CIO Checklist: COVID-19 Highlights Need to Revisit Continuity Plans

March 18, 2020 by Mitch Wein

The importance of well-documented business continuity and disaster recovery plans has reached new urgency with insurers.

Natural disasters and cybersecurity issues are on the rise, and new threats continue to emerge. The COVID-19 outbreak in 2020 is, in some ways, reminiscent of the SARS experience of 2002-2003, but both the technical and business environments have changed dramatically. Yet customers, producers and state regulators are growing less tolerant of lapses in service as the standards for performance and stability keep rising.

Even in the face of unknown and emerging threats, it is crucial for plans to evolve dynamically and adapt to new circumstances.

Plan for resiliency beyond core systems and data—including key partners.

Self-service offerings weren’t always the norm, and there was a time when system outages could be masked by employees with mastery of complex manual processes. That’s no longer the case. Customers expect 24/7 access to service providers, and outages call into question the foundation of their relationships. A mobile app that goes dead, a website that is down or a phone that goes unanswered amount to the same thing: a breach of the trust implicit in a policy or contract.

Internal infrastructure to reroute traffic or partnerships to augment in-house capabilities can help insurers control the messaging they put in front of customers. External service partners like SaaS systems, BPO services, website hosting solutions and telecommunication providers contribute to this support fabric. Testing to see what happens when those services are unavailable can lead to some surprising—and surprisingly painful—end-user experiences.

Contracts specify availability, test windows and the procedures for gaining access to a facility such as a remote data center. Yet just because an insurer declares a disaster doesn’t mean it will have access to the services executives believe the insurer is contracted for. This is an especially important consideration as SaaS and XaaS (anything-as-a-service) services continue to increase. A successful approach to third-party services incorporates external service procedures and processes and involves effective end-to-end testing.

Expect challenges moving to and coming back from a remote data center.

Establishing systems, gaining access to production data and moving network connectivity is hard work. Even in the best of circumstances, this can take more than a day. It may be necessary to move key employees into position at an alternative facility before a disaster is even declared. Understanding how employees will travel, what the alternatives are, and whether resources and subject matter experts will be available can make a difference when time is at a premium.

Many disaster recovery plans also presume that companies will be able to run on less powerful equipment than they normally do. Prioritization of critical versus nice-to-have functionality ahead of time can ease the problem of getting 10 pounds of code into a five-pound bag. Customer-facing capabilities are the highest priority.

What’s more, the return from a remote data center after a disaster declaration may be harder than the initial declaration itself. Returning home requires shutting down at the remote site and returning to the company facilities, a process that many companies will not have practiced or documented.

Remember that it’s also about people.

Too many plans place unrealistic expectations on what people can do in the event of a disaster. Plans framed as academic exercises may include assumptions about the flexibility of staff during a critical event. In a test exercise, employees may be willing to travel hundreds or thousands of miles from home to visit a business continuity center. Yet when a real event takes place and their own families are threatened, they may react very differently.

Assuming that staff can move quickly when their homes are flooded, burning or washed away may be highly unrealistic. A more feasible alternative may be to establish how key staff members can be divided and permanently located in sites that can back each other up. This approach may forgo some short-term economies of scale but can provide significant dividends in times of crisis.

Being able to reflexively handle routine elements of disaster recovery and business continuity plans will help teams think through the implications of new events as they happen in real time. Actively engaging IT resources alongside peer business team resources is essential to ensure smooth transitions to and from recovery states. This strong interaction is also needed to verify that all critical business processes are supported and that communication is flawless before, during and after a disaster or event.

Ultimately, well-run continuity and recovery plans may be the difference between recovery and simply a disaster.

More advice on preparedness in the face of business interruption and disaster is available in Novarica’s brief Business Continuity Planning and Disaster Recovery.