Insurance & Technology is part of the Informa Tech Division of Informa PLC

9-11 Musings: Business Continuity Readiness Today

Where do financial services and, in particular, insurance companies' capabilities stand at this six-year remove from the day when devastating attacks closed down lower Manhattan, presenting firms with unprecedented business continuity challenges? I turned to Mike Hager, enterprise security advisor and senior security architect at Unisys, for insight.

Probably the anniversary of 9/11 was observed this year more or less the same way it was last year. However, it felt different to me because I happened to be in New York, where I worked at the time of the attacks. The memories lasted beyond the date since the dull, humid weather of this year's 11th gave way on the 12th to conditions very similar to those on the day of the terrorist attacks.

My industry-related memories went back to stories of business continuity efforts, some of which we wrote about. Overall the financial services industry got mixed reviews for its response, which was likely much better than it otherwise would have been if the World Trade Center itself had not been attacked in 1993.

Where do financial services and, in particular, insurance companies' capabilities stand at this six-year remove from the day when devastating attacks closed down lower Manhattan, presenting firms with unprecedented business continuity challenges? For insight into that question, I turned to Mike Hager, enterprise security advisor and senior security architect at Unisys.

The insurance industry has done somewhat better than others, according to Hager, but he claims that there remain shortcomings associated with the difficulty of keeping track of the continually changing profile of mission-critical systems and processes.

"Many companies today do not have a business continuity management process that provides for current up-to-date information about the critical business functions needed to continue their critical operations, nor up-to-date information about the mission-critical systems that support these operations," Hager said. "Also the level of risks associated with their company not being able to recover are not formally identified and considered in the BCM process."

Because companies are undergoing constant change, Hager recommended performing a business impact analysis at least every two years. However, he cautioned, "if you don't have an effective change control process and a good system development life cycle process in place, the BCP [business continuity planning] and DR [disaster recovery] plans quickly become out-of-date and incapable of providing recoverability should something go wrong."

Insurers also need to improve on training employees to be ready for their disaster event roles and on testing how plans function, Hager said. Without demonstrating the adequacy of a plan through testing, a company can't really know whether the plan will keep it going in the event of disaster. "While some companies, such as USAA, do an excellent job at making their exercises realistic, many do not provide adequate training and testing of their plans," Hager asserted.

Insurance carriers share with their financial services counterparts the problem of maintaining the availability of data across geographically dispersed facilities, Hager noted - all face the challenge of ensuring that data is recovered within the period predetermined within their business continuity plans.

"Today many are looking at replicating data between facilities and locations to ensure that data is available when needed, however I would caution that that data/technology is only one of the key elements of an effective recovery plan - people and facilities must also be considered," Hager concluded.

To summarize Hager's critique:

First, while the insurance industry may be first-rate in its business continuity/disaster recovery efforts, BC/DR is not a once-and-done task - at a minimum, analysis and re-planning should be done on a two-year cycle, and at best, some kind of change management process should track mission-critical changes as they happen. After all, disasters can hit anywhere within the refresh cycle.

Second, when all is said and done, planning is a theoretical exercise. As with most extreme situations, one never knows how one might perform until the day of reckoning. However, prudence demands thorough testing of BC/DR plans, preceded by initiatives to keep employees updated as to their BC/DR responsibilities.

Finally, BC/DR is far from simply a technology challenge; it is a people, process and technology problem, and one, moreover, that must pay special attention to the physical facility within which those people, processes and technology elements are located.

I encourage those who agree, disagree or have other observations than Hager to share them with me.

Posted by Anthony O'Donnell

Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...
