Q: What have insurers learned from the 9/11 and Hurricane Katrina disasters, and how have their business continuity/disaster recovery programs evolved as a result?
A: Kelley Okolita, Hanover Insurance: After Sept. 11, 2001, many insurance companies began to take their business continuity more seriously. Most insurers had limited recovery plans in place to protect their data centers but had not taken a hard look at the needs of the business in a recovery. Like most industries, when they began to look at disaster preparedness, it always started with the recovery of the business technology. It takes time for companies to understand that it does not really matter if you bring back the technology if there are no business people to use it.
Enterprisewide business continuity required the insurance industry to look not only at technology and alternate sites for business operations, but also at their own risk management practices. They looked at how they manage records, control access to both physical spaces and logical access to information, and how they manage operational risk issues, etc., to try to reduce the potential of an event impacting their ability to continue their business operations.
Katrina introduced a whole range of issues about large-scale catastrophe response. These include spreading of risk in geographical locations and how to take care of policyholders who have losses, and employees and their families in the impacted region.
A: Michael Croy, Forsythe Solutions Group: Insurers are investing in a number of technology solutions in parallel paths. In support of their core business, insurers are continually assessing their risk and building out resiliency in their technology, reducing exposure to risk and the impact of incidents. They also are encouraging clients to become more proactive and elevate their state of readiness, especially in high-risk locales. If the insured is unwilling or unable to mitigate through proper disaster preparedness, they are rated accordingly, and the risk they present is reflected in their premiums.
A: Steve Ross, Deloitte & Touche: There has been a growing awareness of the need for out-of-region resources, including data, servers and personnel. Only recently has business continuity/disaster recovery management become one of the top five priorities for senior management. This is no less applicable to insurers than banks, brokerage firms, or manufacturers and retailers. However, the regulatory environment for some industries has pushed resilience - even more than recoverability - into the forefront more so than for insurance.
A: John Lindeman, SunGard Availability Services:Disaster victims often turn to their insurance companies when there is nowhere else to turn. The very nature of this business requires insurance companies to be extremely reliable and available. Recent disasters have taught insurance companies that they need highly advanced data recovery techniques focusing on both employee and IT preparedness. In addition, insurance companies have learned the value of having data stored or replicated in a remote location, so that if/when a disaster hits, data is safe and available in an unaffected area.
Q: What information is critical to protect in the face of a disaster to assure business continuity?
A: Okolita, Hanover Insurance: Most companies are very good about traditional vital records. Policyholder and claims information, for example, is backed up routinely and sent off-site to ensure availability following a disaster. What most insurance companies don't think about are the nontraditional vital records. I tell people to look at their desks and identify things they use every day to do their jobs - things such as procedure manuals, forms, letterhead and check stock. These should be sent off-site as well so they would be available immediately following a disaster.
A: Ross, Deloitte & Touche: Transactional data, especially from direct online sources, cannot be lost. Not very long ago, the key determinant was management's tolerance for downtime. Today, equally important, if not more so, is management's tolerance for data loss. If system interruptions result in irreversible financial or market share losses, the data involved is by definition critical.
A: Lindeman, SunGard Availability Services: From a customer-service perspective, the protection of claims management and policy data is absolutely critical, especially when you consider that the disaster may cause extensive claims submissions. Similarly, insurance companies must maintain continuity for customer- and supplier-facing systems, to expedite claims, ensure efficient replenishment of lost goods and identify valuable opportunities for cost-savings through supplier consolidation.
Insurance companies also need to protect information about their employees so they can quickly and efficiently determine employees' whereabouts and safety, and also so they can understand who may be most readily available post-disaster (for appraisals, for example). Finally, insurance companies must protect all data needed for compliance purposes, including e-mail records and financial data.
Q: In what key technologies and services should insurers invest to ensure that they can get back up and running quickly after a disaster?
A: Croy, Forsythe Solutions Group: Asynchronous data replication enables long-distance replication with little data loss. New technologies maintain compacted copies of server images, so test or development servers can be quickly repurposed for production in a disaster. Virtualization technologies, such as VMware (Palo Alto, Calif.), also do this with more-flexible utilization of server resources. For business recovery, Internet VPNs let workers relocate nearly anywhere and access applications securely, even from home. Outsourcing services, such as application hosting, provide dedicated recovery sites to customers with no capital investment.
A: Ross, Deloitte & Touche: In recent years, the technology for continuous availability of information systems has become more practical and affordable. In order to achieve their availability and resilience goals, insurers need to invest in data replication hardware and software, increased bandwidth, and secondary (or even tertiary) data centers housing servers, storage and network termination equipment.
Q: How are insurers handling workforce issues, including communications, following a disaster? How do mobile computing and remote work arrangements affect business continuity/disaster recovery plans?
A: Okolita, Hanover Insurance: It is important that not only are there various ways to communicate to employees about office closures and events impacting the business but that employees also have a way to reach us and tell us they are OK and let us know if they need help and how to contact them.
Mobile computing is increasingly used in the field. Work-at-home strategies are a key part of contingency plans even for short-lived events like snow storms that impact travel. It will become critical in events like a global pandemic when traditional contingency plans will not work, as it is not the building or the data center with a problem but your workforce.
A: Croy, Forsythe Solutions Group: Mobile communications technologies allow key executives to meet and make crucial decisions through a virtual command center, rather than having to gather at a physical emergency operations center. This enables organizations to respond more quickly.
Beyond incident management, more-strategic use of mobile technologies is needed for more cost-effective investments and more-secure, robust communications. Critical success factors in making mobile solutions more strategic include a high level of executive commitment and oversight in mandating mobile communications policy, and cross-functional collaboration between business units and the IT department.
A: Ross, Deloitte & Touche: Insurers are recognizing that, even more than disasters that have already occurred, the prospect of a pandemic will affect their ability to operate. A pandemic will create a highly focused, widespread workforce issue. Companies are considering automated notification systems, remote access for teleworking solutions, and significantly increased bandwidth to support remote workers and collaboration systems.
Peggy Bresnick Kendler has been a writer for 30 years. She has worked as an editor, publicist and school district technology coordinator. During the past decade, Bresnick Kendler has worked for UBM TechWeb on special financialservices technology-centered ... View Full Bio