
Disaster Strikes. What’s Your Business Continuity Plan?

Fires. Floods. Tornadoes. Hurricanes. We’re all aware of the havoc that disaster can wreak on business. But few law firms have a true Business Continuity Plan (BCP) in place. They often overlook how vendors and service providers may be impacted (and the implications to the firm if there are disruptions of supplies or resources).

Law firms must consider the probability of every type of threat and its potential impact. Think of the nature (local, regional, or national), scope (who is affected), and duration of an event.

6 Steps to Follow When Creating a BCP:

  1. Secure management acceptance and establish a crisis management team
  2. Analyze current situation and resources
  3. Design appropriate solutions
  4. Implement aspects of the plan and communicate with stakeholders
  5. Test plan validity
  6. Maintain data, systems and processes on a regular basis

5 Key Questions to Ask:

  1. Which position should be responsible for developing/maintaining the plan?
  2. Which functions (or positions) should be involved in the planning?
  3. Which position(s) will have the authority to implement the plan?
  4. Once a plan is developed, how will we communicate the plan to stakeholders?
  5. How will changes to the plan be documented (i.e., will there be an audit trail)?

When defining responsibilities or authority, identify positions (and not people) to ensure the plan has a shelf life.

Once you identify your crisis management team, you are ready to begin the Analysis Phase.

In your analysis, ask these questions:

Functions: Which are critical, important, and marginal? What is the potential damage to the firm (clients, employees, partners, and other stakeholders) of not performing this function? What amount of data loss can be tolerated? How much time can elapse before the function is partially or fully restored?

Contact Information: Do you have names, current phone numbers, email addresses, and physical addresses for attorneys, staff, clients and vendors, as both electronic and hard copies? Who has these copies?

Critical Organizational Materials: Do you have copies of your insurance policies, leases, contracts and shareholder agreements? Are the copies located offsite and do key members of the crisis management team have access to them?

Facilities: What is the potential for operating in each facility if it is partially or temporarily damaged? What alternative security exists if public safety personnel are not available? Is a secondary worksite critical? If so, where should it be located and who will have access to it? Will a command center be required? If so, who will have access to that center and under what conditions?

Equipment and Supplies: What items and equipment (computers, copiers, scanners, faxes, cell phones, landlines, desks, paper, pens) are required if the primary work site is damaged or inaccessible? What spare parts or peripherals (toner, batteries, chargers) are required to ensure that equipment can operate? Will certain items be distributed to key personnel or will they be stored in a secondary location? Will vital support items (food, water, first aid, cots, cash) be stored in a remote location?

Technology: What type of offsite backup system exists? What hardware is necessary for a remote site? Will it be owned by the firm or owned and maintained by a third party? How will data be replicated and on what time schedule? What application types and data need to be kept at a secondary location?

Communication: How will you communicate with employees and clients before and after a crisis? (Facebook and Skype are excellent here). What third-party systems exist to communicate with stakeholders during the crisis? Who from the firm will handle communication with public health and safety officials?

Human Resources: What skills and knowledge are required to maintain critical functions? Which individuals are best suited to perform those functions? What backups exist if those individuals are not available? Can any functions be outsourced to a remote provider? How would functions be performed if a majority of the population were quarantined for 2-4 weeks?

General Operations: If facilities are destroyed, where can mail and deliveries be sent? Will employees of the firm or a third party staff the location? What methods exist for purchasing (emergency credit cards, cash resources) if banking and financial systems are not operational? How will payroll be handled?

Risk Management: Does your current insurance cover offsite locations used for emergency purposes? Does your policy cover costs you incur above normal expenses to avoid suspending operations? What are the terms of your business interruption insurance?

Existing Internal Plans: Do you have a written facilities evacuation plan, a fire protection plan, and an employee manual with policies governing crises? Which elements can be standardized across plans or policies?

Government Compliance: What do state and federal wage laws require for employee compensation during crises (particularly for any work done remotely)? What requirements in HIPAA, OSHA, FLSA, and ADA impact the protection of employee medical privacy during a pandemic? What distinctions exist between job tasks performed on a regular basis and those on an emergency basis to ensure there are no violations of ADA (particularly regarding working remotely)? What business licenses or other code requirements must be met for offsite facilities?

External Resources: What local (police, fire), state, or federal (FEMA, CDC) health or public safety agencies have information to assist the firm? What national organizations (e.g., American Red Cross) have programs or resources available?

The above questions are intended as a guide, but each firm should consider its unique situation and corporate culture when considering disaster planning.

Threat/Vulnerability Analysis

Now that you have established your current situation, you are ready to begin a Threat/Vulnerability Analysis.

Identify the types of emergencies that may impact the firm, and assess each in terms of the probability of occurrence, the human (injury, loss), property (replacement costs, temporary facility costs), and business (loss of data, full service interruption) impacts, and the internal and external resources available. Rate each of these factors on a scale of 1-5 (1 being the lowest and 5 being the highest). Total the scores for each emergency or threat. Address the threats with the highest totals first.

Your plan should be simple and standardized for different threats. Make it easy to understand and easy to execute. Test your plan to ensure it is both viable and practical. Try conducting a mock disaster exercise, replicating conditions similar to what you would experience in a real disaster. This exercise will expose potential vulnerabilities in your plan so that you can address them. Conduct these mock drills annually or when new factors arise, such as moving locations to a new facility, or new public safety laws. Make sure to have systems in place to regularly maintain data, infrastructure and policies required by the plan, and recheck the plan on an annual basis. If you live or work in a hazard-prone environment, I strongly recommend testing your plan several times throughout the year.


  • Catherine Massey is CEO for LawDocsXpress, the leader in legal process outsourcing. Her team of 200 legal professionals in every US region operates 24/7/365, operating in earthquakes, fires, hurricanes, blizzards, power outages and floods.  Contact us to discuss your business continuity requirements.