Are You Prepared for a Disaster?

Disasters can take many forms for an organization. They might include a compromised computer, a power outage, severe weather, an active shooter situation, a bombing, or a virus. Some of these situations are not as severe as others, but all need a plan to protect employees, clients, business partners, data, and files.

An organization needs a plan which:

• Identifies levels of disasters and responses
• Identifies systems, tasks and processes that are critical to the operation of the company
• Identifies personnel responsible for business recovery activities
• Identifies alternate operations and processing locations
• Identifies the resources required to continue to effectively function, such as:
  • Vital Records
  • Office Furniture and Equipment
  • Data Processing Hardware and Software
  • Supplies
  • Business Partners

The basic objectives of a disaster recovery plan should be:

• To protect personnel, assets and informational resources from further injury or damage
• To minimize economic losses resulting from interruptions of business activities
• To provide a plan of action to facilitate an orderly recovery of business operations

Disaster Definitions

Level 1 disasters are considered a loss of power or other business sustaining services for an expected period of up to 48 hours. Damage is not large scale. It may consist of minor damage to the building, lack of access due to weather or city infrastructure conditions or significant hardware/software damage.

Level 2 disasters are ones in which the outage is expected to last from two to five days. Damage is more serious than Level 1 and may mean heavier losses to equipment and documentation (files, reports, contracts) due to prolonged events (fire, flooding).

Level 3 disasters are ones in which the outage is anticipated to last in excess of five days. Damage could extend to total destruction of the building, requiring replacement and/or significant renovation of the facilities. If a health pandemic occurs, consider this a Level 3 disaster.

Level 4 disasters involve immediate danger of possible injury, such as an active shooter situation. These disasters should be addressed separately because they require active participation immediately from all personnel.

Disaster Recovery Team (DRT)

The Disaster Recovery Team (DRT) must include members who understand specific aspects of the business. This may include business partners, such as data providers, and technology. The team should meet regularly – perhaps quarterly. If members are not at the same location, connect via a conference site, such as Zoom. Becoming familiar with a product like Zoom or Go To Meeting will better prepare the team to respond to a disaster when everyone is not at the same location.

A meeting which includes vital members of the organization and the team should meet twice a year.

Emergency Phone Numbers

The first list should include only employee phone numbers. It is highly recommended that team members maintain this list of numbers either in a smartphone or in an address book that is kept off-site. Identify the members of the team who will maintain this list. Send “test” messages occasionally to ensure the sender knows how to do it and the phone list is current.

Choose methods of communication. VoiceShot allows the team to populate a distribution list and send a voicemail or text message to everyone affected. A member of the marketing department should immediately post a message on the landing page of the firm’s website. It is recommended that members of the DRT should practice using VoiceShot or a similar communicator.

Normally, a member of the human resources department would be a good choice to maintain this list with one or two DRT members as secondary.

The second list should include main phone numbers of business partners. This list may be maintained electronically and in hard copy by each member of the DRT. There is no need to send test emails to these entities via VoiceShot or similar messaging software. This list should include:

• Building Management for every location. Even if a disaster occurs in one location, all management companies should be notified.
• IT Providers: this should include providers for the cloud, time & billing, document management, the website, outsourced help desks, and internet and phone providers.
• Other Providers: this includes your offsite storage, accountants, and all insurance brokers.
• Emergency Entities: this may vary depending on location, but the team should include: the American Red Cross, area hospitals for all locations, the FBI, FEMA, local police departments, local fire departments, and poison control centers.

This is a good start to a comprehensive disaster recovery plan. In subsequent writings, we will address:

• Staging Areas for each location which includes identifying wardens and detailing the training that is ongoing for all personnel.
• Identifying Alternate Facilities, which will include working from home and what is involved.
• Shelter in Place. What is involved when an active shooter may be present. What to do and not do.
• Educating Employees, which is an ongoing initiative.
• Website: What and where to publish current events as necessary.
• Clients: How best to communicate with clients and when.
• Potential Lawsuits: How best to document activities to mitigate any confusion with malpractice and workers’ compensation claims.

Written by CARET Legal partner, Gail Ruopp. Gail Ruopp has acquired more than 25 years of professional experience in senior law firm management, initiating best practices in administrative operations, including: financials, accounting, lateral recruiting, personnel, day-to-day operations, systems management, and firm marketing.