Contingency Planning Considerations


2008 Business Continuity & Corporate Security
Crisis Management in Integrated Financial Services Organizations

Agenda
• Crisis Management Planning at Chubb & Son
• Crisis Management Planning at New York Life
• Questions & Answers

Introduction
Bert Wolff, Business Continuity & Security Manager, VP, Chubb & Son
Frederick M. Spina, Corporate VP, Business Continuity & Recovery, New York Life Insurance

Crisis Management Program Objectives
The objective of our Crisis Management Program is to ensure that the required Corporate Incident Management Teams are in place and trained to:
• Respond, Assess and Mitigate the impact of an anticipated or unanticipated event that threatens normal operations
• Declare and Communicate the state of the incident, internally and externally, and mobilize the organization in response
• Stabilize the incident through the invocation of the corporate incident management teams and processes designed to rapidly recover work area space and technology
• Ensure that:
  – The appropriate levels of communication inside and outside the organization are maintained
  – Business interruption is minimized
  – Risk of legal liabilities is minimized
  – Funding and claim payment obligations are met
  – Compliance with applicable laws, regulations and insurance requirements is met

Why is Crisis Management so important?
[Slide graphic listing regional sites: Millstone Nuclear Power Station; Indian Point Nuclear Power Plant; Oyster Creek Nuclear Power Plant; Meadowlands Sports Complex; Port Newark/Elizabeth; Empire State Building; Times Square; Rockefeller Center; Madison Sq. Garden; Grand Central Station]

Managing the Overlap
[Diagram: overlapping regions for ERP, BCP, DRP and Security, with the scenarios below placed across the overlaps]
A – Hurricane Disruption
B – Main Campus Outage
C – Simsbury Server Room Fire
D – Disabled Data Center
E – Cyber Attack
F – International Kidnapping
G – Customer Information Theft

Enterprise Resiliency
• Resiliency Defined – “The ability to withstand and bounce back”
• The ability of Senior management to be prepared for and resilient against disruptions of any kind that could threaten the viability of the organization in the immediate and longer term.

Enterprise Resiliency Program
• Crisis Management (CIMT/EIMT)
• Responding to Emergencies (ERP)
• Ensuring Continuity of Operations (BCP)
• Ensuring Continuity of Technology (DRP)
• Security
  – Protecting Corporate Assets & Employees
  – Risk Management & Mitigation
• Facilities
• IT Infrastructure/Software

Program Scope
• Crisis Management Planning (CMP)
  – Create tools & training for CIMT/EIMT
  – Direct CIMT and EIMT Testing Activities
  – Monitor/Track Potential Threats
• Emergency Response Planning (ERP)
  – Prepare/Exercise ER Strategies
  – Design/Implement ER Plans
  – Communicate ER Protocols to Employees

Program Scope (continued)
• Business Continuity Planning (BCP)
  – Maintain BCP Methodology
  – Educate/Train/Assist SBUs in Developing BCP Plans
  – Identify/Quantify Business Risks
  – Provide Recovery Strategies and Solutions
  – Conduct Individual and Collective Tests
  – Coordinate/Monitor Responses
  – Communicate Business Area Requirements (via BIA)
• Disaster Recovery Planning (DRP)
  – Define Schedules & Objectives for DRP Tests
  – Participate in DRP Tests
  – Review Test Results
  – Adjust Recovery Strategies to Align with SBU Requirements
• Security
  – Manage/Oversee Corporate Security Program
  – Respond to Workplace Violence Issues

Program Integration
• These 5 program components join together to form Chubb’s unified Enterprise Resiliency Program
• When integrating these components, a natural overlap of responsibilities emerges during an incident

Incident Response
The planning, preparation and risk mitigation management that allows us to respond quickly and efficiently to large and small incidents to minimize the effect on our business.

Incident Timeline
[Chart: % Operation plotted against Time. Stages as labelled on the slide: Onset of event; Emergency Response Plan; Disaster Declaration; Business Continuity Plans (by area); Technology Disaster Recovery Plan; Recovery; Restoration; Transition/‘Return Home’]
Confidential & Proprietary – For Internal Use Only

Recovery Teams
Response Teams play a critical role in the Command and Control process. They perform the following functions:
• Assess the magnitude of an incident
• Decide what the response will be
• Activate the firm-wide recovery infrastructure
• Implement recovery plans
• Resolve issues impacting rapid recovery
Local Incident Management Teams (LIMT)
• Consisting of members of the local office’s core business areas, for example operations, loss control, claims and human resources
  ► Coordinates initial emergency response activities
  ► Provides initial assessment of the event to senior managers
  ► Provides information critical to the declaration

Recovery Teams
Corporate Incident Management Team (CIMT)
• Central authority directing the response process from corporate headquarters. The CIMT is responsible for:
  ► Declaring a disaster
  ► Activating all other recovery teams
  ► Communicating the incident status to senior management, employees and stakeholders where applicable
  ► Coordinating recovery efforts (i.e. facility and technology)
  ► Implementing firm-wide support recovery plans (i.e. Human Resources, Corporate Services, Finance, etc.)
  ► Activating Working Group Teams
Extended Incident Management Team (EIMT)
• Consisting of key individuals who would be involved in the detail of incident resolution; assists the CIMT by responding to and activating recovery priorities at the time of the event

Contingency Planning Considerations
March 19, 2008

Critical Parts of the Survival Puzzle
• Keep employees, visitors and customer sites safe
• Maintain clear communication with employees and/or customers
• Never lose critical communication channels that support customers
• Isolate the incident to preserve access to critical facilities, inventory/assets and intellectual property
• Develop cost-effective solutions while turning obstacles into opportunities for greater success

Critical Parts of the Disaster Puzzle
• Failing to anticipate and develop controls for threats to critical/core business functions. (Risk Management/Disaster Plan)
• Failing to prevent (or provide advance warning of) one or more people being seriously injured or killed. (Emergency Response Plan/CMT)
• Failing to deliver a product or provide a service to a customer. (Business Continuity Plan)
• Failing to communicate with our employees, visitors or customers about safety, service, billing or revenue collection. (Business Recovery Plan)

The Disaster Life Cycle
[Cycle diagram. Labels as they appear on the slide: Awareness; Prevention; Auditing/Training; Risk Management; Self Assessment; Plan; Organized Communication & Response; Restore Facilities; Resume Normal Operations; Query Customer/Feedback; Emergency Response Plan – CMT (First 24 – 72 hours); Customer Retention & Satisfaction; Protect Cash Flow; Protect Infrastructure & Customer; Use Alternate Plans; Business Continuity/Disaster Plans (48 hours – ?)]

Definition of Role & Responsibility
Risk Management – Self Assessment Opportunities
• Oversight Committees (Pandemic, Finance, International, etc.)
• Internal Audits & Regulatory Audits
• Safeguarding Intellectual Property
• Records Management
• Creating a safety-conscious culture
Emergency Response
• Prompt notification of employees, visitors and customers using one of three Crisis Command Centers
• Impact assessment
• Rerouting inbound/outbound calls
• Physical security
• Evacuating/relocating personnel
• Employee compassion centers
• Voice & data recovery & rerouting

Definition of Role & Responsibility
Disaster Planning & Business Continuity
• Identify and plan for maintaining core business functions
• Analyze and minimize business impact
• Identify resource needs
• Understand how long you can operate on “artificial power”
• Reroute process, product and delivery
• Maintain communication, identify gaps and ensure flexible closure
• Communicate with the customer – pre-event
Business Recovery
• Contain the impact of the disaster
• Minimize disruption in cash flow, communication & service delivery
• Deliver alternate ways to service the customer
• Prevent long-term loss of market share
• Communicate with the customer – post-event
• Maintain regulatory compliance
• Maintain revenue stream and other mission-critical success factors

Observations/Pitfalls to Avoid
• Clearly define the role/responsibility of the incident/emergency management team and define the interaction at all levels of the organization, internal and external.
• Define assumptions and expectations on how the business will be managed during a significant disruption.
• Define levels of outages, accountability and ownership at the local, business unit and corporate crisis management team level.
• Provide training and education programs for functional managers. If they understand what is being asked and why, they will better understand when and how to act during and after an emergency.
• Alternate operating procedures that sustain vital business functions until data processing capacity is restored need to be discussed prior to an event.
• Avoid heavy reliance on untested plans of others.
• Avoid the use of excessively detailed procedures when guidelines would suffice. Make better use of Quick Plans and the KISS principle in a crisis.

Contingency Plan Assumptions
• Providing 100% redundancy for all disaster types is not practical.
• Documenting detailed procedures for infinite alternate plans is not cost-effective, while understanding the response elements is.
• Functional managers must be the architects of the “what if” scenarios that have the greatest business impact.
• Qualified personnel with back-up are required to execute the plan.
• All facilities must have a life safety emergency evacuation plan that is current and tested periodically.
• Communications need to be re-established in less than two hours.
• Inefficiencies will occur during the stabilization period.
• Local authorities will have the capacity to respond. (Fire/Police/Medical)
• Local decision making is required for managing a crisis.

Priority Task Considerations
Enterprise Contingency Plan Model:
• Develop and communicate vision/mission defining the new/revised roles and responsibilities
CMT & Employee Awareness
• Establish global CMT integration for escalation and notification
• Test Crisis Management call center support and intranet access
• Distribute revised employee quick reference card
• Create and distribute quick reference sheet for managers
Risk Management – Self Assessment Opportunities
• Develop Contingency Plan Management System that integrates and acts on existing audit protocol and findings
• Develop & Deliver Self Assessment Audit with paths to solutions
• Develop Governance Model with Compliance Metric and Benchmark for Sr. Mgmt

Looking Back
• Did we develop meaningful metrics that support continuous improvement?
• Crisis Management pre-planning is critical but … sometimes we get lucky

Questions?
Thank you!