RISK MANAGEMENT GUIDE FOR LAW FIRMS
By Dave Fortain & John Kauffman
INTRODUCTION:
Managing your business's exposure to risk is now more important than ever. As a law firm you understand that today, even seemingly inconsequential incidents may result in expensive legal actions. Neglected facility repairs can snowball into major property expenses. Less than thorough hiring practices can turn into significant Workers' Compensation or General Liability claims. Disasters can strike at any time, and if the business is not prepared, the results can be devastating. With so much at risk, a comprehensive Risk Management Program is not only important; it is critical to the business's successful operation.
EMERGENCY PREPAREDNESS PLANNING
Emergency Preparedness Planning is the process of planning for and responding to emergencies so that your firm can return to normal operation with a minimum of disruption. A plan strives to provide for the safety of your clients, visitors, and employees; protect physical and informational assets; and minimize loss of income due to business interruption.
The first element of a plan is a written emergency preparedness policy statement that clearly reflects the law firms commitment to the emergency preparedness process. The policy statement should:
• Define the purpose and objective of the policy
• Define the lines of authority
• Be fully endorsed by top management
Define the organizational structure with a clearly defined chain of command and designated roles and responsibilities.
• Appoint an Emergency Coordinator
• Appoint and charge the Emergency Preparedness Planning Team
• Appoint alternates and backups
Identify assets critical to the firm (account's receivables, contracts, automation equipment, customized software programs, law books, client's possessions, etc.) that are crucial to the organization's survival.
Examine and assess internal and external capabilities that could contribute to or aid the Emergency Preparedness Planning process. This review will assist in evaluating the firm's current capabilities for emergency prevention, preparedness, response, and recovery.
Emergency Preparedness primary objective is to have a plan in place to properly position the firm to effectively respond to, and recover from, an emergency. Thus,
• Establish emergency communication systems (cellular phones, etc.)
• Establish relationships with community organizations (police, hospitals, etc.)
• Establish reciprocal arrangements with similar types of firms
• Plan for life safety: establish evacuation plans and routes
• Ensure protection of physical assets and vital records
• Gather information and identify resources for emergency preparedness
(Response team personnel listing, external organization listing, etc.)
Protect the continuity of automated processes and communication networks. Conduct a business impact analysis to define and prioritize critical functions of the firm, establish recovery time-frame requirements, and determine the computer automation and communication equipment necessary to support the critical functions.
Protect computer hardware with surge protectors, battery backups, uninterruptable power supplies (UPS), physical security, and environmental controls. More complex preparedness strategies may involve backup generators, equipment redundancy, quick-ship contracts, vendor hot sites or cold sites, mobile recovery units, and/or reciprocal agreements.
Protect data and software with disk mirroring, shadow copies, image copies, incremental backups, virus protection, and/or hierarchical storage techniques. Back up copies of critical software and data on a regular basis, and store them offsite, along with equipment configuration files, current recovery plans, and documentation.
Emergency Response primary objective is to have a plan in place to properly position the firm to stabilize and control an emergency. Thus,
• Assign specific individuals (e.g., switchboard operator) to receive and process emergency calls and related information
• Establish procedures to alert and warn employees
• Establish procedures to engage the Emergency Preparedness Plan, activate alarms, and notify emergency officials.
• Evacuate, shelter, and account for personnel
• Document the incident and all actions taken
Emergency Recovery primary objective is to have a plan in place to resume the firm's normal operation after an emergency has ended, or as soon as possible and practical during the emergency. Thus,
• Conduct pre-emergency recovery analysis and planning
• Prioritize short-and long-term recovery goals and objectives
• Establish policies and procedures to conduct damage assessment, salvage operations, activate recovery communications, and provide employee support
Conduct pre-training analysis and planning (to prioritize what training is needed). Establish policies and procedures for employee training, training schedules, tests and drills, and test documentation.
Conduct a formal audit of the entire plan at least once a year. The review should identify areas to update, determine completeness, assess chain of command, evaluate employee knowledge and awareness, assess trigger mechanisms, and evaluate inventory resources.
Update the Emergency Preparedness Plan whenever there are new members, new operations, new or renovated sites or changes in layout, and firm mergers or acquisitions.
