Risk assessment does not need to be complex, and an overly complex approach may actually inhibit planning and adoption. Keep it simple.
- Identify the broad risk scenarios you are trying to mitigate
- Conduct a confidential information impact analysis of those scenarios
- Conduct a business impact analysis of those scenarios
- Identify the service impact of each scenario
- Consider your recovery objectives for each of those services
3.1 Risk Scenarios
Identify the scenarios you are planning to mitigate (and by exclusion, those you are not). When identifying risk scenarios, avoid focusing on highly specific or unlikely events (such as detailed natural disaster scenarios). Instead, the emphasis should be on understanding the operational impact that various disruptions could have on the firm's ability to function.
For example, consider scenarios like loss of access to the office (regardless of the cause), loss of critical equipment or data, or the unavailability of key staff. By concentrating on these broader operational impacts, firms can develop practical and flexible plans that address a wide range of potential threats without becoming bogged down in improbable details.
Some examples:
- Loss of access to the office due to fire, flooding, or severe weather, or anything making it impossible for staff to enter the premises
- Extended power outage that disables computers, phone systems, and access to critical digital resources
- Cyberattack such as ransomware, which encrypts files and prevents access to important client data
- Sudden unavailability of key staff members due to illness, travel disruptions, or personal emergencies
- Major equipment failure, such as a server crash or loss of internet connectivity, halting regular operations
- Loss of confidential information from theft or accidental deletion, impacting the firm’s ability to function securely
3.2 Confidential Information Impact Analysis
For each of the scenarios identified in section 3.1, consider what confidential information (i.e. both client confidential information and PII) may be compromised, and what action (and which corresponding policies and procedures) is required in each scenario. Treat both applicable privacy legislation and law society requirements as minimum standards.
Note the BC & DR planning process does not contemplate all possible scenarios that may impact client confidentiality or expose PII, nor should it specify detailed action plans. These should be maintained separately in more comprehensive policies and procedures focussed on confidential information. The BC & DR plan simply invokes those policies when appropriate.
3.3 Business Impact Analysis
The purpose of business impact analysis is to consider how the firm’s business is affected in each of the risk scenarios identified above. This is a broad assessment of “how likely is it” and “how bad would it be if it happened”.
Assess Probability
For each of the scenarios identified in section 3.1, consider how likely this scenario is to happen. Assess a probability of high, medium or low. Some guidance:
- High: this scenario occurs frequently to comparable firms or businesses, or for whatever reason, is very likely to occur to your firm in the next 2 years.
- Medium: this scenario occurs occasionally to comparable firms or businesses, or for whatever reason, is somewhat likely to occur to your firm in the next 3-5 years.
- Low: this scenario rarely occurs to comparable firms or businesses, or for whatever reason, is not likely to occur to your firm in the next 5-10 years.
Assess Impact
For each of the scenarios identified in section 3.1, consider the ethical, legal, financial, and reputational consequences of extended service outages. Assess an impact of high, medium or low. Some guidance:
- High: you can’t serve clients; you are in violation of your legal or regulatory obligations, e.g. a cyberattack has compromised or encrypted all firm and client data
- Medium: client service is impacted in a way obvious to the client, e.g. access to key information is temporarily unavailable; a transaction closing will need to be postponed
- Low: client service impacted in a way not obvious to the client, e.g. lawyers may need to relocate and work from home; work needs to be completed manually or in a less convenient way
Prioritize
The priority is read from the impact and probability ratings on the following matrix (1 is the highest priority):
| | | Impact | | |
|---|---|---|---|---|
| | | H | M | L |
| Probability | H | 1 | 2 | 3 |
| | M | 2 | 3 | 4 |
| | L | 3 | 4 | 5 |
Prioritize your planning accordingly. Events with the highest priority should be planned first, and in greater detail.
3.4 Service Impact
For each risk scenario you identify, list what critical services you expect to be temporarily unavailable or permanently lost when that scenario happens.
Some examples:
- Office space
- Cloud services
- Client communications
- Calendaring and docketing
- E-filing capabilities
- Time entry and billing
- Trust accounting
Think about broad services, not specific technologies. For example, email is the service that matters, not Outlook or Microsoft 365. Think also about historical data vs current capabilities. For example, does the scenario impact historical email, or the ability to send and receive email right now, or both?
3.5 Recovery Objectives
For each of the services you identify, set targets to restore normal operations that reflect client service needs as well as budget.
- RTO (Recovery Time Objective): how long it takes to restore service
- RPO (Recovery Point Objective): how much data is lost, measured in time
For example, an RTO of 4 hours and an RPO of 12 hours would mean:
- If a service became unavailable at 10:00 AM on Wed,
- the target time to have that service available would be 2:00 PM on Wed, and
- the data would be as it was at 10:00 PM Tue
These concepts are intended to apply to digital services which can be restored from backup, as opposed to restoration from physical disaster scenarios. Practicality is required here. While modern technology can provide very low RTO and RPO, the cost of doing so rises exponentially as those objectives approach zero.
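As an added example (not part of the original document), the following Python script keeps a small risk register that applies the priority matrix from section 3.3, records the critical services from section 3.4, and works through the RTO/RPO arithmetic from section 3.5. The scenario names, affected services, objective values and the outage date are constructed for illustration; only the matrix values and the 4-hour/12-hour example come from the text. It also flags a planning gap the text implies but does not spell out: a service named in a scenario that has no recovery objective set.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Section 3.3 priority matrix, indexed as PRIORITY_MATRIX[probability][impact].
# 1 is planned first and in greatest detail; 5 is planned last.
LEVELS = ("H", "M", "L")
PRIORITY_MATRIX = {
    "H": {"H": 1, "M": 2, "L": 3},
    "M": {"H": 2, "M": 3, "L": 4},
    "L": {"H": 3, "M": 4, "L": 5},
}


def priority(probability: str, impact: str) -> int:
    """Planning priority (1 = highest) for a probability/impact pair.

    Accepts "H"/"M"/"L" or the full words (only the first letter is used).
    """
    p, i = probability.strip().upper()[:1], impact.strip().upper()[:1]
    if p not in LEVELS or i not in LEVELS:
        raise ValueError(f"ratings must be H, M or L: got {probability!r}, {impact!r}")
    return PRIORITY_MATRIX[p][i]


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: str            # H / M / L, section 3.3 "Assess Probability"
    impact: str                 # H / M / L, section 3.3 "Assess Impact"
    services: Tuple[str, ...]   # critical services affected, section 3.4


@dataclass(frozen=True)
class RecoveryObjective:
    service: str
    rto: timedelta  # time allowed to restore the service
    rpo: timedelta  # maximum acceptable data loss, measured in time


def rank_scenarios(scenarios: List[Scenario]) -> List[Tuple[int, Scenario]]:
    """Scenarios in planning order: priority 1 first; ties keep input order."""
    scored = [(priority(s.probability, s.impact), s) for s in scenarios]
    return sorted(scored, key=lambda item: item[0])  # sorted() is stable


def recovery_targets(obj: RecoveryObjective,
                     outage_start: datetime) -> Tuple[datetime, datetime]:
    """(restore_by, data_as_of) for an outage beginning at outage_start.

    restore_by = outage_start + RTO  (latest acceptable time the service is back)
    data_as_of = outage_start - RPO  (oldest acceptable state of the restored data)
    """
    return outage_start + obj.rto, outage_start - obj.rpo


def services_without_objectives(scenarios: List[Scenario],
                                objectives: Dict[str, RecoveryObjective]) -> Set[str]:
    """Services named in any scenario (3.4) that have no RTO/RPO set (3.5)."""
    needed = {svc for s in scenarios for svc in s.services}
    return needed - set(objectives)


# --- constructed sample data; names and values are illustrative only ---
SAMPLE_SCENARIOS = [
    Scenario("Ransomware encrypts file server", "M", "H",
             ("email", "document management", "time entry and billing")),
    Scenario("Loss of access to the office", "L", "M",
             ("office space", "client communications")),
    Scenario("Key staff member unavailable", "H", "L",
             ("client communications",)),
]

SAMPLE_OBJECTIVES = {
    "email": RecoveryObjective("email", timedelta(hours=4), timedelta(hours=12)),
    "document management": RecoveryObjective("document management",
                                             timedelta(hours=8), timedelta(hours=24)),
    "time entry and billing": RecoveryObjective("time entry and billing",
                                                timedelta(days=1), timedelta(hours=24)),
}


def worked_example() -> Tuple[datetime, datetime]:
    """The document's example: RTO 4 h, RPO 12 h, outage at 10:00 AM on a Wednesday."""
    outage = datetime(2024, 1, 10, 10, 0)  # constructed date; 10 Jan 2024 is a Wednesday
    return recovery_targets(SAMPLE_OBJECTIVES["email"], outage)


if __name__ == "__main__":
    for prio, s in rank_scenarios(SAMPLE_SCENARIOS):
        print(f"priority {prio}: {s.name} (P={s.probability}, I={s.impact})")
    restore_by, data_as_of = worked_example()
    print(f"email: restore by {restore_by:%a %I:%M %p}, data as of {data_as_of:%a %I:%M %p}")
    print("services lacking an RTO/RPO:", sorted(services_without_objectives(SAMPLE_SCENARIOS,
                                                                             SAMPLE_OBJECTIVES)))
```

Running it ranks the ransomware scenario (M/H, priority 2) ahead of the staff scenario (H/L, 3) and the office scenario (L/M, 4), reproduces the restore-by 2:00 PM Wednesday / data-as-of 10:00 PM Tuesday result from the text, and reports that "office space" and "client communications" still need recovery objectives before the plan is complete.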