Read time: 8 minutes
It is important that architecture practices have a Business Continuity and Crisis Management Plan (BCCMP) in place so that they are resilient, disruptions to their operations are minimised (when they might arise) and clients have the assurance that their projects can continue with relative ease and consistency, should the unexpected occur.
This note addresses the business continuity for architecture practices in the context of the sudden loss of a practice director and disaster planning (such as natural disasters, political upheaval, cyberattacks and pandemics). It provides a guide as to the considerations that an architectural practice may wish to consider when developing a BCCMP, which will be unique to the relevant architectural practice.
Page contents:
The Business Continuity and Crisis Management Plan (BCCMP):
The Business Continuity and Crisis Management Plan (BCCMP)
A BCCMP sets out various disaster/disruption scenarios which may impact the operation of a business together with a plan to resolve the issue/s while continuing business operations. It is critical in formulating a BCCMP to understand the likelihood of the potential risks which a practice faces and the potential impact to the practice of such risks eventuating.
A BCCMP is a practical tool used to address the risk of a disaster or disruption scenario interfering with business as usual in the operation of an architectural practice.
Part A: Sudden death or illness of a partner/director/company owner
A sudden death, illness or departure of a key personnel member can disrupt the daily running of an architectural practice. A BCCMP may set out a phased approach to manage this scenario.
Depending on the size of the practice, the BCCMP may establish a small ‘crisis team’ within senior management. Consideration should be given to what authority members of the crisis team will have to make decisions in relation to communication (internal and external), project management as well as in relation to insurance, financial and legal issues.
It is important that the BCCMP is readily accessible, easy to use and understand and is regularly reviewed and tested.
Phase 1: Communication
Members of the crisis team should be responsible for promptly preparing communication to staff within the practice, clients and if necessary, more broadly.
Communication may vary depending on the audience. However, it should always be clear, calm and factually accurate.
Clients should be notified individually when introducing new contacts within the practice. This is expanded further in the Phase 2 section below.
An external communication strategy should be developed. For example, a notice could be displayed on the practice's website, social media (LinkedIn, Instagram, Facebook etc) or distributed to the practice's mailing list etc. In doing this, the practice should consider sharing information in relation to:
- whether there will be an office closure
- whether funeral details will be made public for clients/others to attend or whether the funeral will only be open to family and close colleagues
- other opportunities to commemorate the individual by way of memorial with family, clients and other stakeholders.
Phase 2: Project management and delivery
Every practice should have a platform whereby all staff can access current (and past) projects as well as client lists. Project/file management software and excel spreadsheets are useful tools. It is important to ensure that this information is stored, whether physically or virtually, in a secure location. Backing up remote data to be stored remotely or via a cloud-based platform should also be considered (to provide protection in the event a practice’s physical office is impacted, for instance by fire or by way of cyber incident). Refer Acumen note Cloud computing.
Projects should be reallocated to alternative practitioners as soon as practicable. In doing this, the practice should:
- identify the project/s and new responsibilities that require reallocation
- identify any impending deadlines
- assess the capacity and skill set of existing personnel - who is best placed to take over the project/s and extra responsibilities? Is extra training required? Will additional staff or contractors be required on a temporary or permanent basis?
- consider whether another team taking over a project will impact the progress of the project/s (and whether this will affect factors such as cost or quality). Client/s should be informed accordingly.
The reallocating of projects and tasks should be done in a respectful way which:
- acknowledges the contributions of the individual, while considering the emotional impact on staff
- is realistic about the potential impacts to project delivery and continuity.
The practice should inform clients of the sudden death, illness or departure of the staff member individually and be mindful that the client may be disappointed or apprehensive about a new staff member taking over the project. The incoming architect should be prepared to assure clients that the project can still be delivered, and the practice's contractual obligations can otherwise be met (after an appropriate and realistic assessment of the requirements of the project).
In the case of sole practitioners, the process of the transfer of projects should be considered, in consultation with any impacted clients.
Phase 3: Maintaining the practice's day-to-day operations
A member of the crisis team should be nominated as responsible for financial operations. Consideration should be given to their authority levels to manage the practice's financial and legal affairs as well as any insurance-related matters, to maintain business continuity, with appropriate safeguards and oversight in place.
In relation to finance, their role may include:
- managing the practice's payroll (including any payment of superannuation and meeting tax liabilities)
- processing payments
- overseeing the coordination of accounting requirements.
The team member responsible for financial operations must understand and/or ascertain who is legally able to act on behalf of the practice/company/entity (including the requirements of any constitution, for instance whether a common seal is required to execute documents).
It will also be necessary to consider who may need to be formally notified in the event of a director/architect's death or departure, for instance, it may be necessary to notify:
- the practice's bank/s, insurer/s and/or ASIC
- the relevant state or territory architects registration board (including any changes or updates to the practice's insurance policy, in line with the practice's obligations under the relevant Architects Act and Architects Regulations.
Sensitive information such as pin numbers on the practice's bank accounts, security pins and keys should be stored in a secure place but be able to be accessed by the crisis team, subject to necessary oversight/safeguards.
Phase 4: Reflecting
An eye should be kept on the new responsibilities given to staff and resourcing as well as the progress of projects. Adjustments should be made as required.
Part B: Succession planning
Architectural practices should have a succession plan in place. For smaller practices, this may include a plan to transfer a practice. Refer Acumen note Succession planning.
Sole practitioners need to consider what their intentions are for their practice following their death or departure. Sometimes, dissolution of the practice may be most appropriate. Merging the practice with another may be an alternative solution however, these arrangements should be made as soon as possible while the practice's owner/director has legal capacity.
For both small and large practices, succession planning may also involve identifying and mentoring future leaders within the practice so that they are able to step up when the need arises or considering whether external recruitment is required.
Consideration should also be given to insurance requirements and whether any run-off cover is required. Seek advice from a qualified insurance broker about suitable professional indemnity insurance arrangements.
Part C: Disaster scenarios
The BCCMP should also cover disruptions that may be planned (to a certain extent) such as floods or bushfire risk, as well as unplanned disruptions such as fire, computer system failures and cyberattacks. Practical considerations in this regard are outlined below.
Practices should undertake a risk assessment summary exercise whereby risks/scenarios are identified and ranked in accordance with likelihood of the risk, and the potential impact of the risk, if it were to eventuate. Appropriate strategies can then be developed within the BCCMP.
Fire/environmental/health crises
The BCCMP should cover natural disasters, physical incidents (such as accidents/fire) and health-related events such as pandemics. The recent COVID-19 pandemic highlights the importance of preparing for the next disaster, having regard to the likelihood and potential impact of such events.
Continuity strategies should consider:
- emergency response plans
- applicable legislation and codes
- staff management and safety
- alternative work sites
- making IT applications/servers accessible remotely.
Technology disruptions
BCCMPs should cover disruptions such as network failures, hardware failures and cyberattacks. Additionally, it is recommended that practices have some preventative measures in place.
Preventative measures
Architectural practices can implement strategies to prevent a system failure and/or cyberattack. Practices can implement strategies such as:
- running regular tests of systems and updates
- regularly backing up data on a cloud-based system or external drive
- regularly updating passwords and not reusing previous passwords
- considering the use of multi-factor authentication systems
- running regular training sessions for staff on cyber security.
Separately, practices should consider what platforms they use to host their confidential information and consider the adoption of Australian Standards: AS/NZS ISO/IEC 27001 in terms of their information security management system.
Confidential information can include financial data, employment records, contracts, drawings, plans and anything else shared on the basis that it should not be shared with others. Whether information is confidential is assessed on a case-by-case basis. Architects should commit to observing the confidentiality of their clients’ information and have appropriate safeguards in place to protect it. Refer also Acumen note Privacy legislation – coverage and exemptions.
Managing disruptions: system failures and cyberattacks
Cyberattacks are becoming more frequent and more sophisticated, so it is important to stay up to date to be responsive. The most common cyberattacks are phishing, spear phishing and HTTPS phishing. BCCMPs must have a strategy in place to manage this kind of disruption. The BCCMP should address the steps required to resolve the disruption as well as managing the aftermath and developing a strategy for the prevention of a recurrence.
If client confidentiality is compromised, be aware that this may be grounds for a complaint to the relevant state or territory architect registration board or constitute a breach of privacy legislation.
The best strategy is to mitigate the risk of any breach of confidentiality/privacy. However, it is also important to have plans to manage any potential or actual breach of confidentiality or privacy. For instance, what arrangements will apply in terms of notifying clients, other impacted persons, regulators (if applicable) or insurer/s.
Insurance
Insurance is a key component of managing risk in any architectural practice. In addition to obtaining professional indemnity insurance, architectural practices should ensure that they have in place an appropriate insurance program to address other risks, such as fire, flooding, political upheaval, pandemics and cyberattacks. Advice should be sourced from an experienced insurance broker to ensure that adequate cover is in place. Refer Acumen note General practice insurance.
Part D: Feedback and review
It is recommended that the BCCMP is reviewed regularly to ensure it remains current. It is also recommended that after a disruption or crisis, that the crisis team reflect on the success of the BCCMP, lessons learned as well as identify areas of improvement so that the BCCMP can be updated if required.
Staff should be trained on the aspects of the BCCMP that are relevant to their roles/responsibilities.
Resources
- NSW Small Business Commissioner, Cyber Security Awareness, NSW Small Business Commissioner website.
- Australian Signals Directorate, Small Business Cyber Security Guide, Australian Signals Directorate website.
Authors: Natasha Stojanovich and Simone Karmis, Lander & Rogers
This note has been prepared in collaboration between the Australian Institute of Architects and the Association of Consulting Architects Australia, as joint copyright holders to this note.
Disclaimer
This content is provided by the Australian Institute of Architects for reference purposes and as general guidance. It does not take into account specific circumstances and should not be relied on in that way. It is not legal, financial, insurance, or other advice and you should seek independent verification or advice before relying on this content in circumstances where loss or damage may result. The Institute endeavours to publish content that is accurate at the time it is published, but does not accept responsibility for content that may or has become inaccurate over time. Using this website and content is subject to the Acumen User Licence.