Global Law Firm
Our client is a multinational law firm with over 1300 staff working globally from offices in Europe, the US and Asia Pacific regions. This is a multi-practice firm with advisors specialising in all principal areas of law acting for a wide range of clients, including families, businesses and high-net-worth individuals.
Recognising the need to meet client and stakeholder expectations, the firm wished to update its existing business continuity plans to reflect the current organisation, business priorities, global threats and best practice. The goal was to have an integrated incident management and business continuity capability for all locations, business support teams and legal teams.
At the outset, this was a traditional business continuity planning project in which the client would be taken through the BCM lifecycle to achieve an updated global business continuity plan. The project scope allowed for the threats, cultural issues and recovery strategies for all locations to be given due consideration; however, the principal focus was on the business activities undertaken in London and four regional offices in the US and Far East.
Our consultant, David Teed, began the first trips to London to kick off the project and undertake business impact analysis interviews (BIAs) on site. BIAs were scheduled with representatives of the practice divisions, business functions, regional and office managers, either face-to-face or by video conference given the widespread location of individuals. Given the similarities across teams and sites, it was possible to collect information from select managers of each of the areas represented.
Not long into the project, disruptions due to the Covid-19 coronavirus pandemic became a reality in different parts of the world, and it was quickly realised by both client and consultant that a different way of working was needed. The client was already on the alert, having experienced early encounters with the impacts of the coronavirus in Hong Kong, Singapore and northern Italy, where staff were already taking measures such as working from home.
The challenges of this project lay not only in bringing together multiple locations, cultures and activities into one cohesive business continuity plan, but also in understanding and responding to the specific impacts of the pandemic. The swift conversion to working from home at the time of lockdown and the knock-on effects of such a big difference in working practices had to be understood and incorporated into the business continuity planning.
With all meetings now conducted over video links, David’s experience as a seasoned facilitator was invaluable in managing interviewees across locations on screen, whilst obtaining the information needed. The BIAs were carried out during the first weeks of lockdown when the reality of an extremely stressful situation was starting to sink in. A few interviewees questioned whether, as they were already implementing business continuity in real time, it was really necessary to be talking about developing plans now.
It was important to make people aware that loss of resource can be caused by any number of incidents. For example, cyber threats multiplied during lockdown, and for an organisation reliant on IT and on working from home, an extended period of downtime due to a breach would be unacceptable. This was corroborated by BIA interviewees for whom the most significant concerns were:
- An incident that causes an extended unavailability of IT services
- A cyber security incident, particularly one involving a breach of client data
Discussions allowed for the current position to be understood, in particular any gaps between ‘required’ and ‘achievable’.
Teed’s consultant adapted the BIA methodology, incorporating learnings from the pandemic at that point in time. The requirements and recovery times for critical activities and supporting resources (people, premises, technology, information and supplies) were mapped out during the BIA interviews, taking account of feasible contingencies and workarounds for a range of resource-loss scenarios.
The most time-critical activities were identified as being required within four hours of a disruptive incident, including incident response, IT resource recovery, crisis/client communications, priority transactions processing and the management of urgent client issues.
The client had largely adopted agile working prior to the pandemic and this stood it in good stead, allowing it to adapt quickly to working from home. This strategy was proven as a contingency should there be unexpected loss of office. The consultant recommended continuing the current strategy of investing in flexible and resilient technology to ensure the firm is ready and able to respond to many different types of events that could cause office unavailability (e.g. fire/flood, power loss, security/terrorism/protest incident, severe weather, earthquake, pandemic lockdown, etc.).
The business continuity project identified several improvement actions to ensure everything had been done pre-incident to mitigate risks and ensure an effective response and recovery could be managed. The Findings and Recommendations Report provided the necessary direction to allow IT disaster recovery, document management and mass notification projects to be launched.
A virtual tabletop exercise was held to validate the business continuity plan. The exercise was based on a cyber attack scenario, and representatives from across the global regions responded enthusiastically, recognising the value of the project in bringing together scalable response and recovery strategies that would be effective in any number of incidents.
David Teed and the client worked closely together, bringing an extensive project to a successful conclusion in challenging circumstances. The learnings and awareness gained by individuals have increased confidence that the organisation can continue to meet client and stakeholder expectations in the face of adversity.
The consultant continues to assist the client with training and awareness sessions for representatives with response and recovery responsibilities in different parts of the world.
The benefits of proven business continuity planning will be evident in seeking out new opportunities and maintaining existing business through and beyond the pandemic.