April 2018

Disaster recovery 101: Essentials for a plan that works

Ever wonder if your firm could survive a major disaster? How much it would cost you in lost revenue for a day, a week or months?

Natural disasters have crippled law firms across the country. Firms in Florida, Texas, Puerto Rico, the U.S. Virgin Islands and California are still reeling from the damage caused by recent hurricanes, flooding, wildfires and mudslides.

The best way to plan for such disasters is by developing a business continuity plan.  The ABA-sponsored webinar, Surviving a Disaster: Putting It All Together, Writing and Testing a Business Continuity Plan,” provided guidance on putting one together.

“Business continuity is the capability of the business to continue delivery of products or services at acceptable predefined levels following a business disruption,” said George B. Huff Jr., a special adviser to the ABA Standing Committee on Disaster Response and Preparedness and founder of The Continuity Project LLC in Alexandria, Va..

A business continuity plan will help a firm “get back to normal as quickly as possible after an incident,” Huff said. “Every destructible event has a predictable life cycle and contingency planning can enable a law firm to respond, continue and return to normal operation.” 

W. James Williams, business continuity specialist at Sidley Austin LLP in Chicago said a typical plan will detail how a firm can “be operational no later than 12 hours after activation and be capable of [guiding] sustained operations for up to 30 days.”

However, one size does not fit all. A good plan should be tailored to fit a law firm’s needs and it should be easy to use, emphasized panelists.

The setup includes:

Governance – Clarifies expectations; enables meaningful management involvement; and describes the recurring planning process via the implementation of policy, standard operating procedures, objectives and scope. “It provides for the who, what and the how,” Huff said. “A key component is getting the right people in the right seats for each role in the BCMS (business continuity management system).”

Analysis – Summarizes BCMS requirements and includes a business impact analysis, which covers the consequences of a disruptive incident on the organization, with the objective of defining and justifying business continuity requirements; and a risk assessment, which is an analysis of business risk that may affect a firm’s ability to deliver its most critical products and services, with the objective of determining approaches to becoming more resilient.

Strategy identification –  Provides options to management regarding how to become more resilient and how to recover and respond; leverages business requirements from the analysis phase to identify, evaluate and implement risk mitigation, response and recovery strategies aimed at reducing the likelihood, or minimizing the impact of, a disruptive event.

Planning – Guides the organization through all phases of response and recovery: crisis management, crisis communications, business continuity, IT disaster recovery.

Testing and training – Validates capabilities and plan content; highlights weaknesses and areas for improvement; provides critical hands-on training to the personnel responsible for response and recovery.

Continual improvement – Keep the program up-to-date and reflective of organizational change via management reviews; corrective actions and closure of gaps; develop performance metrics.

Once a business continuity program is written, “it is not a one-and-done plan that sits on a shelf,” Huff said.  It requires training and regular evaluation.

Training ensures that all employees know their roles following plan activation. Moreover, it will verify that designated recovery systems work and clarify where the plan needs revision.

There are many types of testing and training exercises, said Eric B. Kretz, director of The Continuity Project LLC. However, he strongly recommended using the Homeland Security Exercise and Evacuation Program (HSEEP) as a reference. “It is a 100-page document that breaks down exercise and evaluation to a standard and functional baseline that most people in emergency management refer to,” he said. “It talks you through how to manage a program, how to design and develop, how to conduct an exercise and how to do an evaluation and follow through on improvements.”

“Surviving a Disaster: Putting It All Together, Writing and Testing a Business Continuity Plan” was presented by the ABA Committee on Disaster Response and Preparedness, Law Practice Division, Solo, Small Firm and General Practice Division, Section of State and Local Government Law and Center for Professional Development.

The program was moderated by Chauntis T. Jenkins-Floyd, attorney with Porteous, Hainkel & Johnson in New Orleans and chair of the ABA Standing Committee on Disaster Response and Preparedness.

Topic: