5 Lessons I’ve Learned About Business Continuity in Legal IT

Paul Riley – April 11, 2025  – 6 mins read

Business continuity planning always sounds like one of those big, strategic things that’ll matter someday. But in legal IT, it matters every day — especially when “someday” becomes today, and suddenly, you’re the person everyone’s waiting on to keep the firm running.

I’ve been through my fair share of incidents — server meltdowns, vendor outages, data centre hiccups, and one particularly memorable Monday when our entire UK region lost access to the DMS for half a day. Fun times.

Here are the five biggest lessons I’ve learned (mostly the hard way) about what makes or breaks a business continuity and disaster recovery strategy in legal.

1. DR Isn’t an Infrastructure Problem — It’s a Workflow Problem

Early in my career, I treated DR like a purely technical problem: replicate servers, back up databases, mirror storage. It worked — sort of — until we realised that when something breaks, it’s not just about uptime, it’s about user access and function.

Now we build our continuity plans around workflows — litigation, document production, client meetings — and ask: “What does this person need to keep doing their job within 30 minutes of a failure?”

That question changed everything. It moved us from generic backups to function-first resilience.

2. No One Cares About the Plan If They Don’t Know the Script

It’s easy to file a BC plan in SharePoint and call it done. But in a real event, most people won’t read a document — they’ll wait for instructions. That’s why we’ve built a response playbook, not just a policy.

• Who communicates what (and to whom)?
• What do users do while systems recover?
• Who makes the call to switch to backups?

This kind of scripting makes a massive difference when you’re three hours into an outage and partners are pacing.

3. Your RTOs Should Scare You a Little

When we first mapped Recovery Time Objectives (RTOs), they were… optimistic. Every team wanted everything back immediately. Over time, we worked with stakeholders to set more realistic (but still ambitious) targets — and then pressure-tested them.

If you say your DMS can recover in 60 minutes, prove it. Run the scenario. See what breaks.

Our motto now? “If you haven’t tested it, it doesn’t count.”

4. Cloud Helps — But It’s Not a Free Pass

We’ve shifted many of our systems to the cloud — Microsoft 365, backups, some case management. That’s improved availability, but it’s created new dependencies. If Azure AD stutters or Teams goes offline, hybrid workers are stuck.

We learned this the hard way after a regional cloud authentication outage. Since then, we’ve implemented:

• Redundant access paths for key users
• Offline access policies for critical documents
• A separate comms channel outside of Teams (yes, including SMS)

Cloud gives you flexibility, but you still need to own the continuity plan.

5. Continuity Is a Team Sport, Not Just IT’s Job

Legal BC isn’t just servers and switches — it’s people, policies, and expectations. We now run firm-wide tabletop exercises twice a year, including partners and business units.

These aren’t just “what if” chats. We simulate scenarios (ransomware, building outage, data breach), walk through our response live, and adjust based on gaps.

The result? Better coordination, more realistic plans, and leadership that understands the stakes — and backs us when we invest in resilience.

Final Thought: You Don’t Get a Mulligan in Legal

In this profession, downtime isn’t just inconvenient — it’s reputational. Clients won’t wait, courts won’t pause, and opposing counsel certainly won’t play fair.

Business continuity isn’t a tech project — it’s a core part of delivering legal services. If you’re not preparing now, you’ll be reacting later — and that’s the worst seat in the house.