Re/insurers' business continuity plans were tested in the Cayman Islands when Hurricane Ivan hit the region in September 2004 Mark Brockmeier says it proves the point that disaster recovery planning is an essential business tool.
Many regard the Caribbean Islands as akin to paradise, not just from the aspect of the quality of life but also because many island governments have passed regulatory frameworks over the last 20 years that make them very attractive domiciles for banking and re/insurance companies. But while there are the virtues of warm climate, abundant recreation and tax advantages, every decade or so between July and November a significant drawback can emerge - in the form of a direct hit from a hurricane.
Of course, every location has its share of natural disaster risk: tornado, earthquake, flood, volcanic eruption, or snow and ice storm. But few natural disasters can compare with both the ferocity and destruction wrought over an entire nation, as in the case of the Caribbean island nations and protectorates. This summer's storms were particularly devastating, with Frances, Charley and Ivan taking their toll on the Caribbean basin normally impacted by no more than a single storm every other year.
Long an overlooked risk, hurricane hits have brought new focus to both consumers and business, and not just in Florida. Businesses are taking a wholesale look at their plans for business recovery, not only trying to determine what to do if their facilities are blown down or unable to be occupied for an extended period, but also how to conduct business in the event of breakdown of critical island infrastructure.
Much of that contingency is contained in long obscure planning documents known as 'disaster recovery', or more optimistically 'business continuity'. However, all too many people do not know what their business continuity plan contains - or even whether it exists.
What are the essential tenets of business continuity plans, and how can an enterprise protect essential data and records to continue its business within a day or two of a hurricane's direct hit, no matter what the severity? Essentially, there are a few main things to keep in mind to develop an effective business continuity plan.
- Look at the plan on an enterprise-wide basis. How does the disaster impact the firm as a whole, not just its operations?
- Business continuity is not just IT and data (although that's a big part of a business in the electronic/internet age). It's also recovery of the business itself, as some firms learned all too well on 9/11.
- Planning, risk analysis and impact assessments are the necessary cornerstones of an effective business continuity plan.
- Test the plan periodically. Like a fire drill, a practice run will make things a little smoother when (not if) the disaster hits. Remember, corporations outlive your and others' employment tenure and take on a life decades after they are founded.
- Update the plan as business conditions change.
Without embarking on a fullscale discussion of the complete scope of business continuity planning, it is worth reviewing each of these factors individually.
Strategy is key
Business continuity is more than facilities loss. From a strategic view, business continuity plans:
- mitigate financial loss;
- continue to service customers, policyholders, banks, and other financial interests; and
- reduce damage to the firm's continuing operations, liquidity, credit, markets and market share, and regulatory compliance.
Directors and senior management play a principal role in laying out the plan, personnel responsible, and objectives/response in a business continuity plan. After all, the board's key responsibility in risk assessment and mitigation is paramount to the business' very survival, and business continuity planning is part of fulfilling that mission. The plan should name key persons to implement the plan and also develop contingencies if those responsible are injured, killed or otherwise unavailable (as was the case, for example, in 2003 when many key executives were in Monte Carlo during Bermuda's hit).
Teams are the name of the game
We hear more and more about forming teams, but in the context of business continuity planning the concept takes on crucial meaning. Each area of the business should be examined and assigned for crucial needs and infrastructure. Some areas which require teams include:
- IT (hardware, software and data);
- human resources; and
- account/client management.
On an island with limited resources, be certain to outsource where possible but always have internal accountability. Other areas, like the departmental structures such as claims, may not require immediate response but should nonetheless be integrated into a team within a few days of the disaster. Vendor management and support (such as offsite data backup) should also be integrated into the plan.
Planning, risk and impact
Impact analysis includes reviewing how any event (not just a hurricane, but other events on-shore and off-island) can affect a re/insurer's business and customers. There should also be some sort of assessment for the maximum probable and maximum possible downtime that is acceptable. What is the result to the business if the disaster occurs during the renewal season? Is business lost to competitors, are submissions not lost but heavily backlogged, and does management anticipate how customers will react? What are the critical systems that need attention and immediate recovery?
Companies find that business process analysis, so common to most projects, plays a role here as well. In examining which business processes drive the business and regulatory framework, those systems can be prioritised as crucial to the business. What are the crucial recovery points? How can the environment and process be quickly replicated, and at the same site or an alternate site? While many questions need to be addressed if a business has not done this kind of analysis before, the resultant matrix will be transferable to other planning and projects as well.
Of course, it is not just enough to identify any disaster. The famous case of Munich Re's actuaries postulating that the industry should begin collecting fractional cents per policy over time to guard against the theoretical risk of meteor collision with the earth garnered some debate after 9/11. My opinion is that, if a meteor collides with the earth, the resulting reinsurance claim is the least of the financial markets' and ultimately the earth's environment's concerns! In business continuity planning, prioritising the events, their likelihood and the resulting impact is crucial.
Not every event has catastrophic severity. Hurricanes, for example, vary widely in destructive power, and a Category 1 or 2 will do vastly different damage than a Category 4 or 5 to the Cayman Islands. Yet it is far more likely that a Category 1 or 2 storm will hit Cayman regularly, simply because there are more of them.
A gap will almost certainly exist between the impact analysis and risk assessment. The likelihood of an event often drives the business continuity plan and the types of services engaged. Catastrophe modelling is common as an adjunct to this kind of assessment and provides a more scientific approach than the 'do I feel lucky?' school of thought. This kind of analysis and risk assessment are essential and ultimately must be accepted by senior management when weighing mitigation risk and costs.
As the business conditions change, business process, locations, technology, regulatory frameworks and many other items, both internal and external to the re/insurer, change as well. It is therefore necessary to 'dust off' the business continuity plan at least annually, review it for relevance, adjust it to new threats and delete outdated risks. For example, where once storage space was the key driver in data recovery, it is rather ubiquitous now and not nearly as costly as it was 20 years ago. So while companies have vastly more electronic records than before, adjustments in the risk assessment may lead to a different decision in the plan, based on new technology or affordability. Testing should ideally be well-defined from the start and should answer:
- what systems are being tested?
- what will qualify as a successful test?
- will the test disrupt normal business operations?
- are the test scripts defined, and were they judged as relevant?
- what adjustments need to be made, and what lessons can be incorporated into the plan?
It is sometimes useful to use external organisations to conduct the testing since they can advise on what method and size of the test should be done and share their experience with similar companies (size or industry) to assist in making adjustments going forward. Be sure to include at least some of the responsible persons in the stated plan in the annual testing cycle.
Like any project, business continuity planning is a process that does not end with the creation, testing and successful completion of a test. It is a constant struggle of planning, impact, risk analysis, gap analysis, testing and adjustments for a day which hopefully won't happen this year. But like an insurance policy, when disaster strikes it is a small price to pay for what is at the end of the day essential protection.
Can anyone doubt that those companies in the Cayman Islands that managed to continue operating with little or even no interruption after the 2004 hurricanes consider their investment in continuity planning was money well spent? For an industry driven by risk, going without an updated, complete and tested business continuity plan is one risk that should not be easily retained.
BCPs prove their worth
Many Cayman Islands financial companies' business continuity plans functioned successfully following Hurricane Ivan, according to the Cayman Islands Financial Services Association (CIFSA). The association reported that, as a result of business continuity plans and the use of servers and temporary facilities elsewhere, client services were only interrupted for a few days for many companies while some had virtually uninterrupted service.
Because of their vulnerability, most Cayman financial institutions have post-storm strategies that include backing up files and moving operations temporarily to other offshore financial hubs like the Bahamas or the Channel Islands in Europe, said Eduardo D'Angelo P Silva, director of the Cayman Islands Financial Services Association and president of the Cayman Islands Bankers Association.
Mark C Brockmeier is Americas vice president of sales for CSC's reinsurance division.