Lessons from Sandy: Proper Disaster Protocols

One year ago in these pages, several articles explored various aspects of preparing for disaster.  The ABA’s Tort and Insurance Practice Section, led by Seattle attorney Randy Aliment, Dedicated a year to the subject.  Superstorm Sandy drove home the point.

Your firm is your business.  Your clients are hard won, and with ever increasing competition, perhaps even harder to maintain.  Your firm most likely owns or leases real property and spent significant dollars on contents, development of intellectual property, and attracting its human assets.  There’s no question that your firm earns revenue from delivery of its widget, otherwise known as legal advice, to its clients.  A law firm is the same, in many respects and particularly when it comes to protecting itself from manmade or natural disasters, as any other business. However, most firms don’t take the time or energy to protect their assets the same way as other more traditional businesses. This leaves firms at risk for loss of clients and revenue. 

Accordingly, law firms should use critical protocols to protect its assets (both tangible and intangible) from disasters, in the same manner that other businesses use and rely on such protocols.  For instance, board members and executives of publically traded companies are concerned with, and arguably responsible for, ensuring that protocols and risk management is in place to respond to many different types of business risks.  Obviously, the stakes are high as the livelihood and survival of these companies are at risk.  If little or wrong protection is in place, the value of shares is adversely impacted which can lead to a number of negative outcomes including shareholder and other litigation.  When you think about it, while law firms in the United States are not traded on the exchanges, there really is no reason why the partners would not want to protect their assets with the same high standard of care.  With that in mind, this article will provide a summary of some of the critical protocols to consider.

When we consider the topic of risk, we think in terms of what we refer to as “The Asset Protection Circle”.  The Circle consists of three parts:  pre-loss, disaster response, and claim management.  Each part of the circle is equally important to the security of your firm’s assets.  This article will address five protocols in the pre-loss and disaster response sections of the circle.

Five Pre-Loss Protocols 

While there are more than five protocols that make up pre-loss asset protection, the following five are particularly important.  They are: 1) identify your goals; 2) identify your critical path; 3) identify your assets; 4) determine your firm’s risk profile; and finally, 5) audit whether your risks have been transferred.

 Identify Your Goals:   Your firm goals are critical because without knowing what they are say, over the next three to five years, it is impossible to determine the real risks to your firm and if you cannot identify the real risks, then the rest of the protocols will not help protect the firm. The following are some of the areas your firm should consider and work through in identifying its goals.

*Financial benchmarks (revenue, PE).

*Target market.

*Geographic market.

*Expansion plans.

*Technology expansion.

*Shareholder value.

*Good employer.

Identify Your Firm’s Critical Paths:  This is important because it includes topics like how the firm delivers its service, how it get paid, what assets (tangible and intangible) are critical to ensure that the firm can continue to deliver its service to obtain revenue.  Typically for law firms, two of the most important assets are intellectual property and communication to and from your firm to your client or to other counsel.  Consideration should be given to all facets of making sure those paths are not disrupted during a disaster.  This will allow your firm to really think through (and visuals or charts help this process immensely) what must be up and running and accessible in order to provide its service and obtain revenue.  The following are examples of some of those items:

*Process to finished product/service.

*Supplies, storage, IT facilities.

*Communication: to market and incoming.

*Contracts (leases, obligations).

*Client documents (privileged and otherwise).

*Evacuation/key people/emergency response teams.

*Alternative work area.

*Electronic access to information.

*Access to hardware.

Identify Your Assests:  As you determine the critical paths, you will then determine the tangible and intangible parts, as well as the people, that are required to maintain these paths.  The three areas to consider are: tangible, intangilble, and human.

While this seems simple, the real art is to ensure that you have agreement upon your goals and critical paths, and then overlay those goals with your necessary assets.

Determine Your Risk Profile:  This one is very important and always a bit eye-opening as we perceive ourselves one way, while we may actually be another when it comes to risk taking.  The scale runs from those who are risk averse to those who actually court risk and enjoy taking risks.

Different profiles depend on which critical paths and assets you are considering.  Each goal and critical path may lead to a different risk profile.  This is important to understand when you combine the results of all four of these protocols with the fifth – risk transfer.  This will lead you to understand which risks, if any, the firm is willing to keep or handle on its own and which it wants to transfer.

Risk Transfer:  Once you identify the firm risks and the firm risk profile, it is time to determine what the firm wants to do with the risk.

For instance, if you firm depends on international communications and information to advise its clients, do you want to assume (meaning take on) the risk that you may lose business if you cannot get or send the necessary information?  If so, then no precautions are necessary and you will continue on and hope nothing interrupts your communication channels.

If not, you will want to transfer the risk to either a traditional transfer mechanism such as insurance or an alternative risk transfer mechanism.  If your firm owns or leases its building, are you willing to accept the risk that the building and its contents may be destroyed or damaged, or do you want to transfer that risk?  If so, how, to whom and how much is the firm willing to pay for that transfer?

Some other considerations:  If the firm transfers risk to traditional insurers, are premiums being paid for insurance that will respond to disasters affecting the specific critical paths/assets important to your firm? If not, then the firm has not transferred its risks. Are the values accurate on the firm property and assets? If not, the firm has not transferred its risks.  Are professional fee provisions included in your firm property policies? If not, the transfer of risk has been reduced.

There are a number of items that can be done to ensure the transfer of the firm risks meets the firm goals while protecting the firm’s critical paths and assets.  One is to perform an audit of the firm’s insurance contracts to ensure the proper risk is being transferred in a manner that aligns with your firm’s protocols.

Five Protocols for Disaster Response 

 There are five protocols for disaster response: 1) plan; 2) emergency actions; 3) emergency assignments; 4) investigation; and 5) preparation of damage buckets.  Each of these requires some detailed thought and planning and the following outline of items will help guide the process.

 Plan:  Simply put, does your firm have a plan to respond to the types of disasters that may affect your firm.  Remember, the pre-loss section will provide a perspective as to the types of disasters with which your firm should be concerned.   The plan should include a process and team members as well as communication responsibilities. The following items should be addressed in the plan.

*Minimize impact.

*Maximize recovery.

*Maintain client base.

*Maintain communication channels.

*Public relations.

*Critical contacts and their emergency information.

*Insurance documents, valuations, proof of content, etc.

*Who is in charge?

*Who else is needed?

*Meeting with response team.

*Determine the Quarterback (who is in charge).

Emergency Actions:

*Initiate response team.

*Investigate cause,

*Assess damage.

*Address health & safety issues.

*Communicate with press, employees, market, customers.

*Assist the public authorities.

*Control site access.

Determine the Need for Emergency Consultants/Experts/Government; Create Your Recovery Buckets:  These two protocols go hand in glove as the consultants/experts will help investigate to determine the loss and damage and the buckets will work toward ensuring that your firm receives any recovery it may be due from sources such as the insurance industry or government entities.

Depending on the disaster, the firm should assess whether and if it needs consultants, experts and/or government assistance.  The authors recently spoke at an international lawyers’ conference in Dresden, Germany, on the topic of disaster readiness.  It just so happened that the speech occurred a few days after Superstorm Sandy.  One of the questions posed was: what are some of the things a firm affected by the storm should do?  One of the most important things to do is to create separate buckets that track and segregate the firm money spent to respond to the loss.  Whether money is spent to clean up, retain experts, technology support, or monitor the effect of revenue interruption or the loss of a client or contract.  It is important to be able to segregate spending or loss of income or extra expenses in to pre and post-loss buckets.  Firms should also coordinate with an expert in the area of disaster to ensure they are proceeding in a manner that will allow them to obtain recovery that is owed under their insurance contracts.  This area is very precise and one wrong move or misstatement can lead to loss of funds.

Here is a listing of emergency talent that might be needed:

*Building maintenance personnel.

*Security.

*Engineers.

*Architects.

*Public Relations.

*Legal.

*Equipment valuation personnel.

*Business interruption valuation.

*Environmental.

It helps to work with a disaster response group that has this talent at its finger tips should it be needed.  The easiest way is to have a consulting group or law firm that has access to the correct experts so the firm can make one call to companies which work in the disaster arena 365 days a year, so the firm can focus on its business.

Investigation for Critical Path Rebuilding:  The most important aspects of any disaster are, of course the health and safety of personnel, and then the ability to get your firm up and running as quickly as possible.  The following will need to be done.

*Determine extent of loss and damage.

*Coordinate and monitor investigation.

*Identify scope of damage.

*Determine preliminary measure of damage.

*Identify cost of repair/replacement.

*Obtain advances.