1. Introduction
1.1 Who should read this practice note?
Managing partners, practice managers and all staff concerned with the management and day to day operation of practices.
Top of page
1.2 What is the issue?
Solicitors' practices need effective business continuity management (BCM) so they can handle their clients' business if something goes wrong.
This practice note outlines the essentials of BCM for solicitors and contains links to further help.
Top of page
2. What is business continuity management (BCM)?
BCM is not just about IT systems recovery. The British Standard for BCM, BS 25999, describes it as a management process that:
- identifies threats and impacts
- builds the capacity for an effective response
Its objective is to protect:
- stakeholders
- reputation
- brand
- value-creating activities
Top of page
3. Good practice for BCM
Practices should do all of the following:
- allocate overall responsibility for BCM to a partner, or staff members of equivalent seniority
- conduct a risk assessment leading to risk improvement and increased resilience
- create a written business continuity plan fully supported by necessary recovery provisions
- conduct a programme of testing
- implement a process of maintenance
- communicate the BCM plan to staff
The Department for Business, Enterprise and Regulatory Reform provides extensive guidance to assist firms in implementing business continuity management .
Top of page
4. Professional rules and statutory provision
Implementing BCM arrangements will help your practice to comply with the following:
4.1 Rule 5: Business management in England and Wales
Rule 5 deals with:
- the supervision and management of a firm's in-house practice,
- the maintenance of competence
- the internal business arrangements essential for the proper delivery of services to clients
5.01(1)(k) requires provision for 'the continuation of the practice of the firm in the event of temporary absences and emergencies, with the minimum of disruption to clients' business.'
5.01(1)(l) requires provision for 'the management of risk'.
Top of page
4.2 The Data Protection Act 1998 (DPA)
The seventh data protection principle in Schedule 1 of the Data Protection Act 1998 (DPA) requires data controllers to take appropriate technical and organisational measures against:
- unauthorised or unlawful processing of personal data
- accidental loss or destruction of, or damage to, personal data.
Top of page
5. More information
5.1 Status of this practice note
Practice notes are issued by the Law Society as a professional body for the benefit of its members. They represent the Law Society's view of good practice in a particular area. They are not intended to be the only standard, nor do they necessarily provide a defence to complaints of misconduct or of inadequate professional service. Solicitors are not required to follow them.
They do not constitute legal advice and, while care has been taken to ensure that they are accurate, up-to-date and useful, the Law Society will not accept any legal liability in relation to them.
For queries or comments on this practice note contact the Law Society's Practice Advice Service.
Top of page
5.2 Terminology in this practice note
Must - a specific requirement in the Solicitors' Code of Conduct or legislation. You must comply, unless there are specific exemptions or defences provided for in the code of conduct or relevant legislation.
Should - good practice for most situations. If you deviate from this, you must be able to justify why this is appropriate, either for your firm, or in the particular retainer.
May - a non-exhaustive list of options for meeting your obligations. Which option you choose is determined by the risk profile of the individual firm, client or retainer. You must be able to justify why this was an appropriate option to oversight bodies.
Top of page
5.3 Other products
Managing information security within your practice.
5.3.2 Training and events
5.3.3 Law Society publications
Top of page