Mid-to-large enterprises in Asia today carry a data protection (DP) and a disaster recovery (DR) strategy as part of their portfolio of services. What has been changing is the impact of emerging technologies such as cloud computing on how internal management views the viability of outsourcing DP and DR to an external party. The rationale behind DP and DR has not changed significantly, but the complexity of undertaking them and the degree of understanding of the tools available have grown significantly, allowing organizations to focus on what is important – their business.
An interview with Suk-Wah Kwok, Regional Chief Information Officer - Asia Pacific, Lockton Companies (Hong Kong) Ltd, provides insight into the business side of DP and DR. Ranked 9th in the world, Lockton Companies is the world’s largest privately owned insurance broker. An outspoken and candid technologist, Suk-Wah is a familiar face in Hong Kong’s IT landscape.
How does a financial service company define data protection and disaster recovery?
SWK: In our business, we have two kinds of critical data: corporate data and client data. With data protection we are charged with protecting both data from unauthorised and unintended use and access. Data protection is about recognising the criticality of all data categories, how they are being used, how they should be used, how leakage and misuse can occur, and where the exposure and risks are for the company, and finding ways to mitigate such risks.
For me, disaster recovery is a set of measures designed to ensure reasonable and acceptable recovery of IT services to meet business demand. In the insurance industry, our goal is to ensure business exposure is kept to a minimum. In this regard, what IT does has to be related to what the business commits to the client. Our clients are mostly corporate clients who have in-house compliance expertise themselves, hence they will challenge and scrutinize our systems and processes and demand a certain level of service guarantee from us.
Thus in our business, Service Level Agreement or SLA is a common business concept. Before a client signs their business to us, it is common for them to check that we have DR measures in place, and they may ask us about uptime, support level, compensation for outages and things like that. As a result, IT has to develop disaster recovery systems and strategies with full awareness and understanding of what the business has committed to our clients.
What makes these different for a financial service provider like Lockton when compared to a bank or insurance company?
SWK: The average bank deals with consumers as customers – it is retail and as such the transaction volume can be huge. Service demand tends to be consistently high at all times throughout the year. As a consequence demands on IT are generally also consistent, daily in fact, throughout the year. You can just imagine the non-stop demand on DR.
The technology side is relatively simple. As long as you have a CIO or Head of IT who knows what he/she is doing and management is willing to invest in the necessary technology, putting automatic data protection measures in place is relatively straightforward.
The second aspect is about education and awareness and making sure that HR puts in manuals, procedures and processes, including training and regular refresh to ensure that employees understand what data protection and business ethics mean to the company and its clients, and their individual obligations. In Lockton, we have IT, HR and compliance officers working together to set up systems and processes to mitigate the risks that come as part of doing business.
The hardest part to control is actually human behaviour because it is subject to individual discipline. You can get someone trained as much and as frequently as you like, but it is difficult to change habits and control user behaviour. This is where IT can help the business by taking a proactive role to reduce potential damage caused by wrong user behaviour, as well as resorting to automatic monitoring to help identify system-detectable non-compliant user behaviours. We are fortunate that at Lockton, our business staff are permanent employees and licensed brokers who are constantly reminded of their corporate and industry responsibilities and obligations. It is more difficult for insurance companies that use self-employed agents whose behaviour and discipline are much harder to control.
In a multi-country operation such as yours, what is the approach you take to ensure compliance with regulations around disaster recovery?
SWK: When you are in a regional position like mine, where I have to provide for a business that operates in multiple countries, the best practice and most economical way to ensure we meet regulatory compliance as well as SLA commitments to clients is to centralize our infrastructure including our DR effort. And this is what Lockton has been doing for all wholly owned subsidiaries in Asia Pacific. This means country IT does not have to worry about DR - it is all taken care of at the regional level. And I consider this the most efficient in terms of cost, time, and resources.
Both require significant investment in time, money and resources – do you get asked by the CEO about the payback of such systems? How has cloud computing changed your view or approach to disaster protection and disaster recovery?
SWK: Business compliance is strictly speaking outside my jurisdiction as we have a compliance officer (CO) who takes care of it. That said I work very closely with the CO to ensure we are aligned. For an international insurance broker like Lockton, DR and Compliance is a global mandate. Countries won’t pass internal audits unless they have a proven working DR in place.
Because disaster recovery has now become a universally accepted requirement of doing business, I don’t really get asked by management on issues like payback. I am, however, constantly required to find the most cost-effective way of providing DR. Right now, I am exploring newer approaches including the use of public cloud services for our regional infrastructure and DR services. I am obviously required to go through cost and benefit analysis for the various approaches.
What is your advice on the topic of data protection and disaster recovery?
SWK: In my view, data protection and disaster recovery are mainstream IT services. Hence these should already be in the IT service catalogue of all CIOs. Like any IT service, there are so many different ways to achieve similar purposes. I have been in a similar capacity for well over a decade and have gone through different ways myself in providing such services. I feel that the vendors have definitely matured enormously and emerging technologies are becoming increasingly affordable and practical. This means CIOs no longer have excuses to keep the status quo. They should constantly challenge their old or existing ways of doing things and open their minds to newer and more cost-efficient ways of addressing the critical data protection and DR needs.
Over the years, I have personally moved from individual countries doing local DR, covering measures like country redundancy, replication and backup, to taking it to a full-blown regional approach combining experience and technology automation. The challenge is to be constantly aware of new technologies and processes and explore their potential. For example, right now, I am exploring cloud DR services.
What is your advice to vendors selling you these technologies and services?
SWK: As a frequent adopter of vendor services, I ask myself a few questions before I decide which vendor to use to support a specific undertaking:
Internal Expertise – Do I have internal expertise to do so, if not, is it more cost effective to hire someone in-house to do so, or should I consider outsourcing?
Efficiency – Even if I have internal resources, will it be more efficient for internal resources to do the job, or should we resort to a vendor? Bearing in mind my view of efficiency includes responsiveness to business needs and unplanned problems that arise.
Cost – Will it be cheaper to do it in house or use vendor services?
Value to my customers – Will the business and my stakeholders be more satisfied with using internal IT services or using vendor services?
The pattern is clear – as emerging technologies become mainstream they get cheaper. The other good news is that these days emerging technology prices are coming down a lot quicker, so we can make practical use of them earlier. One thing I’ve also learned is that if we dig deeper into the real cost base of providing a lot of IT services in-house versus using vendor services, I often find using vendors financially a no-brainer.
That said – I am a very open-minded CIO who is willing to explore new options.
About Suk-Wah Kwok
Suk-Wah is the Asia Pacific Regional Chief Information Officer at Lockton Companies, the largest privately owned independent insurance brokerage firm in the world, and ranked number 9 overall. Worldwide, Lockton operates in over 60 offices in the US, Europe, Latin America, the Middle East, and Asia Pacific. Prior to Lockton, Suk-Wah worked at Aon, the world’s largest insurance brokerage firm, for over 10 years, and was instrumental in leading Aon Hong Kong to be among the first few companies in Asia to successfully migrate key IT services to a public cloud. Suk-Wah is an experienced IT professional well known for her versatility and insightful ideas on many IT areas. Her IT career spans over 20 years, with her early years specializing in application design and development, mainly in banking, finance, and government sectors in Australia. She was then recruited from Australia to return to Hong Kong to lead a development project for the New Chek Lap Kok Airport. After the airport move was completed, Suk-Wah joined Sun Microsystems as a Project Manager, and her career focus changed from application development to network architecture and infrastructure. She also held IT management positions such as Head of IT, Asia Pacific for Baring Asset Management, and Operations Director for commercial data centers, before taking up CIO roles in insurance broking firms.