"We all live and work in a real-time world," says Cindy Todoroff, director of infrastructure and client technology with Penn National Insurance. "How do we maintain that when something bad happens?"
Business continuity programs may have been borne out of natural disasters or life-changing events such as 9/11, but today companies have been forced to consider a wide spectrum of events that could shut down their operations, ranging from the projected Avian flu to attacks on a company. "We have to think beyond the typical disaster," says Todoroff. "How do you keep the business running when people can't get to the office?"
The real-time atmosphere companies operate in today has meant the amount of time a company can afford to be down is shortening, according to Cole Emerson, a director at KPMG Advisory Services. "Years ago you could tolerate a day or two downtime depending on the industry," he says. "Now, it is hours or minutes."
There are common elements that fall within every business continuity plan, Emerson believes, but each industry has different drivers. "The tolerance for downtime is going to vary," he says. "A trading organization has significantly less tolerance for downtime because of its real-time transactions. But there is an increased recognition of all the terrible things that have happened in the last five years, which I think crystallized in senior management's mind the absolute need for a plan."
Within insurance, there are two components that have to be addressed in business continuity–customer-facing areas and back-end processing, points out Prasad Balakrishnan, a director in the advisory practice for PricewaterhouseCoopers. "There is a lot more maturity in the front end in terms of where the technology is, how much it is being used, and how much has been completed," he says.
"The front end is the bread and butter and affects revenue coming in," says David Holtzman, managing director of PwC's advisory practice. Because of the transaction levels within insurance, carriers must have their systems up at all times. "When systems go down, it can mean some major issues," he says. "[Business continuity plans] need to make sure they take care of that first. There has been a transition to more of the IT areas now to get their arms around [the back end], as well. Companies need to address customer-facing first and then the back-end applications."
PANDEMIC ANYONE?
At Penn National, the carrier is focused on developing the ability for employees to work from home in the event a crisis takes place. The carrier went to its vendors first to explore what they plan to do in case of a pandemic. "We're trying to bite off pieces that make sense for us," says Todoroff.
If a carrier is serious about people working from their home, Todoroff advises the company has to make sure connecting with the network and working with the business applications are as secure as they would be if the employees were working in the company headquarters. "Companies have to figure out how to architect that with security in mind," she says. Penn National has worked through that stage, and Todoroff explains the carrier has a secure portion of its network that is disconnected from the rest of the network but hosts significant applications so people can work from home.
Not surprisingly, workers love it, reports Todoroff. "If I need to work from home for whatever reason, I easily can do that now," she says. Penn National separated the business applications from the main production network and set up security controls to verify that the people coming in are Penn National employees. "We have more security [for those working at home] than if we were working directly with the corporate network," she says.
Penn National employees download a Citrix application to their home computer that allows them into the carrier's network. "They don't even have to have high-speed Internet," notes Todoroff. "Performance might not be as good without [broadband], but they can work over a telephone line if that's all they have."
The carrier always had a significant number of people working out of their homes, she remarks, and it saw a natural progression toward working outside the office. "It made logical sense to have a way for them to do that effectively," she says, adding, "9/11 sort of said to us this was the right direction to take, but it wasn't the thing that initially pushed us."
One of the first tests of the system came when a snowstorm last winter in the Harrisburg, Pa., area made traveling difficult, so Penn National closed the home office for a day. "We gave people the option to work from home or take a personal day," she says. "Those who needed to do work could do it. The good thing was our systems were all up; it just was the roads that were impassable."
A lot of organizations have found technology has enabled the concept of being virtual, allowing companies to put aside beliefs that having individuals bound to a single site is the only way to operate. "There is so much flexibility you can have people working from a third-party remote site as well as out of their home," says Emerson. "For the most part, there is no differentiation from the client's point of view between [workers] in a home or those in a call center somewhere. [Remote workers] still have to have access to the data as a reference during their interface with customers. You also have to have voice communication."
Security is a key issue when companies look to make their network available to employees who may need to work at home, contends Balakrishnan. "Security is so much a part of what companies are doing these days," he says. "It's part of their virtual enterprise. It's part of day-to-day business."
Carriers also need to address the following question: Is the infrastructure sufficient to provide some framework for a business continuity program environment? Balakrishnan feels the answer is yes but adds there are a lot of moving parts in making that happen. "If [companies] realize this is a problem and they need a solution, making it work is less of an issue," he says.
TESTS PERFORMED
"Market conditions have changed and customer expectations have changed, so what was acceptable [in outages] five years ago simply isn't acceptable today," says Steven Ross, head of the global business continuity management practice at Deloitte. "Tolerance for downtime has shrunk almost to the point of zero. Most companies that take the threat of interruption seriously revisit their business impact analysis regularly to see whether there is any need for change."
Part of Penn National's disaster recovery plan is to have the customer-facing applications and the most important business applications up and ready to go within four hours. "We contract with IBM to make sure that happens," says Todoroff. Penn National tests the system with IBM annually and performs a second test in-house for less critical applications also on an annual basis.
One area a carrier needs to look at is equipment, such as laptops. Balakrishnan relates a client he works with expressed a need for at least 35 key people on the business side to keep operations running in a crisis but has just five laptops available. "The question was whether that's enough," says Balakrishnan. "Those are the kind of gaps that exist."
Companies need to give laptops to employees performing those key business processes, advises Balakrishnan. "Traditionally, laptops have been seen as a high-end, nice-to-have tool only executives or mid-level management had, not the people who actually were doing the work," he says. "IT people are a little different. A lot of them have laptops and are well coordinated when it comes to managing a response. But in the business process side, there is some way to go."
ACCEPTABLE LEVEL
With customer-facing systems such as Web sites and call centers, customers have an expectation they always will be there, explains Ross. "I use the term the 'killer click,'" he says. "If I wanted to buy a policy from Company A and couldn't get to its Web site, I'd say no problem and go to Company B. Not only has Company A lost a sale, it has lost a customer because I probably won't come back."
When the cause of a carrier's Web site outage is hacking or viruses, it typically is described as a security problem. But when it's something physical, such as fire, flood, or storm, it's described as a business continuity issue, comments Ross. But he suggests it is of small importance to customers which one caused the outage. "The point is an outage occurred, and systems need to be resilient enough that either there is no downtime or whatever downtime is experienced is within the considered judgment of management to be an acceptable level," he says. "Trying for zero downtime may be good for hospitals, but for most commercial enterprises, some downtime is acceptable."
Companies have developed some tolerance because the cost of ensuring zero tolerance for outages can be staggering. Data replication is fairly commonplace today, Ross points out. It is possible for a company to have zero data loss, but most companies have determined if they lose 20 minutes' worth of data, they can live with that. As a result, they back up every 20 minutes.
"The closer you get to zero data loss, the cost goes up exponentially," Ross says. "The question is, before you spend a large amount of money for zero data loss, you better make some determination and analysis on the impact to the business as to whether that investment is justified or whether you can stand a little bit of loss on occasion so you use that money for something else."
Risk analysis is a key issue in building a business continuity plan, according to Emerson. "What are the bad things that can happen, and how likely are they to occur?" he asks.
The second area to focus on is a business impact analysis, which details the key processes a company has, who supports those processes, and how quickly they need to get functional after an interruption. "That decision has a number of elements, but the financial impact, the brand impact, and the regulatory impact are considered in deciding which process has to be back first, second, or third, and what is the time frame? No downtime? Hours? Minutes? Days?" Emerson continues. "A combination of what's the risk and what's the impact drive the strategies." The technical options, facilities options, and process options are studied to determine the best combination to meet management's tolerance for downtime, the customers' tolerance for downtime, and protection for shareholder value, he indicates.
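The business impact analysis Emerson describes, combined with the four-hour recovery target and the 20-minute backup interval quoted earlier, can be written down as a small gap check: rank processes for recovery order, then compare a planned recovery timeline against each process's tolerance for downtime (RTO) and data loss (RPO). The following Python is an added example, not code from the article or from any of the firms quoted; the process inventory, impact scores and time values are constructed for illustration.

```python
"""Added example (not from the article): a small business-impact-analysis
helper. It ranks processes for recovery order and checks a planned recovery
timeline against each process's RTO (tolerable downtime) and RPO (tolerable
data loss). All names, scores and times below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    financial: int        # 1-5 impact scores, as a BIA workshop would assign
    brand: int
    regulatory: int
    rto_minutes: int      # maximum tolerable downtime
    rpo_minutes: int      # maximum tolerable data loss
    customer_facing: bool

    @property
    def impact(self) -> int:
        """Combined impact score used for ordering recovery."""
        return self.financial + self.brand + self.regulatory


# Constructed inventory; the 20-minute RPO and 4-hour (240 min) restore below
# echo figures quoted in the article, the rest is illustrative.
PROCESSES = [
    Process("quote-and-bind web site", 5, 5, 2, rto_minutes=60, rpo_minutes=20, customer_facing=True),
    Process("claims call center", 4, 5, 3, rto_minutes=120, rpo_minutes=20, customer_facing=True),
    Process("policy administration", 4, 2, 4, rto_minutes=240, rpo_minutes=20, customer_facing=False),
    Process("commission statements", 2, 1, 2, rto_minutes=2880, rpo_minutes=1440, customer_facing=False),
]


def recovery_order(processes):
    """Customer-facing first, then highest combined impact, then tightest RTO."""
    ranked = sorted(processes, key=lambda p: (not p.customer_facing, -p.impact, p.rto_minutes))
    return [p.name for p in ranked]


def data_loss_minutes(outage_at: int, backup_interval: int) -> int:
    """Data lost when backups run every backup_interval minutes on the
    interval boundary and the outage strikes at outage_at (minutes since midnight)."""
    return outage_at % backup_interval


def check_plan(processes, restore_minutes, backup_interval, outage_at):
    """Return (process, metric, actual, tolerance) for every RTO or RPO breach."""
    loss = data_loss_minutes(outage_at, backup_interval)
    breaches = []
    for p in processes:
        if restore_minutes > p.rto_minutes:
            breaches.append((p.name, "RTO", restore_minutes, p.rto_minutes))
        if loss > p.rpo_minutes:
            breaches.append((p.name, "RPO", loss, p.rpo_minutes))
    return breaches


if __name__ == "__main__":
    print("Recovery order:", recovery_order(PROCESSES))
    # A contracted 4-hour restore with 20-minute backups, outage at 10:15
    for breach in check_plan(PROCESSES, restore_minutes=240, backup_interval=20, outage_at=615):
        print("Gap:", breach)
```

The output of `check_plan` is the gap list a planner brings back to management: with a single four-hour restore contract, the two customer-facing processes miss their RTOs even though the 20-minute backup cadence keeps data loss within tolerance, which is exactly the kind of prioritization decision the article says has to be made per process rather than with one rule.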
"There is no general rule you can use to determine an appropriate level of downtime," Emerson says. "That's something management reviews and accepts when it has been given adequate information to evaluate the risk. It invests in the area that has the highest impact and the solutions to reduce that impact."
PERSONNEL ISSUES
Planning for disasters such as Katrina–where a single event could wipe out an entire component of your business or the employees who go with it–is more difficult for organizations. "If you are talking something of that magnitude, it becomes a completely different crisis management plan," says Balakrishnan. "You have to keep the business up, but how do you take care of your people during this time? That can be a big PR disaster if the company doesn't do it well."
PwC has seen companies pay more attention to crisis planning. "You plan to the best of your ability for how you are going to do this based on sound business continuity management principles, but with something such as 9/11, everything came to a standstill," says Balakrishnan. "It didn't matter whether you had a laptop; you weren't going to go to work. You are more worried about much bigger things."
If you examine the bigger event and the decisions companies had to make, such as a loss of personnel, Balakrishnan believes the planning needs to be more centered around people. "Everything you've done around sound business continuity management will take care of the business," he says.
Companies are doing a better job of disaster recovery than they have with business continuity, he adds, citing a lack of end-to-end scenarios that have been proven out. "We work with clients that have expressed the concern: How do I manage in a crisis going from disaster recovery to business continuity to almost crisis management?" he indicates.
All three are interrelated, so the question involves the maturity level of each of these functions. "Crisis management is not just technology," says Balakrishnan. "It's much more than that. How do you handle the media? How do you handle executive security? There are so many pieces to it; I think there is a lack of coordinated response."
ON BOARD
Holtzman contends public companies and larger mutual insurers have taken a more aggressive approach to business continuity and invested more money in their plans because of the push they have received from their board. "Over the last 18 months, we're seeing companies address business continuity in a more holistic fashion," he says. "I think people are taking steps in the right direction. It's the level of detail that is different. More aggressive companies have built an area within IT around business continuity and have tested their policies and procedures."
KPMG and Continuity Insights magazine publish an annual survey on business continuity management issues, and Emerson feels every year an increasing number of companies see the light and understand the threat they face or their fiduciary responsibility to their shareholders and clients, but not everyone is on board. "In a number of surveys that have occurred recently, you still have about 30 percent of companies that just haven't started anything, and maybe 40 to 50 percent that are much more mature," he says. "And then there is a whole range of organizations that are in the middle area."
Business continuity continues to filter down from the large companies to the midtier and smaller, Ross observes. "I think it's just recognition if you're not there for your customers or policyholders at any given point in time, the mobility of the marketplace is such that [customers] take their business someplace else," he says. "It's very difficult in a 24/7/365 news cycle to say, 'We had a problem, but we fixed it.' It wasn't that long ago it was commonplace for insurance companies, particularly life insurance, to have the ability to withstand a five-day outage. That's no longer the case. Business tolerance for outage or data loss is much more tightly defined."