Business Continuity Planning Checklist

Annual business continuity planning workflow for a small-to-mid law firm. The firm administrator coordinates with the managing partner, IT, and practice group leads to assess risks, document recovery procedures, and test the plan against...

1. Risk Assessment and Business Impact Analysis

  1. Inventory critical practice functions
    • List the functions the firm cannot suspend without ethics or client harm: docket and SOL calendaring, IOLTA disbursements, e-filing, conflict checks, privileged-document access in the DMS, and partner-level client communication. Note the maximum tolerable downtime for each — a missed SOL or hearing date is a malpractice event, not an inconvenience.

  2. Score disruption likelihood and impact
    • Score each scenario (ransomware, regional power outage, building inaccessibility, key-person loss, PMS or DMS vendor outage) for likelihood and client-impact severity. Cyberattack on the DMS is the dominant scenario for most firms — Rule 1.6(c) reasonable-safeguards exposure plus state breach-notification timelines.

  3. Set RTO and RPO for each system
    • Document Recovery Time Objective and Recovery Point Objective for the DMS (NetDocuments, iManage), PMS (Clio, Centerbase), trust accounting, email, and the docket/calendar system. RTO under 4 hours is typical for docket; under 24 hours for billing.

2. Emergency Response and Operations

  1. Stand up the emergency response team
    • Name a managing partner sponsor, firm administrator (incident commander), IT lead, and practice-group designees for litigation, transactional, and any regulated practice (immigration, family). Each role gets a primary and a backup — a single point of failure during a real incident has caused missed e-filings.

  2. Document evacuation and shelter procedures
    • Cover evacuation routes, shelter-in-place protocol, and lockdown for client-confrontation scenarios (family-law and criminal-defense firms). Address the file-room: paper originals (wills, signed agreements, notarized deeds) are not replaceable and need a documented retrieval-or-abandon decision rule.

  3. Define the docket-coverage protocol
    • If the responsible attorney is unreachable during a disruption, who pulls the docket and files the emergency motion or extension request? Identify backup attorneys for each practice group and confirm CM/ECF and state e-filing portal credentials are accessible to them through the firm's password manager.

3. Communication Plan

  1. Build the stakeholder notification tree
    • Map who notifies whom and on what cadence: attorneys to active-matter clients, firm administrator to opposing counsel and courts for filing extensions, IT to the malpractice carrier if a breach is suspected. Rule 1.4 requires reasonable communication with clients; silence during a multi-day outage is itself a problem.

  2. Maintain offline contact rosters
    • If Microsoft 365 is the disruption, the contact list inside it is useless. Keep an encrypted offline copy (printed sealed envelope in the partner safe, or a secondary cloud) of attorney mobile numbers, court clerks, key client GCs, malpractice carrier hotline, and IT vendor escalation paths.

  3. Pre-draft client and court notices
    • Template a client outage notice, a motion for extension of time citing extraordinary circumstances, and (separately) a state-law breach-notification draft. Drafting these under pressure produces errors; pre-approved templates with blanks for facts and dates are the discipline.

4. Data Protection and Backup

  1. Verify DMS and PMS backup coverage
    • Confirm what the SaaS vendor backs up vs. what the firm must back up itself — most PMS contracts give you operational continuity, not a portable export. For NetDocuments, iManage, and Clio, validate that a third-party backup (Spanning, AvePoint, vendor-native export) covers documents, metadata, and version history.

  2. Confirm IOLTA and billing data redundancy
    • Trust ledger reconstruction is a Rule 1.15 obligation — losing the client-ledger detail behind an IOLTA balance is a disciplinary referral in most states. Verify monthly export of the three-way reconciliation, client ledgers, and bank statements to immutable storage (S3 Object Lock or similar).

  3. Run a restore drill from offsite backup
    • A backup that has never been restored is theory. Pick a sample matter and restore its DMS folder, time entries, and trust ledger to a sandbox; measure the actual time and document gaps. Capture the result as evidence for the malpractice carrier's annual questionnaire.
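One way to verify the immutable-storage control in item 2 against a live bucket, as an added example rather than anything from this checklist: it confirms that the bucket enforces S3 Object Lock in COMPLIANCE mode (GOVERNANCE mode can be lifted by any principal holding s3:BypassGovernanceRetention, so a compromised admin account could shorten it) with a long enough default retention, and that the newest export under the IOLTA prefix is within the monthly cadence. The bucket and prefix names are assumed placeholders, and the StubS3 class stands in for boto3.client("s3") so the block runs offline; the two boto3 calls and their response shapes are real.

```python
from datetime import datetime, timedelta, timezone
# Assumed placeholder names; the firm's real bucket and prefix replace them.
BUCKET = "example-firm-iolta-exports"
PREFIX = "iolta/reconciliation/"

def check_immutable_exports(s3, bucket=BUCKET, prefix=PREFIX,
                            min_retention_days=365, max_age_days=31, now=None):
    """Return findings (empty list = control holds); `s3` is boto3.client("s3") or a look-alike."""
    now = now or datetime.now(timezone.utc)
    findings = []
    try:
        cfg = s3.get_object_lock_configuration(Bucket=bucket).get("ObjectLockConfiguration", {})
    except Exception:  # boto3 raises ClientError when the bucket has no lock configuration at all
        cfg = {}
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
    # Bucket default retention: COMPLIANCE mode cannot be shortened by anyone during the term.
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode is {rule.get('Mode')!r}, not COMPLIANCE")
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if days < min_retention_days:
        findings.append(f"default retention {days}d is below {min_retention_days}d")
    # Freshness: the newest export under the prefix must be within the monthly cadence.
    objs = s3.list_objects_v2(Bucket=bucket, Prefix=prefix).get("Contents", [])
    if not objs:
        findings.append(f"no exports found under {prefix}")
    else:
        age = (now - max(o["LastModified"] for o in objs)).days
        if age > max_age_days:
            findings.append(f"newest export is {age} days old (limit {max_age_days})")
    return findings

class StubS3:
    """Constructed stand-in for boto3.client("s3") that returns canned responses."""
    def __init__(self, lock_cfg, objects):
        self.lock_cfg, self.objects = lock_cfg, objects
    def get_object_lock_configuration(self, Bucket):
        return {"ObjectLockConfiguration": self.lock_cfg}
    def list_objects_v2(self, Bucket, Prefix):
        return {"Contents": [o for o in self.objects if o["Key"].startswith(Prefix)]}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the constructed sample
# Constructed sample buckets: one that meets the control, one with three gaps.
GOOD = StubS3({"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}},
              [{"Key": PREFIX + "2024-05.zip", "LastModified": NOW - timedelta(days=10)}])
WEAK = StubS3({"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}},
              [{"Key": PREFIX + "2024-02.zip", "LastModified": NOW - timedelta(days=95)}])
```

Against the real bucket, pass boto3.client("s3") as `s3` under credentials that hold s3:GetBucketObjectLockConfiguration and s3:ListBucket; any finding becomes a remediation item in the section 7 tracker.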

5. Alternative Work Arrangements

  1. Designate a remote-first work posture
    • Document who works from where during a building-loss event. Identify a backup conference space for depositions and client meetings — most boutique firms have a reciprocal arrangement with a co-working provider (Regus, local bar association lounge) or sister firm.

  2. Audit remote access security controls
    • Rule 1.6(c) requires reasonable safeguards. Confirm MFA on the DMS, PMS, email, and password manager; full-disk encryption on firm laptops; and that personal-device access (BYOD) is gated through a managed browser or MAM profile so privileged work product is not synced to a personal iCloud.

  3. Test e-filing access from a remote site
    • Log into PACER and CM/ECF and the relevant state portal (NYSCEF, Texas eFile, File & ServeXpress) from a non-office network. Some courts whitelist office IPs for filer accounts; a real outage is the wrong time to discover this.

6. Vendor and Client Continuity

  1. Map dependencies on critical vendors
    • List vendors whose outage stops billable work: PMS, DMS, eDiscovery platform (Relativity, Everlaw), court-reporter agency, process server, expert witness, IOLTA bank. Note the contractual SLA and the firm's fallback for each.

  2. Review vendor SOC 2 reports and DR plans
    • For SaaS holding client-confidential data, request the current SOC 2 Type II and the disaster-recovery section. If the vendor cannot produce one, that is itself a Rule 1.6(c) finding the firm should escalate.

  3. Notify active-matter clients of the plan
    • Institutional clients (corporate GCs, insurance panel counsel) increasingly require firms to attest to a continuity plan in their outside-counsel guidelines. Send the executive summary to OCG-governed clients and log acknowledgments.

7. Training, Drills, and Compliance Sign-Off

  1. Run a tabletop with the response team
    • Walk a ransomware scenario start to finish: detection, isolation, carrier notification, client communication, court extensions, restore. The point is to surface decisions nobody had previously owned — who calls the FBI field office, who authorizes a ransom decision, who pauses outgoing wires from operating and trust accounts.

  2. Deliver firm-wide BCP training
    • Cover the plan with all attorneys and staff. Many states allow 1 ethics CLE credit for a BCP/cybersecurity session led by qualified counsel — coordinate with the CLE administrator if you want the hours to count.

  3. Confirm regulatory and carrier alignment
    • Cross-check the plan against state bar trust-accounting rules, state breach-notification statutes, the malpractice carrier's annual questionnaire, and any client OCG attestations. Note any deltas for managing-partner review.

  4. File remediation items for tracked gaps
    • For each gap, log a remediation item with owner and target date in the firm's project tracker. Re-run this checklist's affected sections once gaps close; do not let the annual cycle be the only forcing function.

  5. Obtain managing partner sign-off
    • Final approval and signature on the BCP document, with the next annual review date set. Store the signed plan in the DMS under firm administration with restricted access — it contains sensitive infrastructure detail.
