Much is written about the components of an effective strategic plan and how best to develop one. The headlines, filled with debates on pandemic preparedness and potential terrorist threats, highlight the need to define and align key communication and business corridors in the event of a catastrophe. From this debate, Business Continuity Planning has emerged as a central component to overall corporate well-being that all sectors of business recognize.1But with the globalization of our business practices comes greater probability for business disruption, as organizations attempt to align cultures, languages, and customs into cohesive business entities.
Previously, we discussed how current FDA and ICH guidance — and the push to manage risk — has triggered a shift in thinking in terms of product and process development in many business sectors. Yet, despite the use of time-proven methodologies, such as Balanced Scorecards and Strategy Maps for strategic planning, many organizations have not integrated Business Continuity Planning into their overall strategic thinking. While no one hopes for a disaster, defining the problem and taking steps to keep your organization in business can make the difference between surviving to fight another day and becoming a casualty. This column takes a deeper look at laying out a Business Continuity Plan for your organization.
ELEMENTS OF A BUSINESS CONTINUITY PLAN (BCP)
To develop and manage an effective Business Continuity Plan (BCP), we’ve isolated four major activities, each of which focuses on key elements that drive your business (Figure 1).
Business Impact Analysis (BIA)
The first step in moving toward an effective BCP is to conduct a Business Impact Analysis (BIA), based on your organization’s long-term strategic goals that accounts for the key elements of your organization. A BIA will help you focus on identifying the effect of non-specific events on your businessprocesses and customers.
This analysis should not be done in a vacuum. You may integrate this activity with other analysis tools such as a SWOT (Strengths, Weakness, Opportunities, and Threats), Johari window, and market analysis exercises to ensure all critical aspects of the business are addressed.
Consider the categories listed below when calculating your organization’s risk in the face of a catastrophic event. As you evaluate each category, study the possible risk to each organizational element, estimate the maximum time allowable to recover, and analyze the cost of being out of operation. From this analysis, you can articulate a recovery roadmap and set milestones as part of the tactical rollout. While this constitutes the “heavy lifting” of the exercise, the basic components of any organization can be distilled intothe following seven elements:
- Facilities
- People
- Communication (IT)
- Supply Chain
- Equipment
- Vital Records/Documentation
- Intellectual Property
1. Facilities: Identify points of failure within the facility’s design and infrastructure. For instance, if the facility is an aseptic operation, what would be the impact of a breach to the sterile core? Is there a geographically separate facility available that could support the products manufactured in the facility?
2. People: Most pharmaceutical and biotech operations require a highly specialized workforce. What would the impact be if this workforce were disrupted and were not available to support manufacturing (as in the case of Hurricane Katrina)?
3. Communication: More than ever, our industry’s nerve center revolves around its information infrastructure, particularly given the industry’s use of contract manufacturing (CMO) and research (CRO) organizations to support clinical and commercial programs. What would the impact be if these communication ties were lost, or worse, if data were lost? How quickly could the communication corridor be replaced? How will you handle the change management requirements?
4. Supply Chain: The supply chain feeds the organization’s revenue engine. Procurement, warehousing, material handling, and distribution require visibility into the current production stream and forecasted demand stream. Configuration management considerations for all components are central to ensuring quality and regulatory compliance. So what would the impact be in the case of disruption? The availability of qualified alternate suppliers may be critical to ensuring ongoing operations.
5. Equipment: Many processes require customized equipment to support operations. Often Biotech processes, even those with identical fermentation and purification equipment, do not behave the same way when transferred to alternate equipment. What would be the impact of repeating process development studies on new equipment?
6. Vital Records/Documentation: Documentation is the cornerstone of our quality management system. Our internal process and external process (recall, adverse events, etc.) are predicated on access to these documents. An inability to recover critical documentation may not put only future products in jeopardy, but also product currently in the field. The roll-through impacts of withdrawing critical therapies cannot support the current regulatory requirements can greatly affect your business as well as the customers that rely on these products.
7. Intellectual Property: Socio-economic issues, such as pandemic outbreaks, may be raised if an organization is unable to provide the therapies required to support customers who depend on them. For that reason, you may need multiple manufacturers with available capacity to make your product. In such cases, how will you ensure your rights are protected?
Risk Assessment (RA)
The Risk Assessment (RA) phase consists of prioritizing the identified business disruptions based upon severity and likelihood of occurrence, and will have a profound impact on the effectiveness of the final BCP. If the threat scenarios you develop are too narrow, then the resulting BCP may not adequately protect the organization from an undesirable business interruption. The RA should analyze all risks to the business, including its employees, customers, and investors/shareholders: in short, assess all entities which would be affected by a business disruption. If your organization has a legacy BCP, you shouldcompare it against your updated risk assessment summaries.
During the RA, business process and business impact assumptions will be stressed using different threat scenarios, based upon severity and likelihood of occurrence. The result is a series of outcomes, some that have straightforward mitigation requirements and some that require a more involved business continuity plan. Threat scenarios should address both the business disruption and probability of occurrence, ranging from low-impact, high-probability threats, such as a brief power outage, to high-impact, low-probability threats, such as an earthquake or a terrorist attack. While high-probability threats may at first seem like the higher priority, it is the low-probability threats that are the more complex for which to prepare. A balanced perspective in preparation will be essential to avoid following the path of least resistance. When assessing the probability of a threat, the RA should consider geographical location (floodplain, access to water for processing) and proximity to critical infrastructure (power stations, points of national interest, airports, etc.). There is no mandatory toolset required to do this analysis. Classical risk analysis tools such as a Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis, or your own organization’s proprietary analysis methodology may all be used in the assessment. At the conclusion of the exercise, the RA should summarize and prioritize the threatsto the organization’s ability to meet its strategic initiatives.
Risk Management
Now, with a clear picture of the prioritized threats to the organization, the next step is Risk Management itself, which involves developing a business continuity plan to describe the steps necessary to mitigate risk. A wellwritten BCP documents the strategy, policies, and procedures required to maintain, recover, and stabilize critical business operations after a business disruption. While it is impossible to consider all threats to a business’s operation, your plan should be flexible enough to adapt to changing threat scenarios. Your detailed BCP will describe the crisis management organization structure including decision-making and plan-execution processes such as financing,resource management, and communication platforms.
Risk Monitoring
The final step establishes a program that ensures your plan remains relevant as your organization grows Review this plan on an annual basis to ensurethe policies and procedures reflect the current needs of the company. It is prudent to have the plan reviewed by an external consultant or auditor who is experienced both in your industry and in the establishment of BCPs. A word to the wise: choosing a BCP auditor from outside the regulated life sciences industry may add risk to your assessment given the unique regulatory and process constraints associated with manufacturing drug products. Finally, update your plan to reflect changes in key personnel and organizational structure. A BCP Process flow-down chart is shown in Figure 2 and contains all four elements of theprocess we’ve described.
CONCLUSION
A clearly articulated BCP forms the foundation for business performance and is strategic to the long-term health of your organization. As pharmaceuticaland biotech companies leverage contract organizations around the world, interdependence between each piece of the business model increases. An organization’s inability to progress against these strategic objectives can have a profound effect on the organization and its shareholders. More importantly, in the event of life-sustaining therapies, it can have a huge impact on society and the population at large. By following the four phases necessary to develop a comprehensive BCP, an organization can pursue the opportunities presented by emerging countries in terms of manufacturing and clinical expertise aswell as mitigate global threats to their business operations.
1. Recently, the SEC implemented NASDAQ’s rule 3510 and 3520,and the New York Stock Exchange implemented rule 446 specifically to ensure business continuity in the event of an unplanned business disruption, such as a terrorist attack.
Bikash Chatterjee is the president of Pharmatech Associates, Inc. He has been involved in the bio-pharmaceutical, pharmaceutical, medical device and diagnostics industry for over 20 years. His expertise includes site selection, project management, design, and validation of facilities for both U.S. and European regulatory requirements.