A law firm with offices in London and the West Country recently experienced a power blackout at 4pm as a result of a failure at an electrical sub-station. At that very time, the firm was on the brink of closing a film business deal worth close to £20m. Fortunately, the firm was able to implement its contingency plans, work around the blackout and close the deal, even though it was nearly two days before power was restored.

This real-life example demonstrates that disasters can and do happen at the most inconvenient moments. Besides power cuts, there are risks from floods, fraud, hacking, IT failures and terrorist bombs, to name but a few. The impact of such dangers can potentially result in large financial, human and property losses. And with today's complex business environment, both the dangers and impacts are growing daily.

What is important is to determine what can be done to protect business from the worst effects of the risks. This is where 'business continuity' comes to the fore. The term was once used interchangeably with 'disaster recovery', with a focus on helping large legal practices recover data and records. Today, however, the activity is far more all-encompassing, with the aim of protecting a firm's reputation, assets, people and profits from the genuine exposures in their everyday work.

What are the new requirements?

The Solicitors' Code of Conduct 2007 (rule five) is the latest regulatory driver for business continuity management (BCM). There have been others in the past such as the Lexcel Standard 2004 which started to embed BCM into the legal sector.

Financial Services Authority (FSA) regulations and market requirements have all contributed to the growing pressure for change, while the Legal Services Bill may place additional constraints (see chart opposite).

The new Solicitors' Code of Conduct will further embed business continuity in the legal profession. As the Code is mandatory under the rules of the Law Society, it places an obligation – through accreditation – on principals, partners, directors and members to ensure the effective management of firms in relation to absences and emergencies 'with the minimum interruption to clients' business'. It also makes a robust risk-management process a necessity.

All this means firms will need to be able to answer such questions as: how well will the firm cope with the unexpected long-term absence of a principal or fee earner; what will the firm do if it has to evacuate the building during working hours and is not able to return for several days; how will the firm cope with a serious security breach to its IT systems?

But the need for BCM should not be viewed as purely a compliance process. An effective BCM programme can help to resolve a number of key risk issues that are fundamental to law firms of all sizes.

- At the top of the list is reputation. Credibility and reputation are probably the key assets of any law firm and any mishandling of incidents could easily jeopardise these. Conversely, effective and timely management of crises will enhance reputation and build the confidence that clients and partners have; this is the upside of risk management.

- The continuation of business operations and support to key clients is vital. The protection of vital records and the salvage of key documents are essential factors in any disaster.

- Relocation of staff will help to minimise the disruption of services to clients and help maintain staff morale. This is true even if the business is not directly affected by a disaster but the surrounding areas are disrupted.

- As more firms have an international presence, the need to understand risk across borders is important. Hence, plans to reduce the impact of disruption to international business could be a major factor in retaining commercial business and contacts.

How can expectations be met?

The requirements of the new Code of Conduct, coupled with the other pressures, mean law firms are required to have sound risk management and business contingency plans in place to deal with serious business interruptions. Some will have already created such plans but many will not. For a busy firm that is unfamiliar with BCM, developing a programme that meets the requirements of the new Code may represent a real challenge. When formulating a solution, it is important to consider four key steps:

- Business impact analysis. Identify the critical business processes driving the business and analyse the losses expected from an interruption to each one of them. This stage is the most important part of the process as it enables a firm to determine the focus, prioritisation and resources required to survive a disaster. A clear and comprehensive appreciation of the risks facing the business – both now and in the future – is fundamental to a good impact analysis.

- BCM strategy development. Identify the options available to a firm to recover the business, remembering to think 'outside the box', e.g. using manual processes instead of IT. Then develop the chosen recovery strategy for each of the key business processes. The overall strategy will link the recovery activities undertaken in different practices, locations or departments to the common set of objectives defined within the overall BCM policy for the business.

- Plan creation. Plans should be easy to read and to follow rather than long, complicated documents. Plans should follow three distinct phases in order to focus resource on critical activities at the right time.

- Exercising. It is vital that a firm continues to maintain its plan. Regular exercising is one of the most effective ways of both creating awareness of the programme and spotting problems in a real situation. Without testing, failure can be virtually guaranteed.

These steps comply with the new British Standard on BCM (BS25999) which elaborates on the critical processes to follow in the event that an incident should occur.

How can one avoid falling foul of the new code?

BCM does not need to be complicated but some level of preparedness is required and is a key part of prudent business risk management. Implementing BCM in line with the new code can feel like a real challenge, even for larger firms that have a plan. Getting a few fundamental things right can go a long way, so here are some points to consider:

- Have the partners told the business precisely what level of business continuity is expected?

- Has every member of staff been told what BCM is and what to do in the event of a major incident?

- Do department heads know how they will recover the business-critical processes for which they are responsible and how the required services and resources will be provided after a disruption?

- Are critical data and records backed up and protected?

- Do partners have the procedures to follow and all the necessary information to deal with a crisis?

- Are there simple written procedures which, if followed, will protect the staff and assets and allow the business-critical processes to recover quickly?

- Is everyone confident that the plans are current and up-to-date?

This list is not meant to be exhaustive but provides some of the key elements. If in doubt it is wise to ask those with experience in risk management and business continuity to help in formulating or refining the plan. As the risks to business multiply and governance becomes critical – the new Code of Conduct being but one factor – then the room for error is diminishing. No one wants to be held liable for failure.

Robert Hall is a managing consultant in the business continuity management team at Marsh.