Business Challenge
A large auto and homeowners insurance company had engaged a Big Four accounting firm to help with its business continuity/disaster recovery planning. The firm had already performed a business impact analysis (BIA) and suggested some broad recovery target requirements. Based on these, several of the insurer’s vendors had outlined technical strategies.
Now the insurer wanted hands-on guidance in creating a detailed, customized disaster recovery (DR) plan from the broad requirements they had been given. They were also anxious to have an independent expert validate and implement the overall solution. Finally, they wanted a vendor-neutral second opinion on the architecture recommendations. So, they turned to Forsythe.
Solution
First, Forsythe worked to validate and refine the insurer’s requirements and assess its current recovery capabilities. To do this, Forsythe collected specific details about business processes, systems, and how the organization worked through a group-wide meeting and a series of interviews with key business and IT managers. Forsythe then helped the insurer develop a specific roadmap for achieving stated recovery objectives for data restoration, system and network performance, security during alternate site operations, change management, disaster notification, and communications. For example, Forsythe took the range of data recovery point and time objectives the Big Four firm had defined for three primary mission-critical applications and identified several optimal recovery points within the range, presenting the cost-benefits for each option.
Forsythe also validated the overall recovery architecture design, making some revised recommendations. For instance, Forsythe identified—and outlined the steps required to fix—a network performance gap, with regard to DNS failover, that could result in failure of mission-critical applications at the alternate recovery facility.
On a higher level, Forsythe was asked to create a template that would enable the insurer to build its overall disaster recovery plan in-house. Forsythe provided a comprehensive plan template that called for a DR overview (mission, objectives, scope, disaster declaration authorization, and key disaster recovery planning assumptions); the BIA results; a data recovery strategy; disaster recovery emergency management procedures; workflow and other diagrams and forms to facilitate reporting and management of the DR processes; and much more. In a separate project, Forsythe also created a telecommunications-specific disaster recovery plan template.
Finally, Forsythe helped plan a disaster recovery test exercise for the company’s IT operations, observed a dry-run of the exercise, and evaluated the formal recovery test to ensure that the actual IT recoverability met expectations. The insurer’s IT group used the dry-run not only as a benchmark, but also as an opportunity to improve its time tracking and event logging processes for recovery activities. The insurer’s IT group then used the process documents as a tool for troubleshooting and fixing problems prior to the formal test. As a result, the test was a terrific success, improving upon the dry-run recovery times by 50% and exceeding the recovery time objective by 66%.
Results
Forsythe provided the insurer with a much better, more detailed understanding of their underlying requirements and why those requirements dictated the recommended strategy. Even more important, the insurer gained a deeper understanding of what a comprehensive DR program entails and began moving toward completion of an integrated DR plan. By validating and refining its disaster recovery strategy, and offering unbiased, vendor-neutral technical recommendations to meet the strategy, Forsythe enabled the insurer to move confidently forward with its implementation. Finally, Forsythe helped the company perform a valuable dry-run DR testing exercise that led to a highly successful test of its technical recovery capabilities.
The company’s ability to recover its data and resume operability well within its required time frame is crucial to meeting its audit requirements. This new level of recoverability also greatly mitigates risk by reducing the recovery window from approximately four weeks (at an estimated loss of $115 million in revenue) to less than 8 hours (approximately $1.9 million). As part of a comprehensive DR plan, the company will also decide how best to address that exposure from a financial standpoint.