Developing a Plan continued

Where to Start?

First you need to understand how your business operates. Do you have a plan for the steps to take in the event of an absence or catastrophic event? The scope of some of the steps will obviously be different depending on whether you are ill for a week, or a fire sweeps through your office destroying all of your on-site files. A plan to deal with one eventuality will not be sufficient to deal with all others. Keep a copy of your plan off-site in a secure location so it remains intact and accessible.

In order for you to perform risk assessments, you must analyze:

  1. the likelihood of the risk; and
  2. the cost/consequences to the firm should the risk manifest.

Some risks might be so remote that the only practical way of dealing with them is to purchase insurance against the risk. Other risks might be more common, but their impact on the practice might be negligible, so an assessment should be made as to the amount of effort needed to protect against the risk. Still other risks fall into the "no-brainer" category, such as installing and updating virus protection software on your computers.

Remember that just because you have formulated a plan, risk management does not stop there—it is an ongoing process. You should continually be evaluating:

  • what your practice risks are;
  • how to minimize both the likelihood of these risks occurring and the consequences if they do occur.

You have a positive obligation to protect the types of records referred to in Rules 3-68 to 3-71, to ensure they are reasonably secure against all risk of loss, destruction, unauthorized access, use or disclosure.