1/23/2013

Business Continuity Planning Vs. ERM: A Superstorm Sandy Case Example

Losses arising from a catastrophe like Sandy may be mitigated in part by both a strong business continuity plan or disaster recovery program, and an effective enterprise risk management program.

By Denise R. Tessier

While trying to manage an unprecedented volume of claims from Sandy, many insurers with local claims offices and staff experienced extensive power, phone, and computer outages, not to mention property damage from flooding. Staff had limited access to transportation to both their offices and their clients. The logistics of just getting adjusters out to policyholders was a major issue for most companies, and companies also incurred significant additional expenses that they would not otherwise have had to deal with in other types of storms, such as extended lodging costs for on-the-ground adjusters due to shortage of hotel rooms because of either property damage, or full occupancy by displaced residents.

From a claims operations perspective, Superstorm Sandy had both significant immediate and long-term operational and financial impacts. Losses arising from such a catastrophe in the future may be mitigated in part by both a strong business continuity plan (BCP) or disaster recovery program, and an effective enterprise risk management (ERM) program.

Business continuity planning is the process of identifying internal and external threats and establishing specific plans to continue operations under adverse conditions, such as a fire or severe weather emergency. It recommends alternate routes on the insurer’s business roadmap. Creating a business continuity plan is particularly crucial for smaller to mid-sized insurers that may not have the physical or human resources on hand to respond to an immediate crisis. 

Even for companies that had an existing BCP, however, Sandy was an unusual challenge. Some weaknesses in company BCPs included:

  • Underestimation of the potential size of a “bad” storm, and the wide area it could impact. “Worst case scenarios” in current plans weren’t  the worst case;
  • Failure to plan for adjustment and recovery efforts over a sufficiently extended period of time;
  • Failure to appreciate the degree of interaction between risks. For example, transportation difficulties combined with telecommunications outages made some staff totally inaccessible by “normal” alternate methods.

In light of Sandy’s “lessons learned,” claims departments are likely to update their business continuity plans to: 

  • Better respond to the need for location changes. This may include more pre-contracted arrangements for a quick move to temporary space, ensuring that the company has one or more alternative office locations for a region, or a pre-determined strategy for adjusters to work remotely with several different kinds of technology;
  • Invest in resources for back-up power and telecommunications, such as generators;
  • Focus on alternative IT system resources, such as a back-up server physically housed offsite, preferably in a location far enough away that it would not have a chance of being impacted by the same emergency;
  • Ensure that detailed protocols are drafted and frequently updated to communicate with key staff, through several alternative methods (calls/emails/in person), for providing instructions and to conduct strategic planning; and
  • Pre-contract with companies and individuals for a larger pool of emergency local third-party adjusters, and take related preparation steps such as licensing them to act on behalf of the company on a regular basis, in advance of an emergency.

Claims departments may increase their focus on reviewing, auditing, or revising their BCP based upon the results of the practices and significant changes in the organizational infrastructure. In addition, Sandy highlights the need to “stress test” a BCP periodically by doing a mock-emergency exercise, running through the BCP protocols for a realistically staged scenario with all key claim staff as if a real disaster were to occur.

In contrast to business continuity planning, enterprise risk management is the process of identifying internal and external threats across the organization, ensuring the effectiveness of controls, and using enterprise-wide risk information as key input for strategic planning. ERM is much broader than, but should function as supporting framework for, a solid business continuity plan. ERM includes planning for contingencies affecting other functional departments beyond claims.

In addition to post-Sandy updating of BCPs, insurers may benefit from taking the following types of actions around their enterprise risk management plans:

  • Reviewing capital assets, cash flow,  and claims reserve estimates in a new light ,considering, again a worse “worst-case” scenario potential for future losses;
  • Ensure underwriting, operational, and compliance resources are robust and flexible enough to respond to fast-moving regulatory mandates such as (a) Emergency orders issued by state insurance departments prohibiting cancellation of policies for non-payment of policies during the disaster recovery period, or (b) new policy underwriting rate and form filing requirements;
  • Running mock scenario or “stress testing” exercises beyond what would be needed to document the BCP from an operational perspective. Such a stress testing exercise would include underwriting, legal, accounting, and other company impacts from a storm, and the exercise would ultimately be carried through to an actuarial analysis of losses through to an evaluation of capital adequacy and solvency.


Denise R. Tessier is a senior regulatory specialist, insurance risk and compliance, at Wolters Kluwer Financial Services. She has been a CLM Fellow since 2012 and can be reached at (781) 907-6662, www.wolterskluwerfs.com.

Top Industry News



windstorm