Disaster Recovery Planning – Insurance Industry
Bharat K Shetty, Grant Thornton
November 29, 2007
© 2007 Grant Thornton
Overview of Presentation
• Background
• Risk Management in Insurance Business
• Disaster Recovery Plans – concept and structure
• Disaster Recovery Plans – insurance policies available
• Disaster Recovery Plans in insurance business
• Questions
What is Risk?
Definition of “Risk”: any issue that affects an organization’s ability to meet its objectives.
3 Types of Risk
• Hazard – risk of bad things happening
• Uncertainty – not meeting expectations
• Opportunity – exploring the upside
Enterprise Risk Management addresses all 3 types of risk.
Building and enabling a Risk Management Framework
Risk management cycle: Identify → Measure → Manage → Monitor
Framework components:
• Risk strategy / policy
• Risk organization
• Risk process & information
… moving towards institutionalizing risk management
Risk Management Framework – The way forward
Strategy
• Direction
• Objectives
• Culture
• Language
Organisation Structure
• Department/Committees
• Reporting Lines
• Roles/Responsibilities
• Skills/resources
Infrastructure
• Tools
• Systems
• Management Information
• Limit Structure
Processes
• Risk Identification
• Risk Assessment
• Risk Measurement
• Limit Setting
• Risk Monitoring
• Issue Escalation
Risk Management Tools
Insurance companies have to adopt a structured approach to risk management, with risk management tools in the form of:
• Risk status control checklists
• Safety level indicators in the form of ratios and absolute figures, with an on-line “red flag” response when a safety level is breached
• Periodic comparative charts and snapshots of key figures focused on specific risk factors, with emphasis on the following areas:
  – Underwriting
  – Systems reliability
  – Actuarial assumptions
  – Pricing and loss reserving
  – Adherence to investment policy and constant review
  – Compliance with solvency regulations
  – Compliance with investment regulations
  – Accounting policies in accordance with regulations
  – Industry benchmarking
Risk Management Team: review of risk factors, documenting review results and the actions taken.
Risks in Insurance Business – Risk, Insurance, Risk Management
For an insurer, risk management is both its purpose of existence and its means of existence.
Risk Management – Basic Conflict & Balance (risk vs. return, balanced by the Board)
On one hand it is desirable to have the largest possible amount of capital, as this reduces the risk of total claims exceeding the insurer’s capital resources.
On the other hand, the amount of capital in hand should be kept as small as possible so that the insurer can earn an attractive return on invested capital for its shareholders.
Risk Management in Insurance Business – Business Process Risks
Risk factors under business processes can be categorised as inherent risk factors and control risk factors.
Inherent Risk Factors: the identification of inherent risk requires a review of the insurance company’s operations during the detailed planning process, taking into account the general business characteristics below. These are relevant for all business processes.
• Business Structure
• Products
• Business Relationships
• Company Culture
• People
Control Risk Factors: the control risk factors pertain to the operations within individual processes. The potential errors which could result from these risks would generally relate to genuineness/validity, valuation/measurement and cut-off/completeness.
It should be noted that at the commencement of business, specific emphasis should be placed on inherent risk factors by considering the impact of the various business characteristics.
Risk Management in Insurance Business – IT Systems Risks
• Information Technology (IT) has become a key enabler in improving the effectiveness and efficiency of business operations. However, the use of IT gives rise to risks as well.
• These risks include:
– Inherent weaknesses within the IT environment which could lead to security breaches, unauthorised intrusion (“hacking”), etc.
– Weak business controls in IT applications which could lead to fraud, manipulation of data, etc.
– Lack of availability of, or uncontrolled change in, IT systems, adversely affecting the reliability of business operations.
Risks and Implications
[Figure: word cloud centred on DATA. Threats: scavenging, virus attack, accidental damage, wiretapping, unauthorised access, interception, Trojan horses, software failure, hardware failure, social engineering attack, natural disasters. Implications: fraud & theft, credibility/embarrassment, loss of customers, competition.]
Risk Management in Insurance – External Risks
Political and Economic Developments
Certain decisions could have far-reaching implications for the operations, existence and survival of insurance companies. Further, the overall economic condition of other industries directly impacts the growth, stability and survival of insurance companies:
• Rules and regulations for operating in the industry are open to amendment and modification at the will of the lawmakers
• Exposure to particular industries could lead to huge exposures for insurance companies in case of a downturn
Risk Management in Insurance – External Risks
Catastrophic Occurrences
Catastrophic occurrences would affect life insurance companies in so far as they are not included in the policy exclusions. Insurance companies could be proactive in facing such eventualities:
• Develop a reserving model (actuarial valuation) which includes assumptions for the probabilistic occurrence of catastrophes and provides for them on a rational basis
• Obtain updates from geological, meteorological and other relevant institutes to prevent underwriting under known adverse circumstances (more relevant to general insurance companies)
Absence of adequate Risk Management Procedures
Homeowners Insurance in Florida
The insurance companies in Florida had not factored a hurricane with the loss potential of Hurricane Andrew into their rate calculations.
Research done after Hurricane Andrew revealed that the pre-Andrew risk evaluation in Florida was a collective misevaluation. The consequences of the insurance industry’s failure to foresee Hurricane Andrew and its losses were a property and casualty insurance market which was highly price competitive and in which insurers had an excessive concentration of policies in the hurricane-exposed coastal counties where a significant portion of the home market was located.
Market share rather than prudent underwriting seemed to guide decisions to insure new property. Following Hurricane Andrew in 1992, property and casualty insurance companies in Florida were faced with over $16 billion in insured losses, and an insurance crisis ensued. This could have been avoided had the risk evaluation been more effective, so that rates could have been adjusted for the increased risk.
When Disaster strikes
• Affects business along the entire value chain
• Business revenue/profit drops
• Damage to physical assets/loss of critical data
• Brand equity takes a beating
• Loss of customers (who choose alternatives)
• Loss of shareholder value
• Existence could be threatened
File timely claims with the insurance company.
What is a Disaster Recovery Plan?
A Disaster Recovery Plan is like an insurance policy: you hope you will never need to use it, but you will be glad you have it if you ever do. It enables an organization to respond efficiently to potential threats that may render all or parts of its operations and resources unavailable.
According to Gartner, two out of five enterprises that experience a disaster go out of business within 5 years.
Disaster Recovery Plans – The Trigger
• Tragic events of September 11, 2001 – attacks on the World Trade Centre
• Serious losses borne by small and medium sized businesses
• Lack of adequate disaster recovery plans and/or appropriate insurance policies
Disaster Recovery Plans – Characteristics
• Approved set of arrangements and procedures – documented and tested
• Insurance against disasters
• All risks and threats vital to business operations considered
• Effective response to disaster
• Resumption of critical business functions
• Minimum downtime
• Reduced level of risk, cost and impact to staff, customers and suppliers
Disaster Recovery Plans – The Structure
Preventive (pre-disaster)
• Using mirrored servers for mission critical systems
• Maintaining hot sites (fully operational offsite data processing facility equipped with both hardware and system software)
• Use of firewalls (hardware and software) – to prevent unauthorized access to private networks
Continuity (during a disaster)
• Maintaining core, mission critical systems and resource skeletons (bare minimum assets required to maintain operations)
• Initiating secondary hot sites
Recovery (post-disaster)
• Restoration of systems and resources to full operational status
• Subscribe to quick-ship programs – third-party service providers who can deliver pre-configured replacement systems within a fixed time frame
Business Continuity Plan – Considerations for Business Continuity
• Business Continuity Planning (BCP) should be conducted on an enterprise wide basis
• Thorough business impact analysis to be done
• Asset identification and classification – Not all assets are critical
• Risk Analysis and Management – Acceptable risks and identified controls
• Emergency response mechanism – plan and detailed procedures
• Communication – plan to be shared with stakeholders, employees, etc.
• Testing of plan and training to staff on usage
• The BCP and test results should be subjected to independent audit
• Periodic review to meet changing business needs
• Balance between risk management cost and disaster recovery cost
• Appropriate insurance coverage- no under insurance
Business Continuity Plans – Barriers
• Cost of Business Continuity Plans – redundancy costs
• Attitude – top-down approach; management needs to be convinced
• Lack of awareness about consequences
• Lack of awareness about benefits of Business Continuity Plans
Disaster Recovery Plans – Insurance policies available
• Liability insurance policies - might include endorsements for personal injury, host liquor liability, fiduciary liability or fire legal liability
• Business interruption insurance – a form of insurance that pays a benefit to a business for the period after a disaster during which it is unable to resume operations
• Commercial auto insurance – vehicle insured for physical damage and third party liability
• Non owned automobile coverage – insurance for vehicles not owned by the Company but used by the employees or others for business purposes
• Hired automobile coverage
• Leasehold insurance, property casualty insurance, Flood insurance, etc.
• Boiler and machinery insurance
• Business owner's policy
• Directors’ and officers’ liability insurance
• Keyman insurance policies – covering key employees of the organisation
• In case operations are carried out from home - consider insurance coverage for the home office especially office equipment used at home and business liability coverage for business carried out at home
• In case of laptops or mobile phones issued to employees, consider covering the same as part of the commercial policy
Workers' compensation insurance and disability benefits insurance
• Generally mandatory for businesses - state requirement
• Protects employees against the risk of sustaining a job related injury
• Covers medical expenses, disability income benefits and death benefits
• Beneficiary - dependents of an employee whose death is related to the job.
• Premiums are assessed according to payroll and depend on the industry classification of the business, e.g. an advertising firm pays a lower premium than a construction company, reflecting the relative risk of injury to employees
Disaster Recovery Plans – Insurance – Key factors
• Self-participation in the loss by way of deductibles – either a fixed amount or a % of the sum insured
• Co-insurance deductibles – deductibles applied against each and every loss (e.g. earthquake insurance)
• Risk adjusted premiums based on risk level
• Liability limits – cap on insured amount.
• Strike a balance between loss prevention and acceptability by customers (adequate market penetration)
Disaster Recovery Plans – Insurance policies – precautions
• Avoid ambiguity in the insurance policy else there could be disagreements during claims settlement
• Resolving insurance disputes with insurance surveyors and insurance companies
• Revise insurance programs annually to consider changes in business and growth
• Consider economics of the insurance cycle
• Avoid captive insurance – risks stay within the group
• Insurance policies cover only the financial loss; they are not protection plans. The aim of a complete disaster recovery plan is to ensure survival by keeping data and critical operations continuously available.
DRP/BCP in Insurance companies – The anomaly
Though these companies insure us, do they have systems guaranteeing that they themselves are safeguarded from natural disasters? Do they have ready databases available at other sites, or for that matter, do they have a disaster recovery (DR) site? Do they have the infrastructure in place to deal with such calamities in future? And for those who do not, are they on their way to planning for future emergencies?
DRP/BCP in Insurance companies – Risk Mitigation
• Charging technically adequate rates
• Applying appropriate underwriting guidelines
• Establishing reserves for natural perils
• Limiting liability using reinsurance protection (ceding insurance)
• Balancing risk over time and regions
• Controlling and limiting liabilities
• State as a reinsurer of last resort for extraordinary losses (beyond the capacity of the private sector)
• State can grant tax exemption for catastrophe reserves of private insurers
DRP/BCP in Insurance companies
• LIC and GIC, the older insurance companies, are in the process of getting their DRP infrastructure in place – initiatives include data warehousing with WIPRO and Teradata at a cost of Rs.35 crores spread over 3 years
• HDFC Standard Life
  – Multiple UPS systems (main and back-up) for power supply
  – Restricted physical access to the server room using an access control system
  – Back-up for critical systems
  – Redundancy for routers, switches, etc.
  – Redundancy for WAN links at critical locations
• ICICI Lombard General Insurance
  – Core insurance applications configured on multiple servers
  – Network load balancing service to ensure even distribution of transaction load during peak hours
  – Database for core applications kept on a storage area network – keeps the data intact and available if a database server fails (it does not by itself protect against logical corruption of the data; the back-ups below cover that)
  – Regular back-ups of database and application servers based on predefined policies
  – Dedicated systems for urgent restoration on site
  – Copy of back-up media kept at an offsite location
• MetLife Inc.
  – Development, testing and maintenance of MetLife Business Continuity Plans
  – Covers all business locations and production IT systems and applications
  – The plans are routinely updated by business units and the IT Risk and Business Recovery department – annual review
  – Continuous review of internal controls relating to continuity plans
  – The database is replicated between two sites that are several hundred miles apart
  – Business impact analysis – to align the BCP with business requirements
  – Contracted with a recovery services vendor for use of a remote alternate site to support critical business operations
  – 48 hours required to resume critical business operations
DRP/BCP in Insurance companies – Key Aspects
• Crisis management and incident response
• Data back up, data and system recovery
• Recovery of all mission critical business functions and supporting systems
• Equivalent hardware and sufficient capacity to switch over entire production load
• Alternate recovery sites, if primary location is unavailable
• Communication with customers, employees and other stakeholders
• Assurance to customers of continued service
DRP/BCP in Insurance companies – The grind
• Business Impact Analysis and Risk Assessment – to be performed every year
• Proper Disaster Recovery (DR) software for back-up and replication (Veritas, Tivoli, etc.)
• Applications and production data to be backed up to the DR site
• Test DR applications and plans at least once every six months
• Business Continuity Plan (BCP) – written plan for all critical functions
• BCP review and update – performed at least annually
• BCP exercises – performed at least annually
• Monitor events (including regulatory changes) and adjust plans accordingly
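The cadence and back-up rules listed above, together with the data back-up and offsite-copy items under Key Aspects, are the kind of controls an auditor can check mechanically rather than take on trust. The Python script below is an added example, not part of the original presentation and not any insurer's tooling: the system names, RPO values, timestamps and the byte strings standing in for backup images are constructed sample data, and the six-month and twelve-month intervals are the slide's stated cadences expressed as assumed constants.

```python
"""DR/BCP control checker.

Added example, not from the original slides. Encodes the rules listed under
'The grind' and 'Key aspects' as checks over a (constructed) system inventory:
  - production data backed up to the DR site within each system's RPO,
  - an offsite copy whose integrity can be verified by hash comparison,
  - restore tests at least every six months,
  - BIA/risk assessment, BCP review and BCP exercise at least annually.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Cadences stated on the slides (assumed defaults; tune to policy).
DR_TEST_INTERVAL = timedelta(days=182)   # "at least once in six months"
ANNUAL_INTERVAL = timedelta(days=365)    # BIA, BCP review, BCP exercise


@dataclass
class SystemRecord:
    name: str
    rpo_hours: float                     # maximum tolerable data loss
    last_backup: datetime                # last successful backup at the DR site
    primary_blob: bytes                  # constructed stand-in for the backup image
    offsite_blob: bytes | None           # copy held at the offsite location, if any
    last_restore_test: datetime | None   # last time a restore was actually exercised


@dataclass
class Finding:
    system: str
    control: str
    detail: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_system(rec: SystemRecord, now: datetime) -> list[Finding]:
    findings: list[Finding] = []
    # 1. RPO: the newest backup must be no older than the RPO.
    age = now - rec.last_backup
    if age > timedelta(hours=rec.rpo_hours):
        hours = age.total_seconds() / 3600
        findings.append(Finding(rec.name, "rpo",
                                f"last backup {hours:.1f}h old, RPO {rec.rpo_hours}h"))
    # 2. Offsite copy: must exist and be byte-identical to the primary image.
    if rec.offsite_blob is None:
        findings.append(Finding(rec.name, "offsite_copy", "no offsite copy recorded"))
    elif sha256(rec.offsite_blob) != sha256(rec.primary_blob):
        findings.append(Finding(rec.name, "offsite_copy", "offsite copy hash mismatch"))
    # 3. A backup that has never been restored is an assumption, not a control.
    if rec.last_restore_test is None or now - rec.last_restore_test > DR_TEST_INTERVAL:
        findings.append(Finding(rec.name, "dr_test", "restore test overdue (>6 months)"))
    return findings


def check_programme(reviews: dict[str, datetime | None], now: datetime) -> list[Finding]:
    """Programme-level annual activities: BIA, BCP review, BCP exercise."""
    out: list[Finding] = []
    for activity, last in reviews.items():
        if last is None or now - last > ANNUAL_INTERVAL:
            out.append(Finding("programme", activity, "overdue (>12 months)"))
    return out


def build_sample(now: datetime) -> tuple[list[SystemRecord], dict[str, datetime | None]]:
    """Constructed inventory: one compliant system and two with gaps."""
    policy_img = b"policy-admin backup image v1"
    systems = [
        SystemRecord("policy-admin", 4, now - timedelta(hours=1),
                     policy_img, policy_img, now - timedelta(days=30)),
        # backup older than its RPO, and the offsite copy is a stale version
        SystemRecord("claims", 4, now - timedelta(hours=9),
                     b"claims backup image v7", b"claims backup image v6",
                     now - timedelta(days=60)),
        # fresh backup, but no offsite copy and never restore-tested
        SystemRecord("actuarial-models", 24, now - timedelta(hours=2),
                     b"models", None, None),
    ]
    reviews: dict[str, datetime | None] = {
        "bia": now - timedelta(days=100),
        "bcp_review": now - timedelta(days=400),
        "bcp_exercise": None,
    }
    return systems, reviews


def run_checks(now: datetime) -> dict[str, list[str]]:
    """Return failed control names keyed by system ('programme' for BIA/BCP items)."""
    systems, reviews = build_sample(now)
    findings = [f for s in systems for f in check_system(s, now)]
    findings += check_programme(reviews, now)
    report: dict[str, list[str]] = {}
    for f in findings:
        report.setdefault(f.system, []).append(f.control)
    return report


if __name__ == "__main__":
    for system, controls in run_checks(datetime.now(timezone.utc)).items():
        print(f"{system}: {', '.join(controls)}")
```

Run directly, it prints the overdue controls per system. The hash comparison is what turns “copy of back-up media kept at an offsite location” into a verifiable control rather than a statement of intent, and the restore-test check reflects the point made under The grind: a backup nobody has restored within the last six months has not been shown to work.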
Disaster Recovery Plans/Business Continuity Plans – The essence
Impending disasters cannot be prevented, but business exposures and financial risks can be minimized.
DRP/BCP is a tall order. The essence of DRP/BCP is continuous monitoring and supervision.