Standard Life Canada sounds the alarm

Pandemic. Terrorist attack. Massive data breach. These are the words that strike fear into the hearts of IT managers everywhere, and have spurred on the Canadian arm of the Edinburgh-based insurance company Standard Life to purchase an emergency response system.

The interest of Elaine Comeau, business continuity and emergency procedures manager at Montreal-based Standard Life Canada, was first sparked when she attended the 2007 Continuity Insight conference in New Orleans, where the aftermath of the Hurricane Katrina disaster made for a fitting backdrop to the vendor and customer presentations of emergency alert and mass communication systems. “I really saw the impact of communication after a disaster,” she said.

She was fed up with the decidedly low-fi solution of traditional call trees, where one person would call 10 others to start a chain of communication going post-incident. Comeau instead started thinking about an automated solution that could get out a tailor-made message lot of people at once via different platforms.

In terms of enterprise usage, Comeau said that she has seen huge uptake in the States, but Canada, while starting to ask questions about such products, has yet to catch on as much.

According to Los Angeles-based mass notification solution provider 3n (National Notification Network) vice-president of global marketing Marc Ladin, the interest in such systems subsided in Canada somewhat following the end of the Ontario SARS scare. “But now in a post-Virginia Tech time, (demand is) rapidly increasing as people see the need for massive communication (technology),” he said.

Info-Tech Research Group senior analyst Ross Armstrong said that these types of systems are seeing increased interest from enterprises. “For the most part, enterprises are interested in emergency notification systems more from the business continuity/disaster recovery aspect. The most widely-cited concerns I’ve been hearing from clients are for pandemics (e.g. avian flu) and activation of disaster recovery plans (i.e. notifying who needs to do what in order to resume business processes quickly and efficiently).”

However, Armstrong said that the technology is still predominantly sticking to certain sectors. “While emergency notification systems are gaining traction in the areas of health care, education, and public administration, there is the tendency to view them as niche products, to some degree,” he said. “However, a sound business continuity/disaster recovery plan should take into account proper procedures and methods for communicating to staff, employees, customers, and stakeholders during a crisis situation. This has more to do with policy than with software, mind you.”

Comeau’s team put out the call for RFPs, and had five contenders, including three American companies, one Canadian company, and one British company, who were chosen on the basis of their high-profile, long-term clients. The winner was 3n, with whom it entered a three-year contract. (Standard Life would not disclose the dollar amount of the contract, but the average price of a year’s subscription to the service is between US$20,000 and $75,000, with a range of between $10,000 and $1-million per year, according to Ladin.) The implementation went down in April 2007.

He said the system requirements are very simple—a database of the recipients’ contact details, and a Web browser that can access the software-as-a-service (SaaS)-based interface for inputting the notification information. (In Standard Life’s case, it used its PeopleSoft database as a contact repository; it is updated daily.)

The software-as-a-service model was one of 3n’s selling points, said Comeau. “We like that it was Web-based and having our data on their server because if our systems went down, we couldn’t reach that information,” she said.

The message can be routed to a variety of outlets, including telephones, mobile devices, e-mail, text message, and pagers. The actual message can come in the form of a pre-recorded message (or text converted to voice), or in a text-based format.

To aid with efficiency, the system can save templates for certain incidents that can be sent out automatically to a pre-set recipient lists. It’s important to make sure that the information is specific, targeted, and verifiable, said Armstrong. “Emergency notifications should contain only known details and quantitative facts. The content of each notification should be proof positive that management is using validated information based on confirmed reports and actions taken,” he said.

Messages can also be sent in timed cycles, or until a reply has been sent. According to Ladin, the system can be further integrated with a company’s own systems and alert systems so that a specific event could automatically trigger a message being sent out, such as an IT malfunction alert then triggering a notification routed to the IT team.

Recipients can also send replies to the messages, which can be routed appropriately, whether it’s to a specific team or to the Web site. Comeau has, for example, set up a template for a pandemic situation. Not only could the system send out warnings and notifications, but responses could be sent back, such as a ‘1’ for sick, ‘2’ for home with family, and ‘3’ for away from the affected area.

Comeau said that she hasn’t had to use the system for a real-live emergency yet, but has found 3n’s product helpful in the company’s annual disaster recovery exercise, and for small alerts to things like building evacuations.

Sending out a mass communication can trigger privacy issues, however, which is why users can choose to not enter private or personal contacts, said Comeau. (The system did encounter a snag when the first few attempts resulted in the notifications being sent to recipients’ spam folder. Subsequently, the sender was added to their whitelists, which solved the problem.)

“Privacy is somewhat of a concern. But at the end of the day, I don’t think anybody would complain about being notified at home or via private e-mail that a negative event has occurred,” said Armstrong. “That said, anybody considering (or implementing) an emergency notification system should ensure that no individually identifiable references to persons should be present in the message sent by the system, especially if the message is being sent to a broad audience. This includes surname, e-mail address, personal Web address, street address, or telephone number. In some places, giving out personal information like this, even in an emergency situation, is a violation of privacy.”

Ladin said that some Canadian customers were troubled by the Patriot Act privacy angle. “So we made the decision to have (in Canada) separate, multiple, dispersed data centres for the Canadian market,” he said.