Planning for recovery and continuity of operations during a business continuity event is one of the most important responsibilities of any IT organization. To be effective, the plans need to be updated and practiced frequently. What should organizations be considering when they are amending these plans? Are there particular steps they should take to prepare for pandemics, as opposed to disasters like storms, fires, and earthquakes? Here is a sampling of tips from Novarica’s most recent report on disaster recovery and business continuity planning.
Prepare for the next event, not the last one.
Hindsight is 20/20, so it’s unsurprising that lessons learned from previous events tend to flow into planning for future ones. It’s not a bad thing to let experience guide future actions, but it is important to remember that the next event is likely to be different. New threats may require different responses. Events like severe flu outbreaks or COVID-19 can impact employees but leave structures intact. Plans that assume availability of key staff may therefore mask a potentially fatal flaw. For those employees able to work, telecommuting may present unexpected challenges in terms of bandwidth crunches or hiccups with technology novel to employees used to more face-to-face or phone-based interaction.
It’s also important not to forget other types of threats amidst the current concerns around pandemics. Along with hurricanes, fires, storms, earthquakes, and blackouts, cyber threats in and around the data center are always a concern. The most common creator of such events is human error. That error could be the actual cause of a crisis, or it could simply open the door to one (e.g., in the event of a phishing attack). This is another reason why constant training and practice are necessary for business continuity.
Consider partner relations, third-party providers, and external services.
Testing to see what happens when third-party services are unavailable can lead to some surprising, and surprisingly painful, end-user experiences. When a carrier fails to meet customers’ expectations, those customers don’t care whether it was an in-house failure or one at a third party. If a service provider is experiencing a pandemic, no matter where that provider is in the world, the insurer is, too. Insurers need to understand what trigger events will cause them to declare a disaster (and what the decision process will be). It’s a good idea to incorporate external service procedures and processes into plans and test effectively end to end. As SaaS and XaaS services increase, coordination of timing, reconfiguration of traffic patterns, and process timings can become complex. Most importantly, anything that impacts the external customer or agent/broker experience is the area to focus on first. This includes claims, call centers, and critical operational processes. Not everything is equally important.
The entire plan fails if assumptions about ancillary resources are wrong.
DR and BC plans may be built to presume that generator power will be available and that a ready stockpile of fuel can be accessed. This may prove problematic, however, when the power fails, roads are impassable, and the local stockpile of diesel is limited.
Understanding how backup power is distributed throughout the facility can also be vital. It is not only the data center and call center that need power; critical IT support personnel also need power at workstations to perform operations. One carrier discovered this problem during a winter storm that left most of New England without power for days and even weeks. The carrier had to quickly implement designated charging stations for laptops once it discovered that standard IT workstations were not included on the generator support power grid.
Luckily, novel events do not require completely novel DR/BC plans. What they do require is a hard look at existing plans and amendments to take new circumstances into account. The current situation with COVID-19, with researchers discovering new information about the disease and governments and companies around the world reacting to it, is constantly changing. Insurers’ DR/BC plans need to change constantly along with these updates.