Tag Archives: business continuity

BCPP Proposal: Summary, Key Risks

On May 21, the National Association of Mutual Insurance Companies (NAMIC), the American Property Casualty Insurance Association (APCIA) and the Independent Insurance Agents & Brokers of America (Big “I”) released their proposal to address future pandemics: the Business Continuity Protection Program (BCPP).

The attached document summarizes this proposal and identifies several key risks to consider as this proposal is debated and compared with other concepts.

The Proposal

In a nutshell, insurance agents and brokers may elect to sell a FEMA-administered protection agreement to businesses and nonprofits. If a business purchased this protection and its industry was later ordered closed due to a pandemic, the business would receive an immediate payout of a previously determined amount. 


The payout amount is a percentage (e.g., 80%) of three months of the business’s payroll and operating expenses as reported in its last tax returns filed prior to purchasing the protection agreement. At the time it buys the protection agreement, the business would promise to spend any payouts on retaining its employees and covering other business expenses.

Key Risks

The BCPP concept raises several risks to consider in this and any other proposal intended to compensate businesses during pandemic lockdowns.

  • Risk to State Role in Pandemic Response – The BCPP would require lockdown orders to either come from the federal government or follow an approach dictated by the federal government. In contrast, the states have taken responsibility to shape their own COVID-19 lockdown orders based on local needs and metrics subject to high-level guidance from the federal government.
  • Basis Risk – Because payouts under the BCPP are based on out-of-date financial metrics, businesses face a significant risk that payouts would not match their actual needs. Failing businesses would tend to get more than their current expenses while successful businesses would get less.
  • Moral Risk – The BCPP would pay out based on a business’s self-assigned NAICS industry classification code. Businesses could improve their chances of receiving a payout by selecting a higher-risk code before a pandemic or lobbying for the inclusion of their NAICS code in a lockdown order during a pandemic.
  • Regulatory Risk – Although state-licensed insurance agents and brokers would sell the BCPP product, it is not an insurance contract. Accordingly, insurance agents and brokers would face the risk of having to obtain an appropriate license and implement additional training, processes and controls.

Business Continuity During COVID-19

Potential business disruptions are part of a company’s regular continuity plan. Still, few were prepared for the impact of a global pandemic that has shut down businesses around the world. Many companies have faced challenging decisions like laying off or furloughing employees for an extended period, while others have had to shift to a fully remote workforce quickly. 

Four leading CEOs in our industry joined us for our special edition Out Front Ideas COVID-19 Briefing Webinar Series to discuss the challenges their businesses are facing and how they are adapting: 

  • Keith Newton – CEO of Concentra
  • Dave North – CEO of Sedgwick
  • Tom Warsop – CEO of One Call
  • Mark Wilhelm – CEO of Safety National

The Carrier Perspective

The insurance companies are facing an onslaught of regulators seeking a myriad of information. Carriers are inundated with data requests, receiving hundreds of bulletins and directives covering most territories, states and Canada. Some states have issued moratoriums on cancellations for non-payments of premiums, while others have requested that carriers make it clear to the public how they will treat premium leniency. Carriers are being asked to provide a COVID-19 readiness plan, including the impact on the business, both operationally and the impact on investment income. The National Association of Insurance Commissioners (NAIC) has stepped in, asking states to pause on data requests, so carriers can focus on servicing their insureds.

Regulators and legislators are seeking to expand the compensability of claims beyond what was planned during the underwriting and pricing phases. Many legislators are passing laws stating that COVID-19 claims are presumptive, especially for healthcare workers and first responders, meaning it is presumed they contracted the virus while on the job and it should be covered accordingly. Some states are even looking to expand this to all essential workers.

As far as the financial impact on carriers, there are a few items to consider. Carriers could see a decrease in premiums due to employer payrolls decreasing. There are also credit risks due to non-payments on premiums, and there may be portfolio devaluations in the future due to lowered interest rates. However, while specific industries, like healthcare, are seeing more claims, many sectors will see a decrease in claims because of shelter-in-place enforcements.

The Third-Party Administrator (TPA) Perspective

Initially, TPAs saw a surge in paid leaves in the U.S., but that has now shifted to unpaid leaves because of the programs that employers have in place. With federal programs, like paid leave extensions, being evaluated, we do not yet know the direct impact they will have on injured workers. It may mean shifting an injured worker off workers’ compensation and on to one of those programs in the future if it is more beneficial.

Many employers are reaching out for help planning for a future catastrophe. For example, if a natural disaster like a hurricane or tornado occurred during this time (a “cat” within a “cat”), employers want to know that their business would have a continuity plan in place. Everyone is considering the “what-if” scenarios right now, so many are overly preparing for the next big event.


In the workers’ compensation industry, there has been a drastic decrease in the number of new claims due to some businesses shutting down completely. However, some industries are growing significantly in the current state of the economy, which is noticeable with a more-diversified customer base. Pending claims in workers’ compensation have not seen the same drastic decrease, meaning the injured workers who received our attention before COVID-19 still need assistance, but now are less likely to obtain the care they need. Some patients have no idea how the change will affect their recovery or return to work.  

Due to the pent-up demand for healthcare during the COVID-19 crisis, there will be a backlog of post-pandemic patient needs. This demand may put injured workers at a disadvantage because elective surgeries will not be prioritized above other significant needs like trauma surgeries. Actuaries will have to learn how to adjust to this uncontrollable shift. For example, will a lack of litigation be considered a trend, or will litigation rebound based on the high consumption of healthcare upon a return to normalcy?

There is a balance right now of taking care of the injured workers’ needs and also maintaining communication with them. As a workforce, all partners should be ready to embrace the injured workers when the industry returns to normal, readying resources and preparing to handle the increase of needs.

The Ancillary Program Provider Perspective

The most considerable impact has been an unwillingness among injured workers to get the treatment they need because of COVID-19 risks. Because patients do not want to come into contact with others, demand is less frequent and their care is delayed. Provider access has also seen an impact. While most are still accessible, industries like dentistry have been advised not to continue treatment. The extension of telehealth has also made accessibility to care much better.

Referrals for ancillary services have decreased significantly. Specifically, transportation service requests are suffering, but well-established services like home health do not see the same drop in requests. Some ancillary program providers are seeing furloughs of their workforce due to a decline in demand. Some companies are providing advanced paid time off and healthcare coverage for furloughed employees. 

Expect new operating models to emerge from this crisis. There will most likely be a significant increase in remote work employees, now that work from home opportunities have proven to be an adaptable method. The issues surrounding telemedicine use will likely not disappear after this crisis, now that there is a sustained demand for it. Rescheduling technology will also change due to the current number of requests. Shifting to a text-based rescheduling program has seen a much higher response rate from injured employees due to its ease of use, potentially guaranteeing future care for those who cannot currently access it.

The Occupational Health Provider Perspective

Because the occupational health workforce is patient-facing, at occupational medicine centers, employer worksites and primary care facilities, the industry is facing many challenges. These challenges include regulatory directives, limited personal protective equipment (PPE) for front-line healthcare providers and a significant drop in patient volume. However, the industry has dealt with a substantial reduction in patient volume before. During the 2008 recession, there was a significant decrease, but demand rebounded over the months following.


Opportunities have developed from the crisis, including testing assistance and telehealth expansion. While limitations on PPE do not allow for occupational health employees to run testing for COVID-19, they are instead managing fit tests for the frontline providers, like those working the drive-through testing sites, to make sure their gear fits properly. Telehealth has provided an incredible opportunity for occupational health providers to expand their services for injured workers. Many providers that were not interested before have now been working quickly through an approval process, so their patients can receive the care they need. Most occupational health practices are still open for business, but, to reduce exposure, they have reduced hours and staff in facilities.

While most of the industries within workers’ compensation had the ability to move to a fully remote workforce, declines in patient volume and referrals have forced some to furlough employees until there is a rebound. This crisis has forced all our CEOs to use disaster task forces within their organizations and learn how to readily adapt to changes in their businesses, both financially and operationally. COVID-19 will certainly breed many advances in patient care and opportunities for growth in the workers’ compensation industry, as all of our CEOs are continuously learning from the experiences this has created. 

To listen to the full Out Front Ideas with Kimberly and Mark webinar on this topic, click here. Stay tuned for more from the Out Front Ideas COVID-19 Briefing Webinar Series, every Tuesday in April. View the full list of coming topics here.

The Best Tools for Disaster Preparation

If the COVID-19 pandemic has taught the world anything, it’s that each event is different from the last. It’s not enough to have an abstract plan in place when disaster strikes. The most effective disaster recovery and business continuity (DR/BC) plans are those that organizations practice routinely. Insurers and companies across all industries should be prepared to stay online during a range of natural and man-made disasters, from earthquakes to pandemics and cyber-attacks. 

Modern consumers have come to expect 24/7 accessibility from their service providers. A weak infrastructure that can’t reroute traffic or a third-party partner’s lapsed platform causing an entire system to go down are not just inconveniences—they’re threats to customer relationships. DR/BC plans should take such liabilities into account and be tested end-to-end. 

Most insurers created DR/BC plans with hurricanes, winter storms or other natural disasters in mind—not terrorist attacks or pandemics. Organizations should consider these plans as living documents for precisely this reason. The impact of contagious illnesses (e.g., COVID-19) on company staff and leadership may not be present in existing plans. If so, organizations may need to put social distancing into effect, especially in key departments with high concentrations of knowledge or ability. 

Preparation Is the Best Prevention

Even the best-informed DR/BC plan is unlikely to cover every scenario. Preparing the entire organization for emergencies, however, drills in responses to create a form of muscle memory that makes employees ready to respond when new threats emerge. Pressure testing or refining a system is better done when an organization is running at full capacity rather than after a disaster has emerged. 


Plans may attempt to cover a broad range of known issues and look to incorporate reasonable fail-safe provisions to address contingencies if partner systems go down, but they should still follow two rules.

1. Documentation should be easily—and immediately—accessible. 

Even if plans establish clear lines of communication, explain how to access critical systems and lay out how to frame decision protocols, they do no good if employees can’t access them when the time comes.

Organizations should store DR/BC plans somewhere that is easy to locate, and there should be multiple instances of the plans. If an entire grid is down, for example, SharePoint is not a convenient place to house emergency instructions. Insurers should also encourage their employees to take information home with them. Corporate networks should not be the only storage space for emergency documentation—and demonstrating knowledge of DR/BC plan access points should be covered as part of employees’ test exercises. 

Employees are only able to act in a crisis if they have the hardware they need. Laptops or tablets should be available to take home; bringing these devices with employees should be part of regular training exercises. Equipment is not useful during a test or a “live fire” event if it stays at the office overnight. 

2. Plans should be created early and practiced often. 

The greatest key to a successful DR/BC plan is preparing long before precipitating events are on the horizon, when the organization can consider all scenarios. Employees will know what to expect and how to behave when disaster drills are routine (like fire drills), no matter if the employees are part of IT or serve as a member of a business unit. 

The events that teams practice for are seldom the ones that happen in real life, but preparing for a wide array of scenarios can help management and associates to stay calm and focus on understanding what is new or unusual about the emerging situation. When rational responses to crises become second nature, individuals and organizations can survive a wide array of incidents with lower stress and less negative impact on the people who depend on them most—their customers. 

If possible, employees should undergo regular online training in these emergency protocols with certification available. That way, newer employees or those less familiar with DR/BC plans and procedures can receive updated experience until the whole team is on the same page about where and how to access the information they need during an emergency. 


No insurer can prepare for every possible emergency, especially when the future is uncertain, as it is with COVID-19. But maintaining a well-thought-out DR/BC plan that exists as a living document can help any organization keep a cool head when people need to make big decisions quickly. Creating a plan early and making sure employees know how to access it are foundational to keeping the lights on (and customers satisfied) when disasters and other unexpected events occur. My motto as a CIO in insurance and banking was, “Prepare for the worst; hope for the best,” while remembering that hope is not a plan on its own.

Realities of Post-Disaster Data Recovery

The construction industry’s dependence on information technology systems continues to expand with the dramatic shift from document management to data management. With this reliance comes an increased vulnerability to business disruption. Data management, business continuity and post-disaster data recovery require a shift in mindset from firefighting to fire prevention. Zero disruptions is a bold strategic imperative that provides a competitive advantage by enhancing field productivity, increasing office efficiency, reducing downtime and preventing data losses. Effective data backup and post-disaster recovery protocols are the essential steps to minimize business disruptions.

Data management today requires an enterprise view integrating a company’s increasingly complex networks. Data must be construed to encompass all information generated, received, transmitted, stored and retrieved throughout the organization. Additionally, data must be incorporated from its various physical and virtual locations, including mobile devices. Following are IT trends affecting AEC companies:

  • expansion of email as the predominant form of intra- and inter-company communication;
  • growth of online data mobility project management tools using smartphones and tablets to access and transmit data;
  • increased adoption of document imaging to replace paper recordkeeping files;
  • growth of enterprise resource planning (ERP) platform systems and integration with best-in-class specialty software programs;
  • estimators’ use of the same database to work from multiple locations on complex projects;
  • increased adoption of, and massive data files generated by, BIM;
  • emergence of hosted and cloud-based data recovery systems;
  • expansion of e-discovery in litigation, which raises expectations for (and increases the risks of) record retention; and
  • proliferation of social media networks combined with bring-your-own-device policies, which creates new portals for hacking, malware and viruses.

The severity of natural disasters and the escalating number of man-made emergencies and technological disruptions compound the construction industry’s dependence on IT systems. Many of these disruptions “only” result in temporary IT system shutdowns, while others pose a threat to the viability of the business.

A company’s vulnerability to data loss can be increased or decreased by the actions taken (or not taken) with regard to data backup and recovery. A robust business continuity plan is the first step. Companies have many choices when selecting the best way to back up their vital information and mission-critical data.

The Need for a Comprehensive Business Continuity Strategy

Automatic offsite (hosted or cloud-based) data backup protocols at regular intervals are the best prevention for data loss. These backups must be set for every type of data and for every type of device accessing, transmitting or storing information.

Another data recovery strategy is imaging the company’s server and running the restored replica image from a new server in a remote location. However, this strategy requires pre-planning. In a large-scale disaster, obtaining replacement servers may not be possible.

Causes, Costs and Consequences of Data Loss

Data disruption is a reality of the modern work environment. Causes of data loss include:

  • failure to initiate or maintain regular data backups;
  • hardware failure;
  • human error resulting in accidental deletion, overwriting of data or forgetting to add new IT systems/devices to backup protocols;
  • failure to test the backup and data recovery restoration process to determine adequacy;
  • software or application corruption;
  • power surges, brownouts and outages;
  • computer viruses, malware or hacking;
  • theft of IT equipment; and
  • hardware damage or destruction from vandalism, fire and water (rain, flood or sprinkler system discharge).

The consequences of lost data include direct loss of revenue from missing bid submissions or customer orders, direct expenses to pay for technical specialists to help recover data, decreased productivity during the shutdown and costs to re-key or obtain replacement data. For contractors selling directly to consumers, the loss of Internet connection for any extended time could prove costly. Lost data also can result in litigation for breach of confidential information plus adverse publicity.

A 2012 study commissioned by cloud-based data backup company Carbonite revealed 45% of small businesses (defined as fewer than 1,000 employees) had suffered a data loss. Fifty-four percent of the data losses were attributed to hardware failure, and the average cost for data recovery was $9,000.

Real-World Data Loss Scenarios

  • Laptop motherboard failure. A project estimator was working offline when the motherboard crashed. Because of a tight deadline, he had to restart the estimate from scratch. Although the bid was successfully submitted on time, the estimator fell behind on pricing other jobs that the company failed to win.
  • Lost iPhone. Pictures of a project safety incident with documentation of a mismarked “one-call system” utility spot were lost. The photo documentation had not been transmitted to the office, and the contractor lost the request for damages against the utility locating service. Moreover, the smartphone was not properly password-secured, allowing unauthorized access to contacts, client information and company data.
  • Desktop computer backup location not properly mapped to server. When a workstation was upgraded with a new desktop computer, it was not mapped to the server for automatic backup. The computer hard drive crashed, and no files were backed up. Recovery using the old desktop computer was slow, and data created on the new computer was lost.
  • New database not added to the nightly backup protocol. A company purchased a new customer relationship management database and, after a power outage, realized it had not been added to the nightly data backup protocol.
  • Onsite data backup location destroyed. The building housing an onsite backup server was struck by lightning, which started a fire and resulted in a total loss of all current and historical data.
  • Disaster recovery software not properly configured. While conducting a test of a company’s disaster recovery plan, it was discovered that some critical data was not being captured in the backup files.
  • Laptop and tablet stolen from a jobsite trailer. The field equipment had not been backed up for several weeks, resulting in the loss of key project documentation.

Best Practices for Data Management

Data management and IT network administration is a strategic, unique function for all companies. It is not possible to delineate all data management best practices, but the following guidelines should help enhance most companies’ post-disaster data recovery efforts:

  • Determine the company’s recovery-time objectives, and plan and budget accordingly. Identify which functions and systems must remain operational at the time of a disruption or disaster. This requires advance planning and budgeting for necessary systems and technical support services. It also helps prioritize risk-reduction strategies, including investments in data management backup system and security upgrades.
  • Develop a written business continuity plan that outlines specific responsibilities for protecting vital information and mission-critical data. The business continuity plan should include protocols for backup and synchronization of all office systems and virtual/mobile devices. It also should address the frequency and format for testing data management integrity and security, as well as how gaps will be identified and addressed.
  • Inventory the company’s vital information and mission-critical data, and verify it is being backed up. Key considerations include how the data is being backed up, by whom and how frequently, as well as where the backup data is stored. It is important to ensure the data backup and restoration processes work as designed.
  • Initiate automatic scheduled backups, ensure the backup data is stored offsite, and test the adequacy of the data backup and restoration methods. Consider the added benefits of imaging the company’s servers to achieve a complete restoration of the data management system.
  • Develop a comprehensive diagram of the company’s integrated data management network, including all physical and virtual/mobile subsystems. Ideally, this will be an “as built” blueprint of the company’s configuration consisting of the hardware, operating systems, software and applications that make up the data management network.
  • Institute policies regarding the use of the company’s Internet, including security protocols. Implement policies for user authentication, password verification, unacceptable personal devices and reporting of lost equipment. It is essential to communicate these policies and security protocols to all users and to train new employees.
  • Establish proactive management of the company’s data and IT network. Ensure the company’s network administrator has state-of-the-art tools, including remote access, help desk diagnostics and anti-spam and malware protection. Request periodic updates on all software licensing audits and verification that all security patch updates have been installed on a timely basis. Establish a fixed replacement schedule for hardware and software.
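
The inventory-and-verify guideline above, together with the data loss scenarios listed earlier, can be checked mechanically. The following is an added example, not part of the original article: a small audit that compares an asset inventory against backup job records and flags assets never added to the backup, stale backups, onsite-only copies and untested restores. All asset names, dates and thresholds (a per-asset maximum backup age and a 90-day restore-test window) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    kind: str           # "server", "database", "workstation" or "mobile"
    max_age_hours: int  # assumed policy: oldest acceptable "newest backup"


@dataclass
class BackupRecord:
    asset: str
    last_success: datetime
    offsite: bool
    last_restore_test: Optional[datetime]  # None = restore never tested


def audit(assets: List[Asset], records: List[BackupRecord], now: datetime,
          restore_test_max_days: int = 90) -> List[Tuple[str, str]]:
    """Return (asset, finding) pairs for every gap in backup coverage."""
    by_asset = {r.asset: r for r in records}
    findings = []
    for a in assets:
        rec = by_asset.get(a.name)
        if rec is None:
            # New database or new desktop that was never mapped to a job.
            findings.append((a.name, "NOT_IN_BACKUP"))
            continue
        if now - rec.last_success > timedelta(hours=a.max_age_hours):
            findings.append((a.name, "STALE"))
        if not rec.offsite:
            # A fire or flood at the office would take the only copy too.
            findings.append((a.name, "ONSITE_ONLY"))
        tested = rec.last_restore_test
        if tested is None or now - tested > timedelta(days=restore_test_max_days):
            findings.append((a.name, "RESTORE_UNTESTED"))
    # Jobs still running for retired hardware often mean the replacement
    # device was never enrolled in its place.
    known = {a.name for a in assets}
    for r in records:
        if r.asset not in known:
            findings.append((r.asset, "ORPHAN_JOB"))
    return findings


# Constructed sample data mirroring the scenarios in the article.
NOW = datetime(2014, 1, 15, 8, 0)
ASSETS = [
    Asset("file-server", "server", 24),
    Asset("crm-db", "database", 24),
    Asset("estimator-desktop-new", "workstation", 24),
    Asset("trailer-laptop", "mobile", 168),
    Asset("accounting-erp", "server", 24),
]
RECORDS = [
    BackupRecord("file-server", datetime(2014, 1, 15, 2, 0), False,
                 datetime(2013, 11, 20)),
    BackupRecord("trailer-laptop", datetime(2013, 12, 20, 17, 0), True,
                 datetime(2013, 12, 1)),
    BackupRecord("accounting-erp", datetime(2014, 1, 15, 1, 0), True, None),
    BackupRecord("estimator-desktop-old", datetime(2014, 1, 14, 23, 0), True,
                 datetime(2013, 12, 10)),
]


def run_sample() -> List[Tuple[str, str]]:
    return audit(ASSETS, RECORDS, NOW)


if __name__ == "__main__":
    for asset, finding in run_sample():
        print(f"{finding:17} {asset}")
```

Run on a schedule against the real inventory export and backup job log, a report like this surfaces the unmapped desktop or unprotected database before an outage does.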

There is good news and bad news regarding business data management and recovery. The bad news is that the need for post-disaster data recovery can no longer be ignored. The increasingly complex and connected business world demands pre-planning for business continuity. The good news is that data management and recovery services are scalable to meet the custom needs of every business regardless of the size and scope of the operation and its degree of data dependence.

Reprinted with permission from Construction Executive, January 2014, a publication of Associated Builders and Contractors Services Corp. Copyright 2014. All rights reserved.