The Best-Laid Plans: Key Considerations for Business Continuity and Disaster Recovery Planning

One of the more crucial responsibilities of most IT organizations is to ensure that an effective disaster recovery and business continuity plan (DR/BCP) is in place for their organization and is routinely exercised. While most organizations do have plans in place, these plans should be routinely practiced and reviewed to ensure they remain applicable to scenarios an insurer is likely to face.

An old adage carriers should keep in mind is that “we are always ready to fight the last war,” a statement that frequently describes their DR plans. For a historical perspective on just how disastrous an approach that can be, one need look no further than the French military’s focus and dependence on building the Maginot Line between the World Wars.

To avoid potentially expensive undertakings offering a false sense of security, carriers should consider the following key points:

Prepare for the next event, not the last one: Given the range of natural disasters and cyber threats insurers need to be prepared for at any given moment, reviewing recurring as well as new scenarios to be incorporated into plans should become part of a regular planning cycle.

Plan for resiliency beyond core systems and data: In a time when customers expect 24/7 access to their service providers, outages threaten the health of customer relationships, often at the very time contractual promises are needed most. Insurer CIOs should focus on building infrastructure that allows traffic to be rerouted, or on using service providers to augment in-house capabilities during difficult situations.

Consider partner relationships, third-party providers, and external services: Online experiences are often combinations of internally developed capabilities and services delivered by third parties. That means the customer experience is actually the combined function of the availabilities for each of the service providers, thus increasing an insurer’s chance of meeting its customers’ needs in the midst of a natural disaster. That being said, access to third-party providers isn’t guaranteed, especially during a crisis likely to affect myriad insurers—as such, carriers need to incorporate procedures and processes into their own plans and be sure to test effectively end to end.

Question assumptions about ancillary resources: If ancillary resources, such as generator power, do not function as anticipated, the entire plan fails. Insurers should understand exactly how backup power is distributed throughout their facilities as well as how it will need to be used to ensure (to the best of their abilities) smooth application of an effective DR/BCP.

Expect challenges in setting up an alternative data center and coming back from one: Establishing systems, gaining access to production data, and moving network connectivity in a state of emergency is a difficult task, especially given that many companies with third-party data center provider relationships have never actually run a business cycle from the remote location. Additionally, returning from a remote data center after a disaster declaration may be even more disruptive than the initial declaration. Employees may not be practiced in the process of shutting down at the remote site and returning to the company’s facilities.

Remember that it’s also about people: Insurers should weigh theoretical expectations of their staff against realistic ones—in a real event that may threaten their own families, staff may be unable to enact processes and procedures as laid out in even the best of plans. Insurers should think about ways in which a smaller number of key staff members might be relocated in order to prioritize an insurer’s most significant work during times of crisis.

Ensure rapid access to documentation: Plans that are developed, documented, and saved on corporate networks may not be available when they are most needed. This information should be available in as many forms as possible, with its locations clearly communicated on a regular basis to ensure access should a disaster strike.

Plan early and practice frequently: Planning both for likely and unlikely scenarios, and practicing these plans on a routine basis, is crucial. Preparing one’s staff to the point where procedures for various events, routine or not, become second nature means they can handle those instances with minimal effort. This will allow them to focus instead on dealing with the array of possible events that may not have been considered when putting the plan together.

Insurer CIOs should consider response options for natural disasters, self-inflicted failures caused by defective equipment in carrier-controlled facilities, and, in today’s context, rapidly moving infectious diseases like SARS and COVID-19. Tolerance by customers, producers, and state regulators for disrupted service is lessening as the standards for performance and stability continue to rise. Creating and maintaining these plans as well as routinely practicing and reevaluating them can allow insurer CIOs to stay a step ahead of the next event.

For more on this topic, see Novarica’s CIO Checklist, Business Continuity Planning and Disaster Recovery.
