Disaster Recovery Planning Insurance Industry Bharat K Shetty Grant Thornton November 29, 2007


Presentation Transcript


  1. Disaster Recovery Planning: Insurance Industry. Bharat K Shetty, Grant Thornton, November 29, 2007

  2. Overview of Presentation • Background • Risk Management in Insurance Business • Disaster Recovery Plans – concept and structure • Disaster Recovery Plans – Insurance policies available • Disaster Recovery Plans in insurance business • Questions

  3. What is Risk? Definition of “Risk” - Any issue that affects an organization’s ability to meet its objectives. 3 Types of Risk • Hazard: Risk of bad things happening • Uncertainty: Not meeting expectations • Opportunity: Exploring the upside. Enterprise Risk Management addresses all 3 types of risk.

  4. Risk strategy / policy • Risk organization • Risk process & information Identify Monitor Measure Manage … move towards institutionalizing risk management Building and enabling Risk Management Framework

  5. Strategy • Direction • Objectives • Culture • Language Organisation Structure Infrastructure • Department/Committees • Reporting Lines • Roles/Responsibilities • Skills/resources • Tools • Systems • Management Information • Limit Structure Processes • Risk Identification • Risk Assessment • Risk Measurement • Limit Setting • Risk Monitoring • Issue Escalation Risk Management Framework – The way forward

  6. Risk Management Tools Risk Management Team Insurance Companies have to adopt a structured approach to risk management with various risk management tools in the form of: • Risk Status Control Checklists • Safety level indicators in the form of Ratios and Absolute figures with ‘On-line’-‘Red Flag’ response, on safety level being breached • Periodic comparative charts and snapshots of key figures focussed on specific risk factors with emphasis in the following areas: • - Underwriting • - Systems Reliability • - Actuarial assumptions - Pricing and Loss Reserving • - Adherence to investment policy and constant review • - Compliance with Solvency regulations • - Compliance with Investment Regulations • - Accounting policies in accordance with regulations • - Industry benchmarking Review of Risk Factors Documenting Review Results and Action

  7. Purpose of Existence – Risk Management INSURANCE Means of Existence - Risk Management Risks in Insurance Business Risk - Insurance - Risk Management

  8. Risk Management Basic Conflict & Balance • On one hand it is desirable to have the largest possible amount of capital, as this reduces the risk of total claims exceeding its capital resources • On the other hand, the amount of capital in hand should be kept as small as possible so that the insurer can earn an attractive return on invested capital for its shareholders Risk Return Board

  9. Risk Management in Insurance Business --- Business Process Risks Risk factors under Business Process can be categorised as inherent risk factors and control risk factors • Control Risk Factors • The control risk factors pertain to the operations within individual processes. The potential errors which could result from these risks would generally relate to genuineness/validity, valuation/measurement and cut-off/completeness. • It should be noted that at the commencement of business, specific emphasis should be placed on inherent risk factors by considering the impact of various business characteristics • Inherent Risk Factors • The identification of inherent risk requires a review of the insurance company’s operations during the detailed planning process by taking into account general business characteristics stated below. These are relevant for all the Business processes. • Business Structure • Products • Business Relationships • Company Culture • People

  10. Risk Management in Insurance Business IT Systems Risks • Information Technology (IT) has become a key enabler in improving effectiveness and efficiency of Business Operations. However, use of IT gives rise to risks as well. • These Risks include :- • Inherent risk within Information Technology which could lead to security breaches, hacking, etc. • Weak business controls in IT applications which could lead to fraud, manipulation of data etc. • Lack of availability or change in IT systems leading to adverse impact on reliability of business operations.

  11. AVAILABILITY CONFIDENTIALITY INTEGRITY The Three Pillars of Information Control DATA

  12. Risks and Implications EMBARRASSMENT CREDIBILITY ACCIDENTAL DAMAGE NATURAL DISASTERS INTERCEPTION SOCIAL ENGINEERING ATTACK SCAVENGING AVAILABILITY CONFIDENTIALITY VIRUS ATTACK DATA WIRETAPPING INTEGRITY TROJAN HORSES HARDWARE FAILURE SOFTWARE FAILURE FRAUD & THEFT UNAUTHORISED ACCESS LOSS OF CUSTOMERS COMPETITION

  13. Risk Management in Insurance External Risks Political and Economic Developments Certain decisions could have far reaching implications to the operations, existence and survival of insurance companies. Further, the overall economic condition of other industries directly impacts the growth, stability and survival of insurance companies: • Rules and regulations for operating in the industry are open to amendments and modifications at the will of the lawmakers • Exposure to particular industries could lead to huge exposures for insurance companies in case of downturn

  14. Risk Management in Insurance External Risks Catastrophic Occurrences Catastrophic occurrences would affect life insurance companies, in so far as they are not included in the exclusions. Insurance companies could be pro-active to face such eventualities • Develop a reserving model (actuarial valuation) which include assumptions considering a probabilistic occurrence of catastrophes and provide for the same on a rational basis • Obtain updates from geological, meteorological and other relevant institutes to prevent underwriting under known circumstances (more relevant to General insurance companies)

  15. Absence of adequate Risk Management Procedures Homeowners Insurance in Florida • The insurance companies in Florida had not factored a hurricane with the loss potential of Hurricane Andrew into their rate calculations. • However, research done after Hurricane Andrew revealed that the pre-Andrew conditions risk evaluation in Florida was a collective misevaluation. The consequences of the insurance industry’s failure to foresee Hurricane Andrew and its losses created a property and casualty insurance market which was highly price competitive and where insurers had excessive concentration of policies in coastal counties subject to hurricanes where a significant portion of the home market was located. • Market share rather than prudent underwriting seemed to guide decisions to insure new property. Following Hurricane Andrew in 1992, property and casualty insurance companies in Florida were faced with over $16 billion in insured losses. In reaction, an insurance crisis ensued. This could have been avoided, had the risk evaluation been more effective and consequently the rates could have been adjusted for this increased risk perception.

  16. When Disaster strikes • Affects business along the entire value chain • Business revenue/profit drops • Damage to physical assets/loss of critical data • Brand equity takes a beating • Loss of customers (who chose alternatives) • Loss of shareholder value • Existence could be threatened • File timely claims with Insurance Company

  17. What is Disaster Recovery Plan? A Disaster Recovery Plan is an insurance policy; you pray that you'll never need to use it but you'll be glad you have it, if you ever do. It enables an organization to respond efficiently to potential threats that may render all or parts of its operations and resources unavailable. According to Gartner, two out of five enterprises that experience a disaster go out of business within 5 years.

  18. Disaster Recovery Plans - The Trigger • Tragic events of September 11, 2001 – attacks on the World Trade Centre • Serious losses borne by small and medium sized businesses • Lack of adequate disaster recovery plans and/or appropriate insurance policies

  19. Disaster Recovery Plans - Characteristics • Approved set of arrangements and procedures – documented and tested • Insurance against disasters • All risks and threats considered - vital to business operations • Effective response to disaster • Resumption of critical business functions • Minimum downtime • Reduce level of risk, cost and impact to staff, customers and suppliers.

  20. Disaster Recovery Plans - The Structure • Preventive (pre-disaster) • Using mirrored servers for mission critical systems • Maintaining hot sites (fully operational offsite data processing facility equipped with both hardware and system software) • Use of firewalls (hardware and software) – to prevent unauthorized access to private networks • Continuity (during a disaster) • Maintaining core, mission critical systems and resource skeletons (bare minimum assets required to maintain operations) • Initiating secondary hot sites

  21. Disaster Recovery Plans - The Structure • Recovery (post-disaster) • Restoration of systems and resources to full operational status • Subscribe to quick ship programs – third party service providers who can deliver pre-configured replacement systems within a fixed time frame

  22. Business Continuity Plan Considerations for Business Continuity • Business Continuity Planning (BCP) should be conducted on an enterprise wide basis • Thorough business impact analysis to be done • Asset identification and classification – Not all assets are critical • Risk Analysis and Management – Acceptable risks and identified controls • Emergency response mechanism – plan and detailed procedures • Communication – plan to be shared with stakeholders, employees, etc.

  23. Business Continuity Plan Considerations for Business Continuity • Testing of plan and training to staff on usage • The BCP and test results should be subjected to independent audit • Periodic review to meet changing business needs • Balance between risk management cost and disaster recovery cost • Appropriate insurance coverage- no under insurance

  24. Business Continuity Plans Barriers • Cost of Business Continuity Plans – redundancy costs • Attitude - top down approach – management needs to be convinced • Lack of awareness about consequences • Lack of awareness about benefits of Business Continuity Plans

  25. Disaster Recovery Plans Insurance policies available • Liability insurance policies - might include endorsements for personal injury, host liquor liability, fiduciary liability or fire legal liability • Business interruption insurance – a form of insurance that pays a benefit to a small business following a disaster when a business is unable to resume operations • Commercial auto insurance – vehicle insured for physical damage and third party liability • Non owned automobile coverage – insurance for vehicles not owned by the Company but used by the employees or others for business purposes • Hired automobile coverage

  26. Disaster Recovery Plans Insurance policies available • Leasehold insurance, property casualty insurance, Flood insurance, etc. • Boiler and machinery insurance • Business owner's policy • Director's and officer's liability insurance • Keyman insurance policies – covering key employees of the organisation • In case operations are carried out from home - consider insurance coverage for the home office especially office equipment used at home and business liability coverage for business carried out at home • In case of laptops or mobile phones issued to employees, consider covering the same as part of the commercial policy

  27. Disaster Recovery Plans Insurance policies available • Workers' compensation insurance and disability benefits insurance • Generally mandatory for businesses - state requirement • Protects employees against the risk of sustaining a job related injury • Covers medical expenses, disability income benefits and death benefits • Beneficiary - dependents of an employee whose death is related to the job. • Premiums are assessed according to payroll and depend on the industry classification of the business, e.g. an advertising firm pays a lower premium than a construction company, reflecting the relative risks of injury to employees

  28. Disaster Recovery Plans Insurance – Key factors • Self participation in the loss by way of deductibles - either as a fixed amount or % of sum insured • Co-insurance deductibles – deductibles against each and every loss (e.g. earthquake insurance) • Risk adjusted premiums based on risk level • Liability limits – cap on insured amount. • Strike a balance between loss prevention and acceptability by customers (adequate market penetration)

  29. Disaster Recovery Plans Insurance policies - precautions • Avoid ambiguity in the insurance policy else there could be disagreements during claims settlement • Resolving insurance disputes with insurance surveyors and insurance companies • Revise insurance programs annually to consider changes in business and growth • Consider economics of the insurance cycle • Avoid captive insurance – risks stay within the group • Insurance policies cover only financial risks. They are not protection plans. The aim of a complete disaster recovery plan is to ensure survival by ensuring continuous flow and availability of data.

  30. DRP/BCP in Insurance companies The anomaly • Though these companies insure us, do they have systems guaranteeing that they themselves are safeguarded from natural disasters? Do they have ready databases available at other sites, or for that matter, do they have a disaster recovery (DR) site? Do they have the infrastructure in place to deal with such calamities in future? And for those who do not, are they on their way to planning for future emergencies?

  31. DRP/BCP in Insurance companies Risk Mitigation • Charge technically adequate rates • Applying appropriate underwriting guidelines • Establishing reserves for natural perils • Limiting liability using reinsurance protection (ceding insurance) • Balancing risk over time and regions • Controlling and limited liabilities • State as a reinsurer of the last resort for extraordinary losses (beyond the capacity of the private sector) • State can grant tax exemption for catastrophe reserves of private insurers

  32. DRP/BCP in Insurance companies • LIC and GIC, the older insurance companies are in the process of getting their DRP infrastructure in place – initiatives include warehousing with WIPRO and Teradata at a cost of Rs.35 crores spread over 3 years • HDFC Standard Life • Multiple UPS system (main and back up) – for power supply • Restricted physical access to server room using access control system • Back up for critical systems • Redundancy for routers, switches, etc. • Redundancy for WAN links at critical locations

  33. DRP/BCP in Insurance companies • ICICI Lombard General Insurance • Core insurance applications configured on multiple servers • Network load balancing service to ensure even distribution of transaction load during peak hours • Database for core applications kept on storage area network – ensures data integrity in case of error on the database servers • Regular back ups of database or application servers based on predefined policies • Dedicated systems for urgent restoration on site • Copy of back up media kept at an offsite location

  34. DRP/BCP in Insurance companies • Metlife Inc. • Development, testing and maintenance of Metlife Business Continuity Plans • Covers all business locations and production IT systems and applications • The plans are routinely updated by business units and IT risk and Business Recovery department – annual review • Continuous review of internal controls relating to continuity plans • The database is replicated between two sites that are several hundred miles apart • Business impact analysis – to align BCP with business requirements. • Contracted with a recovery services vendor for use of a remote alternate site to support critical business operations. • 48 hours required to resume critical business operations

  35. DRP/BCP in Insurance companies Key Aspects • Crisis management and incident response • Data back up, data and system recovery • Recovery of all mission critical business functions and supporting systems • Equivalent hardware and sufficient capacity to switch over entire production load • Alternate recovery sites, if primary location is unavailable • Communication with customers, employees and other stakeholders • Assurance to customers of continued service

  36. DRP/BCP in Insurance companies The grind • Business Impact Analysis and Risk Assessment – to be performed every year • Proper Disaster Recovery (DR) software for back up and replication (Veritas, Tivoli, etc.) • Applications and production data to be backed up to the DR site • Test DRP applications and plans at least once in six months • Business Continuity Plan (BCP) – written plan for all critical functions • BCP review and update – performed at least annually • BCP exercises – performed at least annually • Monitor events (including regulatory changes) and adjust plans accordingly

  37. Disaster Recovery Plans/Business Continuity Plans The essence Impending disasters cannot be prevented but business exposures and financial risks can be minimized. DRP/BCP is a tall order. The essence of DRP/BCP is continuous monitoring and supervision activities.

  38. Disaster Recovery Plans / Business Continuity Plans Any Questions??

  39. Accounting Standards 26 Thank you for a patient listening!
