Business continuity planning (BCP) is essential for the success of any enterprise, but it’s particularly crucial for companies in the life sciences industries, where criticality and compliance with FDA regulations may be impacted by a host of factors ranging from cybercrime to natural disasters to disruptions in the supply chain.
BCP: A Four Part Process
BCP is the development of a plan for a business to resume its most essential functions following a disruption. The Ready program, a national initiative that works in tandem with FEMA to help families and businesses prepare for and recover from disaster, breaks BCP down into a four-part process:
- Business Impact Analysis: Identify the possible effects that a disruption to regular business function could precipitate. A Business Impact Analysis aims at establishing two key pieces of information:
- What financial and operational impact could ensue as a result of disruption to individual business processes or functions?
- At what point following disruption to process or function would the organization experience the potential impact?
- This data is then used to prioritize the functions and processes whose disruption could result in the greatest negative impact.
- Recovery Strategies: Determine the resources needed for recovery and conduct a gap analysis to identify the discrepancies between the necessary resources and the organization’s current capabilities. Restoration of regular business function can require internal resources or those obtained from third parties; resources can range from personnel and office space to power sources and technology. This step includes exploring various recovery strategies and selecting the ones most appropriate to your organization.
- Plan Development: Develop plans to implement selected recovery strategies; this step includes assembling a recovery team, documenting the organization’s BCP, writing out protocols for relocation and manual workarounds, and gaining approval from management.
- Testing & Exercises: Establish testing and maintenance procedures for all recovery strategies in the BCP; develop and facilitate training to ensure all employees understand and can support execution of the plan. Test the recovery strategies and update the BCP as needed based on the results of testing.
Risk Assessment & Risk Management
Risk assessment is one step in an overall system of risk management that FEMA, in its Continuity Guidance Circular I, outlines as a five-phase cycle aimed at identifying and mitigating the impact of disruptive events. It closely parallels the process for business continuity planning:
- Strategic Goals, Objectives, and Constraints: Determining how resources should be allocated among leadership, staff, facilities, and communications for the organization’s BCP to be met, who should be involved in the decision making process (stakeholders, those affected by the decisions), and what factors will impact decisions around continuity planning (finances, degree of risk, severity of impact, etc.).
- Risk Assessment: Identify the risk, its likelihood of occurrence, and the potential impact if it does occur. This is achieved by creating an inventory of the business’ essential functions, identifying hazards (natural and man-made) that could compromise the business’ ability to carry out these functions, developing continuity hazard scenarios that take into account the risk to the four main components of continuity (leadership, staff, facilities, and communication), and determining the countermeasures already in place to mitigate risk.
- Evaluating Alternatives to Address Risk: Develop alternate strategies to mitigate risk for those scenarios where existing countermeasures are found to be insufficient. Reevaluate the risk in each scenario based on implementation of the alternative strategy to determine the degree to which risk is further reduced.
- Selecting Appropriate Alternatives: Choose the most suitable alternative strategies based on their potential for risk reduction, as well as the factors identified in phase one. Get buy-in from stakeholders and ensure the chosen strategies are understood by the company.
- Implementation & Analysis of Results: Establish metrics to assess the efficacy of the chosen strategies; implement the strategies and evaluate their performance based on these metrics.
Risk profiles in the life sciences industries
For most companies, a risk profile will run a typical gamut of risks:
- Market risk stemming from fluctuating economic conditions or investment values.
- Operational risk arising from a breakdown of internal processes or systems, or human error.
- Business recovery risk based on the organization’s vulnerability to loss following disruption of its daily operations.
- Catastrophic loss resulting from a highly impactful—and often unpredictable—event.
While these are broad categories and not exclusive to the life sciences industries, there are industry-specific risks that need to be considered in the development of any BCP for pharmaceutical, biologics, combination product, and medical device manufacturers.
FDA regulations and approvals, as well as potential changes in the healthcare industry and in healthcare laws are sure to be listed in the risk profile of any organization in the life sciences. But an increasingly significant area of concern is the integrity of supply chains, not only in resilience to disruption but in compliance with necessary standards.
A recent report cited by Continuity Central notes that life sciences ranks in the top three industries impacted by supply chain events, sharing the spotlight with automotive and high tech. It’s no surprise then that the U.S. Economic Development Administration (EDA), in its Industry Cluster Briefing Series on Biotechnology, Pharmaceutical, and Life Sciences Cluster, advocates the development of a supply chain risk management system that plots out the entire chain to identify interdependencies and potential areas of risk so that organizations can engage with suppliers to integrate their BCP at every point of the supply chain.
Given the life science industry’s reliance on supply chains—often specialized to the point of a series of single source relationships—and its obligation to meet FDA requirements in a continuously evolving technological and regulatory landscape, development of a robust BCP and implementation of a thorough risk management system is critical to organizational resilience and success.