Contingency Planning Considerations
2008 Business Continuity & Corporate
Security
Crisis Management in Integrated
Financial Services Organizations
Agenda
– Crisis Management Planning at Chubb & Son
– Crisis Management Planning at New York Life
– Questions & Answers
Introduction
Bert Wolff
Business Continuity & Security Manager, VP
Chubb & Son
Frederick M. Spina
Corporate VP, Business Continuity & Recovery
New York Life Insurance
Crisis Management Program Objectives
The objective of our Crisis Management Program is to ensure that the required Corporate Incident Management Teams are in place and trained to:
– Respond, Assess and Mitigate: the impact of an anticipated or unanticipated event that threatens normal operations
– Declare: communicate the state of the incident internally and externally, and mobilize the organization in response
– Stabilize: the incident, through the invocation of the corporate incident management teams and processes designed to rapidly recover work area space and technology
– Ensure: the appropriate levels of communication inside and outside the organization; that business interruption is minimized; that the risk of legal liabilities is minimized; that funding and claim payment obligations are met; and that compliance with applicable laws, regulations and insurance requirements is met
Why is Crisis Management so important?
(Map of the New York metropolitan area showing nearby critical sites and landmarks: Millstone Nuclear Power Station, Indian Point Nuclear Power Plant, Oyster Creek Nuclear Power Plant, Meadowlands Sports Complex, Port Newark/Elizabeth, Empire State Building, Times Square, Rockefeller Center, Madison Sq. Garden, Grand Central Station)
Managing the Overlap
(Diagram: overlapping circles for Security, ERP, BCP and DRP, with the following example incidents placed in the regions where those programs overlap)
A – Hurricane Disruption
B – Main Campus Outage
C – Simsbury Server Room Fire
D – Disabled Data Center
E – Cyber Attack
F – International Kidnapping
G – Customer Information Theft
Enterprise Resiliency
Resiliency Defined – “The ability to withstand and bounce back”
The ability of Senior management to be prepared for and resilient against disruptions of any kind that could threaten the viability of the organization in the immediate and longer term.
Enterprise Resiliency Program
Crisis Management (CIMT/EIMT)
Responding to Emergencies (ERP)
Ensuring Continuity of Operations (BCP)
Ensuring Continuity of Technology (DRP)
Security
– Protecting Corporate Assets & Employees
– Risk Management & Mitigation
Facilities
IT
Infrastructure/Software
Program Scope
Crisis Management Planning (CMP)
– Create tools & training for CIMT/EIMT
– Direct CIMT and EIMT Testing Activities
– Monitor/Track Potential Threats
Emergency Response Planning (ERP)
– Prepare/Exercise ER Strategies
– Design/Implement ER Plans
– Communicate to Employees ER Protocols
Program Scope (continued)
Business Continuity Planning (BCP)
– Maintain BCP Methodology
– Educate/Train/Assist SBU’s in Developing BCP Plans
– Identify/Quantify Business Risks
– Provide Recovery Strategies and Solutions
– Conduct Individual and Collective Tests
– Coordinate/Monitor Responses
– Communicate Business Area Requirements (via BIA)
Disaster Recovery Planning (DRP)
– Define Schedules & Objectives for DRP Tests
– Participate in DRP Tests
– Review Test Results
– Adjust Recovery Strategies to Align with SBU Requirements
Security
– Manage/Oversee Corporate Security Program
– Responding to Workplace Violence Issues
Program Integration
These 5 program components join together to form Chubb’s unified Enterprise Resiliency Program.
When integrating these components, a natural overlap of responsibilities emerges during an incident.
Incident Response
The planning, preparation and risk mitigation management that allows us to respond quickly and efficiently to large and small incidents to minimize the effect on our business.
Incident Timeline
(Chart: % Operation against Time. Phases from the onset of the event: Emergency Response Plan; Disaster Declaration; Business Continuity Plans (by area) and Technology Disaster Recovery Plan running in parallel through Recovery; Restoration; Transition/‘Return Home’)
Confidential & Proprietary – For Internal Use Only
Response Teams play a critical role in the Command and Control process. They perform the following functions:
► Assess the magnitude of an incident
► Decide what the response will be
► Activate the firm wide recovery infrastructure
► Implement recovery plans
► Resolve issues impacting rapid recovery
Local Incident Management Teams (LIMT)
Consisting of members of the local office’s core business areas, for example operations, loss control, claims and human resources.
► Coordinates initial emergency response activities
► Provides initial assessment of event to senior managers
► Provides information critical to the declaration
Recovery Teams
Corporate Incident Management Team (CIMT)
Central authority directing the response process from corporate headquarters. The CIMT is responsible for:
► Declaring a disaster
► Activating all other recovery teams
► Communicating to senior management, employees and stakeholders where applicable the incident status
► Coordinating recovery efforts (i.e. facility and technology)
► Implementing firm wide support recovery plans (i.e. Human Resources, Corporate Services, Finance, etc.)
► Activating Working Group Teams
Extended Incident Management Team (EIMT)
Consisting of key individuals who would be involved in the detail of incident resolution, assists the CIMT by responding to and activating recovery priorities at time of event.
Contingency Planning Considerations
March 19, 2008
Critical Parts of the Survival Puzzle
Keep employees, visitors and customer sites safe
Maintain clear communication with employees and/or customers
Never lose critical communication channels that support customers
Isolate incident for access to critical facilities, inventory/assets and intellectual property
Develop cost effective solutions while turning obstacles into opportunities for greater success
Critical Parts of the Disaster Puzzle
Failing to anticipate and develop controls for threats to critical/core business functions. (Risk Management/Disaster Plan)
Failing to prevent (or provide advance warning of) one or more people being seriously injured or killed. (Emergency Response Plan/CMT)
Failing to deliver a product or provide a service to a customer. (Business Continuity Plan)
Failing to communicate with our employees, visitors or customers about safety, service, billing or revenue collection. (Business Recovery Plan)
The Disaster Life Cycle
(Cycle diagram; stages and labels as they appear on the slide)
Awareness / Prevention: Auditing/Training, Risk Management, Self Assessment, Plan
Emergency Response Plan - CMT (First 24 – 72 hours): Organized Communication & Response
Business Continuity/Disaster Plans (48 hours – ?): Protect Cash Flow, Protect Infrastructure & Customer, Use Alternate Plans
Restore Facilities, Resume Normal Operations, Query Customer/Feedback, Customer Retention & Satisfaction
Definition of Role & Responsibility
Risk Management – Self Assessment Opportunities
Oversight Committees (Pandemic, Finance, International, etc.)
Internal Audits & Regulatory Audits
Safeguarding Intellectual Property
Records Management
Creating a safety conscious culture
Emergency Response
Prompt notification of employees, visitors and customers using one of three Crisis Command Centers.
Impact assessment
Rerouting inbound/outbound calls
Physical security
Evacuating/relocating personnel
Employee compassion centers
Voice & data recovery & rerouting
Definition of Role & Responsibility
Disaster Planning & Business Continuity
Identify and plan for maintaining core business functions
Analyze and minimize business impact
Identify resource needs
Understand how long you can operate on “artificial power”
Reroute process, product and delivery
Maintain communication, identify gaps and ensure flexible closure
Communicate with customer – pre
Business Recovery
Contain the impact of the disaster
Minimize disruption in cash flow, communication & service delivery
Deliver alternate ways to service the customer
Prevent long term loss of market share
Communicate with customer – post
Maintain regulatory compliance
Maintain revenue stream and other mission critical success factors
Observations/Pitfalls to Avoid
Clearly define the role/responsibility of the incident/emergency management team and define the interaction at all levels of the organization, internal and external.
Define assumptions and expectations on how the business will be managed during a significant disruption.
Define levels of outages, accountability and ownership at the local, business unit and corporate crisis management team level.
Provide training and education programs for functional managers. If they understand what is being asked of them and why, they will better understand when and how to act during and after an emergency.
Alternate operating procedures that sustain vital business functions until data processing capacity is restored must be discussed and agreed before an event, not during it.
Avoid heavy reliance on untested plans of others.
Avoid the use of excessively detailed procedures when guidelines would suffice. Make better use of Quick Plans/KISS principle in a crisis.
Contingency Plan Assumptions
Providing 100% redundancy for all disaster types is not practical.
Documenting detailed procedures for infinite alternate plans is not cost effective, while understanding the response elements is.
Functional managers must be the architects of the “what if” scenarios that have the greatest business impact.
Qualified personnel with back-up are required to execute the plan.
All facilities must have a life safety emergency evacuation plan that is current and tested periodically.
Communications need to be re-established in less than two hours.
Inefficiencies will occur during the stabilization period.
Local authorities will have the capacity to respond. (Fire/Police/Medical)
Local decision making is required for managing a crisis.
Priority Task Considerations
Enterprise Contingency Plan Model:
Develop and communicate vision/mission defining the new/revised roles and responsibilities
CMT & Employee Awareness
Establish global CMT integration for escalation and notification
Test Crisis Management call center support and intranet access
Distribute revised employee quick reference card
Create and distribute quick reference sheet for managers
Risk Management – Self Assessment Opportunities
Develop Contingency Plan Management System that integrates and acts on existing audit protocol and findings
Develop & Deliver Self Assessment Audit with paths to solutions
Develop Governance Model with Compliance Metric and Benchmark for Sr. Mgmt
Looking Back
Did we develop meaningful metrics that support continuous improvement?
Crisis Management – pre-planning is critical but …… sometimes we get lucky.
Questions?
Thank you!