailable can be challenging, if not impossible.
All organizations, regardless of size and sector, are vulnerable to a wide array of threats. Broadly, these include technological threats, human-caused threats (accidental and intentional) and natural hazards. It is impractical to evaluate every specific threat individually, let alone prepare a defence against each. Approaching this reality through ‘enterprise risk management’ can be characterised as maintaining a layered defence designed to repel or mitigate these threats. Imagine that today, after reading this article, local firefighters direct your law firm to evacuate your building pending a repair to the building’s fire suppression systems. How many of these questions can you answer?
- Which client files must you work on, and which critical business processes must you continue to perform in a timely manner during this interruption? If necessary, could you provide them in a modified way? How do you prioritize one over another?
- Which people, information, technology and workplaces are required to perform these tasks under emergency conditions?
- Could alternative resources be made available, such as alternate office space or staff seconded from less time-sensitive tasks?
- How will employee and partner roles and responsibilities change during a business continuity incident? Who is in charge? Who is authorized to speak with clients? Employees? The media?
The outer layers, physical security and information/IT security, are preventive: they block threats from reaching assets. When a computer hacker is thwarted by strong encryption or a thief is turned away by a security guard, these layers have been successful. Should a threat succeed, emergency procedures minimise the harm it causes, for example by activating a fire suppression system to limit building damage or by isolating a compromised server from the network to contain a cyber-attack.
Business continuity (and recovery) is the final layer and the main topic of this article. It comes into play when, despite the organization’s best efforts, a threat has overcome all mitigating layers and disrupted the firm’s ability to perform its critical processes. Business continuity activities enable an organization to resume these critical processes within a prescribed amount of time and facilitate a broader organizational recovery.
Business continuity is concerned with ensuring that the organization’s critical assets – people, information, technology and workplaces – can be recovered or replaced quickly enough to resume business functions before their interruption causes intolerable harm to the organization or other stakeholders. Such harm might come in the form of lost revenue or damaged reputation.
The first major component of a business continuity program (BCP) is a business impact analysis (BIA). The BIA maps the time-critical activities of an organization and how long each may go unperformed before intolerable harm occurs. It also lists the minimum resources needed to perform each of them in an emergency context.
The second is a business continuity plan, a document which outlines recovery priorities, employee roles and responsibilities and how necessary resources can be made available within a specified period of time.
Once the first plan is written, a functional business continuity program then requires time and effort from employees on an ongoing basis. It is an unfortunate reality that many firms spend a lot of time and money developing a business continuity plan once, only for it to be left on a shelf unmaintained for years. Untested or unmaintained plans provide a false sense of security.
Risk management takes on added importance for big and small law firms in Ontario. The Law Society of Upper Canada sets due diligence obligations for members. This obligation to protect client interests includes protecting privacy and avoiding conflicts of interest, but it also extends to meeting timelines. If a client’s paperwork must be submitted by a certain time or a trial date must be met, that client may be irreparably damaged if their legal counsel is unable to perform this service, even temporarily. It is therefore part of due diligence, and a lawyer’s ethical obligation to their clients, to manage business continuity risk as part of their overall risk management strategy.
All organizations need some form of business continuity program; the level of sophistication will vary with organizational size, complexity and the risk tolerance of management. Large firms are best served by working with a consulting firm or maintaining in-house expertise. The Disaster Recovery Information Exchange is the foremost business continuity professional association in Ontario and has Ottawa, Toronto and Southwest Ontario chapters. Smaller practices could begin by referencing DRI Canada’s Professional Practices for context.
About the Author
Stephen Mehta ABCP, MIPIS, BBA is a Continuity Consultant at Vanguard Emergency Management Consulting.
Contributions from Grace Westcott, BA, LLB, LLM.