How the Insurance & Continuity Lifecycle Works
Information coming out of the insurance industry is that there will be an increased cost of premiums and, in some instances, an inability to get coverage. For most businesses, the thought of not being able to get insurance must be unthinkable. Unfortunately, we may see just that from 2019 onwards.
Therefore, it’s necessary to start looking at where insurance plays a part in your current resilience capability, and when and where you should be reviewing it in your Business Continuity Lifecycle.
What the ‘Good Practice Guide’ says:
A holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
There are four core phases to BC, and RiskLogic summarised it the best way we knew how: in a lifecycle diagram. If you’re not already doing it, it might be time to bring insurance into the mix!
Step 1: Analyse
Assessing vulnerabilities and understanding the impacts of a disruption to your organisation.
The most important part of this step in your business continuity journey is to ensure that all key stakeholders have buy-in on the process. This means that the implementation of the Business Continuity (BC) journey for your organisation is backed by the people from the top.
Policy and Framework
Intentions and directions of an organisation that set out the scope and governance of the BC program and reflect the reason why it’s being implemented.
Business Impact Analysis (BIA)
The main technique used for the analysis of an organisation’s business functions.
Insurance check point: During the BIA process, when you are identifying the resources required to deliver critical products and services, highlight the specialist equipment or facilities that would be part of the current insurance policy. At this stage it’s just a case of making a note of these resources, which can then be transferred to a list that will require further investigation and confirmation of current loss policy.
The process of evaluating threats using risk-assessment techniques to identify an acceptable concentration of risks and single points of failure.
Insurance check point: Check your current insurance policy and risk matrices for a comparison.
Step 2: Plan
“Documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption” – Good Practice Guide.
Strategic plans define how strategic issues resulting from a major incident should be addressed and managed by Top Management.
Recovery Strategies will provide a step-by-step guide for recovering your Critical Business Functions, ensuring that functions are recovered to meet the Maximum Allowable Outage (MAO) expectations.
Insurance check point: If you develop a new recovery strategy, could it now mean a reduction in insurance cover?
Ex. Manufacturing plant 1 is in the North Island and is insured for 1 million. Manufacturing plant 2 is in the South Island and is insured for 1 million. Both plants have the same setup and can manage extra capacity if either is out of action. Should you be paying the same premium for both sites? Talk to your broker.
A business resumption strategy contains a series of actions and steps designed to return the affected business to its pre-interruption status and includes restoration or relocation of facilities and resumption of operations to maximum capacity.
Insurance check point: The faster you recover, the less assistance you need from your insurance company. You should be getting rewarded for that! Talk to your broker.
IT Disaster Recovery
A task-orientated document designed to provide the IT disaster recovery team with the tools to identify, assess and respond to company-wide incidents affecting IT infrastructure, software or hardware systems.
Insurance check point: Do you have a cyber security plan? Do you really know what you are covered for?
Step 3: Validate
“Build capability, rehearse and test your program to demonstrate your level of preparedness”.
It is essential that all individuals undertaking BC related tasks at any level have the appropriate level of competence for the role through:
Crisis Leadership Training
Suitable for senior leadership with overall crisis management responsibilities. Training specifically designed to build awareness, critical skills and crisis leadership capabilities of your team using the latest experiential learning techniques and real-world case studies.
A testing regime to provide appropriate coverage of all agreed business continuity recovery activities. This includes defining performance indicators and establishing test scripts to validate the recovery of critical business functions as identified in the Business Impact Analysis.
Rehearsing an organisation’s Business Continuity Program via realistic, hands-on scenario exercises is critical to:
- Build familiarisation with staff roles, responsibilities, processes and available tools
- Identify practical program improvements
- Provide a high level of stakeholder assurance in an organisation’s recovery capability
Insurance check point: Invite your broker to your scenario exercises. Get immediate feedback on potential outages and how you will be covered or not covered by your current policy. Provide your broker with your exercise report, demonstrate you are resilient, negotiate a new premium.
Step 4: Maintain
Review and rehearse your program to build resilience and ensure continual improvement through:
- Reviews & updates of your entire program
- Annual training for your response teams
- Annual exercising for your response teams and staff
Insurance check point: Make an insurance check part of your annual Maintenance program.
In summary, Business Continuity needs to be a business-as-usual activity preparing for extreme events. Your organisation should plan for the worst but hope for the best. If you have put the time in and demonstrated you are resilient, you should be rewarded for that. You’re a low-risk organisation and that should count for something in these drastically changing times.