By Nanette Moss, S.M., C.I.H., Senior Scientist and Project Executive with Environmental Health & Engineering, Inc.
What is business continuity planning and why is it important?
Emergencies may be infrequent, but they can have devastating impacts on all types of organizations. A Business Continuity Plan (BCP) can provide business resiliency: the ability to quickly adapt to serious disruptions while continuing operations and safeguarding staff, assets, and professional reputation. The objective of the BCP is to ensure that vital company operations can continue during or following a disaster or major disruption, minimize the adverse impact and facilitate a timely and efficient return to normal operations.
The types of disruptions might include a severe winter storm (e.g., ice or snow), flood, staff shortage, supply-chain interruption, power failure, loss of water, computer or telecommunications downtime, cyber-attack or security emergency (e.g. violence in the workplace). Such disruptions can result in delays in product launches, clinical trials and regulatory reporting; loss of clients, sponsors or collaborators; and effects on patient outcomes or potential societal impact due to drug shortages or delayed diagnostic services.
A Business Continuity Plan vs. an Emergency Action Plan
Organizations should have both an Emergency Action Plan (EAP) and a BCP. An EAP addresses short duration emergencies that are usually immediate, site-specific or incident-specific, such as how to: report and respond to fires, evacuate the building, clean up a chemical spill or get medical attention for personnel accidents. The scope of a BCP typically includes the entire organization, applies to all forms of emergencies and has a long-term focus on the continuation of essential operations for protection of not only personnel and property but also research assets (e.g. biological materials and laboratory animals), products, reputation and investments.
Biomedical and research organizations face unique challenges in resiliency planning because these facilities often include large specialized equipment, vivariums, insectariums, aquatic animal housing or spaces that require continuous environmental control and monitoring. This makes it impractical or impossible to establish temporary operations at an alternative site during a long-lasting disaster. In addition, laboratories that maintain accreditations or licenses from regulatory agencies or organizations may be required to conduct their operations only in the licensed facility. That means that all possible resources must be devoted to bringing the facility back into operation as quickly as possible during or after a crisis.
Biomedical and research organizations may also have unique vulnerabilities. For example, specialized laboratory equipment may require use of vendor-specific consumable products, and certain reagents or rare products may only be available from a single vendor or may have long lead-time constraints. Qualifying back-up vendors and off-site warehousing of these critical supplies can serve to offset these liabilities. Preserving temperature-sensitive materials, common to this industry, must be considered, as power disruptions are not uncommon and emergency generators cannot always be relied upon for long-term or large-scale regional disasters. Banking or relocating critical biological materials to a cold storage biorepository can assure that these assets are protected and can be readily retrieved once operations are restored.
Staffing issues also present challenges because specialized training and qualifications are usually required to perform critical functions in a high-technology environment. These employees cannot be easily replaced in the event of a staff shortage due to situations such as epidemics or road closures. Some organizations might consider comprehensive cross-training programs to address these types of staffing interruptions.
Finally, biomedical and research organizations require complex information technology services and support including systems to ensure data security, availability, processing integrity, confidentiality, and privacy. Management systems should be developed to provide data backup, cloud storage, virtual desktop infrastructure and redundancies for internet access and other vital system components.
How To Create a Successful Business Continuity Program
- Risk Assessment and Business Impact Analysis
The first step to creating a BCP is to conduct a risk assessment and business impact analysis. This is essentially the foundation for a comprehensive BCP. It involves identifying the types of threats that may impact the organization (e.g. hurricane, cyber-attack, supply-chain disruption) and estimating the probability of an occurrence and the severity of the impact. It will help you to develop strategies for preventing serious incidents that could compromise the facility and its operations, as well as to develop mitigation measures to minimize the consequences and severity of incidents that cannot be prevented.
You must then identify your organization’s:
- Critical functions and operations
- Vulnerabilities (e.g. single-source suppliers, facility location in flood zone, only one emergency generator, etc.)
- Resources needed for recovery (e.g. staff, supplies, equipment, facility, utility systems, technology, finances and vital records)
Next, estimate the impact resulting from recovery delays such as loss of revenue, customers, company reputation, products or investments. Develop and implement prevention and mitigation measures to offset the vulnerabilities.
- Recovery Objectives, Strategies, Tasks and Timeframes
Once the Risk Assessment and Business Impact Analysis is completed, you can establish recovery objectives, strategies, tasks and timeframes. This may include relocating critical biological materials to a temperature-controlled biorepository, temporarily using a reference laboratory, relocating some operations to an academic core facility, switching production to another company site, using back-up vendors or having staff work remotely. In some situations, it may not be possible or safe for staff to enter the facility, or there may be circumstances where staff may be unable or unwilling to come to the worksite (e.g., employees were injured, emotionally affected by the disaster, need to care for family members). If it is possible for staff to work remotely or at temporary alternate locations, it is important to ensure that technology support is available, such as VPN access or remote logon capabilities.
An essential component of a BCP includes steps or procedures for internal and external communications. Employees must be notified of the emergency situation and instructed whether to come to work or stay home. These notifications can be accomplished by using mass electronic notification software systems, telephone call trees, group texts and social media platforms. Keeping employees well informed regarding situation developments and providing instructions and expectations is essential to maintain a calm and organized response to disruptions.
Communication with external organizations such as fire departments, police, public health and emergency response units is necessary to obtain critical information regarding the emergency and request assistance if necessary. Other stakeholders may need to be notified such as regulatory agencies, vendors, collaborators and customers. It is advisable to prepare pre-scripted information bulletins, press releases or communication templates in advance and obtain internal approvals with your organization’s legal and public relations departments. Communication within your organization and with external stakeholders is critical to ensure confidence in the organization and to preserve the company’s reputation.
- A Response and Recovery Management System
Determine, in advance of an incident, the roles and responsibilities of those who will participate in the continuity and recovery processes and how the activities will be organized. An example would be the Federal Emergency Management Agency (FEMA) National Incident Management System (NIMS) Incident Command (ICS) – a nationally recognized framework used to designate responsibilities and reporting relationships during a crisis. Adoption of such a system can serve to ensure an organized and efficient response and recovery.
- Education, Training and Testing
Employees who have a role in the BCP Program should receive education and training to implement, support and maintain the program relative to their level of involvement. Exercises with clearly defined goals, such as table-top drills, should be conducted at least annually to ensure that the BCP is consistent with your organization’s business continuity and recovery objectives and that it effectively applies to likely threat scenarios. These exercises are an excellent means of education and training, serving to flush out gaps in the procedures and identify opportunities for improvement.
Exercise objectives may include:
- Clarifying personnel roles and responsibilities
- Obtaining participant feedback to improve or modify procedures
- Improving coordination among internal and external teams or entities
- Identifying and accessing resources (equipment, supplies, computer technology, personnel) needed for effective response and recovery
- Maintaining the safety of personnel, property, operations, and the environment
All exercises should end with a debrief meeting to discuss strengths and weaknesses in BCP implementation, and then be followed up with an update or modification to the BCP as a result of findings from the exercise.
- Program Maintenance and Process Improvement
The BCP should be reviewed and updated at least annually to keep pace with the growth and evolution of your organization and the continually changing threat environment. Drivers to update or modify your BCP include changes to any of the following conditions:
- Hazards and potential impacts
- Resource availability including critical vendors and suppliers
- Your organization (such as relocation, merger, expansion) or its operations
- Funding changes
- Infrastructure, including the technology environment
- Economic and geographic stability
Establishing and maintaining a comprehensive BCP will aid biomedical and research organizations in fast and efficient response and recovery when operational disruptions arise – and help minimize the negative impacts to your staff, assets, revenue and professional reputation.
Need More Help with Your BCP?
There are several resources available to assist in developing a BCP including: International Standard ISO 22301: Societal security — Business continuity management systems — Requirements, 2012 and National Fire Protection Association NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs, 2013 Edition.
About the Author
Nanette Moss is a Senior Scientist with Environmental Health & Engineering, Inc. She has a Master’s of Science degree from the Harvard School of Public Health and is a Certified Industrial Hygienist with over 25 years’ experience in life science and healthcare organizations. Nanette provides expert support and guidance for the environmental health and biosafety programs at leading academic research institutions, biotechnology companies and hospitals in Massachusetts. She develops and implements plans and programs for the management of hazardous materials, pharmaceutical waste, laboratory and hospital emergency operations, bloodborne pathogen and infectious disease exposure control, biosafety and occupational health. She has also served on emergency management committees at several area hospitals.