Insurance & Technology is part of the Informa Tech Division of Informa PLC


Redefining BC Best Practices

Almost two years after the 9/11 attacks, experts say a sound business continuity plan relies on testing, testing ... and more testing.

Q: It has been almost two years since the events of September 11, 2001. How have business continuity plans changed or adapted, given the new realities that companies face?

A: Don Leipprandt, Allstate: Formalized crisis management plans have been reviewed, updated, tested and communicated. In regard to building evacuation, we worked on the ability to more closely monitor who is in the facility at any given time. There have been alternate communications tools developed and purchased to ensure employees can access key information during a critical event. However, our plan policies and standards did not require any changes due to the events of 9/11.

A: Michael Galvin, Empire BCBS: We combined business continuity (BC) and disaster recovery (DR) into one concept, and it is a concept that management and the employees have adapted to. We have in-depth plans from the business organizations. When things happen that require action, everyone in the organization has to know what their roles are. We lived through the 9/11 disaster, so we have first-hand experience. DR and BC are about people, execution of the plan and partnerships. We have already tested it, so to speak.

Any good plan starts with its people. Everyone has to know their roles and responsibilities. Each employee's role ties directly into the relationships that we have with our business partners.

A: Elaine Price, CYA Technologies: In our experience, many companies still do not have the technology in place to handle another catastrophic attack. They are still not organized enough to leverage their existing infrastructure or information base to ensure that they are properly protected. They are having a hard time deciphering the necessary planning and products from the unnecessary bells and whistles. We are beginning to see companies more aggressively focus on business continuity as they realize that it is not simply another IT initiative, but rather a new way of life for all businesses.

A: David Purdy, EMC: Deficiencies in an organization's readiness have been revealed, either through experience or examination. Organizations have been revising their plans and ability to achieve objectives.

Q: From an IT perspective, if you were to highlight the three most important things that a sound business continuity/disaster recovery plan should have, what would they be?

A: Leipprandt, Allstate: A proven backup strategy, a proven recovery strategy and a proven communication strategy.

A: Galvin, Empire: I believe there are four: The first is how you design the environment from technology, to applications, to redundancy. The second is making sure that the business continuity plan puts the organization in a position so they have the ability to execute and implement.

The third area is your partnerships with business partners and suppliers. They have to be with people you trust. For instance, on 9/11, one employee was empowered to go out and order 250 replacement servers and 500 workstations and laptops. Good partnerships helped us and it allowed us to get up and running. The person who made the decision made it hours after the towers fell and he knew he didn't need paperwork right away. All of that would be sorted out later. The fourth thing is people. They have to know in advance what their responsibilities are. The person who made that call for the desktops and servers made a decision to call the business partner and made the call almost immediately.

A: Price, CYA: Three words: Redundancy, Integrity, Simplicity.

Companies must have redundant systems and people in place at strategic locations. But redundancy doesn't matter if the information does not have integrity. Mirrors of corruption have no value. Companies need to realize they have a false sense of security if they have not taken data integrity into account when developing a business continuity plan. In some instances personnel may be lost. If this happens, the technology must be easy to use. This is especially important because employees may need to execute the plan while under extreme duress.

A: John Butler, LiveVault: Three important things are data protection, replacement of physical resources that are actually accessible to people under emergency conditions, and regular realistic testing of all aspects of the plan.

Q: A recurring theme seems to be testing. How does a company go about evaluating a business continuity/disaster recovery plan?

A: Leipprandt, Allstate: We began by creating and publishing policies and standards. We have created policies and standards for both BC and DR plans. The BC plans can be reviewed programmatically to determine whether they contain the basic content that a solid BC plan would need. To truly prove a plan it needs to be tested, which our policy states needs to be done annually. Our DR plans are tested on a regular basis.

A: Galvin, Empire: There is a BC team that is constantly updating the plans and making sure the notifications are issued for the players who are identified and that their roles are clearly defined. We also do a lot of testing and we are testing the procedures all the time. The testing is now part of our day-to-day environment and all of the engineers are trained to do it. It is a mindset.

A: Purdy, EMC: The insurance industry mirrors other industries in its desire to establish a factual baseline for continuity expectations. Assessing the ability to deliver previously committed BC service levels usually involves the use of outside auditors and/or consultants.

A: Butler, LiveVault: Across all industries, some companies seek outside evaluation of their plans and others don't. Usually those that seek outside evaluation are those where there is a very high-level (CEO or CIO) concern about the subject. At top levels there is a recognition that 1) the expertise is not easily gained and may not be internal, and 2) it is too easy to make optimistic assumptions, even unintentionally, about recovery plans, and that optimism is more characteristic of insiders.

Q: What is the most significant change you are seeing when it comes to business continuity? Are C-level executives now more involved?

A: Leipprandt, Allstate: We've noted higher levels of awareness in the marketplace. The CEO and Board of Directors were involved previously in our business continuity planning and continue to be a part of the discussions.

A: Galvin, Empire: Everyone is thinking about it and everyone is now aware of it. My feeling was that there was not as much emphasis on DR and BC, but now the programs are fully funded. From a senior management perspective, there is accountability. Previously, it was never viewed as a major issue. Now it is part of the day-to-day living.

A: Price, CYA: Everyone is trying to make a buck in this space. The market is being muddied up with classes, seminars, etc. Yet, almost none of these people have ever had any practical experience, and they certainly did not have their plans tested by 9/11 because they started becoming "Business Continuity Experts" after the disaster. So, the biggest change I have seen is the commercialization of the disaster recovery and business continuity space.

From a client perspective, no, there is not more CEO involvement. Our clients are large, Fortune 1,000 companies, and while directives may come from the CEO level, the day-to-day decision making is being done by the CIO/COO. However, I fully expect this to change, as CEOs become more liable for their company and their shareholders' interests.

A: Butler, LiveVault: The biggest change is the persistence of concern. For some reason we used to have regional concern ("we could have an earthquake") and short-lived concern ("the year after the hurricane"). Neither the regional nature nor the fading of concern was rational, but it was common. Now elevated concern seems national and persistent. But when it comes to C-level involvement, I'm not sure if "becoming involved" is the right phrase. "Concerned" and "aware" are probably accurate and new. "Involved" still remains the province of CIO and COO.

THIS MONTH'S EXPERTS

DON LEIPPRANDT
Information Security Manager
Allstate Insurance Co. (Northbrook, IL)

MICHAEL GALVIN
Chief Infrastructure Officer
Empire Blue Cross Blue Shield (New York)

ELAINE PRICE
President & CEO
CYA Technologies, Inc. (Trumbull, CT)

DAVID PURDY
Director of Business Continuity
EMC Corp. (Hopkinton, MA)

JOHN BUTLER
Founder
LiveVault (Marlborough, MA)

Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology.