Professionals are being cautioned that failure to evidence an up-to-date, testable business continuity plan could land them in hot water with their regulator, writes Veronica Cowan, but to what extent should a company heed these stark warnings?
Businesses making a New Year's resolution to invest in business continuity planning could find themselves bewitched, bothered and bewildered by the sheer number of organisations offering 'solutions' to all manner of catastrophes that could potentially befall them. This is no sweeping statement - an internet search litmus test for the words 'business continuity solutions' returns page after page of firms touting for customers.
Yet despite BCP being such a buzz word and popular consultancy offering at the moment, the proportion of companies putting it high on their corporate agenda has fallen. This is a worrying trend and counter-productive in terms of building business resilience as it could mean some organisations that should be taking action are not. According to a survey last year by the Chartered Management Institute, only 40% of companies polled had continuity plans in place, down from 46% in 2005, with some firms continuing to view it exclusively as an IT-related discipline. Keith Tilley, managing director UK for Sungard Availability Services, warns: "Our message is stark: get serious about business continuity or jeopardise the future of the entire organisation."
Perhaps companies are suffering from the BC equivalent of compassion fatigue - symptoms include weariness and glazed eyes caused by repeated images of floods, fires and computers on the blink. But regulated professionals are now being warned that failure to demonstrate an up-to-date, testable BCP could land them in hot water.
Insurance brokers, for example, must be able to demonstrate an effective plan to the Financial Services Authority as part of their authorised status. And commentators are increasingly warning that directors, business owners or partners who fail to take action on BC risk accusations of dereliction of duty and, therefore, potential litigation.
But how real is this threat? Has there been any evidence of regulators cracking down and enforcing their rules on BC when they uncover non-compliance? And if a broker failed to recommend effective BCP to their clients, could they really face a professional indemnity claim if the client suffered an uninsured loss because a business interruption policy was void for want of such a plan?
Like brokers, solicitors are also now subject to a regulatory rule surrounding BCP (see box, below) but has this hit home yet? Frank Maher, a partner with Legal Risk, observes: "There are 9000 law firms, and they don't tend to have many fires." So how should solicitors comply with rule 5 of the Solicitors' Code of Conduct? "It's horses for courses," says Mr Maher. "Big firms with FSA-registered clients will require their lawyers to comply in line with their own regulatory requirements, but for a one-man band a more proportionate approach is needed."
Sue Maudsley, also a partner with Legal Risk, notes that the code only came into force on 1 July 2007, and that its predecessor applied to sole practitioners. She also says that fairly simple precautions could be used. "Some law firms still keep a paper diary and have no back-up files and, while larger firms can plug in anywhere, smaller ones could have reciprocal arrangements with a firm down the road."
Proportionality is what this is about. Jeffrey Negus, a spokesman for the Solicitors Regulation Authority, tries to put this rule into perspective: "We would not expect solicitors to go to unreasonable lengths to comply. The approach is generally to be sensible rather than prescriptive and there is a difference between a one-man firm on the high street and a massive firm in a skyscraper. It is up to solicitors to use common sense."
He explains the BC requirement is partly directed at stopping solicitors going away on holiday, for example, and leaving clients with no means of contact and advice, which some have done in the past. It is early days but Mr Negus is not aware of any solicitors falling foul of the new rule.
However, Sandra Neilson-Moore, head of the European law firm practice at Marsh, comments regulators are likely to enforce rules about issues of which consumers have complained, "so if lack of business continuity planning is causing problems for consumers, the regulator will enforce it".
As far as brokers are concerned they potentially face a double-edged sword: their own failure to have a plan as a regulated firm, and their failure to properly advise clients about their own requirements. However, Ian Mason, head of the financial services regulatory team at Barlow Lyde and Gilbert, is sceptical about the second claim, noting that - in regulatory terms - brokers' duties relate to their own business practices, and not those of others. Furthermore, although firms can use BC planners and the like to assist them, the compliance duty cannot be delegated and remains with the principal.
Given the importance to the economy of the financial services sector, it is hardly surprising that the FSA requires authorised firms to have "appropriate arrangements" to ensure they can meet regulatory obligations (see box, below), and no regulator will make itself a hostage to fortune by stating in advance that it would or would not take action in the event of a given breach. Clues have to be gleaned from guidance and public statements. Clive Briault, former director of prudential standards at the FSA (now retail managing director), said in 2003: "Our policy on business continuity is designed to be flexible and to be interpreted in accordance with the nature, scale and complexity of a firm's activities."
That was more than four years ago and things can change, but Robin Gordon-Walker, who has served as a spokesman for the FSA since January 1999, has no recollection of enforcement action being taken by the regulator in relation to lack of BCP. This accords with Mr Mason's recollection, although he says: "Bigger firms, with the greater risk of bomb or fire threats would all have a disaster recovery site," and, on a compliance visit, the regulator would ask even a small broker about its plan and facility to back-up records. He insists the rule is being enforced.
As to the legal status of the rulebook, Mr Gordon-Walker explains that the Financial Services and Markets Act 2000, from which the FSA derives its powers, is an enabling Act, which empowers it to make rules binding on those it authorises. "These rules do not have the status of statutory instruments", he says, "but are passed by the board, and firms have to comply." Some duties around BCP are set out in statute. One is the Civil Contingencies Act 2004, which requires category one organisations, such as county councils, to have plans to show how they will continue to deliver critical services during an emergency, and all local authorities must provide general advice and assistance to the business and voluntary sector at large. But some commentators claim that the Companies Act 2006 could also have an impact on this area of business.
Tony Gimble, managing director of Crisis Survivor, a new entrant in this arena, notes that the 2006 Act puts emphasis on the duty of directors to promote a company's success, in terms of a long-term increase in value. He extrapolates from this that failing to put measures in place to help a company survive a serious disruption or disaster could call into question directors' observance of their duty of care under the Act.
Effect on directors
Perhaps it could, but as Simon Graham, a solicitor specialising in corporate governance at Wragge and Co, points out, the Companies Act has not altered the duty on directors - it has merely codified the existing law. He agrees that safeguarding shareholders' assets is part and parcel of a director's duty, and that appropriate systems and other measures need to be considered.
"What is appropriate will depend on a range of factors, including the size and type of company, the nature of its business and the resources available to it," he says. While the duty will be higher on those who bring a special skill to the board, such as an IT director, "that is a million miles from saying that if a company should suffer a loss for whatever reason its directors will have to pay compensation for breach of duty and/or face being disqualified".
Mr Graham adds: "Courts do not rush to second-guess good faith decisions made by directors - in fact, to the contrary. Claims against directors are rare, and the government's own spokesmen say that may well continue after the codification of directors' duties (and derivative claims for that matter)." Moreover, commercial misjudgement, he notes, is no ground for disqualification. Something more is required. He also notes that the essential part of the company's annual business review of risks and uncertainties was existing law before 1 October 2007, when the new 2006 Act was implemented.
One area of concern is whether insurers would rely on a failure to comply with a BC rule to evade liability or decline to insure a firm that could not show they had a plan in place.
Mr Maher does not think professional indemnity providers would refuse to insure law firms who failed to maintain BC plans, although he considers that breach of rule 5 could be of evidential value in a lawsuit, as demonstrating a failure to comply with good practice. Ms Neilson-Moore observes that a claim could not be avoided because someone has not complied with a regulatory rule - unless there is a material non-disclosure about compliance or the insurer successfully asserts that the person knew they had not complied and failed to disclose it as a material fact.
If the insurer specifically excluded it, she adds, and the rule was breached, there would need to be a link between breach and loss. She reports that business interruption insurers are already asking whether such plans are in place, and that the level of detail required will vary according to the type and size of risk. That is hardly surprising, given that policies cover loss of profits, and lack of a plan could lengthen the time they have to pay out.
But surely different dynamics are present with PI insurance, given that one of the risks insured against could be a claim in relation to damage to, or loss of, a client's documents, and professional negligence. A comprehensive plan could reduce some of the risks, but would its existence be reflected in reduced premiums, policyholders might reasonably ask?
Mr Gimble concedes: "In the end what we are purveying is common sense", but he insists that, while BCP may be showing signs of decline as a priority at the top end of the market, it is flourishing in the small to medium-sized enterprise sector: "They are more interested in it than big plcs." Shaun Kelly, head of business solutions at Crawford and Company, says the last four years have "seen a cementing of the evolution from 'disaster recovery' plans to the more extensive discipline of business continuity management", supported by the publication, in November 2007, of the new BS 25999 standard. "During 2008, a business may choose to seek accreditation by independent subject matter experts that it meets BS 25999, which provides evidence that they have a 'fit for purpose' programme."
Long and short
So will these plans serve a real purpose or just become bits of corporate 'bling'? Ian Hogarth, client development director at Homeserve Emergency Services, comments on the "lack of co-ordination between individual plans" during the floods. "Every business seems to have one but very few are linked to the businesses that need to work together. For example, insurers' plans are rarely linked to those of loss adjusters or building service providers in the event of a major incident. This often results in a fairly uncoordinated response to major events during the first few days until those involved sit down as a group and start making decisions and taking action together."
This begs the question, says Mr Hogarth, as to whether "businesses are genuinely putting together plans which will help to manage a response to a major incident or just as something to show compliance with regulatory obligations?"
Solicitors' Code of Conduct 2007, Rule 5: A principal in a firm, a director of a company or a member of an LLP, which is a recognised body, must make arrangements for the effective management of the firm, and in particular provide for the continuation of the practice of the firm in the event of absences and emergencies, with the minimum interruption to clients' business; and the management of risk.
Financial Services Authority's Systems and Controls Handbook 3.2.19G: A firm should have in place appropriate arrangements to ensure it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly tested to ensure their effectiveness.