Technology

Print This Article

Seven Ways to Avoid Disaster in Your Disaster Recovery Planning and Procedures
by Dennis Kennedy
January 2005

What's worse than a disaster? How about doubling your disaster with a disastrous set of discovery plans, policies and procedures?

Disaster recovery and business continuity planning moved to center stage in IT planning issues in the last few years. While these subjects deservedly command the attention that they get, firms too often do not find the time and assets necessary to pay full attention to all the issues and execution of good plans often remains a problem.

The fact is that nothing sharpens a disaster plan more than suffering a disaster. However, as time begins to stretch out after the last disaster, the energy, focus and urgency of disaster plans tends to dissipate. Great plans and procedures gradually grow inadequate and irrelevant. They also tend to focus on "fighting the previous war." Part of a good plan is to address this inevitable inertia.

What steps can you take to improve your planning and procedures and prevent preventable disasters? While no plan can account for every contingency or be totally bullet-proof, the following seven steps will help you avoid adding insult to injury from self-inflicted disasters.

1. Determine Your Core Business, Really. They call it business continuity for a reason. Everything flows from accurately determining what your core business is, including priorities, policies and procedures. Unfortunately, if you ask everyone at a law firm what the core business of the firm is, you probably will not find a lot of consistency in the answers. If that is the case at your firm, you should be worried about other things than just disaster recovery, but lack of understanding of the core business almost certainly will lead to problems in the event of a disaster. It is essential that key managers and firm leaders be involved in the disaster planning process. It's also instructive to read and listen to the stories of firms that have made it through big disasters. Pay attention to what they focused on for both the short term and long term. A common theme is enabling fee-earners to return to generating fees for paying clients as quickly as possible. It's easy to focus too intently on technology issues when the big concern is generating cash flow to keep paying employees and moving forward. Be a pest and force the decision-makers to make decisions about core business elements that must be protected and quickly restored.

2. Use Scenario Planning. The easy approach to disaster planning is to create a checklist of issues and find ways to address each of them. Unfortunately, as the military maxim goes, no plan survives first contact with the enemy. Working through a number of "what if" scenarios will help you find holes in your planning and identify real and important issues. It is not a well-conceived plan if it is dependent on managing partners surviving and everyone returning to the office the next day. Wipe out the executive committee in a scenario and see how you plan works. Question your assumptions. Create plausible story lines. Do you like the movie "Die Hard"? Run your disaster plan under the Die Hard scenario and see what happens.

3. Write the Plan As If You Will Have to Read it Someday. Make no mistake – unless you have a written plan, you don't really have a plan. Take out your plan and really read it. Is it filled with platitudes and assumptions? Do you see steps that say nothing more than "Restore network operations"? Imagine you are not there and someone untrained has to pull out the plan and use it. Can they?

4. Negotiate Great Agreements. Firms are starting to look at outsourcing many aspects of disaster planning. What are you third party providers obligated to do under the contracts you have signed? Is it adequate or even helpful? Can you get out of agreements and move to other providers? What service levels must be provided? What happens if they are not provided? If you do not raise and negotiate issues, I guarantee you that the terms of any contract you sign will be more favorable to the provider than they are to you.

5. Adopt a Portfolio Approach. The modern approach to financial investments emphasizes diversification and mixing low-risk, low-return ("safe") investments and high-risk, high-return ("risky") investments in a basket that reflects your risk tolerance. The same concepts have recently migrated into the world of IT planning. You can also think of this approach as "not putting all your eggs in one basket." Consider a variety of approaches, overlapping techniques and both novel and standard approaches. Diversify your risks, responses and procedures.

6. Focus on Failure and Redundancy. There is a notion in disaster planning known as "elegant failure." The idea is that failures will happen and it becomes important to know what happens after the failure. In "elegant failures," the fix is a good and effective one. For example, if I have a backup email service that comes into action within one second of a catastrophic Exchange Server failure, I have an elegant failure. If my firm loses email service for three days and attorneys have to use Hotmail accounts for email, I do not have an elegant failure. Look at various points in your processes and procedures. Consider what happens when a failure occurs at each of these points and the options that you may have. Can you set up some elegant failures?

7. Test Rigorously and Repeatedly. When I was in school, we had fire drills on a regular basis. I have no doubt that we would have gotten out of the school safely in the event of a fire. On the rare occasions that I've been involved in fire drills or false alarms while at law firms, I had no doubt that few people would make it out alive if a fire actually occurred. It's important to test your plan, practice your procedures and do so on a regular basis. Lackadaisical practicing and testing guarantee poor results when something bad actually happens.

Conclusion.

My best advice is to treat these matters as if they actually matter. Your livelihood and your life may be at stake one day and you will regret any half-hearted steps that you made in the past. Make time for disaster recovery, be a pest at getting answers to your questions, challenge assumptions, develop a thick skin for deal with the ribbing you are likely to take for being "too serious," and keep in mind that we live in volatile and dangerous world.

This article is reprinted from his materials for his session on disaster recovery at ABA TECHSHOW 2005.


Dennis Kennedy (dmk@denniskennedy.com) is a well-known legal technology expert, technology lawyer and blogger. He is member of the ABA Law Practice Management Section’s Council, Webzine Board and the ABA TECHSHOW 2005 Board. His blog (http://www.denniskennedy.com/blog/) and his web page (http://www.denniskennedy.com) are highly-regarded resources on technology law and legal technology topics.