Credit & Political Risk Insurance Provider
The Client
Our client is at the forefront of the credit and political risk insurance (CPRI) industry, representing many of the largest buyers of CPRI globally. A major player in the risk sphere, our client recognised the value of bringing in a specialist consultancy to explore their own risk and threats from a business continuity perspective.
The Challenge
When Teed was first engaged by the client, pre-Covid, a recent denial of access situation showed that work needed to be done to put them in a better position to weather adverse situations. The client was looking for cost-effective solutions, whilst acknowledging it was important to understand what the business needed to achieve continuity.
A full business continuity management (BCM) project was initiated taking the organisation through the business impact analysis, recovery strategy and business continuity (BC) plan development stages, finishing with a tabletop exercise.
David Teed’s experience in the insurance industry paid dividends in his understanding of how the business operates. He ascertained that there were crossovers between the broking teams who are client facing and manage the fee generating elements of the business. Therefore, it was decided that by taking sample teams through the process and understanding their needs, then by default this would translate to other broking teams. Global offices and their dependence on head office had to be taken into account.
At the time, the client also needed to contract for business recovery workspace to allow for displacement of critical personnel from the office. Technology was not sufficiently flexible then to allow for the remote working we have adapted to since the pandemic, additionally a stable communications environment was key to facilitating business transactions. Teed’s consultant facilitated analysis, planning and strategy discussions with key business representatives to assess priorities, feasible contingencies and minimum resource requirements if faced with the loss of premises, IT, phones and/or people.
During the project, the client’s dependence on an external IT specialist was identified. Now, knowledge spread across the team means this is no longer the case thus ensuring greater resilience overall.
Since the initial project, the client has expanded the BCM scope to incorporate IT disaster recovery (DR), third party dependencies and consideration of other risks or threats that could impact reputation.
The Solution
In discussion with representatives, it became clear that technology-wise, part of the solution was to spread IT services across two different data centre locations, amend the replication technology and resolve single points of failure (for example, a dependence on VDI machines in a single location resolved via a redistribution of devices). In this way, an isolated event would not have disastrous consequences for the business. Improvements to comms were identified by establishing the capability to transfer calls to an alternative location.
A tabletop exercise to test and validate the planning strategies and assumptions was undertaken with individuals likely to be involved in the response and recovery process following an incident, being taken through evolving scenarios.
Subsequently, a project was devoted to the development of an IT DR plan and associated technology recovery procedures.
The Result
The client was satisfied that now they had workable plans in place subject to taking identified improvements forward. This provided comfort to the business and clients that risks had been addressed. Teed’s point of contact, the Compliance Director, has put steps in place to keep the system alive and promote awareness of business continuity at an appropriate level.
Teed is brought in regularly to run both BC and DR exercises and work with internal project representatives to support the linking of the cyber security response with BCM. Methods have been expanded to drill down into further detail for the international offices and their broking teams, taking on board regional aspects including geopolitical risk.
The scope has widened in recent years beyond typical BC threats, with these being considered during incident management exercises to challenge individuals, capabilities and processes. For example, reputational and business threats relating to errors and omissions, cyber security and market issues. Often the significance of the impact justifies the focus on taking the necessary steps to avoid the situation arising.
The work undertaken is a fine example of how the business continuity discipline can act as an effective framework for considering a wider range of risks and threats to help achieve organisational resilience.