
Enlarging Scope of Disaster Plans

By Edward Poll and Joe Danowsky
November 28, 2005

Some firms were convinced as a result of 9/11 that such a patchwork of miscellaneous point solutions was inadequate. For other firms, Hurricane Katrina should drive that point home. While we can't expect disaster plans to protect our firms from all possible risks, we should expand our planning perspective to include more catastrophic scenarios.

One approach would review each practice area within the firm separately and ask: How long can we afford to be “out of business”? Plans should then be created to address the need of each practice area in accord with its particular assessment of risks. Different practice areas will produce different scenarios.

Following are a few suggestions to consider when enlarging the scope of disaster plans to accommodate widespread disruptions.

Comprehensive Disasters Are Different

Planning for a widespread major disaster must go far beyond planning for more localized threats. Not only are the individual losses to be contemplated more severe, but the sheer magnitude of possible destruction makes reliance on “normal” backup solutions unwise.

Katrina's key demonstration of the latter concern was the wiping out of cell phone communication towers across a wide area. Cell phones were supposed to be the backup for landline phones. Many emergency plans failed because they assumed ongoing communication capabilities. In some extreme disaster scenarios, electronic communication may simply be impossible, so team instructions should explicitly cover the case of a total communications blackout.

The usual math for recovery facilities can similarly become inapplicable in a comprehensive disaster. Having some available backup office space in a community may be sufficient to cover the needs of a few firms concurrently. But if practically every firm in a whole area suddenly needs backup facilities, the latter will be overwhelmed, even if they themselves were not put out of commission. Again, Katrina provided a future textbook case: All the nursing homes in New Orleans counted on the same few bus companies to evacuate their patients, with tragic results. The same peak-load problem applies to local backup suppliers, staffing agencies, etc.

Mirror-Location Strategies

Geographically dispersed firms clearly have an advantage when it comes to many sorts of backup measures. A firm with multiple offices can in principle have backup data from each office automatically streamed to other firm location(s) for ready backup, as a supplement to high-security commercial offline backups. Similarly, firm branches could be arranged into a “buddy system” whereby evacuees from one community would know in advance that they had a place to go for emergency housing assistance as well as business recovery. Consortia of small firms could, of course, pursue analogous arrangements, though historically they have not.

Accounting system and IT specialists are accustomed to thinking of off-site backups and even online mirror sites, but the CIO should extend this concept to all sorts of vital information. Certainly it should apply to word processing documents and electronically imaged case files, but the concept could be applied more pervasively to include CRM (client relations) and HR (firm personnel information). When lawyers sync their contact and calendar information from PDAs to their own office PC, it would similarly make sense for the updated file to be shipped off automatically (again securely) to their “buddy” location.

It must be added that security passwords known only to one or more individuals in a single office location are themselves a vulnerability. The firm's CIO should work out a secure multi-site strategy for ensuring that secured information does not become altogether irretrievable in a truly worst-case scenario.

Plan Accountability and Currency

The usual complaint with regard to disaster plans is that they get put in a binder and shelved. While inattention to important-but-not-urgent matters is commonplace, an aggravating factor in some firms may be that a threat-oriented plan is not properly aligned with people's main jobs. After all, how many primary job descriptions at a law firm deal with floods, earthquakes or terrorism?

An approach more conducive to keeping disaster planning on the front burner is to align responsibilities along functional lines such as the following:

  • The HR Director has responsibility for all aspects of protecting all the people who work for or at the firm (including on-site contractors, visitors, etc.).
  • The CIO has responsibility for all aspects of protecting and recovering the firm's information assets and communication capabilities.
  • The CFO has responsibility for protecting and recovering the firm's financial assets.
  • The Facilities Manager has responsibility for protecting and recovering the firm's offices, office equipment, and other physical assets.

The Managing Partner has responsibility for ensuring the recoverability of matters in progress, for protecting the interests of clients (including pro bono clients), and for contributing the firm's support to recovery of the overall legal system.

Disaster planning specialist consultants (for physical safety, IT backup-recovery, etc.) work with all the above individuals but report directly to the Executive Director.

The Executive Director has overall responsibility for disaster planning; s/he coordinates efforts to limit plan overlaps and oversights, and ensures that all components of the plan are coherent.

Integrating Disaster and Security Planning

Disasters are not limited to natural events: disgruntled employees, unhappy clients and deranged strangers have also wreaked havoc on law firms. So it's important that your disaster plan is complemented by good routine security operations.

When employees depart, obtain all keys, computer disks and other proprietary or confidential documents that may have been taken home or offsite. Employee agreements should acknowledge that certain (carefully specified) information is confidential and proprietary, and always remains the property of the firm.

Make sure clients are happy with your services by seeking to develop loyalty among and with them. Create a comprehensive system of communication with them, so that you know who they are, what they need and want from their relationship with you and whether they believe you've addressed their wants. Effective communication is the cornerstone of loyalty, and loyalty begets assistance beyond the call of duty in time of need.

Conclusion

Detailing a disaster plan and practicing its emergency procedures have always been challenging, however, and doing so for an expanded plan will be even more difficult — so it's time to get started.



Edward Poll www.lawbiz.com/ Joe Danowsky Accounting and Financial Planning for Law Firms

