By Sam Bray
Let’s be honest — most law firms do have a Business Continuity Plan (BCP) tucked away somewhere. It’s been signed off, it ticks the right boxes, and it might even be sitting neatly in a shared folder labelled “Compliance.” But has anyone really looked at it recently? More to the point — has anyone tested it?
You don’t need me to tell you that regulators like the SRA expect continuity planning to be more than a paper exercise. It’s about being able to keep the show on the road when something unexpected happens — whether that’s a cyberattack, a flood, or just the office Wi-Fi deciding to throw in the towel.
As someone who spends a lot of time with law firms thinking about risk and resilience, I’ve seen too many BCPs that wouldn’t last five minutes in the real world. That’s not a criticism — these things are hard to test, especially when you’re trying to keep everything else running.
But there are ways to put your plan through its paces without shutting down operations or triggering a panic. Here are some practical (and sanity-preserving) approaches that have worked well in firms I’ve worked with.
Talk it through first
One of the easiest starting points is what we call a tabletop exercise. It’s a structured conversation — often over a couple of hours — where key people in the firm talk through how they’d handle a particular crisis. You choose a realistic scenario (say, a ransomware attack or a total systems outage) and then go step by step through your response.
This sort of dry run can be incredibly revealing. It shows who’s supposed to be doing what, where there are gaps, and whether your decision-making processes actually make sense under pressure. It’s also a safe environment to ask the awkward “what if” questions without breaking anything.
Test the tech (safely)
If you’ve got some IT confidence, you can start to test more technical elements. Can you restore your data from backup? Does your team know how to access systems remotely if the office becomes unavailable? What happens if a key server goes down?
These tests don’t have to be disruptive — they can be run in a controlled way, ideally during quiet periods and in isolated environments. The key is to work closely with your IT team (or provider), plan in advance, and make sure everyone knows it’s a drill.
Check your communications
One area that’s often overlooked is how you communicate in a crisis. Would you be able to get hold of everyone quickly? Do you have up-to-date contact information for all staff? Are your templates for clients or regulators ready to go?
A simple contact tree drill — where you test how long it takes to get a message out and get responses back — can be really valuable. And it doesn’t have to cause any disruption. In fact, silent tests (where you monitor delivery without expecting replies) can still give you useful insight.
Build everyday awareness
A good continuity plan isn’t just something for the partners and IT team. Everyone needs to know what’s expected of them. I’ve seen firms use short e-learning modules, team briefings, and even simple “what would you do if…” exercises to help build that awareness.
The aim isn’t to terrify people — it’s about making them feel prepared and confident. When staff know their role in a disruption, the whole firm becomes more resilient.
Go live (carefully)
If your BCP is already quite mature, you might eventually consider a partial live simulation. That could mean asking a single department to operate from backup systems for a day, or triggering your remote working setup as if the office were out of action.
These tests are more complex and should only be done once you’ve tried the other methods. But they can be a brilliant way to find the little niggles that don’t show up on paper — and to make sure your plan holds up when it really counts.
And a final word of advice…
Whatever kind of test you run, document everything. Regulators want to see evidence — not just that you’ve tested, but that you’ve learned something and improved as a result. That means taking notes, logging actions, and updating your plan accordingly.
Also, make sure people know what’s happening. No one likes to be blindsided by a fake fire drill — especially when they’ve got a deadline.
A good rule of thumb? Test your BCP at least once a year. If you’ve changed systems recently or moved office, you might want to do it sooner.
If your last test was a while ago — or if you’ve never tested your plan at all — it’s probably time to dust it off. You don’t have to do everything at once, and it doesn’t have to be perfect. But getting started is the most important step. You’ll thank yourself if something goes wrong.
