Business Continuity Planning for Law Firms

Mar 2, 2020
Olga Hout

For law firms, a successful business continuity plan (BCP) isn’t just about backing up your data. It’s about implementing companywide processes that are designed to prepare your entire workforce for any number of disasters. It’s about avoiding liabilities that could arise if your BCP is outdated or incomplete. But most importantly, a successful BCP allows your firm to live up to its legal and ethical obligations to your employees and clients by continuing to operate efficiently even in the event of a disruption.

That is why business continuity planning is such an essential company-wide responsibility. It involves the development of strategies designed to ensure the restoration of critical business processes, as well as the recovery of critical information systems integral to such functions during service or operational disruptions impacting your entire firm. BCP defines how critical processes, departments, information systems, and business units will work in tandem in a coordinated response to any disruption.

The most successful BCPs take a divide-and-conquer approach. Employees at your firm need to understand that the responsibility for staying afloat during a disruption does not fall solely on the shoulders of the information technology (IT) department. Senior management must also reinforce the notion that business continuity is an organizational responsibility, and because everyone is impacted by a disruption, everyone must contribute to your firm’s recovery. This is why a tightly unified planning process involving each business unit’s plans and roles in the resumption of essential processes must be developed.

The objectives of business continuity planning

Often, the court of public opinion is far less lenient than federal and civil ones, and an unfavorable verdict can result in irreparable harm to your firm’s reputation. Though business continuity planning is essential to all companies during disruptions, it aims to accomplish the following objectives for law firms.

  • To continue to represent clients competently and diligently and accommodate their immediate needs.
  • To avoid missing critical deadlines.
  • To safeguard client confidentiality and communications.
  • To support the firm despite reduced revenue.
  • To ensure ethical business practices.

Unfortunately, disruptions come in many flavors. A tornado or hurricane could knock out your voice and data communications, and restoring a damaged infrastructure may take terrestrial and wireless service providers days or even weeks. Outbreaks of diseases like Ebola, influenza, and SARS affect not only your staff availability but also your customers, who will need your assurance that your firm is operating even under these panic-inducing types of disruptions. Then, of course, there are crises that arise from human-made disruptions, such as acts of terrorism, cybercriminal attacks, technological failures, human error, and many others.

The importance of impact analysis

An essential step in any business continuity plan is a Business Impact Analysis (BIA), a process that distinguishes critical from non-critical functions.

A critical function is one whose implication for stakeholders or the extent of damage to the law firm is considered unacceptable or disastrous. Moreover, any function that is dictated or required by law is automatically regarded as critical. These functions must be identified in a BIA.

Furthermore, impact analysis leads to the identification of each critical function’s recovery requirements. These include the timeframe in which the critical operation is restored after a disaster, and the business and technical requirements essential to the recovery of each vital process.

Critical components of a business continuity plan

Law firms vary in size and specialization, so there is some flexibility in the elements that comprise a firm’s BCP. However, all plans should address the following:

  • Data backup and recovery (hard copy and electronic): This encompasses a clear identification of where primary books and records, as well as backup files (hard copy and electronic), are kept. Law firms should also be prepared to provide a detailed description of the data backup and recovery process during major business disruptions.
  • Identification of all mission-critical systems: What is deemed to be a mission-critical system varies based on each law firm. Some examples would include access to customer files, safeguarding client confidentiality, and encryption.
  • Recovery time: Law firms should have a BCP in place designed to minimize business recovery time objectives for both critical and noncritical functions.
  • Alternate communications between customers and the firm and between the firm and its employees: These encompass the provisions to be made to ensure an uninterrupted connection among everyone involved.
  • Alternate physical location of employees: In the case of disruptions, there should be designated alternative sites for employees (this includes key personnel) in the resumption of business operations.
  • Critical business constituent, law firm, and counterparty impact: This covers the effect significant business disruption can have on a law firm’s relationships with other firms, counterparties, and other stakeholders, and how it will address such impacts.
  • Regulatory reporting: This should spell out the capability of a law firm to ensure compliance with regulatory reporting requirements in the event of business disruption.
  • Incident management: A plan should be in place to prepare for, protect against, and respond to any incident.