2008 Business Continuity & Corporate Security Crisis Management in Integrated Financial Services...

2008 Business Continuity & Corporate Security: Crisis Management in Integrated Financial Services Organizations

Transcript of 2008 Business Continuity & Corporate Security Crisis Management in Integrated Financial Services...

Page 1: 2008 Business Continuity & Corporate Security Crisis Management in Integrated Financial Services Organizations.

2008 Business Continuity & Corporate Security

Crisis Management in Integrated Financial Services Organizations

Page 2:

Agenda

Crisis Management Planning at Chubb & Son

Crisis Management Planning at New York Life

Questions & Answers

Page 3:

Introduction

Frederick M. Spina, Corporate VP, Business Continuity & Recovery

New York Life Insurance

Bert Wolff, Business Continuity & Security Manager, VP, Chubb & Son

Page 4:

Crisis Management Program Objectives

The objective of our Crisis Management Program is to ensure that the required Corporate Incident Management Teams are in place and trained to:

Respond and Assess and Mitigate
– The impact of an anticipated or unanticipated event that threatens normal operations

Declare
– Communicate the state of the incident internal and external and to mobilize the organization in response

Stabilize
– The incident through the invocation of the corporate incident management teams and processes designed to rapidly recover work area space and technology

Ensure
– The appropriate levels of communication inside and outside the organization
– Business interruption is minimized
– Risk of legal liabilities is minimized
– Funding and claim payment obligations are met
– Compliance with applicable laws, regulations, insurance requirements are met

Page 5:

Why is Crisis Management so important?

Page 6:

Managing the Overlap

Diagram: Venn overlap of Security, BCP, DRP and ERP, with example incidents placed in the overlapping regions:

A – Hurricane Disruption
B – Main Campus Outage
C – Simsbury Server Room Fire
D – Disabled Data Center
E – Cyber Attack
F – International Kidnapping
G – Customer Information Theft

Page 7:

Enterprise Resiliency

Resiliency Defined – “The ability to withstand and bounce back”

The ability of Senior management to be prepared for and resilient against disruptions of any kind that could threaten the viability of the organization in the immediate and longer term.

Page 8:

Enterprise Resiliency Program

Crisis Management (CIMT/EIMT)
Responding to Emergencies (ERP)
Ensuring Continuity of Operations (BCP)
Ensuring Continuity of Technology (DRP)
Security
– Protecting Corporate Assets & Employees
– Risk Management & Mitigation

Facilities
IT Infrastructure/Software

Page 9:

Program Scope

Crisis Management Planning (CMP)
– Create tools & training for CIMT/EIMT
– Direct CIMT and EIMT Testing Activities
– Monitor/Track Potential Threats

Emergency Response Planning (ERP)
– Prepare/Exercise ER Strategies
– Design/Implement ER Plans
– Communicate to Employees ER Protocols

Page 10:

Program Scope (continued)

Business Continuity Planning (BCP)
– Maintain BCP Methodology
– Educate/Train/Assist SBUs in Developing BCP Plans
– Identify/Quantify Business Risks
– Provide Recovery Strategies and Solutions
– Conduct Individual and Collective Tests
– Coordinate/Monitor Responses
– Communicate Business Area Requirements (via BIA)

Disaster Recovery Planning (DRP)
– Define Schedules & Objectives for DRP Tests
– Participate in DRP Tests
– Review Test Results
– Adjust Recovery Strategies to Align with SBU Requirements

Security
– Manage/Oversee Corporate Security Program
– Responding to Workplace Violence Issues

Page 11:

Program Integration

These 5 program components join together to form Chubb’s unified Enterprise Resiliency Program

When integrating these components, a natural overlap of responsibilities emerges during an incident

Page 12:

Incident Response

The planning, preparation and risk mitigation management that allows us to respond quickly and efficiently to large and small incidents to minimize the effect on our business.

Page 13:

Incident Timeline

Chart: % operation plotted against time through the phases Onset of event, Disaster Declaration, Recovery, Transition/‘Return Home’ and Restoration, with the Emergency Response Plan, Technology Disaster Recovery Plan and Business Continuity Plans (by area) layered along the timeline.

Confidential & Proprietary – For Internal Use Only

Page 14:

Recovery Teams

Response Teams play a critical role in the Command and Control process. They perform the following functions:

Assess the magnitude of an incident
Decide what the response will be
Activate the firm wide recovery infrastructure
Implement recovery plans
Resolve issues impacting rapid recovery

Local Incident Management Teams (LIMT)
Consisting of members of the local offices’ core business areas, for example operations, loss control, claims and human resources
► Coordinates initial emergency response activities
► Provides initial assessment of event to senior managers
► Provides information critical to the declaration decision
► Activated during “Incident Response” phase and remains in effect up until incident is resolved

Page 15:

Recovery Teams

Corporate Incident Management Team (CIMT)
Central authority directing the response process from corporate headquarters. The CIMT is responsible for:
► Declaring a disaster
► Activating all other recovery teams
► Communicating to senior management, employees and stakeholders where applicable the incident status
► Coordinating recovery efforts (i.e. facility and technology)
► Implementing firm wide support recovery plans (i.e. Human Resources, Corporate Services, Finance, etc.)
► Activating Working Group Teams

Extended Incident Management Team (EIMT)
► Consisting of key individuals who would be involved in the detail of incident resolution, assists the CIMT by responding to and activating recovery priorities at time of event

Page 16:

Contingency Planning Considerations

March 19, 2008

Page 17:

Keep employees, visitors and customer sites safe

Maintain clear communication with employees and/or customers

Never lose critical communication channels that support customers

Isolate incident for access to critical facilities, inventory/assets and intellectual property

Develop cost effective solutions while turning obstacles into opportunities for greater success


Critical Parts of the Survival Puzzle

Page 18:

Failing to anticipate and develop controls for threats to critical/core business functions. (Risk Management/Disaster Plan)

Failing to prevent (or provide advance warning) one or more people from being seriously injured or killed. (Emergency Response Plan/CMT)

Failing to deliver a product or provide a service to a customer. (Business Continuity Plan)

Failing to communicate with our employees, visitors or customers about safety, service, billing or revenue collection. (Business Recovery Plan)

Critical Parts of the Disaster Puzzle

Page 19:

The Disaster Life Cycle

Diagram: the Disaster Life Cycle, with its stages:

Awareness – Prevention – Auditing/Training
Risk Management – Self Assessment – Plan
Protect Cash Flow – Protect Infrastructure & Customer – Use Alternate Plans
Business Continuity/Disaster Plans (48 hours – ?)
Restore Facilities – Resume Normal Operations
Query Customer/Feedback – Customer Retention & Satisfaction
Organized Communication & Response
Emergency Response Plan - CMT (First 24 – 72 hours)

Page 20:

Definition of Role & Responsibility

Risk Management – Self Assessment Opportunities

Oversight Committees (Pandemic, Finance, International, etc.)

Internal Audits & Regulatory Audits

Safeguarding Intellectual Property

Records Management

Creating safety conscious culture

Prompt notification of employees visitors and customers using one of three Crisis Command Centers.

Impact assessment

Rerouting inbound/outbound calls

Physical security

Evacuating/relocating personnel

Employee compassion centers

Voice & data recovery & rerouting

Emergency Response

Page 21:

Definition of Role & Responsibility

Disaster Planning & Business Continuity

Identify and plan for maintaining core business functions

Analyze and minimize business impact

Identify resource needs

Understand how long you can operate on “artificial power”

Reroute process, product and delivery

Maintain communication, identify gaps and ensure flexible closure

Communicate with customer - pre

Contain the impact of the disaster

Minimize disruption in cash flow, communication & service delivery

Deliver alternate ways to service customer

Prevent long term loss of market share

Communicate w/customer - post

Maintain regulatory compliance

Maintain revenue stream and other mission critical success factors

Business Recovery

Page 22:

Observations/Pitfalls to Avoid

Clearly define the role/responsibility of the incident/emergency management team and define the interaction at all levels of the organization, internal and external.

Define assumptions and expectations on how the business will be managed during a significant disruption.

Define levels of outages, accountability and ownership at the local, business unit and corporate crisis management team level.

Provide training and education programs for functional managers. If they understand what is being asked and why, it will enhance their understanding of when and how to act during and after an emergency.

Alternate operating procedures that sustain vital business functions until data processing capacity is restored need to be discussed prior to an event. Avoid heavy reliance on untested plans of others.

Avoid the use of excessively detailed procedures when guidelines would suffice. Make better use of Quick Plans/KISS principle in a crisis.

Page 23:

Contingency Plan Assumptions

Providing 100% redundancy for all disaster types is not practical

Documenting detailed procedures for infinite alternate plans is not cost effective, while understanding the response elements is.

Functional managers must be the architects of the “what if” scenarios that have the greatest business impact.

Qualified personnel with back-up are required to execute the plan.

All facilities must have a life safety emergency evacuation plan that is current and tested periodically.

Communications need to be re-established in less than two hours.

Inefficiencies will occur during the stabilization period.

Local authorities will have the capacity to respond. (Fire/Police/Medical)

Local decision making is required for managing a crisis.

Page 24:

Priority Task Considerations

Enterprise Contingency Plan Model:

Develop and communicate vision/mission defining the new/revised roles and responsibilities

CMT & Employee Awareness

Establish global CMT integration for escalation and notification

Test Crisis Management call center support and intranet access

Distribute revised employee quick reference card

Create and distribute quick reference sheet for managers

Risk Management – Self Assessment Opportunities

Develop Contingency Plan Management System that integrates and acts on existing audit protocol and findings

Develop & Deliver Self Assessment Audit with paths to solutions

Develop Governance Model with Compliance Metric and Benchmark for Sr. Mgmt

Page 25:

Looking Back

Did we develop meaningful metrics that support continuous improvement?

Page 26:

Crisis Management – pre-planning is critical but ……

Page 27:

Sometimes we get lucky

Page 28:

Questions?

Thank you!