Contact Us: +254 20 259 77 88   | +254 20 259 77 44 | [email protected]

Steps to creating a firm disaster response plan

You also need to build a detailed firm disaster response plan. When creating your firm disaster response plan, the goal is to be able to jump into action as quickly as possible when needed. Here’s how:

Step 1: Conduct an inventory. 

You should always know exactly what your firm has on hand so that anyone following your plan knows what needs to be recovered or replaced. Your inventory should account for:

  • Software. Make a list of any software your firm uses. How many licenses do you have? Do you need to have passwords or other ways to access it?
  • Hardware: How many computers, servers, or other pieces of physical hardware does your firm have—and where are they located? 
  • Client files. Should a disaster occur, have an inventory of all client files in your firm’s possession so that they can be recovered. 
  • Location. Note the locations of everything. For example, are files stored in the cloud, or a physical location? 

Step 2: Do a risk assessment. 

Account for:

  • Each type of asset in your inventory. Include everything from firm hardware to client files.
  • Possible risks to those assets. Consider natural disasters, hardware failures, service provider failures, or human error.
  • The likelihood of each risk. 
  • The impact of each risk. What would happen to each item if that risk should occur? For example, if the asset was paper client files and the risk was an office fire, the impact would be high and devastating. 
  • Ways to mitigate the risk. Are there ways to mitigate future risks? For example, moving paper files to a secure cloud-based server now could greatly reduce the impact of a fire to a physical office location in the previous example.

Step 3: Identify critical services, systems, and data. 

Group each of the types of information, systems, and services at your firm into the following categories. This allows you to prioritize should a disaster occur. 

  • Critical: For example, any important client data that is located on a single server or has no backup is of critical importance. 
  • Medium: Data or systems that are important to clients or the outcome of a case, but that could be recovered (for example, a file with a backup).
  • Low: Items in the low category can be easily replaced, or are backed up in multiple places and easily recoverable.

Step 4: Define your recovery objectives. 

Determine how long you could reasonably be without each service or application accounted for in your plan after a disaster. For each, determine your:

  • Recovery Time Objective (RTO): The acceptable amount of time any of your data and systems could be unavailable. 
  • Recovery Point Objective (RPO): The acceptable amount of data your firm can afford to lose. 

Step 5: Identify supporting tools. 

Identify any tools, techniques, and procedures that support your recovery objectives.

  • Data backup: Do you backup your data? How often? Where is it located (is the backup site located in the same region as the primary site)? Assess your current situation, and make note of any gaps that could be an issue. In this case, consider ways to mitigate the risk, such as using a cloud-based data storage system.
  • Automation: Could you use automation technology to remove or reduce human error to help protect your firm in case of disaster?
  • Outsourcing: Can you outsource any critical functions (like data-hosting backups) to mitigate risk in case of a physical disaster?
  • Planning for recovery: Make a list of the tangible steps to take to recover specific assets and data. We recommend having copies of insurance policies so that clients can open claims as early as possible. 

Step 6: Assign responsible individuals. 

Should a disaster occur, people should know in advance what their responsibilities are

  • Identify members of your response team and assign roles and responsibilities: Ensure each person is aware of their specific responsibilities. For example, who would declare a disaster and start your disaster plan? Who would be responsible for client communication? 
  • Service providers: Identify any service providers to be contacted (for example, if your firm would need professional data restoration help, who you would contact? Who on your team would contact them?). 
  • Create a contingency plan. Always have a backup plan for if an assigned individual is unavailable in an emergency. 

Step 7: Review SLAs (service level agreements) with vendors. 

For every contract that you have (for example, with SAAS providers, insurance companies, landlords), have a defined service level agreement that includes details on what would happen—and how long it would take—to move forward after a disaster. 

Step 8: Determine how to handle sensitive information. 

Document a plan for handling essential records (like employment records, financials, and client files) in terms of confidentiality, security, and integrity following a disaster. Considerations could include:

  • Hard copy and soft copy documentation: What is the procedure for transferring hard copies of files to another person?
  • Secure communication: Who can access files, and how? 
  • Tracking requests to access: What would be the next steps if a client wants to switch attorneys during a disaster response?

Step 9: Create a communication plan. 

Document a plan for communication in case of disaster, including:

  • How? Detail the specific means of communication your team members will use.
  • When? How and when will your firm communicate with essential personnel, service providers, and clients?
  • Who? Who will be responsible for each type of communication? We recommend planning multiple methods of communication, as you can’t rely on any one method during a disaster. For example, phone networks can drop during hurricanes, but text messaging may remain available despite experiencing significant delays.

Step 10: Document the plan. 

Write it all down. This reduces guesswork and speeds up the resumption of business when disaster strikes. Be sure to:

  • Create a centralized document. We recommend having multiple copies. Store a copy in the cloud for remote accessibility. Also, have a local copy on a phone, laptop, or printed out in case of major disasters like earthquakes and hurricanes, where telecommunications will fail.
  • Share it. Familiarize the whole team with the plan. 

Step 11: Test the plan—annually. 

Test your plan, and test it often. Testing helps ensure that everyone at your firm knows what to do, and also helps account for normal business factors like staff turnover or moving offices.

How will you test your plan? Consider:

  • Types of tests: Will you do a walkthrough, simulation testing, full interruption testing, or parallel testing?
  • What works (and doesn’t): So you can adjust the plan and train staff accordingly.

Step 12: Review and update the plan annually. 


  • The results of your last test. 
  • Any changes to your setup or location. 
  • Any changes to your team. 
  • New software or service providers.