Avoiding An IT Disaster

Protecting clients against disasters may be the bread and butter of many insurance companies. But many carriers have only just begun to take a hard look at their own business continuity strategies, especially when it comes to information technology systems.

"Insurers are there to protect and indemnify individuals against disasters and unforeseen accidents, but they have not really invested as aggressively-or at least thought about it as much-as banks and financial services have done," observes Bill Pieroni, general manager for IBM Corp.'s global insurance industry practice.

"I don't think insurers have invested enough in this space in terms of money, time, resources, and management talent. It's an oftentimes neglected area of an IT plan."

Many insurance executives clearly understand the need to enhance their business continuity and disaster recovery plans. However, industry observers say such planning often takes a back seat in budget priorities-except immediately after a shock jolts managers into thinking about the resiliency of their systems.

Indeed, many carriers continue to rely on outdated disaster recovery plans-retrieving back-up tapes, shipping them to a back-up site, and waiting for their operations to spring back to life-a process that can take up to four days. In an age when many carriers are increasingly relying on online channels and highly automated workflow systems, such a delay may be too costly to bear in terms of lost business.

Erratic spending

A recent TowerGroup study concludes that within the financial services sector overall, spending on disaster recovery/business continuity planning has been "erratic" at best in recent years. Between 2000 and 2001, spending grew by about 5%. Just one year later, investments soared 19% as a result of the September 11 terrorist attacks.

However, the recent economic slowdown dampened such spending to a 6% growth rate in the years thereafter. TowerGroup estimates that financial services firms are spending close to $4 billion a year for continuity and disaster recovery, and projects it will top $5 billion by 2007.

Two major influences are reshaping businesses' approaches to disaster recovery and business continuity.

For starters, disaster recovery and business continuity increasingly are being perceived as a business problem, and no longer exclusively as an IT problem.

And, a new generation of technologies, led by broadband networks and inexpensive hardware, is shrinking the back-up and recovery window to a matter of minutes for some companies. "Business continuity is not purely an IT issue," says Matthew Josefowicz, manager of the insurance group for Celent Communications, Boston.

"Rather, it is a broad organizational issue that must be considered by every department. Although IT plays a critical role, its role in business-continuity planning, like its role in the organization at large, must be tightly integrated with the rest of the organization in order to be successful," he says.

In the hands of IT

A survey by Strohl Systems, a King of Prussia, Pa.-based provider of disaster recovery and business continuity services, finds that although the largest share of insurance companies (37%) continue to place business continuity in the hands of IT, another 22% report having specific business continuity offices or teams to oversee the process.

Many of these business continuity functions are cross-organizational, but many carriers still place IT in the leadership role.

Such is the case at Harleysville Insurance, which assigns key business continuity roles to the IT department.

"The function here bounced around through a lot of different areas-facilities, risk, and audit," says John Nones, continuity consultant with Harleysville Insurance Cos., Harleysville, Pa. "But no matter how they sliced it, they recognized that IT is a big part of business continuity."

Business involvement in the process is important, stresses Deborah Smallwood, insurance practice leader for TowerGroup, Needham, Mass. "What insurance companies learned from both September 11 and the great blackout (Northeast, summer of 2003) was that even if you can get your computer systems up, you sometimes can't get people back into the office.

"In New York during the blackout, insurers were able to shift their call centers to the Midwest, and they were able to route calls," she says.

"From a customer perspective, things were okay, but the carriers couldn't get people back into the office. They either didn't have transportation, or they didn't want to leave their homes, because their homes didn't have electricity. As a result, insurance companies are looking for ways to make people a little bit more mobile, and this calls for continuity planning from both the IT side and the business side."

Business resiliency

Leading vendors and analysts are defining the practice as "business resiliency," in which systems are kept at highly available-and therefore recoverable-levels at all times.

The costs and capabilities of technology have evolved to the point where companies can achieve a relatively rapid resumption of business operations in the event of a disaster or disruption.

General Casualty, a unit of Winterthur North America, is pursuing an approach in which data and applications will be mirrored at a back-up site. However, rather than replicate its entire center at a second site, only selected mission-critical applications will be deployed at a co-location facility, says Tim Bremer, technology and support manager at Sun Prairie, Wis.-based General Casualty.

In addition, the mirrored back-up site will only support the company's distributed applications.

"Several years ago, we had a mainframe-centric environment," Bremer says. "Disaster recovery in a mainframe world is a pretty straightforward exercise. We do an annual disaster recovery test, in which we declare a disaster on a certain date, pull back-up tapes, move to an offsite facility, run a test, and bring our systems up. The new challenges come in with these middle-tier or Intel server environments, where there's a lot more data involved."

As a result, General Casualty intends to "split" its data center functions between the mainframe and distributed applications, each with its own recovery approaches.

Is it worth the cost?

The ability to mirror or replicate data on an ongoing basis to remote hot sites is a key strategy to achieving business resiliency. Previously, companies loaded back-up data onto a tape, which was then physically shipped to a back-up or hot site.

Now, electronic delivery of data can make such recovery almost instantaneous, if a company is willing to pay for such a capability. The question is, is high availability worth the price?

"If you're talking about highly available from a hardware perspective, almost 100% availability is now available to you," says Mark Vanston, program director for enterprise data center strategies at Meta Group, a Stamford, Conn.-based IT research and consulting firm.

"But it really comes back to a costing issue. Can I afford it? Do I have those types of systems in place? And do I want to keep having those types of systems in place?"

A business impact analysis (BIA) is the first step in answering these questions, and determining exactly how available an application should be to an organization. Strohl Systems found that seven out of 10 insurance companies now undertake a BIA at least once a year. Such a process is instrumental in helping carriers determine the true value in rapidly recovering specific applications.

Harleysville's Nones says that the process helped his company identify the true costs of losing specific applications, which helps in prioritizing recovery plans.

Pragmatic and quantified

"With the BIA, we're putting money behind why we bring certain applications up within 24 hours, 48 hours, or 72 hours," he explains. "We look at the regulatory reasons, the revenue reasons, the loss of customer reasons, and the legal reasons for recovering applications.

"We may find, for example, that an application has to be up in 24 hours, or we lose $2.6 million," Nones explains. "The process is now very pragmatic and quantified. Now, I can tell you exactly why CICS has to be up in 24 hours. Before, it was just, 'Everyone knows it's the most important application, it has to be up and running.'"

Similar questions are included in General Casualty's BIA process, relates Ted Bleifuss, business continuity consultant at General Casualty.

"We really ask for downtime cost from a financial standpoint, from a legal standpoint, and from an operational standpoint," he says. "What's the business reason?"

Although not all of General Casualty's applications have measurements yet, Bleifuss states that key applications are documented in the business impact analysis.

"If our underwriting system is down, how much premium is not going to be coming in the door for one day? That assists us in determining the restoration strategy that's going to be needed if we can't bring up the billing system, or if we can't pay our claims within a certain period of time."

Stan Quintana, vice president of business continuity and security services for AT&T, has seen this process underway among his financial services customers as well.

"They have to show a business value. Does it make sense to put $10 million to put this resilient and high-availability platform in place, when you're only supporting an exposure level of $2 million to the corporation?" he explains.

"That's why it's important that you do the business impact analysis to show that you have this certain platform that you're going to put in place," Quintana says. "That's the business-level approach that IT managers have to take to show their executives to justify putting into place this resilient platform."

Cost of downtime

The business impact analysis addresses the cost of downtime, Celent's Josefowicz explains.

"How much does each hour of downtime cost the firm? For trading floors and transactional customer Web sites, any downtime has a clear cost measured in volume of activity. For customer service centers, any downtime can have a significant impact on customer satisfaction and retention. For some operational systems, like accounts receivable or HR systems, limited downtime might have less impact, if any."

The business impact analysis also serves to help set recovery time objectives, which typically range from zero to 48 hours.

Insurance companies are also in a unique position to understand and disseminate knowledge on business continuity, given the nature of the business. Since insurance companies are in the business of protecting clients against unforeseen disasters, the industry can benefit from the knowledge shared in the normal course of business, says Byron Spruell, national director of Deloitte and Touche's business insurance consulting group.

"Both the insured and the insurance companies are sharing information to protect each other. The sharing and education around the exposures helps both sides."

Joe McKendrick is a freelance writer based in Doylestown, Pa.
