The events of September 11 caused
many businesses to take a new look at disaster preparedness.
Losing thousands of lives and billions of dollars in one day
sets an extreme example of outside forces testing the resilience
of businesses and their leaders.
An Ounce of Prevention
This stirs memories for many lawyers at our firm. In one night
-- Thanksgiving, 1982 -- our offices in Minneapolis were destroyed
by fire, ending five decades of uninterrupted occupancy, suddenly
and without warning.
Some disasters are so far-reaching that it is impossible to avoid
a material disruption in day-to-day operations. Such events may
force a business to discard its recovery "plan" and
write a new one in the midst of a real crisis. Nonetheless, anticipating
potential disruptions and planning for the basics necessary to
stay in business are worth the time and investment -- even if
your plans are never put to the test. If a disaster does occur,
being prepared may literally save your firm.
Many recovery plans focus on how to respond if a catastrophe
occurs. But the planning process should also be used to prevent
or reduce the risks of disaster. While the type or timing
of a crisis may be impossible to predict, businesses can assess
and manage their exposure, particularly in areas such as employee
safety, data protection, and technology security. Most potential
crises that could disrupt a business fall into a few broad categories:
natural disasters (fires, storms, floods, etc.); acts of violence
(terrorism, crime); and destructive mischief (theft, hacking,
sabotage). It's also possible to anticipate the type of impact
on your business (e.g., loss of people, physical space,
documents, equipment, communications, or money).
Events Outside Your
Knowing the risks may allow a business to mitigate the damage
or prevent the disaster altogether. For example, the Y2K technology
crisis was widely predicted, but never really materialized. That's
not because the danger wasn't real. Had we ignored the problem,
the consequences could indeed have lived up to the dire predictions,
resulting in the cascading effects of failed systems. But managers
and technology professionals around the world assessed the risk
and made corrections in advance. The result? We welcomed the
new millennium with little or no disruption in business functions.
The same approach can be applied to other risks. One effective
strategy is to look not for everything that could go wrong (the
possibilities are infinite), but rather to focus on basic functions
and how to protect them.
Even the most exhaustive preventive strategy will not shield
us from disasters beyond our control. Nothing we do will prevent
nature from wreaking havoc from time to time, nor can we be entirely
secure from criminal behavior. The real opportunity lies in understanding
how to respond and recover. This means answering "what if"
questions: What if we had to practice law without electricity
at the office for a week? What if all our paper files or our
network files were destroyed? What if our key personnel died
in an accident? What if we couldn't send email? What if our space
were unavailable, starting tomorrow?
If one assumes that any of these could actually occur, it is
possible to develop a plan to respond. A full disaster plan includes
many topics that are beyond the scope of this discussion. But
a few important points are worth noting:
Insurance. Like a doctor who makes a poor patient,
lawyers who make a career of advising on business and risk don't always
take time to review their own key insurance policies and ask "what
if" questions. An annual coverage review with an eye toward
current replacement costs -- and the actual costs of business
interruption -- can be enlightening and sobering.
Technology. In the information age, many people focus
disaster planning on data security. If you have technology professionals,
then you probably have off-site backups to protect your documents
and data. But it's easy to have a false sense of security. How
quickly are backup data available for real use? Do your backup
data include the software needed to run them? Where and how will you run your
network if your physical location is destroyed? What about access
to email? How will you operate if there's a sustained disruption
of the Internet?
Communications. Amidst the high-tech challenges, basic
communications may get insufficient attention. Continued operations
-- especially in a crisis -- depend on the right internal people
talking to each other. This is particularly true immediately
following a disaster (when communication is often at its worst).
You may or may not have phones, or email, or physical space,
but your ability to reach internal people quickly and share information
and instructions is critical. A simple step -- such as widely
distributed off-site hard-copy directories of people, phone numbers,
and home email addresses -- can vastly improve communications
in a crisis.
A crisis plan should also include a strategy for dealing with
clients and the media. Clients are likely to be sympathetic to
a crisis, but they face their own business realities. If you
can't serve their needs, they will soon find someone who can.
Early and effective contact with key clients is essential.
Basic Business. Effective recovery requires early restoration
of the most basic business functions, such as payroll checks,
invoices, accounts payable, document production, etc. Often these
are technology-driven functions, but the post-crisis environment
may well leave a business without full access to pre-crisis technology
and databases. Despite the IT revolution, technology has done
little to reduce vulnerability to loss of physical space and
Third Parties. One of the lessons from Y2K was that it isn't
enough to have your own house in order. Many organizations now
rely on others to perform functions once provided internally
(e.g., network maintenance and document services). Consider
how potential crises could threaten key suppliers and vendors,
and know how to operate if outsourced functions were suddenly
The Inevitable. Many of us may think it inconceivable
that we would ever suddenly lose the carefully built systems,
structures, and other assets on which we rely for our professional
operations. But it happened to Faegre & Benson in 1982. It
happened on September 11. And it will happen again.
BILL BUSCH is a partner in corporate
finance and mergers and acquisitions at Faegre & Benson.
He can be reached at (612) 766-7000 or firstname.lastname@example.org