December 18, 2018

Last Updated on January 15, 2024

Law firms typically outsource much of their IT, and their most critical data is often cloud-hosted.  That means the data is protected and the lawyers can work remotely… so why do a Business Impact Analysis (BIA)?

Why BIA is Important for Law Firms

The reason is that a BIA is really about identifying, understanding, and planning for risk—it’s not just about business continuity or data protection.  Every business that cares about its performance in the face of unanticipated circumstances needs to do a BIA.
Because what firms often miss—unless they do a BIA—are the interdependencies among functions and the dynamic prioritization of functions that become critical in any disruption.  Through a BIA, you gain insight into how your organization functions on an everyday basis, and how that inherently creates risks you need to plan for. 

Protecting Critical Functions During Peak Periods

For example, like most other corporate entities, law firms experience various cyclical peaks and ebbs.  Oftentimes these cycles are predictable: not much new business happens on Christmas Day, tax attorneys go nuts between January and May, accounting has monthly, quarterly and yearly closeouts to contend with, etc. 
During peak periods, systems that support the impacted functions become more critical than at other times.  This includes the data feeds from other systems, without which a critical system cannot fully support a critical function.
A “lower-priority” procurement system (System C), for instance, may become much more critical at times when the criticality of the accounting function peaks.  When the accounting function peaks, the accounting system peaks and may also drag that pesky System C into a peak as well.  A BIA raises awareness of these kinds of process and data flow relationships/interdependencies. 
There are also “ad hoc” activity/criticality peaks that people don’t generally think about until they’re in the middle of them.  For a law firm, these could include deadlines for patent or intellectual property filings, deadlines for appeals filings, and so on.
Anytime you have a legal team working on an issue and they’re coming up against a deadline, the systems they’re using become hypercritical.  Those responsible for recovery (e.g., the recovery coordinator or IT department) need to be aware of these dynamic issues, because business outcomes may depend on that awareness.
This could be as simple as a partner proactively emailing the IT coordinator to say, “Hey, the Real Estate team has a big deadline on Friday so if something happens keep systems P and Q at the top of the list.”  But it requires the managing partners, team leads, etc. to be aware of the issue and its potential business impact.  A BIA can help law firms create policies and procedures to proactively address these kinds of situations.

Single Points of Failure

A further benefit of BIAs is that they raise awareness of single points of failure (SPOFs)—not just systems or infrastructure but also people—and corresponding business impacts. SPOFs inherently are more susceptible to outages or to risks coming to fruition.  Some SPOFs will be obvious; others much less so.
Likewise, the concerns that can arise from interdependencies of key systems with SPOFs are often not obvious.  Better to do a BIA and be aware of them now.  The alternative is to find out about them the hard way and potentially suffer financial and reputational repercussions that could have been avoided. 
To talk with an expert about getting started with a BIA, contact Pivot Point Security

For more information on Business Impact Analysis and Business Continuity Management: