What's worse than a disaster? How about doubling your
disaster with a disastrous set of discovery plans, policies
Disaster recovery and business continuity planning
moved to center stage in IT planning issues in the last
few years. While these subjects deservedly command the
attention that they get, firms too often do not find
the time and assets necessary to pay full attention
to all the issues and execution of good plans often
remains a problem.
The fact is that nothing sharpens a disaster plan
more than suffering a disaster. However, as time begins
to stretch out after the last disaster, the energy,
focus and urgency of disaster plans tends to dissipate.
Great plans and procedures gradually grow inadequate
and irrelevant. They also tend to focus on "fighting
the previous war." Part of a good plan is to address
this inevitable inertia.
What steps can you take to improve your planning and
procedures and prevent preventable disasters? While
no plan can account for every contingency or be totally
bullet-proof, the following seven steps will help you
avoid adding insult to injury from self-inflicted disasters.
1. Determine Your Core Business, Really. They
call it business continuity for a reason. Everything
flows from accurately determining what your core business
is, including priorities, policies and procedures. Unfortunately,
if you ask everyone at a law firm what the core business
of the firm is, you probably will not find a lot of
consistency in the answers. If that is the case at your
firm, you should be worried about other things than
just disaster recovery, but lack of understanding of
the core business almost certainly will lead to problems
in the event of a disaster. It is essential that key
managers and firm leaders be involved in the disaster
planning process. It's also instructive to read and
listen to the stories of firms that have made it through
big disasters. Pay attention to what they focused on
for both the short term and long term. A common
theme is enabling fee-earners to return to generating
fees for paying clients as quickly as possible. It's
easy to focus too intently on technology issues when
the big concern is generating cash flow to keep paying
employees and moving forward. Be a pest and force the
decision-makers to make decisions about core business
elements that must be protected and quickly restored.
2. Use Scenario Planning. The easy
approach to disaster planning is to create a checklist
of issues and find ways to address each of them. Unfortunately,
as the military maxim goes, no plan survives first contact
with the enemy. Working through a number of "what
if" scenarios will help you find holes in your
planning and identify real and important issues. It
is not a well-conceived plan if it is dependent on managing
partners surviving and everyone returning to the office
the next day. Wipe out the executive committee in a
scenario and see how you plan works. Question your assumptions.
Create plausible story lines. Do you like the movie
"Die Hard"? Run your disaster plan under the
Die Hard scenario and see what happens.
3. Write the Plan As If You Will Have to Read
it Someday. Make no mistake – unless
you have a written plan, you don't really have a plan.
Take out your plan and really read it. Is it filled
with platitudes and assumptions? Do you see steps that
say nothing more than "Restore network operations"?
Imagine you are not there and someone untrained has
to pull out the plan and use it. Can they?
4. Negotiate Great Agreements. Firms
are starting to look at outsourcing many aspects of
disaster planning. What are you third party providers
obligated to do under the contracts you have signed?
Is it adequate or even helpful? Can you get out of agreements
and move to other providers? What service levels must
be provided? What happens if they are not provided?
If you do not raise and negotiate issues, I guarantee
you that the terms of any contract you sign will be
more favorable to the provider than they are to you.
5. Adopt a Portfolio Approach. The
modern approach to financial investments emphasizes
diversification and mixing low-risk, low-return ("safe")
investments and high-risk, high-return ("risky")
investments in a basket that reflects your risk tolerance.
The same concepts have recently migrated into the world
of IT planning. You can also think of this approach
as "not putting all your eggs in one basket."
Consider a variety of approaches, overlapping techniques
and both novel and standard approaches. Diversify your
risks, responses and procedures.
6. Focus on Failure and Redundancy.
There is a notion in disaster planning known as "elegant
failure." The idea is that failures will happen
and it becomes important to know what happens after
the failure. In "elegant failures," the fix
is a good and effective one. For example, if I have
a backup email service that comes into action within
one second of a catastrophic Exchange Server failure,
I have an elegant failure. If my firm loses email service
for three days and attorneys have to use Hotmail accounts
for email, I do not have an elegant failure. Look at
various points in your processes and procedures. Consider
what happens when a failure occurs at each of these
points and the options that you may have. Can you set
up some elegant failures?
7. Test Rigorously and Repeatedly.
When I was in school, we had fire drills on a regular
basis. I have no doubt that we would have gotten out
of the school safely in the event of a fire. On the
rare occasions that I've been involved in fire drills
or false alarms while at law firms, I had no doubt that
few people would make it out alive if a fire actually
occurred. It's important to test your plan, practice
your procedures and do so on a regular basis. Lackadaisical
practicing and testing guarantee poor results when something
bad actually happens.
My best advice is to treat these matters as if they
actually matter. Your livelihood and your life may be
at stake one day and you will regret any half-hearted
steps that you made in the past. Make time for disaster
recovery, be a pest at getting answers to your questions,
challenge assumptions, develop a thick skin for deal
with the ribbing you are likely to take for being "too
serious," and keep in mind that we live in volatile
and dangerous world.
This article is reprinted from his materials for
his session on disaster recovery at ABA
Dennis Kennedy (firstname.lastname@example.org)
is a well-known legal technology expert, technology
lawyer and blogger. He is member of the ABA Law Practice
Management Section’s Council, Webzine Board
and the ABA TECHSHOW 2005 Board. His blog (http://www.denniskennedy.com/blog/)
and his web page (http://www.denniskennedy.com)
are highly-regarded resources on technology law and
legal technology topics.