Building a legal ops continuity plan involves a number of steps, starting with data gathering, as we previously discussed. Gathering critical business information helps you establish priorities and assess impact, creating the framework for developing your continuity strategy, incident response handling, and communication planning. In this article, we'll walk you through how to harness this information to assemble, deploy and maintain your continuity plan. We also will share a number of continuity planning resources which can assist with the planning process.
The critical business information you collect in Phase 1 of the planning process will form the toolkit you need for assembling your continuity strategy and plan, including:
- A list of potential risks to the business, with likelihood and severity
- A prioritized list of systems (and any dependencies) needed to ensure the continued operation of your firm or business
- A list of acceptable down times for each function
- Contact information for internal teams and vendors
BUILDING YOUR CONTINUITY PLAN - PHASE 2
developing continuity strategies
The next step in the continuity planning process is to evaluate the items collected above and develop approaches for addressing and overcoming any risks. These strategies will become the foundation for your incident response plan, the playbook you'll use for responding to events which impact your business. This is also a good time to identify the team members needed for your recovery and continuity processes.
During the strategy development process, it is also essential to perform a gap analysis against your current capabilities and gain approval from management for any investment which might be needed. While doing this, it's important to evaluate a variety of different risk mitigation strategies and not over-engineer your solution. For example, while manual workarounds aren't optimal long-term solutions, the use of a manual logging may be an appropriate strategy for a short-term availability issue with your legal management system. In the case of a more prolonged outage, the strategy could shift to rely on a backup site or alternate system.
building an incident response plan
With the continuity strategies in place, it's time to dive into the details and create an incident response plan. The incident response plan should identify critical services, recovery teams, and potential relocation options as well as all continuity and disaster recovery procedures. In considering a line-of-business application, for example, an incident response plan for a short-term outage would include:
- When to utilize a manual log
- The location of the manual log, policies, and procedures for updating
- Who is responsible for maintaining the log
- The criteria for switching to the manual log
- Who makes the decision to switch to the manual log
- Criteria for switching back to the electronic system
- Who decides to switch back to the electronic system
- How information in the manual log is transferred back to the electronic system
The steps above cover much of what is needed to manage through a short term outage, but as you will see in the next section, it's also important to have a communication plan in place to ensure coordination during any incident.
the importance of communication planning
The communication plan is an often overlooked but equally important part of the business continuity process. If employees or vendors don’t receive the appropriate communication at the right time, the best incident response plans can go awry. Therefore, it is essential that clear lines of authority are identified, communication channels are agreed upon and incident messaging is treated as an integral part of the response plan. This can include having a standing conference call number ready for check-ins during an incident, automated dialing programs which notify employees that a location is closed or pre-built email templates to simplify the communication process. It is also important to have clear rules for employees regarding communication with media. A communication plan should include:
- A pre-built email and group email list with appropriate links and procedures to notify team of invocation of incident response plan due to an outage
- A meeting with IT and/or vendor to assess situation using pre-arranged conference call number
- A regular email to teams with status updates
- Standing meeting with IT and/or vendor to assess progress
- A pre-built email and group email list confirming closure of the incident and processes to switch back to electronic system
Awareness, Training and Testing
With the incident response and communication plans in place, it is time for training and testing. Frequently, these can be combined to help build awareness around the plan and also identify potential improvements. Once the plan has been launched, you should try to test your plan at least once a year with realistic scenarios. It is also important to not only replicate a major incident, but also the confusion, miscommunication and smaller incidents that go along with it. Once the test is conducted, any lessons learned should be compiled and plans updated with information picked up from the exercise.
Additional Business Continuity Resources
We collected the following resources for useful tools and information for organizations developing business continuity plans:
- IBHS’s Open for Business Continuity Toolkit provides downloadable templates to facilitate continuity planning
- The Disaster Recovery Institute International provides The Professional Practices for Business Continuity Management, a body of knowledge designed to assist in the development, implementation, and maintenance of business continuity programs
- Department of Homeland Security provides a number of resources to assist with business continuity planning
Stay tuned next for our next installment in our Legal Ops Continuity Series: Essential Business Continuity Technologies For Legal, where we’ll highlight essential technologies that help legal teams ensure and maintain continuity of critical resources.
About the Hyperion Legal Ops Continuity Series
Throughout this series, we’ll explore best practices for ensuring readiness and continuity, while also highlighting lessons learned from law firms and corporate legal teams (both positive and negative) over the last several months. By the end of this series, you will have an in-depth understanding of each of the keys to successful continuity planning and execution. Additionally, we will also compile all of the checklists, frameworks and lessons learned into a Legal Operations Readiness Resource kit.