
Agenda

2008 Business Continuity & Corporate Security Crisis Management in Integrated Financial Services Organizations. Agenda. Crisis Management Planning at Chubb & Son Crisis Management Planning at New York Life Questions & Answers. Introduction. Bert Wolff


Presentation Transcript


  1. 2008 Business Continuity & Corporate Security Crisis Management in Integrated Financial Services Organizations

  2. Agenda • Crisis Management Planning at Chubb & Son • Crisis Management Planning at New York Life • Questions & Answers

  3. Introduction Bert Wolff Business Continuity & Security Manager, VP Chubb & Son Frederick M. Spina Corporate VP, Business Continuity & Recovery New York Life Insurance

  4. Crisis Management Program Objectives • The objective of our Crisis Management Program is to ensure that the required Corporate Incident Management Teams are in place and trained to: • Respond and Assess and Mitigate • The impact of an anticipated or unanticipated event that threatens normal operations • Declare • Communicate the state of the incident internal and external and to mobilize the organization in response • Stabilize • The incident through the invocation of the corporate incident management teams and processes designed to rapidly recover work area space and technology • Ensure • The appropriate levels of communication inside and outside the organization • Business interruption is minimized • Risk of legal liabilities is minimized • Funding and claim payment obligations are met • Compliance with applicable laws, regulations, insurance requirements are met

  5. Why is Crisis Management so important?

  6. Managing the Overlap [Diagram relating Crisis Management, Security, ERP, BCP and DRP to incidents A–G] • A – Hurricane Disruption • B – Main Campus Outage • C – Simsbury Server Room Fire • D – Disabled Data Center • E – Cyber Attack • F – International Kidnapping • G – Customer Information Theft

  7. Enterprise Resiliency • Resiliency Defined – • “The ability to withstand and bounce back” • The ability of Senior management to be prepared for and resilient against disruptions of any kind that could threaten the viability of the organization in the immediate and longer term.

  8. Enterprise Resiliency Program • Crisis Management (CIMT/EIMT) • Responding to Emergencies (ERP) • Ensuring Continuity of Operations (BCP) • Ensuring Continuity of Technology (DRP) • Security Protecting Corporate Assets & Employees • Risk Management & Mitigation • Facilities • IT Infrastructure/Software

  9. Program Scope • Crisis Management Planning (CMP): Create tools & training for CIMT/EIMT; Direct CIMT and EIMT Testing Activities; Monitor/Track Potential Threats • Emergency Response Planning (ERP): Prepare/Exercise ER Strategies; Design/Implement ER Plans; Communicate to Employees ER Protocols

  10. Program Scope (continued) • Business Continuity Planning (BCP): Maintain BCP Methodology; Educate/Train/Assist SBUs in Developing BCP Plans; Identify/Quantify Business Risks; Provide Recovery Strategies and Solutions; Conduct Individual and Collective Tests; Coordinate/Monitor Responses; Communicate Business Area Requirements (via BIA) • Disaster Recovery Planning (DRP): Define Schedules & Objectives for DRP Tests; Participate in DRP Tests; Review Test Results; Adjust Recovery Strategies to Align with SBU Requirements • Security: Manage/Oversee Corporate Security Program; Responding to Workplace Violence Issues

  11. Program Integration • These 5 program components join together to form Chubb’s unified Enterprise Resiliency Program. • When integrating these components, a natural overlap of responsibilities emerges during an incident.

  12. Incident Response • The planning, preparation and risk mitigation management that allows us to respond quickly and efficiently to large and small incidents to minimize the effect on our business.

  13. Incident Timeline [Chart: % operation against time. Plans shown: Emergency Response Plan, Business Continuity Plans (by area), Technology Disaster Recovery Plan. Labels: Onset of event, Disaster Declaration, Recovery, Restoration, Transition/‘Return Home’]

  14. Recovery Teams • Response Teams play a critical role in the Command and Control process. They perform the following functions: • Assess the magnitude of an incident • Decide what the response will be • Activate the firm-wide recovery infrastructure • Implement recovery plans • Resolve issues impacting rapid recovery • Local Incident Management Teams (LIMT) • Consisting of members of the local office's core business areas, for example operations, loss control, claims and human resources • Coordinates initial emergency response activities • Provides initial assessment of event to senior managers • Provides information critical to the declaration decision • Activated during “Incident Response” phase and remains in effect up until incident is resolved

  15. Recovery Teams • Corporate Incident Management Team (CIMT) • Central authority directing the response process from corporate headquarters. The CIMT is responsible for: • Declaring a disaster • Activating all other recovery teams • Communicating the incident status to senior management, employees and, where applicable, stakeholders • Coordinating recovery efforts (i.e. facility and technology) • Implementing firm-wide support recovery plans (i.e. Human Resources, Corporate Services, Finance, etc.) • Activating Working Group Teams • Extended Incident Management Team (EIMT) • Consisting of key individuals who would be involved in the detail of incident resolution, assists the CIMT by responding to and activating recovery priorities at time of event

  16. Contingency Planning Considerations March 19, 2008

  17. Critical Parts of the Survival Puzzle • Keep employees, visitors and customer sites safe • Maintain clear communication with employees and/or customers • Never lose critical communication channels that support customers • Isolate incident for access to critical facilities, inventory/assets and intellectual property • Develop cost effective solutions while turning obstacles into opportunities for greater success

  18. Critical Parts of the Disaster Puzzle • Failing to anticipate and develop controls for threats to critical/core business functions. (Risk Management/Disaster Plan) • Failing to prevent (or provide advance warning) one or more people from being seriously injured or killed. (Emergency Response Plan/CMT) • Failing to deliver a product or provide a service to a customer. (Business Continuity Plan) • Failing to communicate with our employees, visitors or customers about safety, service, billing or revenue collection. (Business Recovery Plan)

  19. The Disaster Life Cycle [Cycle diagram labels] • Awareness • Prevention • Auditing/Training • Risk Management Self Assessment Plan • Organized Communication & Response • Emergency Response Plan - CMT (First 24 – 72 hours) • Restore Facilities • Resume Normal Operations • Query Customer/Feedback • Customer Retention & Satisfaction • Protect Cash Flow • Protect Infrastructure & Customer • Use Alternate Plans • Business Continuity/Disaster Plans (48 hours – ?)

  20. Definition of Role & Responsibility Risk Management – Self Assessment Opportunities Emergency Response • Prompt notification of employees, visitors and customers using one of three Crisis Command Centers. • Impact assessment • Rerouting inbound/outbound calls • Physical security • Evacuating/relocating personnel • Employee compassion centers • Voice & data recovery & rerouting • Oversight Committees (Pandemic, Finance, International, etc.) • Internal Audits & Regulatory Audits • Safeguarding Intellectual Property • Records Management • Creating safety conscious culture

  21. Definition of Role & Responsibility Disaster Planning & Business Continuity Business Recovery • Identify and plan for maintaining core business functions • Analyze and minimize business impact • Identify resource needs • Understand how long you can operate on “artificial power” • Reroute process, product and delivery • Maintain communication, identify gaps and ensure flexible closure • Communicate with customer- pre • Contain the impact of the disaster • Minimize disruption in cash flow communication & service delivery • Deliver alternate ways to service customer • Prevent long term loss of market share • Communicate w/customer - post • Maintain regulatory compliance • Maintain revenue stream and other mission critical success factors

  22. Observations/Pitfalls to Avoid • Clearly define the role/responsibility of the incident/emergency management team and define the interaction at all levels of the organization, internal and external. • Define assumptions and expectations on how the business will be managed during a significant disruption. • Define levels of outages, accountability and ownership at the local, business unit and corporate crisis management team level. • Provide training and education programs for functional managers. If they understand what is being asked and why, it will enhance their understanding of when and how to act during and after an emergency. • Alternate operating procedures that sustain vital business functions until the data processing capacity is restored need to be discussed prior to an event. Avoid heavy reliance on untested plans of others. • Avoid the use of excessively detailed procedures when guidelines would suffice. Make better use of Quick Plans/KISS principle in a crisis.

  23. Contingency Plan Assumptions • Providing 100% redundancy for all disaster types is not practical. • Documenting detailed procedures for infinite alternate plans is not cost effective, while understanding the response elements is. • Functional managers must be the architects of the “what if” scenarios that have the greatest business impact. • Qualified personnel with back-up are required to execute the plan. • All facilities must have a life safety emergency evacuation plan that is current and tested periodically. • Communications need to be re-established in less than two hours. • Inefficiencies will occur during the stabilization period. • Local authorities will have the capacity to respond. (Fire/Police/Medical) • Local decision making is required for managing a crisis.

  24. Priority Task Considerations • Enterprise Contingency Plan Model: • Develop and communicate vision/mission defining the new/revised roles and responsibilities • CMT & Employee Awareness • Establish global CMT integration for escalation and notification • Test Crisis Management call center support and intranet access • Distribute revised employee quick reference card • Create and distribute quick reference sheet for managers • Risk Management – Self Assessment Opportunities • Develop Contingency Plan Management System that integrates and acts on existing audit protocol and findings • Develop & Deliver Self Assessment Audit with paths to solutions • Develop Governance Model with Compliance Metric and Benchmark for Sr. Mgmt

  25. Looking Back • Did we develop meaningful metrics that support continuous improvement?

  26. Crisis Management – pre-planning is critical but ……

  27. Sometimes we get lucky

  28. Questions? Thank you!
