
© 2007 Grant Thornton

Disaster Recovery Planning – Insurance Industry

Bharat K Shetty, Grant Thornton
November 29, 2007


Overview of Presentation

• Background
• Risk Management in Insurance Business
• Disaster Recovery Plans – concept and structure
• Disaster Recovery Plans – insurance policies available
• Disaster Recovery Plans in insurance business
• Questions


What is Risk?

Definition of "Risk": any issue that affects an organization's ability to meet its objectives.

Three types of risk:

• Hazard – risk of bad things happening
• Uncertainty – not meeting expectations
• Opportunity – exploring the upside

Enterprise Risk Management addresses all three types of risk.


Building and enabling a Risk Management Framework

The risk management cycle: Identify, Measure, Manage, Monitor.

Supported by:

• Risk strategy / policy
• Risk organization
• Risk process & information

… move towards institutionalizing risk management


Risk Management Framework – The way forward

Strategy
• Direction
• Objectives
• Culture
• Language

Organisation Structure
• Department/Committees
• Reporting Lines
• Roles/Responsibilities
• Skills/resources

Infrastructure
• Tools
• Systems
• Management Information
• Limit Structure

Processes
• Risk Identification
• Risk Assessment
• Risk Measurement
• Limit Setting
• Risk Monitoring
• Issue Escalation


Risk Management Tools

Insurance companies have to adopt a structured approach to risk management, with risk management tools in the form of:

• Risk status control checklists
• Safety level indicators, in the form of ratios and absolute figures, with an on-line "red flag" response when a safety level is breached
• Periodic comparative charts and snapshots of key figures focused on specific risk factors, with emphasis on the following areas:
  – Underwriting
  – Systems reliability
  – Actuarial assumptions
  – Pricing and loss reserving
  – Adherence to investment policy and constant review
  – Compliance with solvency regulations
  – Compliance with investment regulations
  – Accounting policies in accordance with regulations
  – Industry benchmarking

Operating cycle: the risk management team reviews the risk factors and documents the review results and the actions taken.


Risks in Insurance Business: Risk – Insurance – Risk Management

Insurance:
• Purpose of existence – risk management
• Means of existence – risk management


Risk Management – Basic Conflict & Balance

The board has to balance risk against return:

On one hand it is desirable to have the largest possible amount of capital, as this reduces the risk of total claims exceeding the insurer's capital resources.

On the other hand, the amount of capital in hand should be kept as small as possible so that the insurer can earn an attractive return on invested capital for its shareholders.


Risk Management in Insurance Business – Business Process Risks

Risk factors under business processes can be categorised as inherent risk factors and control risk factors.

Inherent risk factors
The identification of inherent risk requires a review of the insurance company's operations during the detailed planning process, taking into account the general business characteristics listed below. These are relevant for all business processes.

• Business structure
• Products
• Business relationships
• Company culture
• People

Control risk factors
The control risk factors pertain to the operations within individual processes. The potential errors which could result from these risks would generally relate to genuineness/validity, valuation/measurement and cut-off/completeness.

It should be noted that at the commencement of business, specific emphasis should be placed on inherent risk factors by considering the impact of the various business characteristics.


Risk Management in Insurance Business – IT Systems Risks

• Information Technology (IT) has become a key enabler in improving the effectiveness and efficiency of business operations. However, the use of IT gives rise to risks as well.
• These risks include:
  – Inherent risk within information technology, which could lead to security breaches, hacking, etc.
  – Weak business controls in IT applications, which could lead to fraud, manipulation of data, etc.
  – Lack of availability of IT systems, or changes to them, adversely affecting the reliability of business operations.


The Three Pillars of Information Control

(Diagram: three pillars surrounding DATA; the pillar labels are not present in the transcript.)


Risks and Implications

Threats surrounding DATA and their implications:

• Competition
• Credibility / embarrassment
• Fraud & theft
• Scavenging
• Virus attack
• Accidental damage
• Wiretapping
• Unauthorised access
• Interception
• Trojan horses
• Software failure
• Hardware failure
• Social engineering attack
• Natural disasters
• Loss of customers


Risk Management in Insurance – External Risks

Political and Economic Developments

Certain decisions could have far-reaching implications for the operations, existence and survival of insurance companies. Further, the overall economic condition of other industries directly impacts the growth, stability and survival of insurance companies:

• Rules and regulations for operating in the industry are open to amendment and modification at the will of the lawmakers
• Exposure to particular industries could lead to huge exposures for insurance companies in case of a downturn


Risk Management in Insurance – External Risks

Catastrophic Occurrences

Catastrophic occurrences would affect life insurance companies in so far as they are not included in the exclusions. Insurance companies could be pro-active in facing such eventualities:

• Develop a reserving model (actuarial valuation) whose assumptions consider the probabilistic occurrence of catastrophes, and provide for the same on a rational basis
• Obtain updates from geological, meteorological and other relevant institutes to prevent underwriting under known circumstances (more relevant to general insurance companies)


Absence of adequate Risk Management Procedures

Homeowners Insurance in Florida

The insurance companies in Florida had not factored a hurricane with the loss potential of Hurricane Andrew into their rate calculations.

Research done after Hurricane Andrew revealed that the pre-Andrew risk evaluation in Florida was a collective misevaluation. The consequence of the insurance industry's failure to foresee Hurricane Andrew and its losses was a property and casualty insurance market which was highly price competitive, and in which insurers had an excessive concentration of policies in the hurricane-prone coastal counties where a significant portion of the home market was located.

Market share rather than prudent underwriting seemed to guide decisions to insure new property. Following Hurricane Andrew in 1992, property and casualty insurance companies in Florida were faced with over $16 billion in insured losses, and an insurance crisis ensued. This could have been avoided had the risk evaluation been more effective, so that rates could have been adjusted for the increased risk.


When Disaster strikes

• Affects business along the entire value chain

• Business revenue/profit drops

• Damage to physical assets/loss of critical data

• Brand equity takes a beating

• Loss of customers (who chose alternatives)

• Loss of shareholder value

• Existence could be threatened

File timely claims with Insurance Company


What is Disaster Recovery Plan?

A Disaster Recovery Plan is an insurance policy; you pray that you'll never need to use it but you'll be glad you have it, if you ever do. It enables an organization to respond efficiently to potential threats that may render all or parts of its operations and resources unavailable.

According to Gartner, two out of five enterprises that experience a disaster go out of business within 5 years.


Disaster Recovery Plans -The Trigger

• Tragic events of September 11, 2001 – attacks on the World Trade Centre

• Serious losses borne by small and medium sized businesses

• Lack of adequate disaster recovery plans and/or appropriate insurance policies


Disaster Recovery Plans -Characteristics

• Approved set of arrangements and procedures – documented and tested

• Insurance against disasters

• All risks and threats considered- vital to business operations

• Effective response to disaster

• Resumption of critical business functions

• Minimum downtime

• Reduce level of risk, cost and impact to staff, customers and suppliers.


Disaster Recovery Plans -The Structure

Preventive (pre- disaster)

• Using mirrored servers for mission critical systems

• Maintaining hot sites (fully operational offsite data processing facility equipped with both hardware and system software)

• Use of firewalls (hardware and software) – to prevent unauthorized access to private networks

Continuity (during a disaster)

• Maintaining core, mission critical systems and resource skeletons (bare minimum assets required to maintain operations)

• Initiating secondary hot sites


Disaster Recovery Plans -The Structure

Recovery (post disaster)

• Restoration of systems and resources to full operational status

• Subscribe to quick-ship programs – third-party service providers who can deliver pre-configured replacement systems within a fixed time frame


Business Continuity Plan Considerations for Business Continuity

• Business Continuity Planning (BCP) should be conducted on an enterprise wide basis

• Thorough business impact analysis to be done

• Asset identification and classification – Not all assets are critical

• Risk Analysis and Management – Acceptable risks and identified controls

• Emergency response mechanism – plan and detailed procedures

• Communication – plan to be shared with stakeholders, employees, etc.


Business Continuity Plan Considerations for Business Continuity

• Testing of plan and training to staff on usage

• The BCP and test results should be subjected to independent audit

• Periodic review to meet changing business needs

• Balance between risk management cost and disaster recovery cost

• Appropriate insurance coverage – no under-insurance


Business Continuity Plans Barriers

• Cost of Business Continuity Plans – redundancy costs

• Attitude - top down approach – management needs to be convinced

• Lack of awareness about consequences

• Lack of awareness about benefits of Business Continuity Plans


Disaster Recovery Plans Insurance policies available

• Liability insurance policies - might include endorsements for personal injury, host liquor liability, fiduciary liability or fire legal liability

• Business interruption insurance – a form of insurance that pays a benefit to a small business following a disaster when a business is unable to resume operations

• Commercial auto insurance – vehicle insured for physical damage and third party liability

• Non owned automobile coverage – insurance for vehicles not owned by the Company but used by the employees or others for business purposes

• Hired automobile coverage


Disaster Recovery Plans Insurance policies available

• Leasehold insurance, property casualty insurance, Flood insurance, etc.

• Boiler and machinery insurance

• Business owner's policy

• Directors' and officers' liability insurance

• Key-man insurance policies – covering key employees of the organisation

• In case operations are carried out from home - consider insurance coverage for the home office especially office equipment used at home and business liability coverage for business carried out at home

• In case of laptops or mobile phones issued to employees, consider covering the same as part of the commercial policy


Disaster Recovery Plans Insurance policies available

Workers' compensation insurance and disability benefits insurance

• Generally mandatory for businesses - state requirement

• Protects employees against the risk of sustaining a job related injury

• Covers medical expenses, disability income benefits and death benefits

• Beneficiary - dependents of an employee whose death is related to the job.

• Premiums are assessed according to payroll and depend on the industry classification of the business; e.g. an advertising firm pays a lower premium than a construction company, reflecting the relative risks of injury to employees


Disaster Recovery Plans Insurance – Key factors

• Self participation in the loss by way of deductibles- either as a fixed amount or % of sum insured

• Co-insurance deductibles – deductibles against each and every loss (e.g. earthquake insurance)

• Risk adjusted premiums based on risk level

• Liability limits – cap on insured amount.

• Strike a balance between loss prevention and acceptability by customers (adequate market penetration)


Disaster Recovery Plans Insurance policies - precautions

• Avoid ambiguity in the insurance policy else there could be disagreements during claims settlement

• Provide for resolving insurance disputes with insurance surveyors and insurance companies

• Revise insurance programs annually to consider changes in business and growth

• Consider economics of the insurance cycle

• Avoid captive insurance – risks stay within the group

• Insurance policies cover only financial risks. They are not protection plans. The aim of a complete disaster recovery plan is to ensure survival by ensuring the continuous flow and availability of data.


DRP/BCP in Insurance companies – The anomaly

Though these companies insure us, do they have systems guaranteeing that they themselves are safeguarded from natural disasters? Do they have ready databases available at other sites, or for that matter, do they have a disaster recovery (DR) site? Do they have the infrastructure in place to deal with such calamities in future? And for those who do not, are they on their way to planning for future emergencies?


DRP/BCP in Insurance companies – Risk Mitigation

• Charging technically adequate rates
• Applying appropriate underwriting guidelines
• Establishing reserves for natural perils
• Limiting liability using reinsurance protection (ceding insurance)
• Balancing risk over time and regions
• Controlling and limiting liabilities
• State as a reinsurer of last resort for extraordinary losses (beyond the capacity of the private sector)
• State can grant tax exemption for catastrophe reserves of private insurers


DRP/BCP in Insurance companies

• LIC and GIC, the older insurance companies, are in the process of getting their DRP infrastructure in place – initiatives include data warehousing with WIPRO and Teradata at a cost of Rs. 35 crore spread over 3 years
• HDFC Standard Life
  – Multiple UPS systems (main and back-up) for power supply
  – Restricted physical access to the server room using an access control system
  – Back-up for critical systems
  – Redundancy for routers, switches, etc.
  – Redundancy for WAN links at critical locations


DRP/BCP in Insurance companies

• ICICI Lombard General Insurance
  – Core insurance applications configured on multiple servers
  – Network load balancing service to ensure even distribution of the transaction load during peak hours
  – Databases for the core applications kept on a storage area network, so that the data survives an error on a database server
  – Regular back-ups of database and application servers based on predefined policies
  – Dedicated systems for urgent restoration on site
  – Copy of back-up media kept at an offsite location


DRP/BCP in Insurance companies

• MetLife Inc.
  – Development, testing and maintenance of MetLife business continuity plans
  – Covers all business locations and production IT systems and applications
  – The plans are routinely updated by the business units and the IT Risk and Business Recovery department – annual review
  – Continuous review of internal controls relating to continuity plans
  – The database is replicated between two sites that are several hundred miles apart
  – Business impact analysis, to align the BCP with business requirements
  – Contracted with a recovery services vendor for use of a remote alternate site to support critical business operations
  – Critical business operations to be resumed within 48 hours


DRP/BCP in Insurance companiesKey Aspects

• Crisis management and incident response

• Data back up, data and system recovery

• Recovery of all mission critical business functions and supporting systems

• Equivalent hardware and sufficient capacity to switch over entire production load

• Alternate recovery sites, if primary location is unavailable

• Communication with customers, employees and other stakeholders

• Assurance to customers of continued service


DRP/BCP in Insurance companies – The grind

• Business Impact Analysis and Risk Assessment – to be performed every year
• Proper Disaster Recovery (DR) software for back-up and replication (Veritas, Tivoli, etc.)
• Applications and production data to be backed up to the DR site
• Test DR applications and plans at least once every six months
• Business Continuity Plan (BCP) – written plan for all critical functions
• BCP review and update – performed at least annually
• BCP exercises – performed at least annually
• Monitor events (including regulatory changes) and adjust plans accordingly
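The "red flag" safety-level indicator described under Risk Management Tools, applied to the back-up, offsite-copy and DR-test requirements listed in this slide and to the 48-hour resumption target quoted for MetLife, as an added worked example; it is not from the Grant Thornton deck or from any of the insurers it names. The system names, the RPO/RTO targets, the six-monthly test interval, the backup catalogue entries and the test results are all constructed assumptions. The catalogue records a SHA-256 digest for each copy when it is written, so a copy whose media has since degraded is raised as a flag rather than counted as recoverable.

```python
"""Red-flag DR readiness check. Added example, not part of the Grant Thornton deck;
every system, target, backup record and test result below is constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fixed reference time so the check is deterministic (assumption, not a live clock).
NOW = datetime(2007, 11, 29, 9, 0)


@dataclass
class SystemTarget:
    name: str
    rpo: timedelta            # max tolerable age of the newest usable copy (recovery point objective)
    rto: timedelta            # max tolerable time to resume the function (recovery time objective)
    test_interval: timedelta  # how often the DR plan for this system must be exercised


@dataclass
class BackupCopy:
    system: str
    taken_at: datetime
    location: str   # "primary" or "offsite"
    sha256: str     # digest recorded in the backup catalogue when the copy was written
    payload: bytes  # stand-in for the backup image as read back from the media now


@dataclass
class DrTest:
    system: str
    run_at: datetime
    restore_time: timedelta
    success: bool


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_system(target: SystemTarget, copies, tests, now: datetime = NOW) -> list:
    """Return the red flags raised for one system; an empty list means ready."""
    flags = []
    mine = [c for c in copies if c.system == target.name]
    # A copy only counts if what is on the media still matches the catalogue digest.
    for c in mine:
        if sha256_hex(c.payload) != c.sha256:
            flags.append(f"{target.name}: {c.location} copy of {c.taken_at:%Y-%m-%d %H:%M} fails integrity check")
    good = [c for c in mine if sha256_hex(c.payload) == c.sha256]
    offsite = [c for c in good if c.location == "offsite"]
    if not offsite:
        flags.append(f"{target.name}: no verified offsite copy")
    else:
        age = now - max(c.taken_at for c in offsite)
        if age > target.rpo:
            flags.append(f"{target.name}: newest verified offsite copy is {age} old, RPO is {target.rpo}")
    runs = [t for t in tests if t.system == target.name]
    if not runs:
        flags.append(f"{target.name}: DR plan never exercised")
    else:
        last = max(runs, key=lambda t: t.run_at)
        if now - last.run_at > target.test_interval:
            flags.append(f"{target.name}: last DR test on {last.run_at:%Y-%m-%d} is older than {target.test_interval.days} days")
        if not last.success:
            flags.append(f"{target.name}: last DR test failed")
        elif last.restore_time > target.rto:
            flags.append(f"{target.name}: measured restore {last.restore_time} exceeds RTO {target.rto}")
    return flags


# Constructed sample data (hypothetical systems and figures).
PAYLOAD_A = b"policy-admin backup image 2007-11-28"
PAYLOAD_B = b"claims backup image 2007-11-20"
TARGETS = [
    SystemTarget("policy-admin", timedelta(hours=24), timedelta(hours=48), timedelta(days=180)),
    SystemTarget("claims", timedelta(hours=24), timedelta(hours=48), timedelta(days=180)),
]
COPIES = [
    BackupCopy("policy-admin", datetime(2007, 11, 28, 23, 0), "primary", sha256_hex(PAYLOAD_A), PAYLOAD_A),
    BackupCopy("policy-admin", datetime(2007, 11, 28, 23, 0), "offsite", sha256_hex(PAYLOAD_A), PAYLOAD_A),
    # Newest offsite claims copy whose media has degraded: contents no longer match the catalogue digest.
    BackupCopy("claims", datetime(2007, 11, 28, 23, 0), "offsite", sha256_hex(PAYLOAD_B), PAYLOAD_B + b"\x00"),
    BackupCopy("claims", datetime(2007, 11, 20, 23, 0), "offsite", sha256_hex(PAYLOAD_B), PAYLOAD_B),
]
TESTS = [
    DrTest("policy-admin", datetime(2007, 9, 15, 8, 0), timedelta(hours=36), True),
    DrTest("claims", datetime(2007, 3, 1, 8, 0), timedelta(hours=60), True),
]


def run_all(targets=TARGETS, copies=COPIES, tests=TESTS, now=NOW) -> dict:
    """Map each system name to its list of red flags."""
    return {t.name: check_system(t, copies, tests, now) for t in targets}


if __name__ == "__main__":
    for system, flags in run_all().items():
        print(system, "READY" if not flags else "RED FLAG")
        for f in flags:
            print("  -", f)
```

Run stand-alone it reports policy-admin as ready and raises four flags for claims: the degraded offsite copy, the resulting RPO breach (the newest usable copy is over eight days old), a DR test older than six months, and a measured restore that exceeded the 48-hour target. The integrity check is the point of the exercise: a backup catalogue that lists an offsite copy says nothing about whether that copy can still be restored, which is why the slide's "test at least once every six months" belongs next to "copy of back-up media kept offsite".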


Disaster Recovery Plans / Business Continuity Plans – The essence

Impending disasters cannot be prevented, but business exposures and financial risks can be minimized.

DRP/BCP is a tall order: its essence is continuous monitoring and supervision.


Disaster Recovery Plans / Business Continuity Plans

Any Questions?

Thank you for your patient listening!