Disasters can be, well, even more disastrous to law firms because their responsibility to protect client data does not dissipate post-disaster. In fact, former ABA President Steve Zack was quoted as saying, “They [law firms] must represent the client competently and diligently, safeguard client’s property, and maintain client confidentiality and communications. These obligations are neither excused nor waived following a disaster.”
Not only that, but any amount of system downtime has immediate and drastic effects on revenue, since your attorneys can't very well bill when they are unable to work.
Perhaps that’s why our law firm clients frequently ask us how they can better plan for a disaster and test their disaster recovery plan. Here’s what we advise.
Step 1: Determine the levels of disaster scenarios to consider testing
- An important file is lost. Can you restore it in a timely and effective fashion?
- Your organization’s server fails. Can it be virtualized? Replaced?
- There is a biohazard that has made the office inaccessible. Can all employees work remotely?
- Your office burns down. Can you function?
- The worst of all possible disasters: The entire city where your office is located is struck by disaster. Are you out of business?
Review each practice area in the firm separately. Ask how long it can afford to be “out of business” and what resources it would need to get up and running. Create your overall plan to take into consideration the specific risk factors for each practice area.
Step 2: Plan to test the scenarios
Industry standards suggest that you test your plan for a failed server situation twice a year and for a Level 4 disaster scenario (your office burns down) once a year. Note that as the severity of the simulated disaster situation increases, the more downtime the test will require.
Of course, when you have a quicker way to recover from a disaster (backup systems in place, server virtualization methods, etc.), the less downtime a simulated disaster will require. Consider your direct costs as well as the cost of downtime before you decide which testing level is best for your firm. If you find that this cost is simply too high, consider testing only the most common disaster scenarios — server failure and file loss.
Step 3: Test your scenarios
Once you have a detailed disaster recovery plan in place, you must be sure that your solutions will work the way they're supposed to.
1) With the help of external consultants and/or your internal IT team, plan the disaster recovery test with the full knowledge (and acceptance) that it will require downtime. Then, comprehensively communicate this to all attorneys, staff, and clients.
2) Ensure that you have an executive-level user involved in the testing scenario so that you have someone on the “front lines” who can evaluate the test from a business continuity perspective. A Managing Partner from each practice area would work.
3) As you are conducting the test, keep a detailed log of everything that does not go as planned (as well as the solutions that worked well). This way, the test will inform the plan’s revisions.
4) When your test is complete, review your log and incorporate any suggestions to modify your plan (and, if necessary, your technology) so you are ready for the next test.
With multiple surveys reporting that cost-per-minute of downtime can range from $15,000 to $30,000, and many law firms reporting recovery point objectives (RPO) as approximately two hours, the cost of a disaster can really add up—especially depending upon the nature of your law firm.
While transactional attorneys often report an RPO in hours, litigators’ timeframes can be shorter or longer, depending. When designing and testing a disaster recovery plan for your law firm be specific, be meticulous, and be comprehensive. It could be what keeps you in business.