DRJ's Spring 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 31, Issue 4

Full Contents Now Available!

While many organizations have built recovery programs for their data centers and key application platforms, the balance of their enterprises, including front-line and internal service departments, are increasingly at risk. These departments, often dispersed across wide geographic areas, rely on distributed computing environments as well as traditional legacy systems to deliver services to customers and employees.

Just how widespread is the risk? The Comdisco Vulnerability Index, an independent study of the business continuity practices among leading companies, found that only 12 percent of organizations have an effective business continuity program in place for their enterprise-wide operations.

Many companies are acutely aware of the risk and recognize the necessity of protecting these functions, but they’re faced with a Catch-22: They need to build recovery programs for their multi-location distributed systems environments, but they’re uncertain of exactly where to start: where are their critical applications and where do they reside throughout the many locations? And, they can’t wait until they figure it out to make sure they have coverage.
Moving from Risk to Effective Recovery

That’s the situation that CIGNA, a leading provider of insurance and related financial services, found itself facing. With hundreds of locations throughout North America as well as abroad and more that 42,000 employees, CIGNA already had built a successful data center recovery program. But the company knew that wasn’t enough.

"As we began to take advantage of client/server technology, more and more of our critical business functions were taking place in a distributed environment," said Tim Low, assistant vice president of CIGNA Systems. "But we didn’t have recovery procedures to adequately protect these environments."

CIGNA had even gone as far as to develop data security policies that required managers to have business continuity programs for critical functions. "The managers were aware of the policy, but they didn’t have the expertise, they didn’t have time and they didn’t know how to start. As a result, we recognized a different approach was required," said Low.

The company turned to Comdisco’s Enterprise Coverage Program to help it both build business continuity programs for these critical distributed functions as well as to provide interim protection for its various locations.

The program emphasized the AIM – Assess, Implement and Manage – methodology, designed specifically for recovery of distributed business and technology environments. In addition to providing the support required to develop CIGNA’s enterprise recovery program, Enterprise Coverage also provides immediate recovery services, including disaster avoidance and recovery support as well as access to recovery centers, should any of a company’s key locations experience a disaster prior to their program being put in place.

Conducting the Assessment

As part of the assessment phase, CIGNA’s organizational vulnerabilities were identified and the criticality of business functions, applications and locations were ranked. This information is used to better prioritize and balance the subsequent implementation and program management resources.

Some of the critical business needs CIGNA identified included protecting revenue and complying with regulatory requirements. Customer service was also a major concern. "One of our key areas of operations is healthcare," said Low. "If a person requires medical assistance and needs to see a doctor today, he or she can’t wait until next week to receive authorization. As a result, any function that provides customer service was something we had to ensure was protected," said Low.

Developing Strategies

To help determine which functions at which locations were the most critical, members of CIGNA’s enterprise recovery team held meetings with management in each of CIGNA’s ten divisions, including healthcare, property/casual and international insurance groups. CIGNA divisions identified key business functions that were most critical to the organization’s operations.

"Our goal was to focus on those locations that — if for some reason were suddenly unable to operate — would have a major impact on the division or the overall firm’s ability to stay in business. We also wanted to make certain that functions being performed in high-risk geographical areas, such as our operations in California and Florida, were adequately protected," said Low. In all, CIGNA has identified approximately 75 key locations that fit these two criteria.

According to Low, it’s essential to focus first on developing strategies that will identify manageable costs and consistent recovery expectations at the divisional level before working with each location. "If the divisional strategy is not in place, local managers will be inclined to set their own priorities, and these may not be the same priorities as those of senior management," said Low.

Gaining Local Buy-In

While senior management at the corporate and divisional levels must support an enterprise recovery program, buy-in from local managers is also essential. These business unit contacts, both local technical and business managers, must ultimately take ownership of their programs.

Low particularly emphasizes the importance of getting the local information technology and voice and data network groups involved. "They need to be part of the process from the outset, because they’re typically an integral part of the solution," said Low.

CIGNA’s enterprise recovery team began working with senior divisional management and local management nearly two years ago. "For the most part, these individuals recognize the importance of an enterprisewide recovery program, and it’s now a matter of providing them with the tools and support to build their programs," said Low.

Piloting the Project

To help strengthen buy-in and to refine its enterprise recovery process, CIGNA first piloted the program at one of its key locations. The site includes operations for four CIGNA divisions and employs about 1,000 people. "We used this location to show management throughout the organization that it could be done and how to go about doing it," said Low.

The pilot also provided CIGNA the opportunity to hone its recovery program process and develop models, templates and tools. "With more than 70 critical sites, we don’t want to reinvent the wheel at each location. Once the divisional recovery strategies and key sites were identified, we wanted to be able to apply the same process at every location, with minor alterations to address site-specific issues," said Low.

With the central recovery team facilitating the process, local management at the pilot site developed multiple plans to support each of the critical business operations performed at the site, as well as a central site recovery plan encompassing common services for all occupants for the enabling technology, including LAN operations and voice and data communications.

Once the plans were complete, it was time to test the pilot. Working together with Comdisco, a test program was developed and a structured walk-through completed. A 16-hour test to validate the pilot was then conducted. The test objectives included restoring the LAN operations and applications, providing access to CIGNA’s mainframe, switching telephone circuits and recovering a PBX configuration.

"The pilot program was a success. It allowed us to validate our approach and gain management commitment to roll-out the program to critical sites throughout the U.S.," said Low.

Implementing the Program

To help meet a goal of having recovery plans in place for all of its critical locations, CIGNA and Comdisco are developing a business continuity training program for CIGNA’s HealthCare division. "HealthCare is one of our critical divisions, and we want to make certain that each of the individuals responsible for business continuity on a local level have the foundation they need to build their programs," said Low.

CIGNA’s enterprise recovery group and Comdisco business continuity consultants will work with the local managers to support the development of the program plans, including recovery plans for critical desktop technology, servers, networks, and business functions.

Depending upon the requirements that are identified at each location, coverage options can include both internal and external solutions. For example, the best solution for some locations may be for them to provide back up for one another. For certain high priority functions, such as those at the CIGNA pilot site, a traditional hot site approach is most appropriate. And for other locations, for example, those that provide a service within their community and need to keep a presence locally even in the event of a disaster, a mobile recovery solution may be the best option.

Once each locations’ business continuity plans are developed, they will each be tested to make certain they meet the company’s objectives.

Ongoing Program Management

While many of CIGNA’s locations are still in the assessment or early stages of implementation, ongoing management of the program also has to be planned. This includes measurement of the program and continuous improvement services to ensure updated recovery plan documents as well as to identify new recovery requirements or skills that may be required as the organization’s needs evolve.

While each of the site plans are created and maintained locally, it’s also important to have a central function for ongoing management of the overall process.

For example, CIGNA places all plans in a central business continuity database. "In many cases, there are multiple divisions operating out of one location. Each of the divisions at a location has a plan and all the plans need to be rolled together to review the site recovery," said Low.

Additionally, by centrally monitoring the location plans, CIGNA’s enterprise recovery team knows when the plans have been updated and is able to remind managers that haven’t updated their plans to do so.

Realizing Returns

CIGNA has worked through the initial phases of its Enterprise Coverage program and Low believes the company has made great strides in significantly lowering its vulnerability to disaster. "We’ve been able to reduce our risk, we’ve educated more individuals about the program and empowered many to take an active role in the planning, and we’ve implemented programs for three critical locations and assessed dozens of sites," said Low. "And we’ve done all of this while continuing to maintain and test the corporate disaster recovery plans already in place."

With programs for several of the other locations currently underway, one of the lessons that Low has learned is patience. "An enterprisewide recovery program for a company the size of CIGNA can’t be developed overnight," said Low. "It takes time. That’s why the interim coverage is so important. It offers you the ‘safety net’ you need to focus your effort up-front on building an effective recovery program, rather than rushing to put something in place that ultimately may not be the best solution."


Laura Willumstad is a director for Comdisco, Inc., Rosemont, IL. Comdisco, a technology services company, is one of the world’s leading providers of solutions that help organizations reduce technology cost and risk.