March 2002

When Disaster Strikes

by Bill Busch

Events of September 11 caused many businesses to take a new look at disaster preparedness. Losing thousands of lives and billions of dollars in one day sets an extreme example of outside forces testing the resilience of businesses and their leaders.

This stirs memories for many lawyers at our firm. In one night -- Thanksgiving, 1982 -- our offices in Minneapolis were destroyed by fire, ending five decades of uninterrupted occupancy, suddenly and without warning.

Some disasters are so far-reaching that it is impossible to avoid a material disruption in day-to-day operations. Such events may force a business to discard its recovery "plan" and write a new one in the midst of a real crisis. Nonetheless, anticipating potential disruptions and planning for the basics necessary to stay in business are worth the time and investment -- even if your plans are never put to the test. If a disaster does occur, being prepared may literally save your firm.

Many recovery plans focus on how to respond if a catastrophe occurs. But the planning process should also be used to prevent or reduce the risks of disaster. While the type or timing of a crisis may be impossible to predict, businesses can assess and manage their exposure, particularly in areas such as employee safety, data protection, and technology security. Most potential crises that could disrupt a business fall into a few broad categories: natural disasters (fires, storms, floods, etc.); acts of violence (terrorism, crime); and destructive mischief (theft, hacking, sabotage). It's also possible to anticipate the type of impact on your business (e.g., loss of people, physical space, documents, equipment, communications, or money).

Knowing the risks may allow a business to mitigate the damage or prevent the disaster altogether. For example, the Y2K technology crisis was widely predicted, but never really materialized. That's not because the danger wasn't real. Had we ignored the problem, the consequences could indeed have lived up to the dire predictions, resulting in the cascading effects of failed systems. But managers and technology professionals around the world assessed the risk and made corrections in advance. The result? We welcomed the new millennium with little or no disruption in business functions.

The same approach can be applied to other risks. One effective strategy is to look not for everything that could go wrong (the possibilities are infinite), but rather to focus on basic functions and how to protect them.

Even the most exhaustive preventive strategy will not shield us from disasters beyond our control. Nothing we do will prevent nature from wreaking havoc from time to time, nor can we be entirely secure from criminal behavior. The real opportunity lies in understanding how to respond and recover. This means answering "what if" questions: What if we had to practice law without electricity at the office for a week? What if all our paper files or our network files were destroyed? What if our key personnel died in an accident? What if we couldn't send email? What if our space were unavailable, starting tomorrow?

If one assumes that any of these could actually occur, it is possible to develop a plan to respond. A full disaster plan includes many topics that are beyond the scope of this discussion. But a few important points are worth noting:

Insurance. Like a doctor who makes a poor patient, lawyers making a career advising on business and risk don't always take time to review their key insurance policies, asking "what if" questions. An annual coverage review with an eye toward current replacement costs -- and the actual costs of business interruption -- can be enlightening and sobering.

Technology. In the information age, many people focus disaster planning on data security. If you have technology professionals, then you probably have off-site backups to protect your documents and data. But it's easy to have a false sense of security. How quickly are backup data available for real use? Does your backup data include software to run it? Where and how will you run your network if your physical location is destroyed? What about access to email? How will you operate if there's a sustained disruption of the Internet?

Communications. Amidst the high-tech challenges, basic communications may get insufficient attention. Continued operations -- especially in a crisis -- depend on the right internal people talking to each other. This is particularly true immediately following a disaster (when communication is often at its worst). You may or may not have phones, or email, or physical space, but your ability to reach internal people quickly and share information and instructions is critical. A simple step -- such as widely distributed off-site hard-copy directories of people, phone numbers, and home email addresses -- can vastly improve communications in a crisis.

A crisis plan should also include a strategy for dealing with clients and the media. Clients are likely to be sympathetic to a crisis, but they face their own business realities. If you can't serve their needs, they will soon find someone who can. Early and effective contact with key clients is essential.

Basic Business. Effective recovery requires early restoration of the most basic business functions, such as payroll checks, invoices, accounts payable, document production, etc. Often these are technology-driven functions, but the post-crisis environment may well leave a business without full access to pre-crisis technology and databases. Despite the IT revolution, technology has done little to reduce vulnerability to loss of physical space and hard assets.

Third Parties. One of the lessons from Y2K was that it isn't enough to have your own house in order. Many organizations now rely on others to perform functions once provided internally (e.g., network maintenance and document services). Consider how potential crises could threaten key suppliers and vendors, and know how to operate if outsourced functions were suddenly unavailable.

The Inevitable. Many of us may think it inconceivable that we would ever suddenly lose the carefully built systems, structures, and other assets on which we rely for our professional operations. But it happened to Faegre & Benson in 1982. It happened on September 11. And it will happen again.

BILL BUSCH is a partner in corporate finance and mergers and acquisitions at Faegre & Benson. He can be reached at (612) 766-7000 or wbusch@faegre.com