Enlarging the Scope of Disaster Plans

Considering how much damage can result from something as innocuous as a faulty sprinkler system, it may be understandable that many law firm disaster planners previously gave their first attention to common threats, and then never got around to considering large-scale disasters. Firm planners could pat themselves on the back if they maintained proper fire safeguards, kept the firm properly insured, arranged for regular backups of key data files, and the like.

Some firms were convinced as a result of 9/11 that such a patchwork of miscellaneous point solutions was inadequate. For other firms, Hurricane Katrina should drive that point home. While we can't expect disaster plans to protect our firms from all possible risks, we should expand our planning perspective to include more catastrophic scenarios.

One approach would review each practice area within the firm separately and ask: How long can we afford to be “out of business”? Plans should then be created to address the need of each practice area in accord with its particular assessment of risks. Different practice areas will produce different scenarios.

Following are a few suggestions to consider when enlarging the scope of disaster plans to accommodate widespread disruptions. Also see the sidebar below.

Comprehensive Disasters are Different

Planning for a widespread major disaster must go far beyond planning for more localized threats. Not only are the individual losses to be contemplated more severe, but the sheer magnitude of possible destruction makes reliance on “normal” backup solutions unwise.

Katrina's key demonstration of the latter concern was the wiping out of cell phone communication towers across a wide area. Cell phones were supposed to be the backup for landline phones. Many emergency plans failed because they assumed ongoing communication capabilities. In some extreme disaster scenarios, electronic communication may simply be impossible, so team instructions should explicitly cover the case of a total communications blackout.

The usual math for recovery facilities can similarly become inapplicable in a comprehensive disaster. Having some available backup office space in a community may be sufficient to cover the needs of a few firms concurrently. But if practically every firm in a whole area suddenly needs backup facilities, the latter will be overwhelmed, even if they themselves were not put out of commission. Again, Katrina provided a future textbook case: all the nursing homes in New Orleans counted on the same few bus companies to evacuate their patients, with tragic results. The same peak-load problem applies to local backup suppliers, staffing agencies, etc.

Mirror-Location Strategies

Geographically dispersed firms clearly have an advantage when it comes to many sorts of backup measures. A firm with multiple offices can in principle have backup data from each office automatically streamed to other firm location(s) for ready backup, as a supplement to high-security commercial offline backups. Similarly, firm branches could be arranged into a “buddy system” whereby evacuees from one community would know in advance that they had a place to go for emergency housing assistance as well as business recovery. Consortia of small firms could, of course, pursue analogous arrangements, though historically they have not.

Accounting system and IT specialists are accustomed to think of off-site backups and even online mirror sites, but the CIO should extend this concept to all sorts of vital information. Certainly it should apply to word processing documents and electronically imaged case files, but the concept could be applied more pervasively to include CRM (client relations) and HR (firm personnel information). When lawyers sync their contact and calendar information from PDAs to their own office PC, it would similarly make sense for the updated file to be shipped off automatically (again securely) to their “buddy” location.

It must be added that security passwords known only to one or more individuals in a single office location are themselves a vulnerability. The firm's CIO should work out a secure multi-site strategy for ensuring that secured information does not become altogether irretrievable in a truly worst-case scenario.

Plan Accountability and Currency

The usual complaint with regard to disaster plans is that they get put in a binder and shelved. While inattention to important-but-not-urgent matters is commonplace, an aggravating factor in some firms may be that a threat-oriented plan is not properly aligned with people's main jobs. After all, how many primary job descriptions at a law firm deal with floods, earthquakes or terrorism?

An approach more conducive to keeping disaster planning on the front burner is to align responsibilities along functional lines such as the following:

• The HR Director has responsibility for all aspects of protecting all the people who work for or at the firm (including on-site contractors, visitors, etc.).
• The CIO has responsibility for all aspects of protecting and recovering the firm's information assets and communication capabilities.
• The CFO has responsibility for protecting and recovering the firm's financial assets.
• The Facilities Manager has responsibility for protecting and recovering the firm's offices, office equipment, and other physical assets.
• The Managing Partner has responsibility for ensuring the recoverability of matters in progress, for protecting the interests of clients (including pro bono clients), and for contributing the firm's support to recovery of the overall legal system.
• Disaster planning specialist consultants (for physical safety, IT backup-recovery, etc.) work with all the above individuals but report directly to the Executive Director.
• The Executive Director has overall responsibility for disaster planning; s/he coordinates efforts to limit plan overlaps and oversights, and ensures that all components of the plan are coherent.

Integrating Disaster and Security Planning

Disasters are not limited to natural events: disgruntled employees, unhappy clients and deranged strangers have also wreaked havoc on law firms. So it's important that your disaster plan is complemented by good routine security operations.

When employees depart, obtain all keys, computer disks and other proprietary or confidential documents that may have been taken home or offsite. Employee agreements should acknowledge that certain (carefully specified) information is confidential and proprietary, and always remains the property of the firm.

Make sure clients are happy with your services by seeking to develop loyalty amongst and with them. Create a comprehensive system of communication with them, so that you know who they are, what they need and want from their relationship with you and whether they believe you've addressed their wants. Effective communication is the cornerstone of loyalty, and loyalty begets assistance beyond the call of duty in time of need.

Conclusion

The sidebar below suggests some topics to consider when expanding your disaster plan. Detailing a disaster plan and practicing its emergency procedures have always been challenging, however, and doing so for an expanded plan will be even more difficult ' so it's time to get started.

This checklist reflects the suggestions in the accompanying article for improving accountability in law firm disaster planning. If your plan doesn't address some of these issues, consider pursuing them in the upcoming weeks and months.

Protecting Your People (HR)

q Carefully plan emergency evacuation procedures, with clear lines of command and both local and remote gathering points.

q Improve procedures for check-in and nose-counts. Rescue teams shouldn't have to guess how many people are still in a destroyed or flooded building.

q Don't rely on cell phones alone for communications backup. Investigate and acquire walkie-talkie and satellite-based technology. Develop and practice contingency plans for dealing with total communications blackouts.

q Create, maintain, and practice using a communications 'tree' for keeping in contact with firm members and others the firm may have a responsibility to help. Your emergency communication system should include lawyers, staff, clients, vendors and courts, depending on the nature of your practice.

q Provide alternative methods for internal communication, since some may not work: Set up a call-in 'hotline' or recorded message number. Establish a 'phone-tree' and keep it up to date. It typically is easier to call out of, rather than into, a disaster area, so establish an out-of-area contact. Also provide links from the firm's regular Web site to a special Web site for this purpose.

q Establish an Employee Assistance Program. By virtue of their relative lack of capital as compared to partners, employees typically are in a more precarious financial position after a disaster. Consider creating a fund for your staff, with the firm matching contributions.

Protecting Your Information (CIO)

q View information protection comprehensively: cover work in progress, archives, business-accounting-tax information, client and marketing information, etc.

q Assign selected staff members to contact clients and vendors to let them know what has happened, and explain the status of their pending matters. Be truthful and credible; convey that the crisis is being handled properly, and that the firm will continue to take care of all clients' needs or vendors' concerns. Store phone lists in multiple off-site, accessible locations.

q Back up all computer data. Store important records and documents off-site. Everything you save on the computer should be backed-up on a regular basis. This also applies to crucial paper records such as master files, time and billing records, court dates and appointments, wills, powers of attorney, and corporate records. The frequency of computer backups depends on how much work you produce between backups and how much you can afford to lose.

q Store all important data and paper backups off-site. The 'off-site' should include locations that are beyond the city or, perhaps, state lines. With multiple offices, this issue is addressed. With one office, it may be appropriate to have a duplicate server in another part of the country.

Protecting Your Financial Assets (CFO)

q Review (or establish) your insurance coverage. Insurance is a central aspect of disaster planning and recovery. Understand the fine print. Your policy should be tailored to your specific practice. It should cover damage to or loss of real and personal property, loss of revenue, general liability, reconstruction of destroyed documents, and extra expenses related to a disaster or catastrophe.

q Review claims procedures before the need arises

q You will undoubtedly need to disburse funds for rent, payroll, settlements, etc. A disaster will likely interrupt work in progress and continuing practice development, so give the collection of existing accounts receivable top priority.

q Arrange automatic funding on an emergency line of credit, separate from operating lines of credit.

q Establish a solid relationship with your banker. Maintaining close contact with your bank will help if you need an emergency loan.

Protecting the Physical Facilities (Facilities Manager)

q Create a complete inventory and photo-document your entire office with all its contents (before and after) to prove losses.

q Protect valuable physical assets (artwork, etc.).

q Plan for temporary space. Contingency space planning ranges from a temporary control center for your disaster recovery team, to finding temporary office space for transferring the entire firm. Contact building managers and real estate agents in advance to establish contingency.

q With CIO, arrange access to compatible computer equipment. Consider a reciprocal arrangement with another firm that uses similar computer, accounting and litigation support equipment.

Meeting the Firm's Commitments (Managing Partner)

q Conduct a firm risk assessment. Analyze the possible consequences of a disaster. Review your current state of readiness; look for weaknesses. Review your insurance policies, alternative work sites, and information and document storage. Bear in mind that different practice groups may have different requirements.

q Have a plan for returning to business as usual. A critical responsibility of a law firm after a disaster is to resolve or move along all current cases or work-in-progress. You may need to get continuances or reschedule depositions. You might need to refer some or even all cases to another firm. Are the case files current and accessible?

q Have a written succession plan. Should the firm lose rainmakers or key firm managers, a clear succession plan can help the firm survive and smooth the transition.

Coordinating the Plan (Executive Director)

q Prepare a specific disaster recovery plan manual. Spell out exactly who does what after a disaster. Create disaster recovery teams to support the accountable senior managers identified in the plan.

q Identify the committee members to all staff and to the building managers. Regularly convene the committee to review the manual, revise the procedures and do a run-through.

' Ed Poll

Considering how much damage can result from something as innocuous as a faulty sprinkler system, it may be understandable that many law firm disaster planners previously gave their first attention to common threats, and then never got around to considering large-scale disasters. Firm planners could pat themselves on the back if they maintained proper fire safeguards, kept the firm properly insured, arranged for regular backups of key data files, and the like.

Some firms were convinced as a result of 9/11 that such a patchwork of miscellaneous point solutions was inadequate. For other firms, Hurricane Katrina should drive that point home. While we can't expect disaster plans to protect our firms from all possible risks, we should expand our planning perspective to include more catastrophic scenarios.

One approach would review each practice area within the firm separately and ask: How long can we afford to be “out of business”? Plans should then be created to address the need of each practice area in accord with its particular assessment of risks. Different practice areas will produce different scenarios.

Following are a few suggestions to consider when enlarging the scope of disaster plans to accommodate widespread disruptions. Also see the sidebar below.

Comprehensive Disasters are Different

Planning for a widespread major disaster must go far beyond planning for more localized threats. Not only are the individual losses to be contemplated more severe, but the sheer magnitude of possible destruction makes reliance on “normal” backup solutions unwise.

Katrina's key demonstration of the latter concern was the wiping out of cell phone communication towers across a wide area. Cell phones were supposed to be the backup for landline phones. Many emergency plans failed because they assumed ongoing communication capabilities. In some extreme disaster scenarios, electronic communication may simply be impossible, so team instructions should explicitly cover the case of a total communications blackout.

The usual math for recovery facilities can similarly become inapplicable in a comprehensive disaster. Having some available backup office space in a community may be sufficient to cover the needs of a few firms concurrently. But if practically every firm in a whole area suddenly needs backup facilities, the latter will be overwhelmed, even if they themselves were not put out of commission. Again, Katrina provided a future textbook case: all the nursing homes in New Orleans counted on the same few bus companies to evacuate their patients, with tragic results. The same peak-load problem applies to local backup suppliers, staffing agencies, etc.

Mirror-Location Strategies

Geographically dispersed firms clearly have an advantage when it comes to many sorts of backup measures. A firm with multiple offices can in principle have backup data from each office automatically streamed to other firm location(s) for ready backup, as a supplement to high-security commercial offline backups. Similarly, firm branches could be arranged into a “buddy system” whereby evacuees from one community would know in advance that they had a place to go for emergency housing assistance as well as business recovery. Consortia of small firms could, of course, pursue analogous arrangements, though historically they have not.

Accounting system and IT specialists are accustomed to think of off-site backups and even online mirror sites, but the CIO should extend this concept to all sorts of vital information. Certainly it should apply to word processing documents and electronically imaged case files, but the concept could be applied more pervasively to include CRM (client relations) and HR (firm personnel information). When lawyers sync their contact and calendar information from PDAs to their own office PC, it would similarly make sense for the updated file to be shipped off automatically (again securely) to their “buddy” location.

It must be added that security passwords known only to one or more individuals in a single office location are themselves a vulnerability. The firm's CIO should work out a secure multi-site strategy for ensuring that secured information does not become altogether irretrievable in a truly worst-case scenario.

Plan Accountability and Currency

The usual complaint with regard to disaster plans is that they get put in a binder and shelved. While inattention to important-but-not-urgent matters is commonplace, an aggravating factor in some firms may be that a threat-oriented plan is not properly aligned with people's main jobs. After all, how many primary job descriptions at a law firm deal with floods, earthquakes or terrorism?

An approach more conducive to keeping disaster planning on the front burner is to align responsibilities along functional lines such as the following:

• The HR Director has responsibility for all aspects of protecting all the people who work for or at the firm (including on-site contractors, visitors, etc.).
• The CIO has responsibility for all aspects of protecting and recovering the firm's information assets and communication capabilities.
• The CFO has responsibility for protecting and recovering the firm's financial assets.
• The Facilities Manager has responsibility for protecting and recovering the firm's offices, office equipment, and other physical assets.
• The Managing Partner has responsibility for ensuring the recoverability of matters in progress, for protecting the interests of clients (including pro bono clients), and for contributing the firm's support to recovery of the overall legal system.
• Disaster planning specialist consultants (for physical safety, IT backup-recovery, etc.) work with all the above individuals but report directly to the Executive Director.
• The Executive Director has overall responsibility for disaster planning; s/he coordinates efforts to limit plan overlaps and oversights, and ensures that all components of the plan are coherent.

Integrating Disaster and Security Planning

Disasters are not limited to natural events: disgruntled employees, unhappy clients and deranged strangers have also wreaked havoc on law firms. So it's important that your disaster plan is complemented by good routine security operations.

When employees depart, obtain all keys, computer disks and other proprietary or confidential documents that may have been taken home or offsite. Employee agreements should acknowledge that certain (carefully specified) information is confidential and proprietary, and always remains the property of the firm.

Make sure clients are happy with your services by seeking to develop loyalty amongst and with them. Create a comprehensive system of communication with them, so that you know who they are, what they need and want from their relationship with you and whether they believe you've addressed their wants. Effective communication is the cornerstone of loyalty, and loyalty begets assistance beyond the call of duty in time of need.

Conclusion

The sidebar below suggests some topics to consider when expanding your disaster plan. Detailing a disaster plan and practicing its emergency procedures have always been challenging, however, and doing so for an expanded plan will be even more difficult ' so it's time to get started.

This checklist reflects the suggestions in the accompanying article for improving accountability in law firm disaster planning. If your plan doesn't address some of these issues, consider pursuing them in the upcoming weeks and months.

Protecting Your People (HR)

q Carefully plan emergency evacuation procedures, with clear lines of command and both local and remote gathering points.

q Improve procedures for check-in and nose-counts. Rescue teams shouldn't have to guess how many people are still in a destroyed or flooded building.

q Don't rely on cell phones alone for communications backup. Investigate and acquire walkie-talkie and satellite-based technology. Develop and practice contingency plans for dealing with total communications blackouts.

q Create, maintain, and practice using a communications 'tree' for keeping in contact with firm members and others the firm may have a responsibility to help. Your emergency communication system should include lawyers, staff, clients, vendors and courts, depending on the nature of your practice.

q Provide alternative methods for internal communication, since some may not work: Set up a call-in 'hotline' or recorded message number. Establish a 'phone-tree' and keep it up to date. It typically is easier to call out of, rather than into, a disaster area, so establish an out-of-area contact. Also provide links from the firm's regular Web site to a special Web site for this purpose.

q Establish an Employee Assistance Program. By virtue of their relative lack of capital as compared to partners, employees typically are in a more precarious financial position after a disaster. Consider creating a fund for your staff, with the firm matching contributions.

Protecting Your Information (CIO)

q View information protection comprehensively: cover work in progress, archives, business-accounting-tax information, client and marketing information, etc.

q Assign selected staff members to contact clients and vendors to let them know what has happened, and explain the status of their pending matters. Be truthful and credible; convey that the crisis is being handled properly, and that the firm will continue to take care of all clients' needs or vendors' concerns. Store phone lists in multiple off-site, accessible locations.

q Back up all computer data. Store important records and documents off-site. Everything you save on the computer should be backed-up on a regular basis. This also applies to crucial paper records such as master files, time and billing records, court dates and appointments, wills, powers of attorney, and corporate records. The frequency of computer backups depends on how much work you produce between backups and how much you can afford to lose.

q Store all important data and paper backups off-site. The 'off-site' should include locations that are beyond the city or, perhaps, state lines. With multiple offices, this issue is addressed. With one office, it may be appropriate to have a duplicate server in another part of the country.

Protecting Your Financial Assets (CFO)

q Review (or establish) your insurance coverage. Insurance is a central aspect of disaster planning and recovery. Understand the fine print. Your policy should be tailored to your specific practice. It should cover damage to or loss of real and personal property, loss of revenue, general liability, reconstruction of destroyed documents, and extra expenses related to a disaster or catastrophe.

q Review claims procedures before the need arises

q You will undoubtedly need to disburse funds for rent, payroll, settlements, etc. A disaster will likely interrupt work in progress and continuing practice development, so give the collection of existing accounts receivable top priority.

q Arrange automatic funding on an emergency line of credit, separate from operating lines of credit.

q Establish a solid relationship with your banker. Maintaining close contact with your bank will help if you need an emergency loan.

Protecting the Physical Facilities (Facilities Manager)

q Create a complete inventory and photo-document your entire office with all its contents (before and after) to prove losses.

q Protect valuable physical assets (artwork, etc.).

q Plan for temporary space. Contingency space planning ranges from a temporary control center for your disaster recovery team, to finding temporary office space for transferring the entire firm. Contact building managers and real estate agents in advance to establish contingency.

q With CIO, arrange access to compatible computer equipment. Consider a reciprocal arrangement with another firm that uses similar computer, accounting and litigation support equipment.

Meeting the Firm's Commitments (Managing Partner)

q Conduct a firm risk assessment. Analyze the possible consequences of a disaster. Review your current state of readiness; look for weaknesses. Review your insurance policies, alternative work sites, and information and document storage. Bear in mind that different practice groups may have different requirements.

q Have a plan for returning to business as usual. A critical responsibility of a law firm after a disaster is to resolve or move along all current cases or work-in-progress. You may need to get continuances or reschedule depositions. You might need to refer some or even all cases to another firm. Are the case files current and accessible?

q Have a written succession plan. Should the firm lose rainmakers or key firm managers, a clear succession plan can help the firm survive and smooth the transition.

Coordinating the Plan (Executive Director)

q Prepare a specific disaster recovery plan manual. Spell out exactly who does what after a disaster. Create disaster recovery teams to support the accountable senior managers identified in the plan.

q Identify the committee members to all staff and to the building managers. Regularly convene the committee to review the manual, revise the procedures and do a run-through.

' Ed Poll