Business Continuity and Disaster Recovery

Final Exam Questions for Class IS505–SUMMER I–2018.docx

FINAL EXAM QUESTIONS FOR CLASS IS505—BUSINESS CONTINUITY/DISASTER RECOVERY—SUMMER I—2018

NOTE: FOR ALL DOCUMENTS IN THE EXAM, YOU SHOULD PRINT THEM OUT OR VIEW THEM IN PRINT PREVIEW MODE. THE REASON IS THAT THERE ARE FOOTNOTES IN THE DOCUMENTS THAT YOU CANNOT VIEW UNLESS YOU DO THIS. THUS, YOU WILL MISS CRUCIAL INFORMATION YOU NEED TO COMPLETE YOUR STRATEGIES.

ANSWER TWO (2) QUESTIONS THAT ARE DOCUMENTED ON THE FOLLOWING PAGES. AS WITH PREVIOUS ASSIGNMENTS, ENSURE THAT YOU JUSTIFY YOUR ANSWERS FOR EACH OF THE QUESTIONS. YOU HAVE ALL OF THE APPENDICES THAT YOU NEED TO PROVIDE YOUR JUSTIFICATION(S) FOR YOUR ANSWERS!!!

EXPECTATIONS FOR THE FINAL EXAM:

Since the Final Exam is structured the same as Homework 3 and 4, ALL CONTENT OF YOUR FINAL EXAM MUST BE ORIGINAL TEXT with one exception. The one exception is as follows:

1. You can only copy your DEFINITIONS FOR YOUR ALTERNATIVE STRATEGIES that you documented in Homework 3 and 4. IN FACT, YOU MUST COPY YOUR DEFINITIONS FROM HOMEWORK 3 AND 4 INTO YOUR FINAL EXAM since it will save you time working on your Exam and will also save the Instructor time spent reviewing each Exam.

2. If you had errors in your DEFINITIONS, YOU MUST MAKE THE APPROPRIATE CORRECTIONS WHEN WORKING ON YOUR FINAL EXAM! If you do NOT make the corrections indicated on your Homework 3 and 4, additional points will be deducted on your Final Exam.

NO OTHER TEXT CAN BE COPIED FROM YOUR HOMEWORK 3 or 4 SUBMISSIONS AND USED IN YOUR FINAL EXAM.

IF YOU COPY TEXT NOT NOTED ABOVE, YOU WILL EARN 0 POINTS ON YOUR FINAL EXAM SINCE THIS IS PLAGIARISM.

YOUR ABILITY TO JUSTIFY/SUPPORT YOUR RECOMMENDATIONS REVEALS IF YOU UNDERSTAND THE MATERIAL. THEREFORE, YOUR THOROUGHNESS IS ONE CRITERION ON WHICH YOUR GRADE WILL BE DETERMINED!!!!

The following guidelines apply to writing your Final Exam:

1. Use Word for your document.

a. Any size typeface is acceptable.

2. Write in a businesslike manner:

a. Be thorough and use complete sentences.

b. Use bullet points throughout your exam.

c. DO not USE contractions since this would not be used in any type of a FORMAL REPORT. This especially applies to consulting reports that would be provided at the end of a project.

d. Run Spell and Grammar Check feature in Word to lessen chance of having such errors in your final exam.

3. If I pointed out any issue(s) in your Homework 3 or 4 submissions, be sure to correct this in your Final Exam.

a. I will deduct points for any issue not corrected on your Final Exam that appeared in your Homework 3 or 4 submissions.

4. DO NOT USE THE SAME JUSTIFICATION/REASONS WHY STRATEGIES ARE NOT RECOMMENDED as you did in your homework assignments!!!! This is because the environment is totally different in the Final Exam’s case study as well as the fact that this is considered plagiarism.

The above issues are crucial to earning a passing grade, since your Final Exam submission should be a compilation of what you learned during the quarter.

Note: Some of the above issues deal with PLAGIARISM. For further information, go to the DePaul University Home Page, which is your first screen after you log into D2L. At the lower portion of the screen on the right, look under Student Support. Click on the “Academic Integrity” listing for more information.

Again, remember to write this in a professional/businesslike manner. I do not grade on volume of information; rather, I grade on the level of accuracy and thoroughness throughout your exam. Also, it is possible to be thorough and brief at the same time!!!

HIPAA (Health Insurance Portability and Accountability Act)

Since ABC is a health insurance company, the privacy rules that are legislated under the Health Insurance Portability and Accountability Act (HIPAA), are a concern. There is a potential that ABC might incur fines because of HIPAA!

BONUS POINTS: You can earn up to a MAXIMUM of 3 additional Bonus Points if you include HIPAA in the appropriate areas of the Exam. These Bonus Points will be added directly on top of your total points computed for your Exam.

HINT: There are three areas of the Exam where HIPAA should be included.

1. This applies to 3 of the strategies that you are NOT recommending as follows:

a. This applies to 1 strategy not recommended in Question 1 for a maximum of 1 point.

b. This applies to 2 strategies not recommended in Question 2 for a maximum of 2 points.

c. For each CORRECT MENTION of HIPAA, you will earn 1 point out of a total of 3 MAXIMUM possible points.

Also, while you should NOT provide pages of explanations regarding what HIPAA is, you do need to give an idea WHAT this Act involves!

QUESTION #1 (WORTH 50 OUT OF 100 POINTS)

QUESTION #1 IS ABOUT DISASTER RECOVERY. SEE THE FOLLOWING QUESTIONS YOU NEED TO ANSWER:

Question 1: DOCUMENT YOUR RECOVERY STRATEGY FOR THE HARDWARE/SOFTWARE USED BY THE “JACKSONVILLE REGIONAL OPERATIONS” DOCUMENTED IN “APPENDIX 2—RTOs and RPOs FOR APPLICATIONS BY DEPARTMENT.” (NOTE: The Departments Included in Jacksonville Regional Operations are: a) Customer Relations; b) Claim Pmt. Activities; c) Customer Phone Contact; and d) Utilization Mgmt.).

Even though the ENTIRE DATA CENTER is SMOKE AND RUBBLE, you are to PROVIDE A DISASTER RECOVERY STRATEGY ONLY FOR THE FOLLOWING 3 SOFTWARE APPLICATIONS (AND RELATED HARDWARE) THAT ARE HIGHLIGHTED IN YELLOW ON THE APPENDIX 2 SPREADSHEET:

1. CAS

2. PCS

3. WORKFLOW ROUTING

DO NOT PROVIDE A STRATEGY FOR ANY OTHER HARDWARE/SOFTWARE ITEMS IN APPENDIX 2. As with Homework 3, only recommend ONE STRATEGY for all three applications.

Even though we are concerned about Jacksonville’s operation, we also need to consider the operations in Mesa, Arizona and San Antonio, Texas (as well as other departments in other locations that may use the SAME HARDWARE/ SOFTWARE and have a LOWER RTO/RPO) when we design our Disaster Recovery Strategy. The reason is that these two offices perform the SAME EXACT FUNCTIONS as the Jacksonville Regional Operations, with employees using the same hardware and software as those in the Jacksonville Regional Operations. In fact, the 3 hardware and software items reside in the Jacksonville Technology/Image Center and are accessed by employees in these 3 locations.

Your recovery strategy should be designed for the “Worst Case Scenario,” which means a complete destruction of the Jacksonville Technology/Image Center. Justify your recommendation(s) using any information in the description of the client, appendices, etc. (HINT: the documents that will help you answer this question are listed on page 5 of this document.)

As with your homework assignment, use the following as a guideline to ensure that you cover all of the points documented below:

1. LIST HARDWARE/SOFTWARE AND RTOs AND RPOs INDICATED. (Remember to use the lowest RTO and RPO used by all other departments/offices. If any other department/office uses a lower RTO or RPO, always USE THE LOWEST RTO OR RPO. To ensure your figures are correct, validate with the instructor before you start work on this part of your Exam.)

2. CHOOSE THE TECHNOLOGY STRATEGY(IES) AND DOCUMENT THE NAME OF THE STRATEGY. You may choose one strategy or more than one strategy, ONLY if this applies.

3. DESCRIBE YOUR STRATEGY BY DOCUMENTING THE FOLLOWING:

a. How Strategy Will Work: Describe how your strategy will work in detail. (Example, if you recommend Warm Site, describe HOW it will work in the company’s environment.) NOTE THAT THIS MUST BE ORIGINAL TEXT AND CANNOT BE COPIED FROM HOMEWORK 3.

b. Vendor/Internal Strategy: Document if you will use a vendor facility (external strategy) to house your equipment or one of your internal locations (the latter is an internal strategy).

i. INTERNAL LOCATION: Remember that this Company has multiple facilities in which you may locate your hardware/software for your strategy. If you choose an INTERNAL location you must also provide the following information:

1. Select the facility that you will use and document its location.

2. You must discuss WHY you selected that specific location. For example, if you selected a facility in Pennsylvania instead of Kansas, ONE OF YOUR REASONS might be that Pennsylvania is NOT in Tornado Alley while Kansas is right in the middle of it!!! Of course, this is only one reason of which there should be SEVERAL REASONS. (This is similar to a Risk Assessment which would be completed before you select the location.)

c. Justify Vendor/Internal Strategy: Also, explain WHY you are selecting an internal or external location, which means provide detailed justification.

4. EVALUATE STRATEGIES NOT RECOMMENDED IN COMPARISON TO YOUR RECOMMENDED STRATEGY:

a. Evaluate Each Strategy NOT Recommended: Document the following for each strategy NOT recommended:

i. A THOROUGH description of the Strategy (this is the definition). REMEMBER TO COPY YOUR STRATEGY DESCRIPTION FROM YOUR HOMEWORK 3 SUBMISSION, ENSURING THAT YOU MAKE ANY CORRECTIONS THAT WERE INDICATED BY THE INSTRUCTOR.

AND

ii. REASON WHY YOU DID NOT RECOMMEND STRATEGY: As in Homework 3, this is WHY each strategy is inappropriate for THE HARDWARE/ SOFTWARE USED BY THE JACKSONVILLE REGIONAL OPERATIONS. (This is NOT the disadvantages of the strategy. Rather, document WHY EACH ONE IS INAPPROPRIATE FOR THE HARDWARE/SOFTWARE USED BY THE JACKSONVILLE REGIONAL OPERATIONS.)

NOTE: YOU MUST EVALUATE EACH STRATEGY BY USING RTOs/RPOs AS YOU DID IN HOMEWORK 3.

YOU MUST NOT COPY YOUR EXACT WORDS FROM HOMEWORK 3 SINCE THIS IS SELF-PLAGIARISM; multiple points will be deducted if you do this! INSTEAD, YOU MUST USE DIFFERENT WORDS WHEN YOU EXPLAIN WHY YOU DID NOT RECOMMEND EACH STRATEGY.

Remember that HIPAA might be an appropriate reason(s).

5. WRAP-UP OF ANALYSIS

a. What advantages would there be for your recommended strategy? What are the disadvantages for this strategy???

b. Document any other reason for choosing the strategy.

REMEMBER, DO NOT INCLUDE WORK AREA RECOVERY STRATEGIES IN YOUR ANSWER TO QUESTION #1.

REFERENCE DOCUMENTS TO USE FOR THIS QUESTION:

The documents you want to refer to are in Week 3 of D2L:

1. “Develop Disaster Recovery (Technology) StrategiesV17”

2. “How to Select Technology Recovery Strategies”

Page 6

QUESTION #2 (WORTH 50 OUT OF 100 POINTS)

QUESTION #2 IS ABOUT WORK AREA RECOVERY. SEE THE FOLLOWING QUESTIONS YOU NEED TO ANSWER:

Question 2: FOR EMPLOYEES IN “JACKSONVILLE REGIONAL OPERATIONS” ONLY, WHAT WORK AREA RECOVERY APPROACH DO YOU RECOMMEND FOR THE REQUIREMENTS DOCUMENTED IN THE FOLLOWING DOCUMENT “FINAL—APDX1—WORK AREA RECOVERY REQUIREMENTS.” AGAIN, JUSTIFY YOUR RECOMMENDATION(S) BASED UPON INFORMATION IN THE DESCRIPTION OF THE CLIENT, APENDICES, ETC. (NOTE: The Departments Included in Jacksonville Regional Operations are: a) Customer Relations; b) Claim Pmt. Activities; c) Customer Phone Contact; and d) Utilization Mgmt.)

THESE DEPARTMENTS ARE HIGHLIGHTED IN YELLOW IN APPENDIX 1. ONLY PROVIDE A WORK AREA RECOVERY STRATEGY FOR THESE DEPARTMENTS ONLY.

ADDRESS THE FOLLOWING:

1. DOCUMENT THE RTO FOR WORK AREA RECOVERY. To gather the Work Area Recovery Requirements, refer to Appendix 1.

I. What is the RTO for Work Area? How many seats do you need at that time??

2. CHOOSE THE WORK AREA RECOVERY STRATEGY AND DOCUMENT THE NAME OF THE STRATEGY.

3. DESCRIBE YOUR STRATEGY BY DOCUMENTING THE FOLLOWING:

I. How Strategy Will Work: Describe how your strategy will work in detail. (Example, if you recommend a Vendor Strategy, describe HOW it will work in the company’s environment.) NOTE THAT THIS MUST BE ORIGINAL TEXT AND CANNOT BE COPIED FROM HOMEWORK 4.

MAKE SURE THAT YOU DISCUSS HOW THEY WILL MEET THEIR 4 HOUR RTO!!!

a. Vendor/Internal Strategy: Document if you will use a vendor facility (external strategy) for Work Area Recovery or one of your internal locations (the latter is an internal strategy).

i. INTERNAL LOCATION(S): Remember that this Company has multiple facilities that might be used for your Work Area Recovery Strategy. If you choose an INTERNAL location(s) you must also provide the following information:

1. Select the facility(ies) that you will use and document its location.

2. LOCATION SELECTION: You must discuss WHY you selected that specific location(s). For example, if you selected a facility in Pennsylvania instead of Kansas, ONE OF YOUR REASONS might be that Pennsylvania is NOT in Tornado Alley while Kansas is right in the middle of it!!! Of course, this is only one reason of which there should be SEVERAL REASONS. (This is similar to a Risk Assessment which would be completed before you select the location.)

3. HOW EMPLOYEES WILL BE ACCOMMODATED: Where will the employees work in the location(s) specified above? You must be specific and state HOW they will be accommodated.

4. WHEN PCs WILL BE ACQUIRED: Discuss if you will acquire PCs now or ATOD. If you will acquire now, will you install now or later? Discuss this in detail.

b. Justify Vendor/Internal Strategy:Also, explain WHY you are selecting an internal or external location, which means provide detailed justification.

4. EVALUATE STRATEGIES NOT RECOMMENDED IN COMPARISON TO YOUR RECOMMENDED STRATEGY:

I. Evaluate Each Strategy NOT Recommended: Document the following for each strategy NOT recommended:

ii. A THOROUGH description of the Strategy (this is the definition).REMEMBER TO COPY YOUR DESCRIPTION FROM YOUR HOMEWORK 4 SUBMISSION, ENSURING THAT YOU MAKE ANY CORRECTIONS THAT WERE INDICATED BY THE INSTRUCTOR.

AND

iii. REASON(S) WHY each strategy is inappropriate for THE JACKSONVILLE REGIONAL OPERATIONS AND THEIR REQUIREMENTS (REFER TO PAGES 18 AND 19 OF THE BIA FOR INFORMATION ON DEPARTMENTS INCLUDED IN THE JACKSONVILLE REGIONAL OPERATIONS). (This is NOT the disadvantages of the strategy. Rather, document WHY EACH STRATEGY IS INAPPROPRIATE FOR THE WORK COMPLETED BY THE JACKSONVILLE REGIONAL OPERATIONS.)

IF YOUR REASONS ARE THE SAME AS HOMEWORK 4, YOU MUST NOT COPY YOUR EXACT WORDS FROM HOMEWORK 4 SINCE THIS IS SELF-PLAGIARISM; multiple points will be deducted if you do this! INSTEAD, YOU MUST USE DIFFERENT WORDS WHEN YOU EXPLAIN WHY YOU DID NOT RECOMMEND EACH STRATEGY.

Remember that HIPAA might be an appropriate reason(s).

5) WRAP-UP OF ANALYSIS

I. What advantages would there be for your recommended strategy? What are the disadvantages for this strategy???

Remember, do NOT include the technology strategy documented in Question 1 as that is for Disaster Recovery and NOT Work Area Recovery. This question is for Work Area Recovery ONLY!!!!

REFERENCE DOCUMENTS TO USE FOR THIS QUESTION:

The documents to refer to are in Week 5 of D2L:

1. “Business Recovery (Work Area Recovery) Strategies”

2. “Work Area Recovery Strategy Decisions”

Final Business Impact Analysis Case Study SUMMER I–2018.docx

Final Business Impact Analysis Case Study SUMMER I–2018

I. Project Summary

Introduction

The ABC Corporation (ABC) is a Federal Business Unit of MAIN COMPANY Insurance that acts as a Federal Government subcontractor. Headquartered in Rockville, Maryland, ABC administers the second largest plan in the Federal Government. The MAIN COMPANY is committed to providing comprehensive health benefits and freedom of choice to over 1 million federal employees.

ABC employs approximately 1,050 ABC employees among its offices in the following cities: Rockville, Maryland; Jacksonville, Florida; San Antonio, Texas; Mesa, Arizona; and Chicago, Illinois. ABC decentralized operations in 1995, distributing support to the Jacksonville, San Antonio, and Mesa regional offices, then establishing a data center in Jacksonville in 1997.

To ensure ongoing customer service from its distributed operating offices, ABC decided to implement a business recovery program that includes documented business recovery plans. When the plans are fully implemented, ABC will be in a position to continue operating if and when a disruption occurs. Without plans and accommodations for contingencies, ABC may not be able to fully recover from a significant disruption since critical information needed for its business may not be available. Listed below are areas that ABC is interested in accommodating:

· LAN servers and midrange systems to house critical applications

· PCs for employees to access third party and LAN applications

· Connectivity to the mainframe for critical applications and transfer protocols to/from Chicago MAIN COMPANY Home Office

· Mail sorters and other mail handling equipment

· Work space for key employees

· Voice communications

· Data transmission

· Vital records

· Various office automation mechanisms and supplies (printers, copiers, fax machines, etc.)

To better understand the impact of a business disruption to ABC and how this would affect its constituents, ABC engaged the XYZ Consulting Company (XYZ) to conduct a Business Impact Analysis (BIA). The BIA focuses on ABC’s computer systems and work area recovery, and addresses two major objectives:

· Determine operational impacts to ABC that would result from a worst case scenario business disruption – the complete loss of a regional office or of the Jacksonville Technology Center.

· Assist ABC in the development of a recovery strategy that will satisfy ABC’s Recovery Time Objectives (RTOs), which is the length of time from disaster declaration to full information system functionality.

Objectives

This study obtained business and system information to assess the impact to ABC’s operations from the sudden and unplanned loss of the Rockville headquarters, a regional office (Mesa, San Antonio, and Jacksonville) or the Jacksonville Technology Center. This study is essential to developing an effective business continuity strategy for ABC, since it outlines all of the background information required to justify further plan development. A recovery/continuity strategy will ensure that critical company functions and supporting systems will be restored within acceptable time frames after a disruption. The study was designed to answer the following questions:

· How well prepared is ABC to recover from an interruption that would affect employees’ access to their information systems?

· How would these interruptions impact ABC’s operations?

· What are ABC’s requirements for work areas and vital records during restoration?

· What preventative and recovery strategies can be employed to mitigate the impacts of a business disruption?

· Which strategies are most costly to implement, and which best suits ABC’s recovery requirements and RTOs?

Scope

ABC’s Request for Proposal (RFP) identified the following “critical” business functions that were the focus of our study, although a review of other business functions was necessary because they were integral components of the ABC business process flow:

· Customer Service

· Mail and Print Services

· Underwriting/Pricing

· Claims

· Eligibility and Enrollment

· Utilization Management

· Payroll and Human Resources Processing

· Facilities

· Purchasing

· Accounts Payable

· Financial Reporting

· Cash Management

· Treasury Services

As a result of our discussions, we conducted 32 interviews, gathering information from employees representing both business and technical/operations support functions. Four major steps were performed in this study:

· Assessed the impact on ABC’s employees and customers if claims administration capabilities are lost or severely interrupted.

· Recommended target RTOs, which represent the amount of time a company function can operate without computer or business function support while recovery efforts are underway.

· Summarized the hardware and work areas required to support critical company operations during recovery.

· Recommended appropriate recovery strategies that supply required resources within acceptable time frames to support critical operations in an economical manner.

Computer Systems/Locations Included

The following computer systems were included in the project scope:

· Mainframe

· LAN servers and midrange systems

· Electronic Data Interchange (EDI) systems

· Selected applications provided by third parties that were determined to be “critical” to the aforementioned business functions. (MetraHealth, DRG Pricing, Multi-Plan, FACETS, PHCS, etc.)

· Scanning systems and OCR

· CAS, CRW, and all supporting systems

· Mail preparation systems

· Mainframe interface protocols (file transfer, application access, and other communications)

The following locations were included in the project scope:

· Rockville Headquarters (163 employees)

· Jacksonville Regional Office (311 employees)

· Jacksonville Technology Center (146 employees)

· San Antonio Regional Office (215 employees)

· Mesa, Arizona Regional Office (215 employees)

· Chicago MAIN COMPANY Group Operations Home Office and Data Center (MAIN COMPANY Plaza) (NOTE: The number of employees in Chicago is irrelevant since less than 10 employees in this office have responsibilities that relate to ABC. Rather, the Chicago office is headquarters for another large company that is related to the insurance industry.)

Note: XYZ Consulting Company visited all of the above sites except for San Antonio and Mesa. It was assumed that the business functions performed at Jacksonville were similar to both San Antonio and Mesa and that our recommendations would be valid and apply to all three offices.

Assumptions

The following assumptions were made in the execution of the project:

· Data on the network, database and application mid-range servers are backed up, even though some systems do not have an off-site tape rotation methodology in place.

· The primary business disruption scenario that XYZ Consulting Company used, occurs either at one of ABC’s regional offices, the Jacksonville Technology Center, or the Rockville HQ. Because of the distance between the regional offices, it is assumed multiple regional offices will not be affected simultaneously by a disruption. By using this realistic scenario as our model, the recovery plan recommendation can include the use of ABC branch offices.

· ABC’s need for restoring computer systems and other supporting processes are the basis for selecting appropriate continuity strategy, since the primary ABC business processes are critically dependent on technology and technology-related entities.

Organization

Interviewees/Survey Participants

All of the following employees completed project surveys; those with asterisks next to their names were interviewed by XYZ Consulting Company:

Employee(s) who Completed the Form or Was Interviewed Department Location
Janet L. * Planning and Reporting Rockville
Dave R.* Technology Center Jacksonville
Carolyn R.* Customer Service Jacksonville
Bill S.* Customer Service Jacksonville
Kevin V.* Imaging Center Jacksonville
Greg N.* Imaging Center Jacksonville
Margaret L.* Imaging Center Operations Jacksonville
Gary F.* Technology Center Jacksonville
Ron H.* Systems Security/Help Desk Rockville
Harriet G.* Audit Services Rockville
Gene R.* Marketing Rockville
Mike S.* Facilities Rockville
Cyndi J.* Mail/Retrieval Rockville
Linda O.* Human Resources Rockville
Angie G.* Accounting/Treasury Services Rockville
Denise H.* Purchasing Rockville
Debbie Y.* Corporate Training & Development Rockville
Debbie H.* Payroll Rockville
Gloria G.* Exception Processing

Eligibility/Eligibility Reconciliations

Rockville
Nancy M.* Accounts Payable Rockville
Bonnie V.* Unix Chicago
Steve P.* Unix Chicago
Howie P.* Unix Chicago
Mary P.* EDI Chicago
June S.* CAS Chicago
Ben L.* CAS Chicago
Nate P.* Corp. Recovery/CSC Chicago
Terry C.* Capacity Planning Chicago
John B.* Print Management Chicago
Dave G.* Cash Management Chicago
Kelly F.* Underwriting and Reporting Chicago
Vicki H.* PCS, G/L Interfaces Chicago

Project Team Members

Project team members from ABC and XYZ Consulting Company included the following:

· Jim B., Project Lead, MAIN COMPANY

· Jim H., Project Manager, MAIN COMPANY

· Ron H., ABC, Rockville

· Jack S., Assistant Vice President, ABC, Rockville

· Mary S., Project Manager, XYZ Consulting Company

· Henry G., Sr. Consultant, XYZ Consulting Company

· Michael A., Managing Consultant, XYZ Consulting Company

Methodology/Approach

The XYZ Consulting Company project team completed the following tasks for the BIA:

· Conducted a project kickoff session with ABC senior managers to discuss the project and the information that would be collected.

· Distributed interview questionnaires to the ABC departmental key contacts for gathering information.

· Conducted interviews with key ABC employees to validate the information on the questionnaires and to discuss critical continuity-related issues.

· Evaluated the recovery capability of ABC’s current environment, outlining issues and risks.

· Analyzed and documented ABC’s information systems.

· Mapped systems and applications to ABC’s critical business processes.

· Analyzed business impacts, resource requirements, existing capabilities, and risks.

· Recommended Recovery Time Objectives (RTOs) and documented them in Section IV, Impact Analysis.

· Recommended appropriate recovery strategies capable of meeting ABC’s requirements.

II. Impact Analysis

Introduction

A Recovery Strategy is based on the fact that when “critical” computer and support systems are not available to users; important company processes cannot be performed in a timely and efficient manner. The length of time from declaring a disaster until computer resources are operational to support the most “critical” business processes is commonly referred to as Recovery Time Objective (RTO). “Critical” is defined as anything (process, computer or resource) required to continue operations (even in a “degraded” mode) should a business area, computer, or company facility be destroyed or inaccessible for a period of time as deemed unacceptable to ABC. The result of an interruption is generally a financial and/or operational impact to the business function that is affected. When a business function is unable to complete its work, ABC’s ability to support enrollees and providers is at risk.

Longer RTO time frames are frustrating to everyone especially since they will have significant impact on enrollee/provider service. Recovery time and data integrity requirements were developed by analyzing the impact information supplied by the business managers we interviewed. Major systems were assigned RTO time frames from four hours to greater than one month. RTOs were assigned based on analysis of the following criteria:

· Governmental/regulatory requirements

· System availability to regional offices (Mesa, San Antonio, Jacksonville, Rockville)

· Timeliness of providing financial information (the letter of credit, etc.) to the government and ABC corporate, while meeting reporting deadlines to regulatory agencies

· Timeliness of customer claims resolution

· Existence and effectiveness of alternate processing procedures.

In addition to RTOs, we also examined Recovery Point Objectives (RPOs), which is the amount of data that departments are willing to lose if a disruption occurs. The information in this section will show that the RPO for most of the departments we interviewed is 1 day. This means that they would like to have the previous day’s backup restored on the system if a disruption occurs. In this situation, data that was entered during the time between when the backup was taken to the point of the disruption is lost and would need to be re-entered into the system to be current. This assumes that data is backed up daily and that tapes are being sent to an offsite storage vendor every day.

The above-noted information was gathered by surveying and interviewing resources identified by ABC’s project team.

Financial Impacts

We gathered financial data by survey and interviews. We asked employees to estimate losses by category, over eight points in time ranging from four hours to one month. Dollar losses were expressed in 14 loss ranges extending from zero to $50+ million. These are ABC’s estimates developed by line managers and reviewed by CH. Listed on the following page are the financial categories along with their descriptions:

FINANCIAL IMPACT CATEGORY DESCRIPTION
Revenue Loss
Dollar impact of revenue that results from the inability to take and process new customer orders, need to direct customers to other insurance providers, loss of opportunity to sell/provide insurance.
Asset Loss Dollar impact of ABC’s assets that would result from a business disruption such as, work in progress, systems development, proprietary systems, etc.
Regulatory/Legal Dollar impacts from contractual agreements, suits brought by members/providers/U.S. Office of Personnel Management, sanctions, fines, penalties for failure to properly provide services or fulfill obligations, not fulfilling service level agreements, etc.
Human Resources Dollar impact that would result from idle employees’ payroll, health or profit sharing benefits which, if not provided, may result in employee hardship, the loss of employee support, penalties, strikes, etc.
Control Dollar impact that would result from: the use of alternate manual procedures; the lack of information related to cash management, investment management; the inability to manage risk; or the inability to determine quantities within inventory.
Additional Expense Dollar impact that would result from any additional expenses incurred with the start-up and continuation of business or company operations: necessity to purchase supplies; expenses incurred with the start-up and operation of a manual system; “stop gap” equipment and staff; and overtime to recover backlogged transactions.

Total Financial Losses for the entire company are on the next page. HOWEVER, IT DOES NOT CONTAIN FINANCIAL LOSSES FOR THE DIVISION/DEPARATMENTS THAT ARE INCLUDED IN THE CASE STUDY. AS A RESULT, DO NOT USE ANY OF THE FINANCIAL LOSS INFORMATION ON THE NEXT PAGE FOR JUSTIFYING ANY OF YOUR STRATEGIES IN THE CASE STUDY.

THE FOLLOWING LOSSES DO NOT INCLUDE LOSSES FOR THE DIVISION AND ITS DEPARTMENTS IN THE CASE STUDY. THUS, YOU CANNOT USE THE FIGURES BELOW FOR ANY JUSTIFICATION.

Financial Impacts of a Disruption to ABC
Type of Loss 4 Hours 8 Hours 1 Day 2 Days 3 Days 1 Week 2 Weeks 1 Month
Revenue Loss $0 $0 $0 $0 $0 $200,000 $450,000 $812,500
Asset Loss $75,000 $75,000 $75,000 $75,000 $75,000 $75,000 $75,000 $77,500
Regulatory/Legal $0 $0 $0 $0 $0 $208,000 $510,000 $925,000
Human Resources $207,500 $210,000 $220,000 $220,000 $1,320,000 $1,355,000 $1,385,000 $1,450,000
Control $0 $0 $0 $0 $2,500 $202,500 $452,500 $802,500
Additional Expenses $7,500 $17,500 $17,500 $23,500 $27,000 $79,000 $153,000 $373,500
Total $290,000 $302,500 $312,500 $318,500 $1,424,500 $2,119,500 $3,025,500 $4,441,000

In addition to the detailed loss information shown above, the figure below shows the same data in chart format.

The information in the above charts indicate that financial losses are minimal at the beginning of a business disruption. However, the financial losses increase and continue to do so the longer the disruption continues.

Impacts of an Outage for “Critical” Departments

This section summarizes the findings associated with the loss of key business functions and support systems for ABC; it provides a detailed summary of the departments where XYZ interviewed key contacts or from whom we received questionnaires. This information is also detailed in Appendix 3, Department RTOs, which is NOT included in this packet.

The analysis of each department’s criticality was based upon the information in Appendix 3. The third column of the chart in Appendix 3 titled “Department RTOs” indicates the RTOs requested by the listed departments. The RTO is the amount of time from disaster declaration to the moment when required information system resources are operational.

As is normally the case in projects of this nature, ABC departments often listed unrealistic, financially impracticable, and unattainable RTOs. Departments will occasionally lose perspective and fail to view their contribution to the organization in the proper context. Objective evaluation of a department – the relative importance of its business processes, interconnectivity/ interdependencies with other areas of the organization, and the formation of an acceptable RTO is imperative to the success of a business impact analysis.

To objectively determine RTOs, the team analyzed several components. First, we studied the effect of a sustained loss of the department on the future operations of ABC. For example, the following may have significant affects on the company:

· Delayed revenue should the letter of credit not reach the appropriate government contacts.

· Significant impact on customer service during a prolonged loss of communications and/or claims resolution abilities.

· A profound impact on ABC’s competitive edge resulting from a loss of underwriting capabilities if a disaster prevents calculation of proposal pricing information during the May-August time period.

The team also analyzed the relative functionality of a given department to determine the criticality of its business processes. Consequently, the departments that demonstrated the most profound impacts on ABC were those that affected revenue and customer service.

With this in mind, the team evaluated the criticality of a department’s functionality not only by the RTOs requested by the department representatives, but also by the relative importance assigned to the department based on business continuity standards and professional expertise. Our analysis showed that the key business, given the nature of ABC’s revenue source and the stability of its constituency, customer service/support-related functions are the most critical. ABC derives its revenue from a letter of credit submitted to the Office of Personnel Management (OPM) based upon cleared claim checks. Sustaining efficient operations and maintaining a high-level of customer service are the two primary business objectives, as customer (the Mail Handler’s Union) satisfaction results in ABC contract renewal, which in turn drives revenue. With this in mind, the most critical functions are those directly affecting ABC operations and customer relationships (communications and the timely/accurate payment of claims), such as:

· Customer Relations

· Claim Payment Activities

· Customer Phone Contact

· Operations/Administrative Services

These departments and their ancillary-service providers were rated highest and assigned lower RTOs. Other departments were assigned RTOs based upon:

· How their services impact the customer base

· How their functionality affects core operations

· Regulatory restrictions (financial reporting, government regulations, etc.)

· Revenue lost, penalties, etc.

The departments assigned still higher RTOs do not directly affect operations or customer service. Such departments include:

· Accounts Payable

· Eligibility Reconciliations

· Exception Processing

· Payroll (ABC has the ability to run payroll using the previous period’s data, so the effect on operations is minimal)

· Mail/Retrieval

· Corporate Training and Development

Consequently, this section contains a brief discussion of each business function that XYZ determined to be “critical” in this way (and not all business functions reviewed). A summary of each business function’s criticality is documented in Appendix 3, Department RTOs (this is NOT included in this document) and a list of the applications that are critical to the business functions are detailed in Appendix 2, RTOs and RPOs for Applications by Department.

Following is a brief discussion of the business functions that were determined to be “Critical” business functions: (NOTE: Appendix 3 was documented and discussed with ABC management prior to documenting the BIA. It was not until ABC and XYZ companies agreed to the RTOs in the fourth column that we started documenting this BIA.)

Rockville

Eligibility, Corporate Finance

The Eligibility Department performs two major functions: Enrolling and Disenrolling members. As a result, this area is critical in keeping CAS information current with regards to who is covered and who is not. Peak volumes begin in October and continue through February since enrollment begins and ends on the fiscal year. Maintenance of eligibility information occurs throughout the year.

If a business disruption were to occur, this area would be unable to keep membership records current. The greatest risk in this is that ABC may overpay or underpay claims. If ABC makes overpayments, money can be lost since it may never determine that the overpayment was made. On the other hand, if ABC makes underpayments, not only will this result in enrollee/provider dissatisfaction, but it will also result in creating extra work since claims may need to be reexamined and checks reissued. Because of the repercussions that overpayment and underpayments can create, the RTO of this area is 4 hours.

Planning and Reporting, Corporate Finance

This department performs financial planning and reporting business functions. Not unlike other accounting areas, its work is ‘time’ dependent in that there are regular cycles by which financial reports must be completed. ABC Planning and Reporting examples would include annual financial statements to the Office of Personnel Management, and quarterly tax schedule submissions.

MAS 90, an accounting software package that runs on a LAN server, is used regularly to prepare financial reports to ABC and ABC executive management. Journal entries are recorded in this application. Data is then extracted and fed to MS Excel for population into spreadsheet workbooks. These are used to do preliminary budgeting and financial forecasting. The data from this process is then sent back to the MAS 90 application for further detailed analysis. Financial reports for all five regional offices are prepared in this manner by the Rockville Office.

The MAS 90 application is also part of the process used to prepare and track cash management for ABC. Cash requests from the Government and ABC are recorded in MAS 90 as if they were real checks. Once recorded in this application, the data is extracted and placed in Excel spreadsheet format. Using a standalone, modem-equipped PC, ABC then accesses the First Bank of Maryland via bank provided software (First Facts), and uploads the Excel spreadsheet. The Bank applies monies pursuant to the cash requests. They also provide daily statements on clearings and balances back to ABC and the MAS 90 application.

In the event of disruption, Planning and Reporting indicated that it would experience a “major disruption” within 3 days of an outage. This is based upon the fact that the cash flow in ABC is daily, and any interruption would affect the Government, vendors, and ABC employees.

This 3 day RTO takes on added criticality based on the time of year in which it occurs. For example, it would be significant if it occurred in proximity to the fiscal year audit, September-October or if it occurred close to the required annual (calendar) report to the Office of Personnel Management (OPM).

The OPM data noted above, is backed up to tape on a daily basis but is not stored off-site. Instead, the tapes are stored on top of employees’ desks in the Rockville office. The LAN server on which MAS 90 runs, is backed up nightly. These tapes are sent offsite once each week to Data Resources, Inc.

Planning and Reporting has been assigned new tasks that are related to the clearing of claim checks at Wachovia Bank (assembling & forwarding information to Chicago Treasury Services for the daily LOC draw) and are critical because this enables ABC to receive its revenue. Because of this function, Planning and Reporting’s RTO is 3 days. Their hardware and software also has an RTO of 3 days along with an RPO of 0 due to Sarbanes-Oxley regulations.

Treasury Services, Corporate Finance

The Treasury Services Department is responsible for the daily cash management, which includes: bank reconciliations; addition of claim expenses to the Letter of Credit; and daily deposit of incoming checks. Each day, the Treasury Services Department provides claim expense summary information for the Letter of Credit, which is submitted to the government (Office of Personnel Management) for revenue and acceptance.

The Letter of Credit is the primary revenue mechanism for ABC, as the government reimbursement for claims paid is a key component of the company’s core financial sustenance. Daily cash deposits/reconciliations made to the First National Bank of Maryland are also critical, since the loss of investment income represents a vast opportunity cost should the deposit mechanisms fail. In general, proper cash flow is crucial to the financial well-being of a corporation, and ABC is no exception. For these reasons, the department’s RTO is 1 day and all hardware/software used has an RTO of 1 day and an RPO of 0.

Human Resources

This department performs the basic human resource functions, such as:

· Data entry changes in payroll for changes to employee status and pay rate.

· Data entry of changes to employee benefits status and elections.

· Weekly, monthly, quarterly, annual and ad hoc reporting of corporate personnel statistics.

· Recruiting.

Each region maintains its own paper personnel files, except for Chicago ABC employees. The latter files are stored in Rockville. Human Resources will experience a major disruption to its business functions depending on when, in the payroll cycle, an outage occurs since it is responsible for entering any changes to status, pay or benefits. This process typically begins the Monday preceding the first Friday of a 2-week pay period.

Human Resources maintains paper-based personnel files which are critical. Each region maintains its own personnel files except for the Chicago ABC files, which are maintained in Rockville. However, benefit files for all ABC employees are in Rockville. This poses a risk in that if the Rockville facility is destroyed, all of these files are destroyed as well. Even so, it may be sufficient that the same data is also maintained on the HR software on ABC’s computer system, which would enable the information to be recreated.

HR is critical because it will be heavily involved in restore activities in such areas as communications, staffing issues, etc. As a result, the RTO for HR is 4 hours.

Facilities

Facilities is responsible for all basic building operations for the Rockville building which includes, but is not limited to, the following: security; HVAC; office moves; construction, etc.

In the event of a disruption, Facilities indicated that they would experience a “major disruption” within two days of an outage. Facilities indicated that it has an RTO of 2 days since it would not have access to scheduled maintenance files and related shared files.

Because of the inherent nature of contemporary infrastructure support systems, Facilities indicates that its application data must be current within the last completed daily application cycle, or an RPO of 1 day.

Facilities has a well written contingency plan for evacuation of its Rockville office. An addendum to this plan includes handling of inclement weather situations in the Rockville area. There is also a Standard Operating Procedures manual detailing Facilities’ security procedures for Rockville. These plans include call-up lists, and are current within six months. Similar plans exist for the Jacksonville, Mesa and San Antonio Regional Offices.

Non-financial impacts of a business outage are expressed by Facilities as somewhat minimal through the first day of an outage. They become somewhat to very significant on the second day and thereafter.

In order to perform its business functions outside of the existing ABC office environment, Facilities indicates a need for a variety of ‘vital records.’ These would include vendor logs, emergency contact records, floor plans, etc. Most of these records exist in both electronic and hardcopy format. All are currently stored onsite at Rockville with no off-site backups.

Facilities will be instrumental in restoring ABC if it experiences a business disruption. Even though Facilities requested an RTO of 2 days, ABC agreed to our recommendation of an RTO of 4 hours since they will be heavily involved in restoration activities.

Administration Services, Operations

The Administration Services Department oversees the ABC operations support help desk and all system security. ABC Headquarters maintains a help desk to assist employees who utilize the distributed and mainframe technology, from the desktop to the corporate repositories. Each regional office also operates a help desk to provide onsite support for technology-related problems.

System security is important to ABC’s technical, operational, and financial well-being, as vital company data needs to be protected from “hackers” and internal access to sensitive information needs to be regulated. Administration Services maintains a matrix for each internal position outlining the specific accessible functions based on job description and executive input.

Availability of the Help Desk and Security functions is mission-critical when a disruption occurs for several reasons:

· A support mechanism must become fully operational before different information systems are restored.

· A liaison between executive management and the technical experts restoring the information systems is a must.

· Data security is imperative during a disruption, and system order must be maintained.

· In order to restore proper desktop functionality, system access and function restrictions must be administered and security policies enforced.

Since the Administration Services business units are so vital to the system recovery process at its early stages, a 4 hour RTO is required. This area’s RTO for its hardware/software is 4 hours and its RPO is 1 day.

ABC Home Office

Underwriting and Reporting, Operations

Located in ABC Home Office, Underwriting and Reporting is responsible for researching, strategizing and pricing ABC’s health insurance plan for the proposal that ABC submits to the U.S. Government. The process is as follows:

1. Each year this process begins March 31, when ABC receives a call letter for providing health insurance to the National Postal Mail Handlers Union.

2. ABC must respond with its proposal by May 31.

3. In June, the government allows ABC to reprice its proposal which is due back to the government in August.

To complete the proposal, volumes of claims experience reports are run; “what if” scenarios are generated on various pricing and benefit models. These are COBOL reports generated from the CAS system in the Jacksonville Technology Center. Looking for trends, these reports and “what if” scenarios are produced for the sole purpose of being able to price ABC’s insurance plans. Without accurate information, ABC would not be able to price accurately which could result in a revenue loss. Additionally, pricing also affects ABC’s ability to compete with other plans. The importance of the latter cannot be underestimated since many enrollees not only base their decisions on what the plans cover, but also on the monthly plan costs. If priced incorrectly, ABC would lose its ability to compete with other plans.

April, May, July and November are critical times for this area. Technically, if ABC misses the May 31 submission date, the government can eliminate ABC as a provider. If this were to occur, ABC would be out of business since its sole purpose is to provide health, dental and prescription insurance to government employees. Even though the RTO would be 1 day if the disaster were to occur during April, May, July or November and 2 weeks at all other times during the year, we always assume worst case scenario in BC planning. Consequently, we assume that the disaster occurs during these crucial months, meaning that the RTO for this department is 1 day. This department also relies upon the mainframe in the Jacksonville Technology Center. The RTO and RPO for this hardware and software is 1 day as well.

Jacksonville Image Center—Jacksonville Technology Center

Paper claims and correspondence are scanned into ABC’s computer system and stored as images. Approximately 162,600 documents are received and scanned each week. Since 60% of total claims are scanned into the image system, a disruption of this system would affect ABC’s ability to start the claims paying process. A delay in inputting claims would result in a delay in revenue receipts since ABC is paid when checks, paid to enrollees and providers, are cashed and cleared. Enrollee and provider satisfaction would also be affected from the claims being paid late.

The process is comprised of multiple steps which are discussed below in the following sections:

· Incoming Mail Prep

· Claims Scanning

· OCR/Repair

· Claims Processing Including EDI

· Mail Out.

All of these components are located in the same building as the Jacksonville Technology Center and are discussed below.

Incoming Mail Prep

This is the start of the Imaging process. With this step, all incoming mail is organized and sorted for further handling. Approximately 150,000 individual paper documents are received each week. This process starts at approximately 7:30 a.m. every day, Monday through Friday, which is when the courier delivers the mail to the Jacksonville Technology Center.

Ten Opex machines are used to open and sort incoming paper claims by claim type and number of pages. Employees batch their work in stacks of approximately 100 pages. A header sheet is added to each batch and placed in one of two tubs in the staging area. The batches are then ready to be scanned into the computers.

Since the incoming mail preparation process is integral to the successful completion of the Image scanning life cycle, it has a 2 day RTO. The Image systems are critically dependent upon the mail preparation process, as claims/correspondence documents need to be received, sorted, scanned, and stored before entry into the CAS system.

Claims Scanning

After the claims are batched and placed into tubs, they are sent to Claims Scanning. On a batch-by-batch basis, employees feed claims into 8 Kodak 990 scanners which scan the documents into images on the computers. Without this process, paper claims, correspondence, etc. cannot be scanned into the computer and saved in image format. Alternative methods, such as microfilm (which was used by ABC prior to its conversion to Image in 1998), would need to be used if this process were not available. This may be less accurate because of the manual processes involved. This may result in late claims which could cause a loss of new and existing enrollees. Because of these consequences, the RTO of this function should be reduced from 3 to 2 days.

OCR/Repair

This process involves the use of OCR technology along with a more “manual” process to correct unreadable information on a scanned document. OCR technology is faster since it automatically highlights unreadable characters, which the operator then corrects from the paper document. Quick Data Input (QDI), which is more of a “manual” process than OCR, involves the operator reviewing the scanned document on the screen and correcting information that appears unreadable. After this process, data is transferred to the Electronic Data Interchange (EDI) application on the mainframe. It is then uploaded and updates CAS on a nightly basis.

An Optical Jukebox stores the scanned images. On a nightly basis, image updates are transmitted nightly to local servers in Mesa and San Antonio to speed retrieval and access. However, this is not required in the Jacksonville regional office since it is connected to the Jacksonville Technology Center via an NMLI connection.

OCR/Repair is an important step in the image process since unreadable material is corrected; without this step, information may be missing, illegible or incorrect, which can affect the ability to process a claim correctly. This could actually lead to a loss of revenue since a large number of claims may be reimbursed incorrectly and since claims may be approved even though they should have been denied.As a result of such risks, the RTO of this function is 2 days.

Imaging Center

80% of incoming claims are EDI based. These claims are received in a variety of electronic and tape formats. EDI claims bypass the entire Image process which is approximately three days from paper to EDI format. Therefore, it could be said that EDI claims “hit” the system quicker than those that come in via paper.

These claims generally have a greater opportunity to complete the adjudication process in a timely manner. Recovery of the basic ability to receive EDI claim transactions would have a priority over the recovery of the Image process since EDI directly feeds into the CAS system and eliminates the need to convert from paper to image to EDI, which is a three day process. Additionally, the Image process requires that additional equipment be installed (Kodak scanners, Sybase server, Optical Jukebox, etc.), whereas EDI does not.

We understand that ABC’s goal is to continue to increase the percent of EDI to more than 90% of total volume. By increasing the percent of claims received in EDI format, it will become easier for ABC to recover from a disruption because of decreasing dependence upon Image. This is because Image is a “people” and equipment intensive process. Thus, the RTO for this department is 2 days.

Mail Out

The primary print load consists of EOBs, checks and, during open enrollment season, various customer mailings. EOBs and checks are generated as a result of claims processing activities that are heavily dependent upon both internal and external claim systems. This type of outbound mail and the internal transactional processing activity that generates the checks/EOBs have specific time/service requirements that are contractually mandated by OPM. The RTO of this area is dependent upon when the ability to generate checks, EOBs, mailings, etc., since this function provides the output. The RTO of this function is 1 day since this follows the generation of checks.

Regional Operations

Note:Each of the following 4 departments reside in the Jacksonville Regional Operations. Additionally, each of these departments also reside in the following locations: San Antonio, Texas and Mesa, Arizona. The same tasks are completed at each of these offices.

Call Routing is used among the three Regional Offices in Jacksonville, San Antonio and in Mesa. If Jacksonville has a short-term outage, they route their incoming calls to Mesa and/or San Antonio where they are answered by the appropriate department. Calls from any of the other two regional offices can also be rerouted similarly. As a result, calls can be answered by any of these offices since they reside in the CRW application which is stored on LAN Servers. NOTE THAT CALL ROUTING IS NOT AN AUTOMATIC FUNCTION; RATHER, IT MUST BE ACTIVATED WHEN/AS NEEDED.

Customer Relations

Jacksonville is one of three regional offices. It encompasses Claim Payment Activities and Customer Phone Contact (each is discussed below) which includes incoming calls, correspondence and electronic and Image claims. This is a priority area since this is the service that ABC provides its customers. If the regional office is not available, there is a possibility that new and existing enrollees may be lost. This will impact ABC’s revenue and its contribution to the Corporation’s bottom line. Customer Relations incorporates the following departments that are documented in this section: Claim Payment Activities; Customer Phone Contact; and Utilization Management. The RTO of this department and all of the previously-mentioned departments in this section is 4 hours.

Customer Phone Contact

Incoming customer calls are handled in each of the three regional offices. These claims-related calls are made by providers and enrollees and are answered by CRAs. All questions are entered into CRW and remain in the system along with the claim information. The Jacksonville office answers an average of 6,000 incoming calls each week. Communications with ABC’s providers and enrollees via telephone is critical during a disruption. Not only is this important in maintaining enrollees and providers, but it is also important in maintaining an environment of stability in spite of a business disruption that may be communicated publicly through the media. The RTO of this function is 4 hours.

Utilization Management (Precertification)

This function is performed by nurses in the three regional offices by accessing OptiMed, a proprietary system operated by PHCS. This function provides precertification for hospital stays, surgical procedures, diagnostic procedures, etc. Precertification, mandated by the OPM, can be performed manually; however, additional personnel would be required to accommodate the volume of calls. If not available, ABC may be liable for procedures that they would not have authorized but were performed because precertification could not be contacted. The RTO of this function is 4 hours.

Claim Payment Activities

Claims that are not self-adjudicated are processed by employees in the regional offices using CAS, which operates on multiple midrange systems (see Appendix 2) located in the Jacksonville Technology Center. Workflow routing software automatically routes claims to regions based on zip codes. Claims then appear on the Customer Relations Workstations by date; the oldest claims appear first for claims payment. If this process is not available, claims may not be processed in a timely manner. This may affect enrollee satisfaction as well as the potential loss of existing and new enrollees. Therefore, the RTO of this area is 4 hours.

III. Additional Information Related to Final Exam

Jacksonville Technology/Image Center

The Jacksonville Technology/Image Center is the Primary Data Center for ABC. It is TOTALLY SEPARATE from the Jacksonville Regional Operations even though it is in Jacksonville, Florida.

The following offices use hardware and software that are located in that facility:

–Jacksonville Regional Operations

–Mesa, Arizona Regional Operations

–San Antonio, Texas Regional Operations

All of the applications for which you are recommending a Disaster Recovery Strategy reside in the Jacksonville Technology/Image Center. As a result, none of the applications reside in any of the Regional Operations offices noted above.

Number of Employees in Each Facility/Location

See Page 4 of this Case Study for this information.

Notation for Location of Disaster Recovery and Work Area Recovery Strategies

A Home Office in Chicago is mentioned in this Case Study. You cannot use this facility/location for a Hot Site or Work Area since it belongs to and is occupied by the Parent Company. Additionally, they have no space for additional equipment in their Data Center nor do they have any space in their offices for employees for Work Area Recovery.

HIPAA (Health Insurance Portability and Accountability Act)—UP TO THREE (3) BONUS POINTS ADDED TO YOUR FINAL EXAM GRADE IF YOU INCLUDE THIS IN APPROPRIATE AREAS!!!

Since ABC is a health insurance company, the privacy rules that are legislated under the Health Insurance Portability and Accountability Act (HIPAA), are a concern. This is because ABC could incur fines if patient healthcare information is not kept private.

HINT: Since this applies to ABC, students should spend a few minutes investigating this important Act.

AN EVEN BIGGER HINT: HIPAA should be referred to in 3 APPROPRIATE AREAS of your Final Exam. Also, while you do not need to provide pages of explanations regarding what HIPAA is, you do need to give an idea WHAT this Act involves! If you do NOT, YOU WILL NOT EARN UP TO 3 BONUS POINTS THAT WILL BE ADDED TO YOUR FINAL EXAM GRADE!!!

Total Financial Losses (All Departments Combined)

Revenue Loss 4 Hours 8 Hours 1 Day 2 Days 3 Days 1 Week 2 Weeks 1 Month 0 0 0 0 0 200000 450000 812500 Asset Loss 4 Hours 8 Hours 1 Day 2 Days 3 Days 1 Week 2 Weeks 1 Month 75000 75000 75000 75000 75000 75000 75000 77500 Regulatory/Legal 4 Hours 8 Hours 1 Day 2 Days 3 Days 1 Week 2 Weeks 1 Month 0 0 0 0 0 208000 510000 925000 Human Resources 4 Hours 8 Hours 1 Day 2 Days 3 Days 1 Week 2 Weeks 1 Month 207500 210000 220000 220000 1320000 1355000 1385000 1450000 Control 4 Hours 8 Hours 1 Day 2 Days 3 Days 1 Week 2 Weeks 1 Month 0 0 0 0 2500 202500 452500 802500 Additional Expenses 4 Hours 8 Hours 1 Day 2 Days 3 Days 1 Week 2 Weeks 1 Month 7500 17500 17500 23500 27000 79000 153000 373500 Total 4 Hours 8 Hours 1 Day 2 Days 3 Days 1 Week 2 Weeks 1 Month 290000 302500 312500 318500 1424500 2119500 3025500 44410001

Final–Apdx1–Work Area Recovery Requirements.xls

Appendix5

Workarea Requirements by Recovery Time Objectives Rockville, Maryland Client Home Office Jacksonville Technology/Image Center Jacksonville Regional Operations Work Area Requirement Totals
Corporate Finance Human Resources & Facilities Marketing Operations Underwriting and ReportingA Imaging Center OCR/Repair Claims Scanning Incoming Mail Prep Mail Out Customer Relations Claim Payment Activities Customer Phone Contact Utilization Management
Audit Services Accounts Payable Eligibility Eligibility Reconciliations Exception Processing Payroll Planning & Reporting Purchasing Treasury Services Human Resources Mail/Retrieval Corporate Training & Dev. Facilities Administration Services/Help Desk/Claim Team Rockville, Maryland Jacksonville, Florida Data Center Jacksonville, Florida Regional Office
Total # Employees in Department 26 6 4 7 22 7 7 3 6 12 8 2 3 21 29 NAA 86 NAB 10 43 7 311C 163 146 311
<4 HOURS
-Items Needed at Work Space
–Number of PCs 15 6 4 0 0 0 0 0 0 4 0 0 3 0 10 0 0 0 0 311 42 0 311
–Number of Desks 26 6 4 0 0 0 0 0 0 4 0 0 3 0 10 0 0 0 0 311 53 0 311
–Number of Phones 26 6 4 0 0 0 0 0 0 4 0 0 3 0 10 0 0 0 0 311 53 0 311
Total # Desks @Alt Site, 4 Hours 26 6 4 0 0 0 0 0 0 4 0 0 3 0 10 0 0 0 0 311 53 0 311
Total # PCs @Alt Site, 4 Hours 15 6 4 0 0 0 0 0 0 4 0 0 3 0 10 0 0 0 0 311 42 0 311
8 HOURS
-Items Needed at Work Space
–Number of PCs 15 6 4 0 0 0 0 0 0 4 0 0 3 0 20 0 0 0 0 311 52 0 311
–Number of Desks 26 6 4 0 0 0 0 0 0 4 0 0 3 0 20 0 0 0 0 311 63 0 311
–Number of Phones 26 6 4 0 0 0 0 0 0 4 0 0 3 0 20 0 0 0 0 311 63 0 311
Total # Desks @Alt Site, 8 Hours 26 6 4 0 0 0 0 0 0 4 0 0 3 0 20 0 0 0 0 311 63 0 311
Total # PCs @Alt Site, 8 Hours 15 6 4 0 0 0 0 0 0 4 0 0 3 0 20 0 0 0 0 311 52 0 311
1 DAY
-Items Needed at Work Space
–Number of PCs 20 6 4 0 0 0 0 1 6 4 0 0 3 0 29 0 0 0 2 311 73 2 311
–Number of Desks 26 6 4 0 0 0 0 1 6 4 0 0 3 0 29 0 0 0 2 311 79 2 311
–Number of Phones 26 6 4 0 0 0 0 1 6 4 0 0 3 0 29 0 0 0 2 311 79 2 311
Total # Desks @Alt Site, 1 Day 26 6 4 0 0 0 0 1 6 4 0 0 3 0 29 0 0 0 2 311 79 2 311
Total # PCs @Alt Site, 1 Day 20 6 4 0 0 0 0 1 6 4 0 0 3 0 29 0 0 0 2 311 73 2 311
2 DAYS
-Items Needed at Work Space
–Number of PCs 20 6 4 0 0 0 0 1 6 12 0 0 3 0 29 32 10 43 5 311 81 90 311
–Number of Desks 26 6 4 0 0 0 0 1 6 12 0 0 3 11 29 32 10 43 5 311 98 90 311
–Number of Phones 26 6 4 0 0 0 0 1 6 12 0 0 3 11 29 32 10 43 5 311 98 90 311
Total # Desks @Alt Site, 2 Days 26 6 4 0 0 0 0 1 6 12 0 0 3 11 29 32 10 43 5 311 98 90 311
Total # PCs @Alt Site, 2 Days 20 6 4 0 0 0 0 1 6 12 0 0 3 11 29 32 10 43 5 311 81 90 311
3 DAYS
-Items Needed at Work Space
–Number of PCs 20 6 4 0 0 0 1 3 6 12 2 0 3 0 29 32 10 43 7 311 86 92 311
–Number of Desks 26 6 4 0 0 0 1 3 6 12 8 0 3 11 29 32 10 43 7 311 109 92 311
–Number of Phones 26 6 4 0 0 0 1 3 6 12 8 0 3 11 29 32 10 43 7 311 109 92 311
Total # Desks @Alt Site, 3 Days 26 6 4 0 0 0 1 3 6 12 8 0 3 11 29 32 10 43 7 311 109 92 311
Total # PCs @Alt Site, 3 Days 20 6 4 0 0 0 1 3 6 12 2 0 3 11 29 32 10 43 7 311 86 92 311
1 WEEK
-Items Needed at Work Space
–Number of PCs 26 6 4 0 0 7 7 3 6 12 2 0 3 0 29 32 10 43 7 311 105 92 311
–Number of Desks 26 6 4 0 0 7 7 3 6 12 8 0 3 11 29 32 10 43 7 311 122 92 311
–Number of Phones 26 6 4 0 0 7 7 3 6 12 8 0 3 11 29 32 10 43 7 311 122 92 311
Total # Desks @Alt Site, 1 Week 26 6 4 0 0 7 7 3 6 12 8 0 3 11 29 32 10 43 7 311 122 92 311
Total # PCs @Alt Site, 1 Week 26 6 4 0 0 7 7 3 6 12 2 0 3 11 29 32 10 43 7 311 105 92 311
2 WEEKS
-Items Needed at Work Space
–Number of PCs 26 6 4 0 10 7 7 3 6 12 2 0 3 0 29 86 10 43 7 311 115 146 311
–Number of Desks 26 6 4 0 10 7 7 3 6 12 8 0 3 11 29 86 10 43 7 311 132 146 311
–Number of Phones 26 6 4 0 10 7 7 3 6 12 8 0 3 11 29 86 10 43 7 311 132 146 311
Total # Desks @Alt Site, 2 Weeks 26 6 4 0 10 7 7 3 6 12 8 0 3 11 29 86 10 43 7 311 132 146 311
Total # PCs @Alt Site, 2 Weeks 26 6 4 0 10 7 7 3 6 12 2 0 3 11 29 86 10 43 7 311 115 146 311
1 MONTH
-Items Needed at Work Space
–Number of PCs 26 6 4 7 10 7 7 3 6 12 2 2 3 0 29 86 10 43 7 311 124 146 311
–Number of Desks 26 6 4 7 10 7 7 3 6 12 8 2 3 11 29 86 10 43 7 311 141 146 311
–Number of Phones 26 6 4 7 10 7 7 3 6 12 8 2 3 11 29 86 10 43 7 311 141 146 311
Total # Desks @Alt Site, 1 Month 26 6 4 7 10 7 7 3 6 12 8 2 3 11 29 86 10 43 7 311 141 146 311
Total # PCs @Alt Site, 1 Month 26 6 4 7 10 7 7 3 6 12 2 2 3 11 29 86 10 43 7 311 124 146 311
&C&”Arial,Bold”&16Final–Apdx1–Work Area Recovery Requirements&R&8Page &P
&L&XA&XNot applicable; This is in Chicago and out of scope. &XB&XNot applicable; Numbers for this department are included in Imaging Center. &XC&XIncludes employees in all 4 departments in Jacksonville Regional Operations. (c)Mary Sandy, CBCP, 2018

Sheet2

Sheet3

Final–Apdx2–RTOs and RPOs for Applications by Department.xls

Appendix6

Applications Function Platform/Location Rockville, Maryland Client Home Office Jacksonville Technology/Image Center Jacksonville Regional Operations
Corporate Finance Human Resources & Facilities Marketing Ops Underwriting and Reporting
Location Midrange, Mainframe, LAN Server, External Provider or Other External Provider/Svc Bureau Audit Services Accounts Payable Eligibility Eligibility Reconciliations Exception Processing Payroll Planning & Reporting Purchasing Treasury Services Human Resources Mail/Retrieval Corp. Trng. & Dev. Facilities Admin Svcs/Help Desk/Claims Team Imaging Center OCR/Repair Claims Scanning Incoming Mail Prep Mail Out Customer Relations Claim Pmt. Activities Customer Phone Contact Utilization Mgmt.
Access Database software Rockville LAN 4hB 3dA 3dB 4hB
ADP Payroll Processing Rockville Cloud Computing Vendor X 1wA
AutoCAD Lite Blueprint Reading Software Rockville LAN 4hB
Bank of Maryland Rockville Cloud Computing Vendor X
BRASS Claims Clearing Info. For the Letter of Credit Jacksonville Midrange 1dA
CAS Claims Adjudication System Jacksonville 40 Midrange 4hB 2wB 1dA 3dB 1dB 4hB 1dB 2dB 2dB 4hB
CHS Eligibility Jacksonville Midrange 4hB 1mB
Claims EDI Electronic Data Interchange Jacksonville Midrange 2dB
CRW Customer Relations Workstation Jacksonville LAN 4hB 2wB 1dB 4hB
Disease Management Part of PHCS Unknown Cloud Computing Vendor X
DRG Pricing Over 65 w/o Medicare Information Jacksonville Cloud Computing Vendor X 4hB
EDIM Imaging System Jacksonville Other 4hB 4hB 4hB
E-mail (MS Exchange) Internal/External Communication Rockville LAN 1mB 2wB 3dA 1dA 3dB 4hB 4hB
FACETS Pre-Certification Jacksonville Cloud Computing Vendor X 4hB
FileNet OCR Sybase DB with Scanned Images Jacksonville LAN 2dB 2dB
First Money Mover Electronic Data Interchange (EDI) (ACH) with First Maryland Bank Rockville Cloud Computing Vendor X 4hA 1wA 3dA 1dA
Goldman Sachs FILM Investment account Chicago Cloud Computing Vendor X 1dA
HRIS Human Resources Tracking Rockville Midrange 4hB
KCMG Security/Help Desk Rockville LAN 4hB
KMS Rockville Unknown 3dB
SharePoint Document Management Rockville LAN 3dA
MAS 90 Accounting, Financial Information Rockville LAN 4hA 3dA 3dB
MetraHealth Medicare Claims Pricing/Information Jacksonville Cloud Computing Vendor X 4hB
Multi-Plan Secondary PPO with Fee Schedules Jacksonville Cloud Computing Vendor X 4hB
Office Products Spreadsheet/Word Processing All LAN 1mB 2wB 3dA 1dA 4hB 3dB 1mB 4hB 1dB 2dB 2dB 1dB
PCS Prescription Drug System Jacksonville 4 Mainframes 4hB
PHCS – Optimed Pre-Certification Jacksonville Cloud Computing Vendor X 4hB
QDI/OCR/Indexing Imaging – Paper Claims to a CD Jacksonville LAN 2dB
Sales Control Marketing Rockville Mainframe 1dB
SAS enterprise Statistical Reporting Jacksonville Mainframe 4hB 1dB
Scanning Systems Scanning – General Jacksonville Other 2dB
TSO Security/Help Desk Jacksonville Mainframe 4hB
Wachovia Dial-up EDI functions Rockville Cloud Computing Vendor X 2wB 1dA
Workflow Routing Claims Routing Jacksonville 15 LAN 4hB
&C&”Arial,Bold”&16Final–Appendix 2–RTOs and RPOs for Applications by Department&R&8Page &P
&LNOTE: The number in each Cell represents the RTO; the superscript represents the RPO as indicated below.&X A&XRPO is 0. &XB&XRPO is 1 day. h = Hour; d = Day; w = Week; m = Month. (c) Mary Sandy, CBCP, 2018

Sheet2

Sheet3

SUMMER I 2018 Final Exam Notes and Bonus Point Information-Updated June 28.docx

SUMMER I 2018 Final Exam Notes and Bonus Point Information—Updated June 28

EXAM METHOD

Take-home Case Study.

“DROP DEAD” DUE DATE

9:00 AM (Morning, Chicago Time), WEDNESDAY, JULY 11, which is our Final Class. This is the ON-TIME SUBMISSION since this is the formal due date/time of your Final Exam. Any submission after this date/time is considered LATE.

SUBMISSION REQUIREMENTS

1. Final Due Date is WEDNESDAY, JULY 11 at 9:00 AM.

2. 10% Penalty deducted for LATE submissions after MIDNIGHT, JULY 14.

3. Cutoff Date is SATURDAY, JULY 14 AT MIDNIGHT. ALL EXAMS MUST BE SUBMITTED BY THIS DATE/TIME since grades are due the following week.

BONUS POINT INFORMATION FOR ALL STUDENTS

BONUS POINTS IF SUBMITTED EARLIER THAN “DROP DEAD” DUE DATE:

(THE BONUS POINTS ONLY APPLY TO YOUR FINAL EXAM GRADE AND NOT TO YOUR TOTAL GRADE)

· 8% Bonus of Final Exam Grade if Submitted by NOON (CHICAGO TIME) ON SATURDAY, JULY 7.

· 4% Bonus of Final Exam Grade if Submitted by 6:00 AM (MORNING, CHICAGO TIME) ON MONDAY, JULY 9.

· NO BONUS POINTS IF SUBMITTED ANY TIME AFTER 6:00 AM ON MONDAY, JULY 9.

BONUS POINTS ARE ONLY AVAILABLE IF THE FOLLOWING CRITERIA ARE ALSO MET

1. ALL COURSE HOMEWORK IS COMPLETED AND SUBMITTED BY 6:00 AM ON TUESDAY, JULY 3.

2. IN CLASS STUDENTS MUST ALSO ATTEND CLASSES ON THE FOLLOWING DATES IN THEIR ENTIRETY: JULY 2, 9 and 11.