HIAA Forum 2003

1
HIAA Forum 2003
This presentation was given at the AAHP / HIAA
National Forum on November 11, 2003. HIAA
Health Insurers Association of America and AAHP
- American Association of Health Plans members
were attendees. These two associations members
provide health care insurance to over 200 million
Americans nationwide. Presentation attendees
included CEOs, line managers and operations and
technology executives. The presenters, John
Schladweiler David Adolphson, provided case
study results and steps to take to ensure
recoverability in the event of a disaster. If
you would like to discuss this presentation,
contact information is provided on page 26.
Feedback is welcome.
2
Planning for the UnthinkableDisaster Recovery
Business Continuity Las Vegas, Nevada November
11, 2003
2003
HIAA
FORUM
tomorrows SOLUTIONS
INNOVATIONS
todays
3
Agenda

• Introductions
• John Schladweiler
• Dave Adolphson
• Planning for the Unthinkable
• Why Listen?
• Traditional Approach
• Business Issues
• Best Practices
• Business Impact Analysis
• What Should You Do?
• Questions / Discussion

i
4
Planning for the Unthinkable Why Listen?

• John Schladweiler
• IT Strategy Consultant
• Former SVP of leading recovery services company
• Networked Recovery Solutions when Chicago Tunnel
  Flooded
• CNN Business Insight Program after ATT Cable Cut
• WTC Bombing in 1991 Workarea Recovery
• Top 3 Global Bank Plan for Addressing RTO

• Dave Adolphson
• IT Consultant
• Former VP of IT Planning for major insurance
  company
• Designed and Implemented Business Resumption
  Plans for Insurance
• Tracked 911 resumption efforts
• Directed virus disinfection and recovery efforts

Experience
1
5
Planning for the Unthinkable Why Listen?

• Basic ways enterprises have addressed business
  resumption planning without overspending
• Fortress
• Redundancy
• Business Interruption Insurance

But I already have a Disaster Recovery Plan
2
6
Planning for the Unthinkable Why Listen?
CEO Survey (April 2003)
Terrorism, Disaster
On-Time, On-Budget
Spend Right Amount
IT Management
CIO Informs CEO
IT Supports Change
IT Strategically Aligned
Competitive Advantage
Info Security/Privacy
Investment Value
4
0
3
2
1
Confident/Good
Concerned/ Not Good
3
Source CEO Counselors, Inc. www.ceocounselors.co
m
7
Planning for the Unthinkable Why Listen?

• Impacts
• Payors
• Brokers
• Employers
• Providers
• Insureds

Real Time
IT now supports external business processes
New
Old
Batch
Front Office
Back Office
Changing Business Model
4
8
Traditional Approach

• Components
• Data Centers
• Mainframes
• Servers
• Infrastructure
• Network - Internal
• Network - External
• Offices/Call Centers

Alternate Sites
5
9
Traditional Approach

• Data Center
• Hot Site
• Cold Site
• Redundant Site
• Load Balanced Site
• Remote Management
• Network
• Alternate Routes
• Dial Back Up
• Self Healing
• Remote Management

• Data Back Up
• Electronic / Not Paper
• Weekly, Incrementals
• Real Time by Transaction
• Mirrored at Alternate Site
• Remote Management
• Office
• Workstations
• Infrastructure
• Call Centers
• Safe Distance Away

Implementation Choices
6
10
Traditional Approach
The Norm Back Ups Weekly Incrementals Daily
Recovery Time Objective How quickly must the business be back up and operational? Not all businesses are the same.
Recovery Point Objective When data is restored for use, how current is the data? Is it to the point of the last transaction posted? Or is it to the last back up taken? Is it synchronized across computing platforms?
Data Protection Recovery Criteria
7
11
Traditional Approach

• Disaster Recovery Plan
• Proceduralized Plan
• Multiple Contingencies / What Ifs
• Tested at Least Annually
• Jointly Owned IT User Departments
• Disaster Recovery Budget
• IT Expenses Identified
• Subset of Actual Total Cost for Recovery

Recovery Plan Tested Regularly
8
12
Business Issues

• Shortcomings of some existing disaster recovery
  plans
• Network takes too long to recover has less
  capacity
• Hot sites back up Mainframes, but dont cover
  Servers
• Timeline to re-build Server infrastructure is
  long
• Data recovery is too slow, and requires
  re-entering transactions
• Still dependent upon paper files
• Call Centers are lacking
• People
• Availability for daily operations v. recovery
  efforts
• Location of interruption may require staff to
  travel

Why it doesnt Work in Real Life
9
13
Business Issues

• Bunker Model
• Centralized business processes for Selling
  Tickets, Scheduling Flights Crews
• Resumption Time greater than 3 days Bankruptcy

Case 1 Major Airline
10
14
Business Issues
Recovery Timeline
Business Process Outage
Resume Business Process
Su Mo Tu We Th Fr Sa Su Mo
Tu We Th Fr Sa Su Mo
F I I I
F
Backup Schedule
Restore Environment
- F F I, I I
Process Missed Days
ThFr SSMo TuWe Th Fr Sa
Best Case 12 Days!
Legend F Full backup I Incremental
Case 2 Top Money Center Bank
11
15
Business Issues

• What would be Benefits of Improving Recovery
  Strategy?
• from to
• Mainframe 4 days 24 hrs
• Server infrastructure - rebuild 4 days 24 hrs
• (400 servers)
• Server data synchronization 14 days 5-7 days
• (To 11 pm night before)

Case 3 Major Insurance Company
12
16
Best Practices
Elements
Jewels

• Redundant Working Sites
• Data mirroring
• Network self healing
• Call Centers / Other Support
• Varying RTOs according to business service line

• Data - Electronic Paper
• Data - Recovery Point
• Network Data Voice
• People
• who know the business

Best Practices Approach
13
17
Best Practices
Network Design Redundancy provides continuity for
key processes
Within region
Out of region
Data Mirror
....
Data Mirror
Data Mirror
DC2
DC3
DC1
Redundant technology
WS1
....
WS3
WS2
Best Practices Architecture
14
18
Business Impact Analysis
Business Impact Justification
Recovery Solution Design Funding
Implementation Choices
Cost Estimates
Architecture Feasibility
15
19
Business Impact Analysis
Step 1 Determine the needs of the business

• Stakeholders Impacts
• Payors Cost of resumption, overpayment
  of claims
• Brokers Lost sales
• Employers Add to costs, dissatisfaction
• Providers Slower receipt of payments
• Insureds Slower receipt of claims

Determine RTO RPO - Design to provide varying
RTOs by service category
16
20
Business Impact Analysis
Step 2 Define Architecture Options

• Best Practice vs. Traditional Compromise
• Dedicated Facilities Infrastructure vs. Shared
• Mirrored / Load Balanced Sites vs. separate
  Production Backup sites
• Self Healing Network vs. Dial Back Up
• Multiple Offices Capable of Backing Up One
  Another vs. Centralized Office
• Real time data backup vs. daily incrementals

Determine Benefit Cost Tradeoffs if affordable,
adopt best practice
17
21
Business Impact Analysis
Step 3 Look at Implementation Alternatives

• Source
• In-house Outsource Off-shore
• Elements
• Mainframes X
• Servers X
• Network X X
• Offices/Call Centers X X
• Client workstations X
• Redundant Sites X
• Data mirroring X X

Sourcing Alternatives
18
22
Business Impact Analysis
Step 4 Summarize RTO Cost by Service Line and
Compare to Cost of Outage

• 1 day 3 days 14 days
• Mainframe
• Server infrastructure
• Server data synch
• Network
• Call Center ______ _______ _______
• TOTAL RTO COST ()
• COST OF OUTAGE ()

Determine Costs for RTOs
19
23
Case Illustration
Business Impact Analysis
IT Traditional Near Budget Recovery Best
Practices 30,000 Entprs Site 500 Hot
Site 500 Hot Site 450
Vault Data 150 Servers
200 Mirror Data 50 Work
Area _______ __________ __________ 30,000 500
lt2 1,350 5 Exposures RTO Not
perfect shared RPO shared risk for MF
All costs in 000s, exclude staff
Representative Costs of moving toward Best
Practices Scenario
20
24
What Should You Do?

• First steps
• Identify elements of the Business Model that are
  likely to change due to enterprise direction
• Determine evaluate implications of business
  model changes for Business Impact Analysis

Implications of changing Business Model
21
25
What Should You Do?
RPO
Adding Recovery Functions
Better Architecture
I
RTO
Understand Options for Implementation
22
26
What Should You Do?
Current/Future Implementation Needs
Cost of Current/Future Implementations
Adequacy of Existing DR Plan
Cost of Existing DR Plan
Balance Needs/Costs of Implementation
Considerations
23
27
What Should You Do?
Implement justifiable increments for key business
lines

• Determine evaluate implications of business
  model changes

Identify Business Model elements likely to change
Worksteps toward a Best Practices Vision
24
28
Planning for the Unthinkable
Questions/Discussion
25
29
Planning for the Unthinkable
Dave Adolphson Management Champion Objective-AIM
Automation/Innovation/Management 483 East Oxford
Road North Barrington, IL 60010 (847)
381-1516 dwa_at_objective-aim.com
John Schladweiler Innovation Champion Schladweiler
Associates, Inc. 1630 Sheridan Road, Suite
8E Wilmette, IL 60091 (847) 853-6190 John_at_Schladwe
iler.com
It was a pleasure discussing Disaster Recovery
Business Continuity with you today
26
30
Planning for the Unthinkable
Speaker biographies
Dave Adolphson a business-oriented information
technology consultant and executive, Dave has
focused his career on transforming enterprises
through linking information technology, with
enterprise objectives. He has a strong track
record of reducing total costs, delivering to
demanding schedules and budgets, and achieving
tangible benefits. Currently a principal of
Objective-AIM, Dave has Big Five consulting
experience with KPMG, and he has also held senior
IT executive roles with Aon, C N A Financial, and
Harris Bank. He has spoken and written on
related business and information technology
topics such as acquiring and retaining profitable
customers, justifying investments in information
technology, and extending the application of
methodology to Expert Systems and web-based
implementation projects. 
John Schladweiler with 35 years of experience
in the IT industry and a blend of vendor, client
and consulting experience, he also brings a
strong financial background to the assessment of
business operations, including his understanding
of the economics of existing and emerging
technologies and how they can positively impact
business opportunities and costs. His experience
includes executive management roles with debis IT
Services N. A., Realtors Information Network, and
Harris Bank as well as engagements with financial
services companies including The Equitable,
Central Reserve, Chase Bank, and the Board of
Trade Clearing Corporation, and also with leading
and emerging technology companies, ASPs, and
start-up eCommerce and application integration
software companies. He serves on the Executive
Committee of the Information Systems Management
Forum, an organization focused on information
exchange among CIOs.
CEO Counselors does research on the relationship
a chief executive has with his or her direct
reports.  And, we provide a process that a CEO
can use to understand the root cause of what is
happening. Our current research project explores
the value that a business gets from investments
in Information Systems and Technology.  A copy of
the Survey Report is available at
www.ceocounselors.com.
27