Disaster Planning for Legal Services
Hello everyone! I hope you’re all still (literally and figuratively) above water after Hurricane Sandy last week. In her wake, you might be thinking about your organization’s emergency preparedness plan and how you would deal with a disaster like Sandy. You can check out our Tech Library for some basics, or just keep reading!
With the help of my wonderful friend June (currently working on a Master’s in Emergency Management) and the good people of the Legal Services Tech email listserv (run by LSNTAP; click here to join), I’ve put together a step-by-step for creating (or updating) your organization’s emergency plan, some tips, and resources on the subject. I’ve mostly covered the ways in which you can return your organization to full operations in the wake of a disaster, but I’m planning to cover ways in which your organization can assist with the community’s recovery effort later this week.
Before going on, it’s worth noting the difference between the terms “disaster recovery” and “business continuity.” Disaster recovery refers to the “process that takes place during and after a crisis, which is established to minimize interruption and help the organization recover by restoring some of its normal functioning as quickly and seamlessly as possible.” Business continuity, on the other hand, is “the comprehensive process of planning for, and retooling the organization’s best practices so that the nonprofit can function successfully after the crisis has passed, getting back quickly to where it was before the interruption.” In other words, business continuity focuses on getting your organization up and running again as soon as possible, and can involve changing the way you operate to better meet your mission in a changed environment for a short period of time. Disaster recovery is a more long-term return to normalcy. (See “Disaster Planning and Business Continuity for Nonprofit Organizations: Planning for Disruption” by Ron Matan and Bridget Hartnett for more).
Much of the information in the following step-by-step is from an article titled “Continuity Planning for Nonprofits,” by Nancy Meyer-Emerick and Mehnaaz Momen. It was published in the fall of 2003 in Nonprofit Management & Leadership (vol. 14, no. 1) by Wiley Periodicals. Unfortunately, it’s password protected in academic databases, so I can’t share it with you, but I will share other resources where possible.
If your organization already has a disaster plan and you only need to update it, just jump in to the step-by-step where appropriate.
Step 1: Put together an emergency planning team. You will probably need to assign someone the role of overseeing the disaster plan (or, in industry terms, the continuity plan). Ideally this person has some project management experience and the authority to gather necessary information from throughout the organization. Depending on their other job duties, this person may or may not be the one to actually take over leadership in the event of an emergency.
The lead continuity planning person should also have a team to work with. Team members should be drawn from all parts of the organization: accounting, IT, attorneys, human resources, administration, and so on. If something goes wrong, all of these jobs will be essential to continuity, so they all need to be involved in the planning process. According to the Meyer-Emerick and Momen article, it’s also a good idea to give each member on the team specific information to gather: about insurance coverage, finances, information storage and restoration, and the particulars of the building and grounds itself.
Step 2: Document EVERYTHING. Your end goal in creating an emergency plan is basically to have everything that responders or those who continue the organization’s operations need to know all together in a place that is easily accessible. In this excellent webinar hosted by TechSoup (which has lots of disaster-planning articles available, by the way, if you search their site), one of the presenters recommends having all of the information in your disaster plan in three places: a three-ring binder (hard copy), on a USB flash drive (a secure, encrypted flash drive from IronKey is available on Amazon), and stored online (encrypted/password-protected, of course).
That said, what information do you need to gather? You should record information about your organization (such as any rules governing operations in emergency situations and legal obligations to provide services) as well as the building (such as lease information, what the landlord’s responsibilities and rent policies are in the event of an interruption to the building’s usability, permits, fire codes, and environmental regulations). It’s important to also include an inventory (with photos, if possible) of everything valuable that your organization has: computers, other equipment, and so on. Consult local emergency response agencies and your insurance, if you have it, for relevant information.
As far as insurance goes: if you don’t have it, are you sure you don’t need it? A careful analysis of your organization’s vulnerability (based largely on geographic factors) is, according to Meyer-Emerick and Momen, “simply sound management practice.” Are you located in an area prone to tornadoes, hurricanes, or earthquakes? Simply because these occurrences are rare is not a reason to dismiss the need for insurance out of hand. Understanding terms such as “hundred-year floodplain,” for example, is critical; the term does not mean that the plain floods only once every hundred years, but rather that in any given year it has a one-in-one-hundred chance of flooding. Do research on your area and make an informed decision about whether or not you need disaster insurance of some kind. Then document what your policy says.
You may also want to create phone trees for procedures in different circumstances. You may need to get in touch with all of your staff to tell them not to come into the office, or you may only need to contact a few people so that they can come to the site off-hours to talk with police or emergency responders (in the event of a theft, for example).
To sum it up, here’s some documentation you should include:
- Warranties and receipts for major pieces of technology or other valuables (inventory)
- Contact information for everyone in the office, job titles included
- Instructions for how to restore data or install software and where backups and installation CDs are stored
- A list of critical passwords and usernames
- Phone tree(s)
- Map(s) of the area, with escape routes highlighted and a place for staff to regroup
- Organizational bylaws with relevant sections highlighted
- A copy of the building or office space’s lease with relevant sections highlighted
- A copy of your insurance policy
Step 3: Conduct an impact analysis. This is the “meat” of your disaster plan; the part that will really call for some ingenuity and creative thinking. Essentially, it’s a “description of workflow processes and operational procedures and the identification of the impacts of very broad types of interruptions” to your operations. You’ll be asking yourself what can go wrong and how you’ll deal with it.
Instead of listing all potential disasters (fire, flood, hurricane, etc), the disaster planning team should make a list of potential impacts in broad terms. According to the Matan and Hartnett article I mentioned at the beginning of this post, “most experts agree that there are four basic scenarios that must be considered:
- There is a temporary disruption of services, such as an electric outage
- The office is rendered unusable for a period of time
- The entire building is destroyed
- The entire area around the building is unusable (due to major flooding, storms, earthquake, terrorist bombings or the like)”
What matters here is not so much the particular emergency, but the emergency’s effect on your normal operations. Think about drastic things, like the facility being destroyed and all records gone, but don’t forget smaller events like a break-in, riot, or computer crash.
Be as detailed as you’d like (you can get into the difference between what happens following a fire versus a flood, and so on) and make a plan for what to do in each situation (if anything can be done). Meyer-Emerick and Momen are big fans of checklists as a way to make sure procedure is followed. Prepare a series of checklists and include some blank ones as well, so that new procedures can be created on the fly. Templates and sample policies for this part of the process are widely available on the Internet.
By the end of the exercise, the team should have identified the most critical systems to your organization’s operations (and therefore, those that should be prioritized in the event of an emergency), as well as the financial and personal costs of various types of disasters. They should have a sense of what to do even in scenarios not listed in the disaster plan, which can be invaluable.
In a 1995 study cited by Meyer-Emerick and Momen, researchers found that a majority of small organizations did not cease their operations in the face of disaster, but made “valiant efforts” to return to normal operations. However, because they didn’t recognize what was actually possible for them to accomplish due to their changed environment, many of their efforts were ineffective. If you know what is possible (financially, logistically, etc) ahead of time, you will be able to focus your organization’s efforts more efficiently in the wake of a disaster.
It’s also worth noting that the same study revealed that in most cases, the loss of lifeline services like electricity is a much more significant problem than the actual disaster (for example, they physical flooding of an office). Don’t neglect planning for the potential long-term effects of a disaster, such as loss of communications or electricity. Part of that planning may include buying an Uninterruptible Power Supply (UPS); that is, an emergency generator with enough power (rule of thumb is 30 minutes’ worth) to allow you to shut down equipment and save data properly.
You should also come up with some kind of communications plan. Frequently in the wake of a disaster, normal phone and/or Internet service becomes unavailable just when it’s most needed. Depending on what services are still functional and what you have access to, you can plan to use social media, VoIP services (voice over IP services include things like Skype and Google Hangouts), radios, and satellite phones (purchase those last two ahead of time and have them on hand with other emergency supplies). You might look into unified communications, defined as “a large family of technologies and organizational practices that simplify and integrate multiple forms of communications like phone conversations, email, video and Web conferencing, instant messaging (IM), voicemail, fax, and SMS messages.” In the midst of disaster, it’s important to let stakeholders know what your status is, what your needs are, and what services you can/cannot offer.
Once the immediate crisis is over, you’ll also need to have a safe, secure space in which to continue your work. Consider working out a deal with other nonprofits in the area to share space should the need arise, or talk to board members, donors, or the city government so that you have a backup plan. The space you select should be far enough away from your office that it’s unlikely to be affected by the same disaster and should have phone/fax/Internet connections and enough space and furniture for your staff.
Step 4: Minimize risk. Once you’ve identified everything that could go wrong, a natural next step is to try to minimize that potential. This can involve developing evacuation routes, buying emergency equipment to keep in the office (first aid kits, flashlights, fire extinguishers, etc), setting up a data backup plan, and protecting any critical equipment and data as much as possible. Consider (if it’s financially possible) creating a “rainy day fund” (pun intended) for your organization.
In the long term, data backups are arguably the most important thing on the above list. If you’re not already doing it, start backing up your information and do it often (ideally, at the end of every business day). Store information both on- and off-site, and try to locate the off-site storage far away from the on-site storage. This way, if a tornado wipes out your city, your data is still safe in a server across the state. One nonprofit (mentioned in the TechSoup webinar I talked about earlier) called Freestore Food Bank has two locations, each of which stores backups of the other’s information. If your organization has multiple offices, this might be a good way to go about it; remote (i.e. online) backups might also be worth a look (you might want to check out something like Paragon Software’s Hard Disk Manager). Watch this webinar from TechSoup for more great information.
As far as what to back up, presenters at the webinar suggest, among other things, your website, all user documents and files, your emails (not such an issue with web-based email services like Gmail), any data that you only have in hard copy (such as contracts or government forms), and – oddly enough – your Internet browser bookmarks. If you have sites stored that would take you awhile to find again, use a site like delicious to back them up.
Protecting your equipment and data can include everything from buying fire- and waterproof safes to making sure that valuable equipment isn’t located under, say, an air conditioning unit that can leak all over it (as happened to one unfortunate organization mentioned in the TechSoup webinar). If you can, and especially if you live in a hurricane- or flood-prone area, make sure that electronics are raised several inches off the floor and that storage containers are plastic and watertight. Also, to secure against potential human-made disasters or breaches of security, use different passwords for everything, especially “nuisance” logins (such as logging on to your favorite news site) versus important ones (those that protect client data, etc).
Step 5: Practice, evaluate, repeat. This is the step by which everyone in the office needs to be involved in the disaster plan, if they weren’t already. Consider hosting a training to make everyone aware of emergency evacuation routes and the plans for various occurrences. You can practice the emergency plan with either a tabletop exercise, in which a leader describes a situation and the group talks through what to do about it; or, through a simulation like a fire drill (though more extensive; you’re trying to find gaps in the plan and hopefully salvage some important data or equipment, not just get people out of the building).
Once you’ve talked through it and hopefully practiced a few times, evaluate the plan. Make any changes you need to, and do it again. And again.
Step 6: Share your plan with stakeholders. Stakeholders may include clients, the board of directors, funders, neighboring or similar businesses/residents, and even elected officials. If you also share your plan with related organizations in the community, you may be able to collaborate and/or share space and equipment if the need arises.
Stakeholders definitely include local emergency management personnel such as fire and police departments and potentially also hazardous material responders. The more involved that emergency responders are before there’s an emergency, the more they’ll be able to help you in the event of one. Look into creating a Mutual Aid Agreement with local emergency response agencies or government to secure a response (in the form of personnel, equipment, etc) in the immediate aftermath of a disaster. Having the Mutual Aid Agreement in place ahead of time can dramatically reduce your wait for a response in the wake of disaster.
Step 7: Prepare a plan maintenance schedule. Remember that once the plan’s created, you shouldn’t just put it on a shelf and forget about it. You aren’t finished. The plan needs regular updates to be useful; Meyer-Emerick and Momen suggest scheduling plan maintenance to coincide with another reporting period, like a quarterly financial report.
Updates to the plan can include new contact information as employees are fired or hired, changes to the building or location, new inventories of equipment and computers, or procedural changes based on new environmental or social conditions. The same person who was in charge of creating the plan can be in charge of updates, or you can pick a new person. Whoever it is should also make sure that there is regular refresher training on procedures, and training for new employees.
For more reading on disaster planning, see these resources:
- National Disaster Legal Aid website
- Disaster Manuals from National Disaster Legal Aid
- Continuity Guidance for Non-Federal Entities guide from FEMA
- Introduction to Continuity of Operations free online course from FEMA
- Continuity of Operations Awareness Course free online course from FEMA
- Disaster Planning and Recovery Toolkit, an extensive compilation of resources from TechSoup
- Disaster Recovery (short) article from TechSoup
- Business Recovery & Continuity webinar sign-up from Paragon Software
- Backup and Disaster Recovery Tools webinar sign-up from Paragon Software
And once again, here are some of the resources that I mentioned repeatedly above:
I hope this article and the resources listed are helpful to you and your organization. If there’s one essential lesson that I’ve learned, it’s how essential it is for you to be backing up your information regularly and often. Please start doing it if you aren’t already.
Thank you to June and to the LSTech listserv for contributing your knowledge, experience, and resources! If you have questions or more to add to the conversation, please do it in the comments section! Good luck everyone!