Business Continuity Planning Checklist
Risk Assessment and Business Impact Analysis
List the functions the firm cannot suspend without ethics or client harm: docket and SOL calendaring, IOLTA disbursements, e-filing, conflict checks, privileged-document access in the DMS, and partner-level client communication. Note the maximum tolerable downtime for each — a missed SOL or hearing date is a malpractice event, not an inconvenience.
Score each scenario (ransomware, regional power outage, building inaccessibility, key-person loss, PMS or DMS vendor outage) for likelihood and client-impact severity. Cyberattack on the DMS is the dominant scenario for most firms — Rule 1.6(c) reasonable-safeguards exposure plus state breach-notification timelines.
Document Recovery Time Objective and Recovery Point Objective for the DMS (NetDocuments, iManage), PMS (Clio, Centerbase), trust accounting, email, and the docket/calendar system. RTO under 4 hours is typical for docket; under 24 hours for billing.
Emergency Response and Operations
Name a managing partner sponsor, firm administrator (incident commander), IT lead, and practice-group designees for litigation, transactional, and any regulated practice (immigration, family). Each role gets a primary and a backup — a single point of failure during a real incident has caused missed e-filings.
Cover evacuation routes, shelter-in-place protocol, and lockdown for client-confrontation scenarios (family-law and criminal-defense firms). Address the file room: paper originals (wills, signed agreements, notarized deeds) are not replaceable and need a documented retrieve-or-abandon decision rule.
If the responsible attorney is unreachable during a disruption, who pulls the docket and files the emergency motion or extension request? Identify backup attorneys for each practice group and confirm CM/ECF and state e-filing portal credentials are accessible to them through the firm's password manager.
Communication Plan
Map who notifies whom and on what cadence: attorneys to active-matter clients, firm administrator to opposing counsel and courts for filing extensions, IT to the malpractice carrier if a breach is suspected. Rule 1.4 requires reasonable communication with clients; silence during a multi-day outage is itself a problem.
If Microsoft 365 is the disruption, the contact list inside it is useless. Keep an encrypted offline copy (printed sealed envelope in the partner safe, or a secondary cloud) of attorney mobile numbers, court clerks, key client GCs, malpractice carrier hotline, and IT vendor escalation paths.
Template a client outage notice, a motion for extension of time citing extraordinary circumstances, and (separately) a state-law breach-notification draft. Drafting these under pressure produces errors; pre-approved templates with blanks for facts and dates are the discipline.
Data Protection and Backup
Confirm what the SaaS vendor backs up vs. what the firm must back up itself — most PMS contracts give you operational continuity, not a portable export. For NetDocuments, iManage, and Clio, validate that a third-party backup (Spanning, AvePoint, vendor-native export) covers documents, metadata, and version history.
Trust ledger reconstruction is a Rule 1.15 obligation — losing the client-ledger detail behind an IOLTA balance is a disciplinary referral in most states. Verify monthly export of the three-way reconciliation, client ledgers, and bank statements to immutable storage (S3 Object Lock or similar).
A backup that has never been restored is theory. Pick a sample matter and restore its DMS folder, time entries, and trust ledger to a sandbox; measure the actual time and document gaps. Capture the result as evidence for the malpractice carrier's annual questionnaire.
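As an added illustration of the restore test in the two items above (not part of the original checklist), this Python script writes a constructed trust-accounting export with a sha256 manifest, restores it into a sandbox, times the restore against an assumed RTO, and then checks both file integrity and the Rule 1.15 three-way reconciliation on the restored copy. The balances, file names and the 4-hour RTO default are assumptions for the example; the second write stands in for the real DMS/PMS restore.

```python
import hashlib
import json
import tempfile
import time
from decimal import Decimal
from pathlib import Path
# Constructed sample of one month's trust-accounting export (not real firm data).
SAMPLE_EXPORT = {
    "bank_statement.json": json.dumps({"ending_balance": "125000.00"}),
    "trust_ledger.json": json.dumps({"balance": "125000.00"}),
    "client_ledgers.json": json.dumps([{"matter": "M-001", "balance": "75000.00"},
                                       {"matter": "M-002", "balance": "50000.00"}]),
}

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def write_export(dest, files):
    """Write export files; return the manifest {name: sha256} that is stored beside them."""
    dest.mkdir(parents=True, exist_ok=True)
    for name, body in files.items():
        (dest / name).write_text(body)
    return {name: sha256_of(dest / name) for name in files}

def verify_restore(restored, manifest):
    """Return names of files missing from the restore or whose sha256 differs from the manifest."""
    return [name for name, digest in manifest.items()
            if not (restored / name).exists() or sha256_of(restored / name) != digest]

def three_way_reconcile(restored):
    """Rule 1.15 check: bank ending balance == trust ledger == sum of client ledgers."""
    def load(name):
        return json.loads((restored / name).read_text())
    bank = Decimal(load("bank_statement.json")["ending_balance"])
    ledger = Decimal(load("trust_ledger.json")["balance"])
    return bank == ledger == sum(Decimal(c["balance"]) for c in load("client_ledgers.json"))

def restore_drill(rto_seconds=4 * 3600, tamper=None):
    """Export, restore into a sandbox, time it, then verify hashes and reconciliation."""
    work = Path(tempfile.mkdtemp())
    manifest = write_export(work / "export", SAMPLE_EXPORT)
    start = time.monotonic()
    write_export(work / "restored", SAMPLE_EXPORT)  # stand-in for the real DMS/PMS restore
    elapsed = time.monotonic() - start
    if tamper:  # (filename, new_text): simulate a file damaged or altered in the restore
        (work / "restored" / tamper[0]).write_text(tamper[1])
    gaps = verify_restore(work / "restored", manifest)
    return {"elapsed_s": elapsed, "within_rto": elapsed <= rto_seconds, "gaps": gaps,
            "reconciles": not gaps and three_way_reconcile(work / "restored")}
```

The returned dictionary is the evidence record the item above asks for: elapsed time against RTO, any files that did not come back intact, and whether the restored ledgers still reconcile.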
Alternative Work Arrangements
Document who works from where during a building-loss event. Identify a backup conference space for depositions and client meetings — most boutique firms have a reciprocal arrangement with a co-working provider (Regus, local bar association lounge) or sister firm.
Rule 1.6(c) requires reasonable safeguards. Confirm MFA on the DMS, PMS, email, and password manager; full-disk encryption on firm laptops; and that personal-device access (BYOD) is gated through a managed browser or MAM profile so privileged work product is not synced to a personal iCloud.
Log into PACER/CM-ECF and the relevant state portal (NYSCEF, Texas eFile, File & ServeXpress) from a non-office network. Some courts whitelist office IPs for filer accounts; a real outage is the wrong time to find this out.
Vendor and Client Continuity
List vendors whose outage stops billable work: PMS, DMS, eDiscovery platform (Relativity, Everlaw), court-reporter agency, process server, expert witness, IOLTA bank. Note the contractual SLA and the firm's fallback for each.
For SaaS holding client-confidential data, request the current SOC 2 Type II and the disaster-recovery section. If the vendor cannot produce one, that is itself a Rule 1.6(c) finding the firm should escalate.
Institutional clients (corporate GCs, insurance panel counsel) increasingly require firms to attest to a continuity plan in their outside-counsel guidelines. Send the executive summary to OCG-governed clients and log acknowledgments.
Training, Drills, and Compliance Sign-Off
Walk a ransomware scenario start to finish: detection, isolation, carrier notification, client communication, court extensions, restore. The point is to surface decisions nobody had previously owned — who calls the FBI field office, who authorizes a ransom decision, who pauses outgoing wires from operating and trust accounts.
Cover the plan with all attorneys and staff. Many states allow 1 ethics CLE credit for a BCP/cybersecurity session led by qualified counsel — coordinate with the CLE administrator if you want the hours to count.
Cross-check the plan against state bar trust-accounting rules, state breach-notification statutes, the malpractice carrier's annual questionnaire, and any client OCG attestations. Note any deltas for managing-partner review.
For each gap, log a remediation item with owner and target date in the firm's project tracker. Re-run this checklist's affected sections once gaps close; do not let the annual cycle be the only forcing function.
Final approval and signature on the BCP document, with the next annual review date set. Store the signed plan in the DMS under firm administration with restricted access — it contains sensitive infrastructure detail.
