TODAY’S GENERAL COUNSEL SPRING 2018
for the Legal Department
Can your legal department meet the company’s needs during an emergency? What if the emergency involves access to your computer networks during a cyber incident, lack of access to your office during a natural disaster or a pandemic that sidelines most of your legal team? During any of these events, the business line will be calling to seek information about data breach disclosure requirements, to seek a review of contracts for force majeure, or to find out whether the diligence on an important business transaction is complete in time for closing. This combination of external threat and its impact on the legal department’s ability to meet its mission and sustain its business processes during and after a significant disruption is at the heart of business continuity planning.
Unfortunately, many companies, and many more legal departments within those companies, have not developed an effective business continuity plan (BCP). Often a BCP gets included in an alphabet soup of resilience programs led by the Chief Information Officer (CIO), such as continuity of operations (COOP), critical infrastructure protection (CIP), disaster recovery plan (DRP) and information system contingency plan (ISCP). For lawyers, the acronyms are enough to make your head spin. Most of those programs are about technological resilience and appropriately led by the CIO. However, the legal department needs its own BCP, so you know how your team will continue to function during an emergency.
SUSTAINING CRITICAL FUNCTIONS
Continuity planning includes developing the ability to continue critical functions and processes during and after an emergency event. One standards organization defines continuity as “strategic and tactical capability, pre-approved by management, of an organization to plan for and respond to conditions, situations, and events in order to continue operations at an acceptable pre-defined level.” A BCP focuses on sustaining an organization’s mission and business processes during and after a disruption. In this case, the “organization” is the legal department.
Four major steps are required for establishing a BCP: (1) risk assessment, (2) business impact analysis, (3) resources/needs assessment, and (4) business continuity plan.
The first step is to conduct a proper risk assessment. This includes identifying internal and external threats that might impact your department’s ability to meet its objectives. Examples include catastrophic flooding, tornadoes, fire, active shooter, computer virus, earthquake or other potential threats. You will need to brainstorm a list of threats and then review it in light of probability of occurrence. Although probability is a mathematical concept, frequency rather than probability could be used to describe the risk. Consider the recent
Kevin Collins is a partner at Bracewell LLP. He is a former Assistant United States Attorney, who specializes in corporate responses to major catastrophic accidents and natural disasters. Kevin has focused on process safety since he assisted the Baker Panel in investigating and issuing its report on safety culture and corporate oversight of British Petroleum’s North American refineries in 2005. kevin.collins@bracewell.com
Jason Hutt is chair of the environmental department at Bracewell LLP. His advice and advocacy are informed by a technical understanding of how energy and key industrial sectors operate, as well as the challenges clients must navigate to achieve their business objectives. jason.hutt@bracewell.com