Implementing a Business Continuity Plan Lab
| January 2, 2020
It is not a matter of if disasters will occur, but when will they occur. According to the Business Continuity Institute – 2019 Horizon Scan Report the top five threats of greatest concern for 2020 are:
- Cyber-attack or data breach
- IT and telecom outage
- Adverse weather or natural disaster
- Critical infrastructure failure (e.g. power disruption)
- Reputation incident (e.g. product quality problem or recall)
Other top threats include staff shortages, regulatory changes and supply-chain disruptions.
All institutions are at risk; however, the research and commercial laboratory environment presents unique risk management challenges. Laboratory centered organizations have significant funds invested in research materials, laboratory animals, specialized equipment and environmental controls. Examples of disruptions to research can include loss of biological samples and research animals as a result of power outages or flooding. It is vital that laboratories have an effective business continuity plan for protecting these assets and for minimizing disruption and potential financial loss in the event of a disaster.
Workplace Violence: How to Prevent, Prepare and React to an Armed Intruder
What is Business Continuity Planning?
Creating and maintaining a business continuity plan (BCP) helps ensure that an organization has the resources and information needed to deal with emergencies. This goes beyond the scope of an OSHA mandated Emergency Action Plan. The scope of a BCP typically includes the entire organization (including multiple sites), applies to all forms of emergencies and has a long-term focus on the continuation of essential operations for protection of not only personnel and property but also research assets (e.g. biological materials and laboratory animals), products, reputation and investments. Business continuity planning comprises the steps, policies and procedures that are activated once a disaster has occurred. The objective is to ensure that critical services or products are delivered during a disruption and to recover as quickly as possible to minimize downtime and financial loss.
Laboratory Environment Presents Unique Challenges
Research and commercial laboratory organizations face unique challenges in resiliency planning because these facilities often include large specialized equipment, vivariums, insectariums, aquatic animal housing or spaces that require continuous environmental control and monitoring. This makes it impractical or impossible to establish temporary operations at an alternative site during a long-lasting disaster. In addition, laboratories that maintain accreditations or licenses from regulatory agencies or organizations may be required to conduct their operations only in the licensed facility. That means that all possible resources must be devoted to bringing the facility back into operation as quickly as possible during or after a crisis.
The Importance of Tabletop Exercises — and How to Do Them Properly
In addition, specialized laboratory equipment may require use of vendor-specific consumable products and certain reagents or rare products may only be available from a single vendor or may have long lead-time constraints. Qualifying back-up vendors and off-site warehousing of these critical supplies can serve to off-set these liabilities. Preserving temperature sensitive materials, common to this industry, must be considered as power disruptions are not uncommon and emergency generators cannot always be relied upon for long-term or large-scale regional disasters. Banking or relocating critical biological materials to a cold storage biorepository can assure that these assets are protected and can be readily retrieved once operations are restored.
Staffing issues also present challenges because specialized training and qualifications are usually required to perform critical functions in a high-technology environment. These employees cannot be easily replaced in the event of a staff shortage due to situations such as epidemics and school or road closures. Some organizations might consider comprehensive cross-training programs to address these types of staffing interruptions. Another option is to temporarily relocate willing staff to alternate locations within the organization to conduct their work. This would involve logistical planning for transportation and lodging accommodations.
Finally, laboratory centered organizations require complex information technology services and support including systems to ensure data security, availability, processing integrity, confidentiality and privacy. Management systems should be developed to provide data backup, cloud storage, virtual desktop infrastructure and redundancies for internet access and other vital system components.
How to Investigate and Prevent Accidents in Research Laboratories
Key Steps in Business Continuity Planning
Risk Assessment and Business Impact Analysis
The first step to creating a BCP is to conduct a risk assessment and business impact analysis. This is essentially the foundation for a comprehensive BCP. It involves identifying the types of threats that may impact the organization (e.g., hurricane, cyber-attack, supply-chain disruption) and estimating the probability of an occurrence and the severity of the impact. It will help you to develop strategies for preventing serious incidents that could compromise the facility and its operations, as well as to develop mitigation measures to minimize the consequences and severity of incidents that cannot be prevented.
Questions a laboratory organization must address include:
- What are our critical functions and operations?
- What are our essential assets? For example, in vivo animal models, transgenic animals, cell lines, primary tissue, genetically engineered vectors, compound libraries, scientific and/or clinical data.
- Who are the key personnel and vendors?
- Where are our vulnerabilities? This could include single-source suppliers, facility location in a flood zone, only one emergency generator, etc.
- What resources are needed for recovery? For example, staff, supplies, equipment, facility, utility systems, technology, finances and vital records.
Next, estimate the consequences or impact resulting from recovery delays such as loss of revenue, customers, company reputation, products or investments. Develop and implement prevention and mitigation measures to off-set the vulnerabilities.
An important factor to successful business continuity planning is ensuring that you have included all the relevant stakeholders in the planning process and in developing the written business continuity plan. This helps ensure that all research operations are taken into account when developing the business continuity plan. In a research environment this can include personnel such as:
- Scientific research community
- Vivarium operations personnel
- Facility operations personnel
- Environmental health and safety professionals
- Legal
- Human resources
- Information technology
- Communications
- Purchasing/Procurement
Recovery Objectives, Strategies, Tasks and Timeframes
Once the Risk Assessment and Business Impact Analysis are complete, you can establish and prioritize recovery objectives, strategies, tasks and timeframes. This may include relocating critical biological materials to a temperature-controlled biorepository, temporarily using a reference laboratory, relocating some operations to an academic core facility, switching production to another company site, using back-up vendors or having staff work remotely. In some situations, it may not be possible, or safe, for staff to enter the facility or there may be circumstances where staff may be unable or unwilling to come to the worksite (e.g., employees were injured, emotionally affected by the disaster, need to care for family members). If it is possible for staff to work remotely or at temporary alternate locations, it is important to ensure that technology support is available such as VPN access or remote logon capabilities.
Communications
An essential component of a BCP includes steps or procedures for internal and external communications. Employees must be notified of the emergency situation and instructed whether to come to work or stay home. These notifications can be accomplished by using mass electronic notification software systems, telephone call trees, group texts and social media platforms. Keeping employees well informed regarding situation developments and providing instructions and expectations is essential to maintain a calm and organized response to disruptions.
Communication with external organizations such as fire departments, police, public health and emergency response units is necessary to obtain critical information regarding the emergency and request assistance if necessary. Other stakeholders may need to be notified such as regulatory agencies, vendors, collaborators and customers. It is advisable to prepare pre-scripted information bulletins, press releases or communication templates in advance and obtain internal approvals with your organization's legal and public relations departments. Communication within your organization and with external stakeholders is critical to ensure confidence in the organization and to preserve the company's reputation.
Many laboratories depend on specialized equipment and supplies. It is important to develop and maintain lists of equipment, supplies, and vendors so that the information is readily available during a crisis. Consider the needs of specialized environments, such as vivariums and aquaculture facilities. Work out specific steps and procedures such as when to activate the BCP, who will conduct the tasks and in what order; and when to return to normal operations. A recovery checklist is a useful tool to ensure that all systems are re-established and calibrated. Ensure that the following items are addressed:
- Damaged and contaminated materials, supplies and equipment have been removed
- All utility systems are operational including water, sanitary sewer, HVAC, gas and electric supply.
- Equipment is calibrated; running validation samples may be required
- Environmental control and monitoring, fire suppression, security and hazardous materials systems are restored
- Par levels of supplies and reagents are replenished
- IT and telecom systems are operational
- Insurance assessments and financial impacts have been documented
A Response and Recovery Management System
Determine in advance of an incident, the roles and responsibilities for those who will participate in the continuity and recovery processes and how the activities will be organized. An example would be the Federal Emergency Management Agency (FEMA) National Incident Management System (NIMS) Incident Command (ICS) – a nationally recognized framework used to designate responsibilities and reporting relationships during a crisis. Adoption of such a system can serve to ensure an organized and efficient response and recovery.
Education, Training and Testing of the Plan
Employees who have a role in the BCP Program should receive education and training to implement, support and maintain the program relative to their level of involvement. Business continuity plans are not complete until you can demonstrate that they work. Tabletop exercises using various real-life scenarios (e.g., flood, hurricane) should be conducted at least annually to ensure that the BCP is consistent with your organization's business continuity and recovery objectives – and that it effectively applies to likely threat scenarios. These exercises are an excellent means of education and training serving to flesh out gaps in the procedures and identify opportunities for improvement. Exercise objectives may include:
- Clarifying personnel roles and responsibilities
- Obtaining participant feedback to improve or modify procedures
- Improving coordination among internal and external teams or entities
- Identifying and accessing resources (equipment, supplies, computer technology, personnel) needed for effective response and recovery
- Maintaining the safety of personnel, property, operations and the environment
All exercises should end with a debrief meeting to discuss strengths and weaknesses in BCP implementation including gaps in the BCP. This should be followed by an update or modification to the BCP as a result of findings from the exercise.
The BCP should be reviewed by all relevant stakeholders and updated at least annually to keep pace with the growth and evolution of your organization and the continually changing threat environment. For example, emergency call lists must be updated as personnel responsibilities change in the organization. Drivers to update or modify your BCP include changes to any of the following conditions:
- Regulations
- Hazards and potential impacts
- Resource availability including critical vendors and suppliers
- Your organization (relocation, merger, expansion) or its operations
- Funding
- Infrastructure, including the technology environment
- Economic and geographic stability
- Personnel
Resources
There are a number of resources available to help you get started with developing your BCP including the National Fire Protection Association (NFPA) 1600 Standard on Continuity, Emergency, and Crisis Management, 2012 and the International Organization for Standards (ISO) 22301 Security and resilience — Business continuity management systems — Requirements, 2019.
Turn a Crisis into an Opportunity
Every crisis presents an opportunity to review the effectiveness of the BCP and to determine if modifications are necessary. When the crisis has passed, the Crisis Management Team (usually comprised of key leadership position holders within an organization) should convene to assess its performance and to determine ways in which the institution's response could be improved. For example, did the planned measures appropriately address the situation and help alleviate disruption to operations? Did personnel understand their role in implementing the measures? Is additional training needed?
Process documentation is key to evaluating the response post-incident, including a narrative of events, emergency response actions, communication efforts, receipts for costs, etc. This documentation should be maintained by an appropriate member of senior management (e.g., operations, research, environmental health and safety).
No institution is immune from the losses that can result from a crisis. Laboratory organizations need to take precautions in order to protect staff and their assets, many of which are unique and irreplaceable. The process does not end with the development of the plan. The plan must continually be reviewed and tested to ensure its effectiveness and to keep up with the ever-changing laboratory environment.
Implementing a comprehensive business continuity program will undoubtedly improve your organization through resiliency – you will be more able to quickly respond to serious disruptions while continuing operations and safeguarding staff, assets and your organization's professional reputation.
If you need expert guidance and support to help develop – or test – your business continuity plan, contact us today!
Source: https://eheinc.com/blog/business-continuity-planning/
0 Response to "Implementing a Business Continuity Plan Lab"
Publicar un comentario