Business Continuity Planning in Small Law Firms
By Pam Hill
Downtime can have an almost immediate impact on the long-term financial viability of a small firm. Limited resources in both money and manpower to build application and data recovery solutions, remote access systems, and alternate workspace can make recovery of a smaller firm problematic. The good news is that modern technology and a little creativity can help a firm of any size build a business continuity capability.
A true business continuity capability depends on application and data availability, but those are not the only considerations. Any business is a complex tapestry of systems, data, people, process, vendors, and information needs. In order to have a comprehensive recovery capability, a firm must give consideration to all of these assets.
There is no doubt that technology is the core of any business continuity capability. A technical business continuity plan must be considerate of data protection, application availability, as well as the ability to access systems when the office is shut down. Any plan should cover a “local” disaster that affects only one component of the network, such as a single server failure, as well as a more systemic outage where the entire network/office is unavailable.
Priority One: Data Protection
Data protection for smaller firms generally means simple tape backup. New technology allows for disk-to-disk to tape back-up, which is much faster than the traditional tape version. True data protection requires that data be stored in two physically separate locations, requiring nightly offsite rotation of tapes to a secondary location. Generally, there is some resistance to this method based on the potential delay in file restoration while waiting for the tape. One advantage of disk-to-disk to tape backup is that the file is stored locally on disk, but the data are protected offsite on tapes. Regardless of the inconvenience of offsite tapes, a core concept of disaster recovery is having access to redundant data stored where the same disaster can’t affect both locations. It doesn’t have to cost a lot, and it is the single most important step to take in developing a recovery capability.
Another vital component is testing the data on the backup tapes. In general, 80 percent of all restores fail the first time due to corruption of data on the tapes, or a problem with the tapes themselves. In reality, you will never know if backup tapes work if you don’t test them regularly.
Other data protection strategies available include offsite vaulting of data to a data hosting/warehousing vendor. These solutions tend to be more expensive (around $800/month) and as such are not widely deployed in smaller firms. Another reasonably expensive, yet highly effective, solution is the replication of data from primary to secondary systems with tools such as NSI Doubletake or Replistore. These tools reside on the primary and secondary systems and manage asynchronous data replication, and well as failover/failback from both systems when the primary system becomes unavailable. The advantage is the relatively rapid recovery these tools allow. The disadvantage is the cost for the tool (around $2000/server), as well as the cost for redundant systems and infrastructure.
True application availability means clustering or load balancing redundant systems, so if one server fails, the other can take over. This clustering can occur with the equipment sitting next to each other, or in two separate locations. In the best case, the primary and back up systems would be in two separate locations so the same disaster could not impact both systems. Server consolidation through virtualization with tools such as VMWare will allow you to create lower cost redundant backup systems, because you can effectively shrink many applications/servers down to a few.
One less then perfect, but cost-effective, option is to move all systems into a hardened data center facility. This can significantly reduce the risk of a data center disaster from ever occurring. A collocation facility is designed for telecommunications (Internet/WAN) and infrastructure redundancy (such as power and HVAC)—the two components that commonly fail within a standard office building (which are not generally built with such redundancy in mind). Once all systems are housed within this secure facility, application/data access occurs over a telecommunications network from your office to the facility (Internet or direct access, depending upon your architecture). This does not eliminate the risks inherent in nonredundant systems, but it does greatly reduce the likelihood of a data center outage from occurring to begin with.
Collocation vendors can also provide 24/7 network and server monitoring, disk/tape backup, server and OS maintenance, as well as hands-on assistance in technical problem solving and recovery. Collocation facilities range in pricing, but you can expect to pay an average of $750/rack of equipment/month, and around $1000/month for Internet connectivity. Shared “half racks” of equipment are also available, and pricing varies greatly. Other choices include outsourcing the application to a hosting vendor, where the vendor can either fully host the application, or provide disaster-related “continuity” services (after a disaster has occurred).
No doubt, email is the single most critical application in a law firm. Email continuity can be addressed with a product such as MessageOne’s EMS or Outlook Extension solutions. With EMS, your email address (e.g., JDoe@firmA.com) is recovered immediately, along with your calendar and contacts. You can also choose to recover the last 30 days of email. MessageOne also provides a BlackBerry continuity solution. Keep in mind, as good as these products are, they still provide for email continuity, not email recovery. You will still need to fully recover your email architecture to get back to gain access to your historical email messages.
The cheapest option is to use a home email address, or set up backup email addresses in a free account such as Yahoo, Hotmail, or GMail. After a disaster, the new email addresses would be sent to clients, staff, or other key stakeholders as a temporary measure. This approach is cheap, but has obvious client relationship concerns and so should be used only as a last resort.
Many service providers also provide postdisaster continuity services for document management as well as financial systems, but they are much more expensive than email continuity services (the high demand for these services has lowered the cost).
Another option is to work with a top-quality vendor who can provide you emergency response, such as drop shipping of preconfigured equipment, 24/7 monitoring and problem escalation, remote evaluation of the network/systems, and on-site support. Emergency contracts cost more, but in an emergency they will be worth every dollar. The net result is a longer recovery time, but a cheaper “insurance policy” than building redundant applications/data.
Along with application availability, it is important to build some capability for remote access into the critical applications. Most firms are addressing this need based solely on the requirement by lawyers to be able to work anywhere (e.g., home, trial site, war room, etc.). At its simplest, remote access can be accomplished by building web-based solutions (such as Outlook Web Access). Web-based solutions do not always have the same functionality, so often are not feasible to work from on a daily basis. A more common deployment is to build a Citrix or Terminal Services architecture, which allows for access into systems from any Internet/WAN connection. Don’t forget to address security if you are opening up your systems to the outside.
Having the best quality, high availability solutions won’t matter if you can’t access the systems, so give as much thought to access as you do to redundancy/availability of applications and data.
Critical Postdisaster Considerations
The ability to communicate with employees, clients, and so forth is the single most important process following any disaster. Make sure you have all employee contact information documented, including cell phone, home email addresses, alternate phone numbers, and BlackBerry PINs (which allows for direct device to device communication, even if the email and BlackBerry servers are down). Blackberry PIN-to-PIN communication has proven to be one of the most effective methods in every major disaster since 9/11, as they operate on a different frequency from cell phones, which tend to overload during a widespread disaster. Store all employee as well as client contact information (or other critical stakeholders such as cocounsel, opposing counsel) in an offsite location as well so you can access it if the facility is closed for some reason.
Have some manual recovery capability for other critical processes, such as conflicts checking, critical date management/docketing, and client records management. Remember, you must inform potential clients if you are completing an informal (versus formal) conflicts check due to an outage. Most malpractice insurance providers require maintenance of critical dates in two separate places (systems or paper) anyway, so make one place geographically diverse from the office. For instance, print or email your calendar to your home on a weekly basis to build redundancy. Scan critical client records and email them to your home, or store them on a portable device. Take your laptop and PDA home with you at night.
Simple steps can make all the difference in planning for a disaster. There are too many options for disaster recovery and business continuity to mention in one article. The most important question to ask yourself is, if you couldn’t get into your office, what would you need to be able to work? Include people, records, vendors, data, applications, images, and so forth into the mix, and then think through how to build redundancy for them.
Ms. Pam Hill has more than twenty years of experience in business continuity planning, colocation site selection, and project management. She has managed and implemented all phases of business continuity planning, including business impact analysis, risk analysis, technology recovery solution development and centralization, life/safety planning, crisis management and communications, alternate data center/workspace selection, and business resumption planning. Ms. Hill, Solution Group Leader-Business Continuity for Chicago-based Project Leadership Associates, has spent the past ten years in the business continuity planning consulting field, with extensive hands-on experience in planning and successful recoveries. She is widely recognized as an industry-leading expert on business continuity planning and frequently presents for national associations and conferences. Ms. Hill can be reached at email@example.com.