Business Continuity Program EPC Quarterly Meeting November 5 th 2009 New York Presbyterian Cornell Campus
A new era 2
GBeyond Emergency Management if 30%+ of MSK workforce is unavailable for work if IT systems are unavailable if a building & its contents are inaccessible if key suppliers and business partners couldn t fulfill their obligations What happens if disruptions are long term? 3
To close for comfort NYC steam explosion: Lex. & 41 st. MSK Business offices: 3 rd & 41 st. HR, IT, Pt. Accounts, EM Finance, Payroll, Billing, Security, Compliance, Public Affairs, Pharmacy, Research, Clinical Info. Chanin Building: Closed for 1 month 4
What is Business Continuity? Creation & validation of a practiced logistical plan to recover and restore partially or completely interrupted critical functions within a predetermined time after an extended disruption. Goal: Minimize or eliminate the impact of events that disrupt critical clinical & business operations, functions, and services. 5
What is Business Continuity? BC process integrates the following disciplines: Incident/Emergency Management Clinical and Business Recovery Strategies Technology Recovery Security Management (IT & Physical) 6
Landscape of Healthcare BC Most hospitals have not initiated formal BC Mostly response oriented IT-centric disaster recovery programs exist Expense in conducting a formal BC program 7
Landscape of Healthcare BC Just in time supply practices reduce inventory costs, but leave hospitals vulnerable to surge events Aging facilities & infrastructure = risk TJC EP elements increased 34% in 2008 and 2009 8
Origin of MSK BC Program Findings of Risk Management Assessment : MSK robust in short term crisis management Geographical vulnerabilities, (NYC, 633, 53 rd ) Potential for long term disruptions w/high Impact 9
Origin of MSK BC Program Findings of Risk Management Assessment : High reliance on IT functions. Still growing Research assets also at risk in long term crisis Standardized BC strategy for MSK desirable 10
TJC emphasizes BC, DR & resiliency Develop capability to self sustain (96+hours) Maintain/restore critical systems/services Providing care, treatment, services Safe discontinuance of services and/or evacuation Recovery process or plan Knowing interdependencies key Objectively defining impact of disruption Documenting practical work around procedures
Risk vs. Cost vs. Benefit JCAHO TJC Service To Our Customers Institutional Best Practices Reputation HIPAA Int. Audit Int. Audit Business Continuity Disaster Recovery and Contingency Operations Protect Information and Processes Mission Research Ext. Audit Industry Standard. NYS-DOH 12
MSKC leadership approves Business Continuity program Project Owners: Finance & Emergency Management 13
14
Essentially, we re looking for someone to take the blame for everything that goes wrong around here. 15
16
From Virtual s Initial Briefing May, 30 2008 The Business Continuity Program Life Cycle modified U.S. DoD graphic Normal Operations Incident Occurs Recovery Time Objective Return to Normal Operations Capability Minimum Acceptable Level of Capability Risk Avoidance Emergency Response Risk Mitigation Recovery Restoration Contingency Planning and Crisis Management Proactive BCM Activities Prevention and Preparedness Risk Avoidance Time Reactive BCM Activities Response, Recovery & Restoration Proactive BCM Activities Prevention and Preparedness
The Business Continuity Plans 6 BC Plans Working Together Incident Occurs Normal Operations Emergency Response and Damage Assessment Mitigation Action Plan may allow organization to avoid disruption Crisis Management Plan Activated Preparing for Recovery of Critical Operations Normal Operations Minimal Acceptable Level of Capability Operating in Recovery mode Disaster Recovery Plan Activated Implement Restoration Plan Time Hour 0 Recovery Begins Recovery in place Restoration Begins Back to Normal Emergency Response Plan Save lives and protect assets Conduct damage assessment Site Emergency Operations Center (EOC) Crisis Management Plan Executive Command Center (ECC) Regional and/or higher ECC(s) activated Command, Control, and Communications Mitigation Action Plan Tasks to initiate mitigation action(s) Avoid or minimize disruption Business Recovery Plan Ensure that critical functions continue to be performed Departmental Recovery Plans Requires EOC communications and authorizations Disaster Recovery Plan Ensure critical technical infrastructure is available Hot site recovery Restoration Plan A plan to return to normal operations
Intuitive BC Application & Process Sustainable Planner (SP) IT application/tool to manage BC Process User friendly, survey-based custom templates Healthcare centric consultants Program & IT application self sustainable 19
Phase I Assessment of MSK BC Status Assessment of key clinical and business Functions/Departments. Document gaps & strengths of current BC planning to: Better understand corporate competencies proven to sustain BC planning capabilities Evaluate BC disciplines and integration Recommendations for methods & tools for BC planning at MSK. 20
Phase I Assessment of MSK BC Status Key questions to be answered: Where are we now? Where do we ultimately want to be? Where should we be next? The Business Continuity Maturity Model Method & tool used to conduct self-assessment http://www.virtual-corp.net/html/bcmm.html 21
BC Assessment Results 22
BC Assessment Results Some levels very mature others not Strengths & gaps identified 7 recommendations Short term target = level 4 at all competences 23
Key Findings Only certain personnel had key BC related knowledge for their departments (succession) Need to establish of enterprise level business continuity goal & formalization Need to Identify, codify & share process flows & IT interdependencies, i.e. validate IT/DR 24
Key Findings Need to identify, codify & share clinical & business recovery strategies Need to conduct enterprise wide Business impact analysis (BIA). Business continuity must be treated as a sustainable process, not a project 25
And the work begins. Plans are nothing; Planning is everything. Dwight D. Eisenhower 26
Business Continuity Focus Recovery Event Classes Loss of access: (Workplace, floor, bldg, campus, region) Key personnel IT applications Services and suppliers Critical assets 27
CBR Pilot Scope Pilot Functions Scope Location Admitting Entire Function 1275 York Ave Facilities Main Campus Plant Ops 1275 York Ave Facilities Trade - Electricians 1275 York Ave Finance & Payroll Entire Function 633 3rd Ave IT Entire NJ Data Center Lyndhurst, NJ Pharmacy Main Pharmacy, Rockefeller Pharmacy, Sleepy Hollow Pharmacy Main Campus 53rd Street Sleepy Hollow Radiology Entire Function 1275 York Ave Rockefeller Pavilion Admin / Executive 53rd Street Rockefeller Pavilion Support Services 53rd Street Security Entire Function 1275 York Ave SKI Vivarium Zuckerman, Basement SKI Immunology Research Zuckerman, Flrs 14,15,16 Sleepy Hollow Entire Site Sleepy Hollow, NY Urgent Care Center Entire Function 1275 York Ave
BC Pilot Activities by Step Step 1 Scope BC Project Identify planning teams Prepare for data collection Step 2 Collect BC Data Gather business impact & dependency data in SP Step 3 Conduct Impact Analysis Validate recovery objectives Step 4 Formulate Strategies Conduct strategy workshops Finalize strategy documentation Step 5 Document BC Plan Finalize all plan documents Generate plans Conduct desk checks
BC Planning Outcomes Document processes to maintain continuity of clinical operations & business Document impacts caused if critical functions or services disrupted Document functional interdependencies 30
BC Planning Outcomes Define alternate process requirements for each component Document workaround and/or manual procedures and alternate resources for operational continuity Ensure interdependent business processes can be synched up 31
BC Program: Next Steps Phase 2 Conduct BC Program Pilots Design BC program specs based on assessment Build SP templates for BC/EM & BIA analysis Conduct clinical and administrative pilots (underway) Phase 3 Deploy BC program across MSK Most likely a 2 2.5 year process to completion Phase 4 Maintain BC program 32
"There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction". The time to fix the roof is when the sun is shining John F. Kennedy 33