Accountants
The Client
A long-established accountancy practice offering end-to-end accountancy services for corporates, own business operators and individuals. Based in the UK with approximately 300 employees and specialists spread across several regional offices.
Internal recognition of the advantages of business continuity and an increasing number of stakeholders requesting evidence of effective business continuity planning, brought the firm to Teed to request help developing their business continuity plan and recovery strategies.
The Challenge
The geographical spread of different practices and specialists highlighted the dependence on centrally managed technology to support critical activities, chief amongst these the time-critical payments that clients and their staff depend upon. In particular increased cybersecurity threats highlighted the importance of ensuring the firm would not be “found wanting” if faced with a major security incident. The potential reputational damage could have significant implications for the firm, therefore threats and risks needed to be fully understood and managed appropriately.
Teed worked with the client to implement a comprehensive business continuity programme defining their strategy to help manage the response to, and consequences of, unexpected adverse situations. The principal deliverable was the business continuity plan detailing the incident management structure, strategies and checklists of actions to deal with a range of scenarios that could imperil the business.
Initially, budget constraints were such that an exercise to validate the plan and recovery strategies was not included in the project. Subsequently, the client recognised the value of making sure the plan worked in practice, engaging Teed to develop and facilitate a tabletop exercise.
The Solution
Teed’s consultant initiated the project with a business impact analysis covering seven support areas and eight accountancy practice areas. Representatives from each office were asked to identify priority activities which, if disrupted, could cause an unacceptable degradation of service. Once priorities were understood, resource requirements, contingencies and workarounds were mapped to ensure critical activities could be managed in a range of scenarios, including the all-important payroll service.
A tabletop exercise was designed and facilitated by Teed’s consultant. 15 people from across the practice who could be involved in a business continuity type situation considered the impacts of three scenarios related to denial of access, cybersecurity and unavailability of people. The exercise succeeded in raising awareness of the importance of business continuity planning and how to use the plan. Out of the exercise, 20 improvement actions were identified for consideration which will increase overall resilience and assurance once fully implemented.
It is worth noting that only one “business continuity threatening” level action was raised: the need to implement a Security Operations Centre (SOC) capability. A SOC team monitors IT environments 24/7 and raises alerts if unusual activity is detected, enabling rapid containment of the potential threat. Given the firm’s dependence on technology for maintaining client services coupled with the confidential nature of information managed, the BC project showed the importance of capturing cyber security intrusions early to minimise impacts and helped to justify the investment in a SOC capability.
The recommended IT disaster recovery (DR) improvement actions identified the activities needed to ensure the firm’s DR capability is wholly effective for both internal IT, and third party managed, solutions.
The Result
The firm is confident that a fully validated business continuity plan is in place providing reassurance to staff and stakeholders alike. Individuals know their responsibilities in adverse situations. The defined roadmap of activity for ongoing maintenance and improvement alongside the business continuity policy will help embed good practice and preparedness moving forward.
Reputation is paramount for professional services firms and if jeopardised, could mean a loss of confidence and market share. Following Teed’s involvement, the partners, directors and management team are comfortable that risks are dealt with appropriately and have been independently verified.