What are the CQS Core Practice Management Standard business continuity requirements?
As per section 1.2 of the CQS Core Practice Management Standards, practices must have a business continuity plan that must include the following four elements:
- An evaluation of potential risks that could lead to business interruption
- Ways to reduce, avoid, and/or transfer the risks
- Key people relevant to the implementation of the plan
- A procedure to test the plan annually
What potential business continuity risks could conveyancers face?
The Law Society’s CQS guidance states that firms must first identify the potential risks that could cause business interruption and evaluate them, recommending that a SWOT or PESTLE analysis can be used for this purpose. The aim is to identify the areas of vulnerability and take steps to mitigate them.
Some of the business continuity risks that conveyancing firms may face are:
- Hacking, cyber attacks, and data theft or loss:
- Loss of communications or facilities (IT, access to the building)
- Loss of key personnel and loss or unavailability of key role holders (MLRO, COLP)
- Physical, geographic, and location risks (flood, fire, adverse weather, terrorist attacks)
- Pandemics
How can conveyancing firms mitigate business continuity risks?
After the evaluation of risks, the business continuity plan must outline ways to reduce, avoid, or transfer these risks. This will ensure that the practice remains operational even during an interruption. Options for mitigating risks include insurance, outsourcing critical functions, and investing in technology and infrastructure. The most suitable option for each conveyancing firm will depend on the type of risks they face and the resources they have available.
Let’s look at each of the risks mentioned above and how you might be able to mitigate those risks.
Hacking, cyber attacks, and data theft or loss
Conveyancing practices store sensitive data such as client information and financial details, but also hold a powerful position with regard to their clients and other stakeholders in a transaction. As such, they must take measures to protect against hacking, cyber-attacks, and theft. Should a firm become victim to an attack, it can be devastating for the firm’s reputation, accreditations and finances, potentially leading to the closure of the business depending on the severity of the attack.
But luckily, there are a number of ways you can mitigate the risk of cyber-crime. First and foremost is cyber security training for all employees. Your employees are often your best defence against cyber criminals, so they need to understand the risks, how to spot red flags and what procedures they need to follow to give themselves the best chance of catching cyber criminals before any damage is caused.
It's also wise to take regular backups of data and invest in cyber security software to help mitigate the risk of data loss or theft. Simple products like Multi-Factor Authentication is a great start, but Microsoft 365 has a plethora of tools available to help prevent cyber attacks before your employees even know about them.
It may also be wise to look into cyber insurance to insure against the risk of an attack. Speak with your broker about the best options for your firm and ensure you understand when an insurer will pay out and what exclusions apply.
Loss of communications or facilities (IT, access to the building)
Conveyancing practices rely on technology and facilities for their operations. They must have contingency plans in place in case of loss of communications or access to their facilities. Options for mitigating this risk include having backup communications equipment, secure remote access capabilities, and alternate facilities for work.
There are a number of decisions you will have to take when considering this risk. First of all is how you’d like your data to be hosted. Will you have everything stored locally, on your business premises, or will you choose a cloud hosting provider? By having a local installation, you may have more control, but you’ll also need to consider whether you have the resource or expertise suitable to handle any potential downtime. This is a worry you won’t have with a third-party cloud provider.
By choosing cloud hosting, you can ensure that people with expertise are on hand 24/7 to manage any disruption to your network, whilst also ensuring updates to your software and security are taken care of proactively. When assessing providers, look at the uptime guarantee that they provide. The minimum standard you should expect is 99.99% uptime.
Loss of key personnel and loss or unavailability of key role holders (MLRO, COLP)
The loss or unavailability of key personnel can disrupt the operations of the conveyancing practice. The business continuity plan must address these issues and include a plan of action in case of such incidents. Proper training of key personnel on their roles and responsibilities, as well as having backup personnel in place.
It may not be practicable in all cases to have backup personnel for key roles such as your MLRO or COLP, in which case it may be prudent to outsource some of your work to cover for this. There are many compliance consultants who can support you with file audits or general advice. Likewise, if you find yourself short in your cashiering, secretarial or reception departments, there are options for outsourcing for all of these, saving you the cost and hassle of hiring new staff or training a temporary worker.
Physical, geographic, and location risks (flood, fire, adverse weather, terrorist attacks)
Conveyancing practices can consider measures like having backup locations, investing in fire suppression systems, and regularly updating emergency evacuation plans.
Where risks like these do occur, having all of your data held in the cloud can prove invaluable. By having data backed up in the cloud, the only issue you’ll face is replacing any damaged hardware, which will hopefully be covered by your buildings and contents insurance policy. You’ll then just need to connect your new hardware to the cloud and install any applications you need. However, if you choose Software-as-a-Service (SaaS) products, this becomes even simpler as there is nothing to download. You simply login online from any device, be it a Windows PC, Mac or Chromebook.
Pandemics
The pandemic in 2020 demonstrated the importance of having a contingency plan in place for UK conveyancing practices. To mitigate the risk of operational disruption during a pandemic, measures such as remote work options, technology infrastructure, and risk management processes should be incorporated into the business continuity plan. Proper training on these measures and regular review and update of the plan can also help ensure smooth continuation of operations.
Similar to the location risks, having SaaS or cloud software can be a lifesaver. During the pandemic, those firms that had decided to move to the cloud were able to pivot instantly and ensured disruption was minimised, at least until the Government all but made the conveyancing process illegal.
This is another risk you need to consider. Should another pandemic make conveyancing impossible as people can no longer move house, how does your business survive? You can ensure you have a contingency fund in place to cover the cost of these periods or you can choose to diversify your business and take on other practice areas, though you must ensure that your firm has the appropriate expertise to carry out any new areas of work.
Key people relevant to the implementation of the plan
The business continuity plan must also identify the key people who will be responsible for implementing the plan. This includes consideration of deputies in case of unavailability of key personnel. Proper training of key personnel on their roles and responsibilities can help mitigate the risk of disruption due to personnel loss or unavailability.
Some of the roles that will likely be involved in this process are the Partners, COLP/COFA/MLRO/MLCO, Practice or Operations Manager, Head of Conveyancing and your IT Manager.
A procedure to test the plan annually
The business continuity plan must include a procedure to test it annually. This will verify the plan's effectiveness in the event of a business interruption. Testing the plan regularly also provides an opportunity for improvement and updates to be made as necessary.
Fail to prepare, prepare to fail
In conclusion, a business continuity plan is crucial for UK conveyancers to ensure they can continue providing their services in the face of potential risks and disruptions. The CQS Core Practice Management Standards and the Law Society Guidance provide a framework for developing a comprehensive plan that addresses potential risks, outlines ways to mitigate them, and includes measures for testing and training personnel. It's important for conveyancing practices to take these requirements seriously and prioritize the development and implementation of a robust business continuity plan to ensure the continued success and stability of their operations.