Want to Assure Your Firm's Future? Plan for Disaster

Planning for a disaster is one of the most specialized, most overlooked, and most vital business-strategy endeavors. 'Disaster' can come in many forms, any of which can mean the demise of a law firm. The goal of disaster planning is making a recovery that ensures the survival of the firm. If, as a lawyer or a law firm, you think planning for disaster recovery is a luxury you can ill afford in a time of increasing cost and profitability pressure, think again. Considerable research suggests that you are actually jeopardizing your future through unpreparedness. The U.S. Department of Labor, for example, says most companies that experience a major disaster are out of business within five years, because only 25% of companies have a disaster plan.

There are two types of law firms: those that have experienced a disaster, and those that will. 'Disaster' for a law firm is not a question of 'if,' but rather of 'when.' The only unknowns are what type of disaster, when it will occur, and how devastating it will be. A catastrophic storm or disease epidemic are disasters, but so, too, are burst water pipes that destroy vital property or files, or a computer system meltdown to the unprepared.

Defining Disaster

Not every disruptive event is a disaster. Professional liability, malpractice claims, client relations problems, and poor business judgment are all problems for a firm, but they are also part of everyday business. By contrast, any of the following events constitutes a disaster ' an unexpected event that could drive an unprepared firm out of business:

• Natural disaster (hurricane, tornado, flood, fire);
• Technology disaster: building structural failure (roof collapse, water pipes burst), computer technology failure (electronic work files or entire laptop computers lost or in jeopardy);
• Health disaster (epidemics, environmental catastrophe); and
• Crime disaster: violent crime (workplace assault by employee or client, terrorism, hostage situation, bomb detonation, robbery), cybercrime (hacking, identity theft/ phishing, employee sabotage).

Considering how much damage can result from something as innocuous as a faulty sprinkler system, it may be understandable that many law firm disaster planners previously focused attention on more common threats, and never considered large-scale disasters. In the past, firm planners could pat themselves on the back if they maintained proper fire safeguards, kept the firm properly insured, arranged for regular backups of key data files, and the like. Then came 9/11. Many firms were suddenly aware that the former patchwork of miscellaneous point solutions was inadequate. For all other firms, Hurricane Katrina should have driven that point home. While we can't expect disaster plans to protect our firms from all possible risks, we certainly should expand our planning perspective to include more catastrophic scenarios.

Ten years ago it was doubtful that cybercrime, terrorist attack, or avian flu would have made any list of law firm disaster worries; today, they are at the forefront. Successful disaster recovery planning starts when you not only understand the threats you potentially face, but also realize that your ultimate goal is to plan so that you remain in business ' no matter what threat or disaster you may encounter.

Creating the Mindset Before Creating the Plan

Disaster recovery plans don't just happen. Before you can create a plan you must create the infrastructure and mindset that will make a plan possible. Such an effort should embrace the following elements.

1) Review each practice area in the firm separately. Ask how long it can afford to be 'out of business' and what resources it would need to get up and running. Create your overall plan to reflect the risk scenarios of each practice area. Transactional lawyers often have time frames that are measured in hours. Litigators' time frames may run from the few hours needed to secure a temporary restraining order, to the years that 'bet-the-company' disputes require. Lawyers focusing on intellectual property or taxation will have similarly varied time frames.

2) Assume a widespread disaster. Some of the best laid plans can go awry if you depend on cell phones for backup communication, and the disaster wipes out communication towers in a wide area, or if you arrange for backup electronic and physical record storage in the same city as your current operations, and the disaster affects the entire area. Both of these were problems for New Orleans firms in the wake of Hurricane Katrina. A widespread disaster also will overwhelm the local disaster-recovery infrastructure, from extra office space to temporary staffing.

3) Think outside your usual geographic frame of reference. Geographically dispersed firms clearly have a leg up when it comes to many sorts of backup measures. A firm with multiple offices can, in principle, have backup data from each office automatically streamed to other firm locations for ready backup, as a supplement to outside backup resources. Similarly, firm branch offices can provide emergency housing and office arrangements for the affected office. Small firms or sole practitioners can follow the same principle by creating relationships with peers in other cities, using Bar Associations as one resource to do so.

4) Take off the organizational blinders. Accounting and technology specialists are accustomed to thinking of off-site backups for their immediate functions, but often neglect to extend the thought process to other materials: word-processed documents, imaged case files, client-relationship data files, personnel records. Often, the electronic information in these categories is password-protected, and only the people who intimately use it have the passwords. A prepared organization should work out a strategy for ensuring that this kind of secured information is not irretrievable should a worst-case disaster take the few people who know the passwords.

Developing the Plan Elements

With this analysis complete, your concern can turn to how to define an effective, detailed disaster-recovery plan and make it work. These elements are essential to any such plan, whether you are coping with a major disaster, or simply the day-to-day traumas that any firm can face:

• Conduct a firm risk assessment to review readiness and look for weakness;
• Prepare a specific disaster-recovery plan manual that creates a
  disaster-recovery team and spells out who does what;
• Review (or establish) your insurance coverage ' clearly understand what's included, and consider additional liability coverage for natural disasters and for crime (including kidnapping);
• Create a complete inventory and photo-document your entire office with all its contents to prove losses;
• Create an internal emergency communication system for lawyers, staff, clients, vendors, and the court, incorporating recorded hotline messages and out-of-area contact points;
• Have several cell phones for use by firm personnel if phone service is lost;
• Plan for temporary space by contacting building managers and real estate agents to establish plans that accommodate furnishings, computers, and phones;
• Back up all computer data and store data backup as well as important records and documents off-site;
• Consider installing a computer program that will be able to undelete/reclaim files that are inadvertently ' or intentionally ' erased;
• Have a plan to carry on key practice matters ' requesting a continuance or rescheduling a deposition ' by referral arrangement with another firm;
• Keep accounts-receivable current so you have necessary extra funds for rent, payroll, settlements, and other cash demands;
• Establish a solid relationship with your banker so you can get an emergency loan;
• Establish an employee assistance fund to help tide over staff in the event of a disaster, setting it up with employee contributions and matching firm grants;
• Have a written succession plan, which can be invaluable should a primary rainmaker or managing partner die; and
• Create security procedures to protect your premises and files against disgruntled employees, unhappy clients, or deranged outsiders.

One of the biggest typical flaws of disaster plans is that once they are written, they are filed away and neither reviewed nor tested. No matter how good a disaster recovery plan is on paper, it must be regularly reviewed and tested. Once you do create a plan, review and revise it regularly to keep it from going stale and becoming useless. More importantly, the firm must periodically pretend there is a disaster, implement the elements of the plan, and change those aspects that didn't work as well as desired.

It's All About People

The importance of testing and review illustrates the fact that disaster and recovery planning is ultimately about people. You will need acceptance, involvement, and support from a broad cross section of the firm to create the plan. All key firm stakeholders and leaders must be involved or at least lend their full support; without an investment in the plan's creation, they won't feel an obligation for its implementation. That includes the individuals with key implementation responsibility, as well as senior management and partners. By making sure that our people are prepared and taken care of, we make sure that the firm survives. We then can continue to fulfill our purpose as lawyers: serving our clients and making their lives better.

Ed Poll is the President of LawBiz' Management Company (http://www.lawbiz.com/ and http://www.lawbizblog.com/) and a longtime member of the A&FP Board of Editors. He may be contacted at 800-837-5880 or [email protected].

Planning for a disaster is one of the most specialized, most overlooked, and most vital business-strategy endeavors. 'Disaster' can come in many forms, any of which can mean the demise of a law firm. The goal of disaster planning is making a recovery that ensures the survival of the firm. If, as a lawyer or a law firm, you think planning for disaster recovery is a luxury you can ill afford in a time of increasing cost and profitability pressure, think again. Considerable research suggests that you are actually jeopardizing your future through unpreparedness. The U.S. Department of Labor, for example, says most companies that experience a major disaster are out of business within five years, because only 25% of companies have a disaster plan.

There are two types of law firms: those that have experienced a disaster, and those that will. 'Disaster' for a law firm is not a question of 'if,' but rather of 'when.' The only unknowns are what type of disaster, when it will occur, and how devastating it will be. A catastrophic storm or disease epidemic are disasters, but so, too, are burst water pipes that destroy vital property or files, or a computer system meltdown to the unprepared.

Defining Disaster

Not every disruptive event is a disaster. Professional liability, malpractice claims, client relations problems, and poor business judgment are all problems for a firm, but they are also part of everyday business. By contrast, any of the following events constitutes a disaster ' an unexpected event that could drive an unprepared firm out of business:

• Natural disaster (hurricane, tornado, flood, fire);
• Technology disaster: building structural failure (roof collapse, water pipes burst), computer technology failure (electronic work files or entire laptop computers lost or in jeopardy);
• Health disaster (epidemics, environmental catastrophe); and
• Crime disaster: violent crime (workplace assault by employee or client, terrorism, hostage situation, bomb detonation, robbery), cybercrime (hacking, identity theft/ phishing, employee sabotage).

Considering how much damage can result from something as innocuous as a faulty sprinkler system, it may be understandable that many law firm disaster planners previously focused attention on more common threats, and never considered large-scale disasters. In the past, firm planners could pat themselves on the back if they maintained proper fire safeguards, kept the firm properly insured, arranged for regular backups of key data files, and the like. Then came 9/11. Many firms were suddenly aware that the former patchwork of miscellaneous point solutions was inadequate. For all other firms, Hurricane Katrina should have driven that point home. While we can't expect disaster plans to protect our firms from all possible risks, we certainly should expand our planning perspective to include more catastrophic scenarios.

Ten years ago it was doubtful that cybercrime, terrorist attack, or avian flu would have made any list of law firm disaster worries; today, they are at the forefront. Successful disaster recovery planning starts when you not only understand the threats you potentially face, but also realize that your ultimate goal is to plan so that you remain in business ' no matter what threat or disaster you may encounter.

Creating the Mindset Before Creating the Plan

Disaster recovery plans don't just happen. Before you can create a plan you must create the infrastructure and mindset that will make a plan possible. Such an effort should embrace the following elements.

1) Review each practice area in the firm separately. Ask how long it can afford to be 'out of business' and what resources it would need to get up and running. Create your overall plan to reflect the risk scenarios of each practice area. Transactional lawyers often have time frames that are measured in hours. Litigators' time frames may run from the few hours needed to secure a temporary restraining order, to the years that 'bet-the-company' disputes require. Lawyers focusing on intellectual property or taxation will have similarly varied time frames.

2) Assume a widespread disaster. Some of the best laid plans can go awry if you depend on cell phones for backup communication, and the disaster wipes out communication towers in a wide area, or if you arrange for backup electronic and physical record storage in the same city as your current operations, and the disaster affects the entire area. Both of these were problems for New Orleans firms in the wake of Hurricane Katrina. A widespread disaster also will overwhelm the local disaster-recovery infrastructure, from extra office space to temporary staffing.

3) Think outside your usual geographic frame of reference. Geographically dispersed firms clearly have a leg up when it comes to many sorts of backup measures. A firm with multiple offices can, in principle, have backup data from each office automatically streamed to other firm locations for ready backup, as a supplement to outside backup resources. Similarly, firm branch offices can provide emergency housing and office arrangements for the affected office. Small firms or sole practitioners can follow the same principle by creating relationships with peers in other cities, using Bar Associations as one resource to do so.

4) Take off the organizational blinders. Accounting and technology specialists are accustomed to thinking of off-site backups for their immediate functions, but often neglect to extend the thought process to other materials: word-processed documents, imaged case files, client-relationship data files, personnel records. Often, the electronic information in these categories is password-protected, and only the people who intimately use it have the passwords. A prepared organization should work out a strategy for ensuring that this kind of secured information is not irretrievable should a worst-case disaster take the few people who know the passwords.

Developing the Plan Elements

With this analysis complete, your concern can turn to how to define an effective, detailed disaster-recovery plan and make it work. These elements are essential to any such plan, whether you are coping with a major disaster, or simply the day-to-day traumas that any firm can face:

• Conduct a firm risk assessment to review readiness and look for weakness;
• Prepare a specific disaster-recovery plan manual that creates a
  disaster-recovery team and spells out who does what;
• Review (or establish) your insurance coverage ' clearly understand what's included, and consider additional liability coverage for natural disasters and for crime (including kidnapping);
• Create a complete inventory and photo-document your entire office with all its contents to prove losses;
• Create an internal emergency communication system for lawyers, staff, clients, vendors, and the court, incorporating recorded hotline messages and out-of-area contact points;
• Have several cell phones for use by firm personnel if phone service is lost;
• Plan for temporary space by contacting building managers and real estate agents to establish plans that accommodate furnishings, computers, and phones;
• Back up all computer data and store data backup as well as important records and documents off-site;
• Consider installing a computer program that will be able to undelete/reclaim files that are inadvertently ' or intentionally ' erased;
• Have a plan to carry on key practice matters ' requesting a continuance or rescheduling a deposition ' by referral arrangement with another firm;
• Keep accounts-receivable current so you have necessary extra funds for rent, payroll, settlements, and other cash demands;
• Establish a solid relationship with your banker so you can get an emergency loan;
• Establish an employee assistance fund to help tide over staff in the event of a disaster, setting it up with employee contributions and matching firm grants;
• Have a written succession plan, which can be invaluable should a primary rainmaker or managing partner die; and
• Create security procedures to protect your premises and files against disgruntled employees, unhappy clients, or deranged outsiders.

One of the biggest typical flaws of disaster plans is that once they are written, they are filed away and neither reviewed nor tested. No matter how good a disaster recovery plan is on paper, it must be regularly reviewed and tested. Once you do create a plan, review and revise it regularly to keep it from going stale and becoming useless. More importantly, the firm must periodically pretend there is a disaster, implement the elements of the plan, and change those aspects that didn't work as well as desired.

It's All About People

The importance of testing and review illustrates the fact that disaster and recovery planning is ultimately about people. You will need acceptance, involvement, and support from a broad cross section of the firm to create the plan. All key firm stakeholders and leaders must be involved or at least lend their full support; without an investment in the plan's creation, they won't feel an obligation for its implementation. That includes the individuals with key implementation responsibility, as well as senior management and partners. By making sure that our people are prepared and taken care of, we make sure that the firm survives. We then can continue to fulfill our purpose as lawyers: serving our clients and making their lives better.

Ed Poll is the President of LawBiz' Management Company (http://www.lawbiz.com/ and http://www.lawbizblog.com/) and a longtime member of the A&FP Board of Editors. He may be contacted at 800-837-5880 or [email protected].