Case study
Migrating a global law firm’s document system without a minute of downtime
A multi-year document-management migration that moved millions of legal documents across ten international offices for a heavily regulated global law firm — with zero operational downtime, full chain-of-custody, and 100% audit and governance compliance.
- 10 · International offices · four time zones
- ZERO · Minutes of operational downtime
- £5M · Program value at peak
- 100% · Audit & governance compliance
- ~6.2M · Documents cut over with full lineage
- 38 · Office-level cutover rehearsals
The challenge
What I walked into.
- A global law firm does not get to pause. Fee earners in one office draft at deadline while another office sleeps; a document system unavailable for an hour is billable work, client commitments, and court filings that don’t happen. The migration had to be invisible to the people doing the work.
- The estate was not clean. A decade-plus of matters, precedents, and email had accumulated across ten offices on a legacy platform, with local naming conventions and inconsistent metadata that had to survive the move intact — nothing orphaned, nothing reattributed to the wrong matter.
- Regulation left no margin. Under legal professional privilege, confidentiality rules, and information-barrier (ethical wall) obligations across jurisdictions, every document had to keep its access controls, retention rules, and chain of custody through cutover. A privilege break was not a defect — it was a reportable event.
- Ten offices meant ten overlapping working days. There was no single quiet window; any cutover that took a fixed system down globally would land in the middle of someone’s business hours.
- Rollback could not be theoretical. With privileged client data in motion, “we think we can revert” was unacceptable. We needed a tested, timed, rehearsed path back to the last known-good state for every office, signed off before anyone touched production.
The approach
I treated this as a reliability program, not a data-move project. The premise: assume any single cutover could fail, and make failure survivable everywhere before allowing it anywhere. We sequenced the ten offices into waves by region and risk, starting with a lower-volume office as the reference cutover and ending with the highest-complexity London estate once the playbook had earned trust. Each office got its own rehearsal cycle against a production-shaped staging copy — full-volume data, real metadata, real access controls — run until the cutover was routine. We rehearsed 38 times, and rehearsal is where we found the expensive problems cheaply: a metadata-mapping edge case that would have mis-filed a class of matters, a permissions-inheritance gap that would have widened access, a retention rule that rounded the wrong way. Each cutover ran inside the office’s own overnight window, in its own local time — no global blackout, ever. Every wave had a written runbook with a named go/no-go gate, a pre-staged rollback timed to fit the same window, and source-to-target reconciliation before we declared an office live. Governance sat in the room for each gate with the evidence in front of them, so compliance was a live control during the migration, not an audit performed on it afterward.
The systems
How I built it.
Rehearsal against a production-shaped copy
Every office cutover was rehearsed end-to-end on a full-volume staging environment mirroring real data, metadata, and access controls — not a sampled subset. We ran each rehearsal until the cutover was uneventful, which is exactly when it found the edge cases that mattered. The first time anything ran in production, it was the Nth time the team had run it.
Rollback discipline as a precondition
No cutover was authorized until its rollback was written, timed, and proven to fit inside the same overnight window as the migration. We snapshotted last-known-good per office, kept the legacy platform readable until reconciliation passed, and defined the explicit triggers — reconciliation mismatch, access-control drift, privilege-integrity failure — that would call the revert. Rollback was a rehearsed step, not a hope.
Time-zone-sequenced cutover waves
Offices were grouped into regional waves and cut over inside their own local overnight windows, so no single change took the global system down during anyone’s working day. Sequencing ran lowest-risk office first as the reference cutover and highest-complexity estate last, so the written cutover plan accumulated trust before it met the hardest data.
Governance in the room, evidence-gated
Risk, compliance, records management, and IT steering had a standing seat at every go/no-go gate, reviewing source-to-target reconciliation — document counts, metadata fidelity, access-control and ethical-wall integrity, retention mapping — before an office was declared live. The controls ran during the migration, which is how the program held 100% audit and governance compliance across all ten offices.
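The evidence gate and the three rollback triggers described above can be sketched as a manifest comparison. This is an added example, not code from the program or the original page. The record fields, the function names, the mapping of each check to a trigger, and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class DocRecord:                      # hypothetical manifest row, one per document
    doc_id: str
    matter: str
    content_hash: str
    acl: frozenset                    # principals allowed to read
    walled_off: frozenset             # principals barred by an ethical wall
    retain_until: str                 # ISO date produced by the retention rule

def reconcile(source, target):
    """Compare manifests; return the sorted rollback triggers (empty = clean)."""
    triggers = set()
    src = {d.doc_id: d for d in source}
    tgt = {d.doc_id: d for d in target}
    if src.keys() != tgt.keys():      # document counts: orphaned or missing
        triggers.add("reconciliation mismatch")
    for doc_id in src.keys() & tgt.keys():
        s, t = src[doc_id], tgt[doc_id]
        # metadata fidelity and retention mapping
        if (s.matter, s.content_hash, s.retain_until) != \
           (t.matter, t.content_hash, t.retain_until):
            triggers.add("reconciliation mismatch")
        if s.acl != t.acl:            # any widening or narrowing of access
            triggers.add("access-control drift")
        # a wall that changed, or a walled-off principal who can now read
        if s.walled_off != t.walled_off or t.acl & s.walled_off:
            triggers.add("privilege-integrity failure")
    return sorted(triggers)

def gate(source, target):
    """Go/no-go decision for one office, with the evidence behind it."""
    triggers = reconcile(source, target)
    return ("ROLLBACK", triggers) if triggers else ("GO", triggers)

# Constructed sample data, not taken from the migration.
SOURCE = [
    DocRecord("D-001", "M-1001", "aa11", frozenset({"team-a"}), frozenset({"team-b"}), "2031-12-31"),
    DocRecord("D-002", "M-1001", "bb22", frozenset({"team-a"}), frozenset({"team-b"}), "2031-12-31"),
    DocRecord("D-003", "M-2002", "cc33", frozenset({"team-b"}), frozenset(), "2029-06-30"),
]
TARGET_BAD = [
    SOURCE[0],
    replace(SOURCE[1], acl=frozenset({"team-a", "team-b"})),  # inherited permission widened access
    replace(SOURCE[2], retain_until="2029-06-01"),            # retention date mapped wrongly
]

if __name__ == "__main__":
    print(gate(SOURCE, SOURCE))
    print(gate(SOURCE, TARGET_BAD))
```

Comparing per-document records rather than totals is what lets a widened ACL surface even when the document counts match.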
The outcomes
Measured.
What it taught me
- When the system cannot pause, you don’t schedule downtime — you engineer it out. Time-zone sequencing turned a global blackout into ten quiet local windows nobody noticed.
- Rehearsal is the cheapest place to fail. Every problem found on a production-shaped staging copy was a problem we did not find live, in front of privileged client data, at the worst possible hour.
- Rollback is a precondition, not a contingency. If the revert isn’t written, timed, and proven to fit the window, the cutover is not ready — regardless of how confident the team feels.
- In a regulated environment, governance belongs in the room with the evidence, not in a memo afterward.
- Sequence by trust. Run the lowest-risk office first so the playbook earns credibility before it meets the hardest estate.
- Chain of custody is the real deliverable. Moving the documents is easy; moving them with access controls, retention, and privilege intact across jurisdictions is the entire job.