2008 Business Continuity & Corporate Security
Crisis Management in Integrated Financial Services Organizations
Agenda
Crisis Management Planning at Chubb & Son
Crisis Management Planning at New York Life
Questions & Answers
Introduction
Frederick M. Spina – Corporate VP, Business Continuity & Recovery
New York Life Insurance
Bert Wolff – Business Continuity & Security Manager, VP, Chubb & Son
Crisis Management Program Objectives
The objective of our Crisis Management Program is to ensure that the required Corporate Incident Management Teams are in place and trained to:
Respond, Assess and Mitigate – the impact of an anticipated or unanticipated event that threatens normal operations
Declare – communicate the state of the incident internally and externally and mobilize the organization in response
Stabilize – the incident through the invocation of the corporate incident management teams and processes designed to rapidly recover work area space and technology
Ensure – the appropriate levels of communication inside and outside the organization; business interruption is minimized; risk of legal liabilities is minimized; funding and claim payment obligations are met; compliance with applicable laws, regulations and insurance requirements is met
Why is Crisis Management so important?
Managing the Overlap
[Diagram: overlapping areas labelled Security, BCP, DRP and ERP, with the example incidents below placed where the responsibilities of those disciplines overlap]
A – Hurricane Disruption
B – Main Campus Outage
C – Simsbury Server Room Fire
D – Disabled Data Center
E – Cyber Attack
F – International Kidnapping
G – Customer Information Theft
Enterprise Resiliency
Resiliency Defined – “The ability to withstand and bounce back”
The ability of senior management to be prepared for and resilient against disruptions of any kind that could threaten the viability of the organization in the immediate and longer term.
Enterprise Resiliency Program
Crisis Management (CIMT/EIMT)
Responding to Emergencies (ERP)
Ensuring Continuity of Operations (BCP)
Ensuring Continuity of Technology (DRP)
Security
– Protecting Corporate Assets & Employees
– Risk Management & Mitigation
Facilities
IT Infrastructure/Software
Program Scope
Crisis Management Planning (CMP)
– Create tools & training for CIMT/EIMT
– Direct CIMT and EIMT Testing Activities
– Monitor/Track Potential Threats
Emergency Response Planning (ERP)
– Prepare/Exercise ER Strategies
– Design/Implement ER Plans
– Communicate ER Protocols to Employees
Program Scope (continued)
Business Continuity Planning (BCP)
– Maintain BCP Methodology
– Educate/Train/Assist SBUs in Developing BCP Plans
– Identify/Quantify Business Risks
– Provide Recovery Strategies and Solutions
– Conduct Individual and Collective Tests
– Coordinate/Monitor Responses
– Communicate Business Area Requirements (via BIA)
Disaster Recovery Planning (DRP)
– Define Schedules & Objectives for DRP Tests
– Participate in DRP Tests
– Review Test Results
– Adjust Recovery Strategies to Align with SBU Requirements
Security
– Manage/Oversee Corporate Security Program
– Respond to Workplace Violence Issues
Program Integration
These 5 program components join together to form Chubb’s unified Enterprise Resiliency Program.
When integrating these components, a natural overlap of responsibilities emerges during an incident.
Incident Response
The planning, preparation and risk mitigation management that allows us to respond quickly and efficiently to large and small incidents to minimize the effect on our business.
Incident Timeline
[Chart: percentage of operation (vertical axis) against time (horizontal axis), from the onset of the event through Disaster Declaration, Recovery, Transition/‘Return Home’ and Restoration; the Emergency Response Plan, the Technology Disaster Recovery Plan and the Business Continuity Plans (by area) are shown as the plans active in successive phases]
Confidential & Proprietary – For Internal Use Only
Recovery Teams
Response Teams play a critical role in the Command and Control process. They perform the following functions:
Assess the magnitude of an incident
Decide what the response will be
Activate the firm-wide recovery infrastructure
Implement recovery plans
Resolve issues impacting rapid recovery
Local Incident Management Teams (LIMT)
Consisting of members of the local office’s core business areas, for example operations, loss control, claims and human resources
► Coordinates initial emergency response activities
► Provides initial assessment of event to senior managers
► Provides information critical to the declaration decision
► Activated during “Incident Response” phase and remains in effect up until incident is resolved
Recovery Teams
Corporate Incident Management Team (CIMT)
Central authority directing the response process from corporate headquarters. The CIMT is responsible for:
► Declaring a disaster
► Activating all other recovery teams
► Communicating the incident status to senior management, employees and stakeholders where applicable
► Coordinating recovery efforts (i.e. facility and technology)
► Implementing firm-wide support recovery plans (i.e. Human Resources, Corporate Services, Finance, etc.)
► Activating Working Group Teams
Extended Incident Management Team (EIMT)
► Consisting of key individuals who would be involved in the detail of incident resolution, assists the CIMT by responding to and activating recovery priorities at time of event
Contingency Planning Considerations
March 19, 2008
Keep employees, visitors and customer sites safe
Maintain clear communication with employees and/or customers
Never lose critical communication channels that support customers
Isolate incident for access to critical facilities, inventory/assets and intellectual property
Develop cost effective solutions while turning obstacles into opportunities for greater success
Critical Parts of the Survival Puzzle
Failing to anticipate and develop controls for threats to critical/core business functions. (Risk Management/Disaster Plan)
Failing to prevent (or provide advance warning of) one or more people being seriously injured or killed. (Emergency Response Plan/CMT)
Failing to deliver a product or provide a service to a customer. (Business Continuity Plan)
Failing to communicate with our employees, visitors or customers about safety, service, billing or revenue collection. (Business Recovery Plan)
Critical Parts of the Disaster Puzzle
The Disaster Life Cycle
[Cycle diagram with the following stages]
Awareness / Prevention / Auditing/Training – Risk Management Self Assessment – Plan
Emergency Response Plan – CMT (First 24 – 72 hours) – Organized Communication & Response
Business Continuity/Disaster Plans (48 hours – ?) – Protect Cash Flow – Protect Infrastructure & Customer – Use Alternate Plans
Restore Facilities – Resume Normal Operations – Query Customer/Feedback – Customer Retention & Satisfaction
Definition of Role & Responsibility
Risk Management – Self Assessment Opportunities
Oversight Committees (Pandemic, Finance, International, etc.)
Internal Audits & Regulatory Audits
Safeguarding Intellectual Property
Records Management
Creating a safety-conscious culture
Emergency Response
Prompt notification of employees, visitors and customers using one of three Crisis Command Centers
Impact assessment
Rerouting inbound/outbound calls
Physical security
Evacuating/relocating personnel
Employee compassion centers
Voice & data recovery & rerouting
Definition of Role & Responsibility
Disaster Planning & Business Continuity
Identify and plan for maintaining core business functions
Analyze and minimize business impact
Identify resource needs
Understand how long you can operate on “artificial power”
Reroute process, product and delivery
Maintain communication, identify gaps and ensure flexible closure
Communicate with customer (pre)
Business Recovery
Contain the impact of the disaster
Minimize disruption in cash flow, communication & service delivery
Deliver alternate ways to service the customer
Prevent long-term loss of market share
Communicate with customer (post)
Maintain regulatory compliance
Maintain revenue stream and other mission-critical success factors
Observations/Pitfalls to Avoid
Clearly define the role/responsibility of the incident/emergency management team and define the interaction at all levels of the organization, internal and external.
Define assumptions and expectations on how the business will be managed during a significant disruption.
Define levels of outages, accountability and ownership at the local, business unit and corporate crisis management team level.
Provide training and education programs for functional managers. If they understand what is being asked and why, it will enhance their understanding of when and how to act during and after an emergency.
Alternate operating procedures that sustain vital business functions until data processing capacity is restored need to be discussed prior to an event. Avoid heavy reliance on untested plans of others.
Avoid the use of excessively detailed procedures when guidelines would suffice. Make better use of Quick Plans/KISS principle in a crisis.
Contingency Plan Assumptions
Providing 100% redundancy for all disaster types is not practical
Documenting detailed procedures for infinite alternate plans is not cost effective, while understanding the response elements is.
Functional managers must be the architects of the “what if” scenarios that have the greatest business impact.
Qualified personnel with back-up are required to execute the plan.
All facilities must have a life safety emergency evacuation plan that is current and tested periodically.
Communications need to be re-established in less than two hours.
Inefficiencies will occur during the stabilization period.
Local authorities will have the capacity to respond. (Fire/Police/Medical)
Local decision making is required for managing a crisis.
Priority Task Considerations
Enterprise Contingency Plan Model:
Develop and communicate vision/mission defining the new/revised roles and responsibilities
CMT & Employee Awareness
Establish global CMT integration for escalation and notification
Test Crisis Management call center support and intranet access
Distribute revised employee quick reference card
Create and distribute quick reference sheet for managers
Risk Management – Self Assessment Opportunities
Develop Contingency Plan Management System that integrates and acts on existing audit protocol and findings
Develop & Deliver Self Assessment Audit with paths to solutions
Develop Governance Model with Compliance Metric and Benchmark for Sr. Mgmt
Looking Back
Did we develop meaningful metrics that support continuous improvement?
Crisis Management – pre-planning is critical but ……
Sometimes we get lucky
Questions?
Thank you!