Business Continuity Program

Verisk employs a Business Continuity Program (“BC Program”) as required by its Information Security Policy Framework document (“Policy”). The Policy states that critical business processes are required to have formally developed contingency plans in the event of a business disruption. The BC Program defines a set of standards for Verisk that include the responsibilities, methodology, and processes Verisk employs to design, implement, and maintain Business Continuity Management Systems (“BCMS”) compliant with ISO 22301:2019 requirements.

Program Structure

Verisk’s BC Program structure consists of a Crisis Management team (also referred to as the “Crisis Communication” team or “CCT”) led by the head of Global Protection Services, an Emergency Management team, a Business Continuity team, and a Disaster Recovery team. When the Crisis Communication team is made aware of a potential incident, it will evaluate whether the potential incident is an event that requires action. In the case that an event requires action, the CCT will coordinate with each of the teams mentioned above to determine the appropriate response.

The Crisis Communication team provides oversight to steer the strategic decision making and communicate with key stakeholders. They will also be responsible to oversee and coordinate the deployment of all firm resources for agreed emergency management (e.g., life safety), respond and guide the business to recover, (e.g., Business Continuity/Disaster Recovery Plan actions), and resume and restore business to normal operations (e.g., deactivation) once the event is resolved.

Crisis Management

Plan Activation

Plan activation is both strategic and tactical. From a strategic perspective, the CCT will work with local crisis teams to understand current business impacts, priorities, and appropriate communications. From a tactical perspective, they ensure the appropriate funding and resources are available for recovery.

Verisk Business Continuity Management Systems Standards

Verisk Business Continuity Management Systems Standards set a minimum acceptable level of business continuity requirements for critical processes and functions. These procedures should be used in conjunction with other regulatory and business requirements (e.g., customer contract).

The Business Continuity Program comprises four phases:

1. Business Impact Analysis (BIA): the process of analyzing activities and the effect that a business disruption or interruption might have on them.
2. Recovery Strategy Review, Approval, and Prioritization: the process of determining, approving, and prioritizing alternative methods for workforce, facilities, and system operations in the event of a disaster.
3. Business Continuity Plans: the documented procedures that guide business areas to respond, recover, resume, and restore to a predefined level of operation following a disruption.
4. Testing of the Business Continuity Plans (Exercise): the process to train for, assess, practice, and improve business continuity recovery protocols and procedures.

The BIA methodology identifies process dependencies and people skills required to maintain operations, processes, and functions and ensure that these operations are appropriately protected, resulting in resiliency. The Recovery Strategy Review allows the business continuity plan owner to review and approve the process recovery times and strategies before the BCP is created.

Verisk’s BCP allows continuity of critical business processes in the event of an incident that renders facilities and computer systems inoperable and/or employees unavailable. The provisions of the BCP can be used as the basis for providing guidance, preparing for, and effecting recovery activities in conjunction with senior management’s direction. The business continuity plan is a cumulation of the BIA(s) and Recovery Strategy session with the business process owner.

The Business Continuity Management System components (i.e., CM, ER, BIA, BCP, DRP, DR/BC Exercise) are reviewed and updated at a minimum annually or when significant business changes occur (e.g., changes to service, merger, technology) and are approved and authorized by Verisk senior management.