Article | Risk Management Matters – Legal PI

Did your Business Continuity Plan work during the pandemic? What will you do next?


By John Hosie | August 11, 2020

At the start of 2020 every firm would have had in place a risk register and a Business Continuity Plan (BCP) of some description.

Typically a BCP would have set out how the firm could continue trading if a supplier was unavailable, key staff were absent, the IT systems were down for a short period, or the office suffered a flood or fire. It was almost inconceivable that a global pandemic would leave offices inaccessible for three months, key suppliers in some cases unable to trade, new IT solutions to be adopted en masse, and key policies and procedures to be changed to meet an ever-changing situation, all at very short notice.

Even for firms that already encouraged home working, the sudden need for all staff to work remotely, with no access to offices, was unprecedented and put considerable strain on IT resources. In the rush to keep businesses going, proper consideration of the risks, and of the actions needed to mitigate them, was sometimes bypassed; for many firms it simply had to be, or the business would have ceased to operate.

Virtual conferencing software became essential, staff were suddenly working from home with little or no oversight, and established policies and procedures had to be adapted and changed. Operational resilience rather than cyber risk became the focus.

Inevitably, legislative and regulatory requirements may have been overlooked or flexed slightly during this period. The Solicitors Regulation Authority (SRA)1 has committed to a proportionate approach to enforcement, and the Information Commissioner's Office (ICO)2 has committed to taking the current circumstances into account in how it exercises its enforcement powers; both regulators have issued guidance designed to help firms3.

That said, the legislative and regulatory requirements themselves have not changed. Specifically, the ICO has stated that the 72-hour window in which you are required to report a personal data breach still applies, although the regulator will take ‘an appropriately empathetic and proportionate approach’4. Under the UK GDPR that window runs from the point at which the firm becomes aware of the breach, not from when the breach occurred, so a remote-working incident that was only noticed weeks later still has to be assessed and, where reportable, notified promptly.

Equally, a regulator may conclude that the firm had weak policies and procedures in place both before and during the lockdown, or that weak controls would have led to the breach irrespective of the lockdown.

Back to normal?

As we now start to return to established working practices, or commit to new longer-term methods of working, careful consideration needs to be given to the last few months: specifically, which areas were particularly challenging and what action is now required.

Some of the areas that may need to be considered include:

IT systems
A review of both the security and usability of the IT systems would be appropriate. Were the systems robust and secure? Were there any security breaches? Were staff able to work remotely, and do so efficiently, with minimal disruption to client service? Do staff understand the increased risks of working remotely, including the distractions on their time and focus?

If IT systems are overly restrictive, staff will find ways around those restrictions, and those workarounds may in turn compromise your IT security: forwarding documents to a personal email account, for example, moves client data outside the firm's systems, where the firm's access controls, logging and retention no longer apply.

Data protection and client confidentiality

Has client data been compromised through working from home? Are your employees' working environments conducive to the confidential nature of legal services, and if not, can they be improved?

Equally, if data has been compromised then consideration should be given to whether the matter requires reporting to the ICO. Firms are advised to maintain detailed records of any decisions in this respect, including decisions not to report, as they may be required in the future; the UK GDPR requires a controller to document every personal data breach, its effects and the remedial action taken, whether or not it was notified.

Regulatory requirements

Specifically, were you still able to manage the client account as required? Were reconciliations undertaken and performed as stipulated? Were any unreconciled items or other anomalies identified and resolved, or is further work now required in this area? Will your accountant be able to undertake and deliver the accountant's report within the required timescale?

In relation to Anti-Money Laundering (AML) checks and client due diligence, the lockdown may just have been the catalyst for change within the profession. Many firms had no choice but to consider digital ID checks and alternative means of verifying their clients. If so, consideration needs to be given to whether this has improved your ability to spot fraud and/or money laundering. Equally, any change in your approach to satisfying client due diligence procedures needs to be clearly documented, and the change reflected in your firm-wide risk assessment.

Policies and procedures

As with any changes to your money laundering policies, you also need to ensure that any changes to other parts of your policies and procedures are clearly documented, even if they have since reverted to the previous approach.

Documenting when changes were made and why will assist with addressing any regulatory enquiries at a later date.

It is also worth considering how accessible your policies and procedures were to staff when working remotely: did they have full access to them? If not, the risk is that staff will improvise their own approach, which may bypass the controls and checks required.

Equally, an opportunity exists here to consider whether any changed or adapted approach improves upon the previous procedure. Discussions with staff members on why they took a different approach might just reveal more efficient and appropriate working practices.

Complaints
During the lockdown period it is perhaps easy for staff to overlook, or fail to identify, complaints, or for complaints to have been sent to a furloughed staff member's inbox, or to an inbox that has not been managed as rigorously as before.

The Legal Ombudsman has publicly stated that it will be as ‘flexible as possible’ during this period5. However, as with the regulators, the boundaries of that pragmatism may flex over time.

Supervision and audit

Just as IT security may have been overlooked as operational resilience took precedence, for many firms supervision and audit may also have taken a less prominent role.

As with all the other areas discussed, it would be pragmatic to document why the pause took place and how you now plan to audit going forward: for example, will you be looking to catch up on any backlog, or focusing on high-risk areas and ensuring that critical dates are not being missed?

Training
Requirements around staff training and CPD have not changed. It should be particularly noted that the Legal Sector Affinity Group guidance suggests that AML training would preferably take place every two years6.

Training may have been paused while other areas took precedence, but at some point it will need to be reconsidered.


The effect of the lockdown is perhaps not yet fully realised, as we are only just starting to see firms returning to workplaces. Some firms may take the view that they no longer need the real estate and office premises they previously occupied, and that remote working is better for them and for their staff.

It is also possible that a second wave of the virus in the UK may prompt a further lockdown period. It is therefore important that firms consider what went well, and what needs to be adapted, to be better prepared in the future.







6 Section 3.7.3 of the Guidance,


Lead Associate - Finex PI UK Legal Services

