Business Continuity and Disaster Planning

Transcription

1 WHITE PAPER Business Continuity and Disaster Planning A guide to preparing for the unexpected Robert Drewniak Director, Strategic & Advisory Services

2 Disasters are not always the result of high winds and rain. In the past two years, 52% of businesses experienced an unforeseen interruption, and the vast majority (81%) of these interruptions caused the business to be closed for one or more days. Source: 2009 Disaster Recovery & Business Continuity Survey As healthcare s reliance on technology increases, so does the need to ensure that critical systems and processes can be recovered quickly after operational interruption and/or disaster. As a result, Business Continuity Planning (BCP) is becoming a priority. This is not just an IT issue. CEOs, CIOs, risk managers, compliance officers and security officers are becoming more aware of the need to take strategic and proactive actions to protect their organizations. By developing and implementing a comprehensive Business Continuity Plan (BCP), the organization can minimize its overall risk of outages, operational down time and loss, resulting in improved patient care reliability and operational stability. Industry Semantics There are various industry terms to describe the effort to mitigate the negative effect of interruptions on operations: Business Resumption Planning, Disaster Recovery Planning, Crisis Management and Business Continuity Planning. Although each is a bit different as outlined below, all require a plan, a process and ongoing training to be effective. A Business Resumption Plan typically describes how to resume operations after a disruption or critical event. A Disaster Recovery Plan primarily deals with recovery of information technology and services assets after a disastrous interruption. Both plans imply an outage in critical operations or services and are essentially reactive in nature. Crisis Management refers to how an organization will deal with the emergency, disaster or catastrophe during the event. The focus at this stage is to carry on through the crisis, and to mitigate its effects during it. Recently there has been a move from Business Resumption Planning to Business Continuity Planning, acknowledging that in the healthcare environment, it s not sufficient to resume critical services; they must be provided continuously. Disaster Recovery and Crisis Management focus on rebuilding or alleviating the effects of a disaster, emergency or catastrophe. Business Continuity Planning focuses on sustaining the delivery of services for ongoing operations. If your healthcare organization has a well-structured BCP, it can continue to provide mission-critical services, regardless of the nature of the interruption. The Business Continuity Plan A Business Continuity Plan (BCP) is a collection of policies, procedures, protocols and information that is developed and maintained for use in the event of a business interruption. The BCP outlines the steps the organization will be required to take to quickly carry on business and operations. The BCP should 2

3 clearly describe the enabling processes required for operations, safety and workflow. The benefits of the BCP are far reaching: from patient safety, compliance and risk avoidance to employee and patient confidence. The basic elements of a well-planned BCP include a set of practical and realistic steps that begin with the identification of mission-critical systems and processes, and are followed by the actions needed to effectively continue the operations from an interruption/disaster to normal operations. Since most interruptions are isolated to specific areas geographies, departments, facilities, etc., the BCP should not be focused solely on organization-wide scenarios. Plans need to be developed and maintained for the huge variety of interruptions that may occur. Lastly, the BCP involves more than restoring information technology. It is a plan for operational continuity and should ensure that all critical operations are maintained when faced by an interruption. Developing a Plan The process in the development and maintenance of a BCP includes the five steps identified in the diagram to the right: Analysis, Solution Design, Implementation, Testing and Acceptance and Maintenance. Although the names for these steps may vary from organization to organization, each is critical for the successful development and implementation of a BCP. 1. Impact Analysis Maintenance Testing and Acceptance Analysis Business Continuity Planning Processes Implementation There are a few specific analyses that need to be performed prior to developing a BCP: Solution Design Business Impact Analysis (BIA): The objective of the BIA is to identify and distinguish between critical and non-critical operational functions, activities and/or processes. (In healthcare, functions related to patient safety would be considered critical, for example.) The results of the BIA will include recovery requirements for each critical function. Threat Analysis: This is a list of potential threats to ongoing operations and the recommended steps to recover from each. Threats include fire, flood, earthquake, sabotage, cyber attack, hurricane, utility outage, etc. Recovery Requirements Documentation and Review: Upon completion of the BIA, the operational and technical requirements are documented and reviewed. Reviewers should include senior leaders to operational end users. All stakeholders should be represented and engaged throughout the plan development process. This review ends with acceptance and sign-off on the documented requirements. Dependency Analysis: It is important to identify the internal and external dependencies of critical services. 3

4 Internal dependencies include employee availability, corporate assets, (equipment, facilities, computer applications, data, tools, vehicles), and support services (finance, human resources, security and information technology support). External dependencies include suppliers, any external corporate assets (equipment, facilities, computer applications, data, tools, vehicles), and support services (facility management, utilities, communications, transportation, finance institutions, insurance providers, government services, legal services, and health and safety services). 2. Solution Design The purpose of the solution design phase is to identify the most cost effective restoration solution that meets the requirements from the impact analysis stage. For IT applications, this is commonly expressed as: The minimum application and application data requirements The time frame in which the minimum application and application data must be available 3. Implementation Implementation is the execution of the design elements that have been identified in the previous steps. Although testing can occur throughout the BCP development, the unit testing that takes place during components of the implementation should not take the place of organizational testing. 4. Testing and Acceptance Testing is a critical step in the planning process to ensure organizational acceptance and readiness. It ensures that the business continuity solution satisfies the organization s restoration needs. Testing may include: Testing of moves to primary and secondary sites Operational manual processes cross over Disaster command center call back If the BCP fails to meet expectations, check for insufficient and/or inaccurate data or requirements, design discrepancies, or solution implementation errors. 5. Maintenance The BCP is a living document and will need to be reviewed and maintained on a periodic, scheduled basis. Maintenance of the BCP plan/document can be divided into three activities: 1. Confirmation of the information in the document and training for staff members whose roles are identified as critical for response and restoration. 2. Periodic testing and validation that the technical solutions are in fact available and appropriate for recovery operations. 3. Testing and validation to ensure documented operational services for the organization remain unchanged for continuous operations. These should be performed on a scheduled biannual or annual maintenance cycle. 4

5 BCP Strategic Benefits Well-planned organizations survive with limited impact when interruptions occur, while those that do not plan for these incidents may place their institution in jeopardy. Disasters can and will strike at any time. They may come in multiple forms. They can happen one at a time or all at once. Planning and testing of the identified solutions make the critical difference between successfully managing an incident within acceptable parameters and having a situation that may take days or longer to fix. It is important that each staff member understands and knows his/her specific task and role during a disruption. This requires consistent and frequent staff training on the processes and solutions outlined in the BCP. Frequent reviews are also required to keep the plan updated. This preparedness is critical to the strategic goals of any healthcare organization. A BCP: helps healthcare organizations fulfill their moral responsibility to protect patients, employees, the community and the environment facilitates compliance with regulatory requirements of federal, state and local agencies enhances an organization s ability to increase patient safety, reduce financial losses, regulatory fines, loss of market share, damages to equipment, or disruption to service delivery in the event of a business interruption reduces exposure to civil or criminal liability in the event of an incident enhances an organization s image and credibility with patients, employees, clients, funders, vendors and the community may reduce the organization s insurance premiums BCP Critical Success Factors 1. Governance, leadership, and sponsorship Ensure that a governance structure (i.e., committee) is in place that will ensure senior management commitment and define senior management roles and responsibilities. The BCP senior management committee is responsible for the oversight, initiation, planning, approval, testing and audit of the BCP. It also implements the BCP, coordinates activities, approves the BIA survey, oversees the creation of continuity plans and reviews the results of quality assurance activities. 2. User involvement Remember that the BCP is more than the IT department; all organizations, units and departments should be involved in the development of the plan, from the impact analysis through testing and implementation. Ownership by all staff is needed. Staff s solid understanding and knowledge of the process is imperative for success. 3. Training and testing BCPs can be smoothly and effectively implemented if and when all employees are briefed on the contents and are properly trained on their individual responsibilities. Continuous training updates and testing should be 5

6 developed and scheduled to achieve and maintain high levels of competence and readiness. While exercises are time and resource consuming, they are the only method for validating a plan. 4. Acceptance As part of the quality assurance and acceptance process, reviews of the BCP should assess the plan's accuracy, relevance and effectiveness. It should also uncover areas that need improvement. Continuous appraisal of the BCP is essential to maintaining its effectiveness. Reviews should be coordinated with operational staff, knowledgeable managers and the BCP steering committee. 5. Communication Ensure that there is a BCP communication plan. The communication process ensures that all employees and affected personnel will have updated information. The communication plan should include links to training and specific organizational unit updates when the BCP is modified and updated. There is no such thing as over communicating when it comes to addressing the BCP. In my experience, people have the best intentions of putting together a great BCP. Then, resources and time become challenging constraints that hinder the process. However, based on industry and personal experience, it only takes one incident to put business continuity planning on the short list of priorities. Don t be caught with a skeleton plan; it could place your organization at great (and unnecessary) risk. About Hayes Hayes is ranked Top Professional Services Firm by KLAS,* and has won multiple Best in KLAS awards since Hayes is also ranked in Healthcare Informatics Top 100 and Inc s list of fastest growing companies. Hayes consultants are subject-matter experts in IT strategic planning, revenue cycle improvement, system implementation and optimization, interoperability and business and clinical operational efficiency. Hayes also offers software solutions to improve efficiency and productivity. To learn more about Hayes services, visit or call us at * Source: Top 20 Best in KLAS Awards: Software & Professional Services. 6