
    Business Continuity Policy

This statement covers Business Continuity preparedness and response for the Firm.

1. Scope

Business Continuity for Charles Russell Speechlys covers any type of incident which has the potential to cause significant disruption to the Firm and its ability to operate.  This includes traditional threats, such as building problems and IT failure, and emerging and growing threats, such as terrorism and information security attacks.

2. Principles and Values

  • Standards and associated behaviours for Business Continuity should be based on protecting key resources and services. The top priority will be the safety, security and welfare of staff and other stakeholders affected by a Business Continuity incident.
  • Business Continuity impact during an incident will be measured in terms of:
    • staff and stakeholders (including on-site visitors) – health and welfare; security (physical and cyber);
    • operational/service provision – service levels maintained to an acceptable level;
    • financial stability – critical financial processes maintained, including payroll and supplier payments;
    • regulatory breach – (aim for) zero regulatory breach;
    • reputation protection – effective communication and engagement with all stakeholders, the public, and the media.

3. Business Continuity Governance

The following are in place to manage our Business Continuity response and measure the effectiveness of Business Continuity:

  • Business Continuity Policy Statement (this document);
  • response plans at senior management and operational level, which use traditional bronze, silver, and gold structures;
  • specialist 'expert plans' to support specific scenarios, including technical IT and information security responses;
  • communications plan, covering internal and external audiences (including media);
  • off-site/workplace recovery facility (for building issues);
  • post-incident review process;
  • tracking document – status of all Charles Russell Speechlys Business Continuity plans, including last update and exercise;
  • analysis of specific requirements – for example, critical IT systems;
  • exercise schedule and programme – exercising should take place twice yearly;
  • supplier continuity process (ie, assurance from critical suppliers of their Business Continuity capability).

4. Ownership and Accountability

  • The COO has ultimate responsibility for Business Continuity and OpCom are accountable for the appropriate level of response and resilience.
  • This means ensuring the rules, structures and processes are in place to support a proportionate response and a framework which encourages a 'resilience' approach based on cost-vs-risk-speed.
  • Key roles and responsibilities within Business Continuity and resilience:
    • ownership and accountability – COO and OpCom;
    • governance, programme planning, delivery and facilitation – Sponsor (COO), Programme Lead (Director of ICS) and Business Continuity Partner (Databarracks);
    • strategic impact planning, and directorate response and recovery – senior managers;
    • team level impact planning, and team and individual response – all staff/all levels, led by line managers;
    • operational risk – Business Continuity link – Director of Risk and Business Continuity Partner (Databarracks);
    • expert planning and support – Incident Controllers within IT, Information Security, Facilities, Health and Safety, and Human Resources (HR);
    • communications planning and support – Communications Team;
    • media statements and interviews – COO in the first instance, or a relevant member of the Central Management team*;
    • supplier planning and management – Procurement manager & internal supplier relationship managers;
    • supplier Business Continuity capability and response – all critical suppliers, especially within IT and Facilities.

5. Priorities

  • Firm priorities during an incident will vary according to the nature and timing of an incident.  However, the following are the highest generic priorities for the Firm.  The order of importance will depend on the incident:
    • People - staff duty of care (HR) and stakeholder duty of care;
    • External reputation - internal and external communications processes (including media management);
    • Switchboard/direct lines - telephony and systems;
    • Legal and Enforcement - imminent court cases;
    • Payroll and expenses;
    • Finance/cashiers - cash flow (billing and cash collection) and bank deadlines;
    • IT Service Desk and Support - support for IT failures;
    • Information Security – cyber-attack response.
  • Note: The most critical times of year for Charles Russell Speechlys are financial year-end, January for Tax returns, and calendar year-end for transactional teams.  Priorities during this period may change and will be dictated by the impact on the business at this time.

6. Linked Disciplines

  • Several business disciplines are closely linked to Business Continuity.  For Business Continuity to function effectively, planning and incident response must be a collaborative approach with the following teams:
    • IT Operations and IT Disaster Recovery;
    • Information Security;
    • Facilities/Building Management;
    • Health and Safety;
    • Human Resources;
    • Operational & Legal Risk (legal implications of an incident);
    • Communications;
    • Finance.
  • The success of Business Continuity capability relies on the input and support from others in the Firm, and it is the Programme Lead's responsibility to establish and maintain strong relationships with representatives of the above support teams.

7. Link with the External Professional Bodies

Depending on the nature of the incident, the relevant regulator may need to be informed. This will be decided by the Programme Lead and the Director of Risk.
