BUSINESS CONTINUITY PLANNING Dr Karolyn Kerr

What is Business Continuity Planning (BCP)? Possible Threats Scope and Context of BCP Business Impact Assessments Business Continuity Plan Development Testing and Validation Training Roles and Responsibilities

What is Business Continuity Planning (BCP)?

Possible Threats

Scope and Context of BCP

Business Impact Assessments

Business Continuity Plan Development

Testing and Validation

Training

Roles and Responsibilities

What is Business Continuity Planning (BCP)? BCP seeks to mitigate all major interruptions of business systems and to ensure a level of capability remains during and following disruption to core business systems

BCP seeks to mitigate all major interruptions of business systems and to ensure a level of capability remains during and following disruption to core business systems

Possible Threats Human error Application failure Intentional disruption from an external source to a network (virus or worm) Power outage Service provider failure

Human error

Application failure

Intentional disruption from an external source to a network (virus or worm)

Power outage

Service provider failure

Scope and Context of BCP Significant outage of technology leading to the unavailability of critical business systems Disaster recovery planning a subset of BCP Contingency plans generally relate to a planned event, BCPs relate to services and assets that are already operational

Significant outage of technology leading to the unavailability of critical business systems

Disaster recovery planning a subset of BCP

Contingency plans generally relate to a planned event, BCPs relate to services and assets that are already operational

Scope and Context of BCP At a minimum, a BCP must have: A budget formalised and approved by senior management Formal disaster declaration authorities which will be responsible for activating the BCP An incident management system within the organisation to manage BCP processes once activated A regularly reviewed BCP that is benchmarked against industry regulations, where present, and other organisations’ processes

At a minimum, a BCP must have:

A budget formalised and approved by senior management

Formal disaster declaration authorities which will be responsible for activating the BCP

An incident management system within the organisation to manage BCP processes once activated

A regularly reviewed BCP that is benchmarked against industry regulations, where

present, and other organisations’

processes

BCP Development The steps in the process to develop and implement a BCP commonly noted as required are: Business impact analysis Business continuity plan development Training and testing of the plan

The steps in the process to develop and implement a BCP commonly noted as required are:

Business impact analysis

Business continuity plan development

Training and testing of the plan

Business Impact Assessment Provides the supporting evidence of where priorities for plans and preparation should take place Criticality criteria identify critical functions the organisation must perform to continue to deliver services Identify risks to critical functions Rate risks according to the likelihood of them occurring & level of impact

Provides the supporting evidence of where priorities for plans and preparation should take place

Criticality criteria identify critical functions the organisation must perform to continue to deliver services

Identify risks to critical functions

Rate risks according to the likelihood of them occurring & level of impact

Business Impact Assessment Clinical and administrative impact Core information required to treat patients in each area Core clinical services required Core people required to get the systems back up and running Impact of length of time and time of day

Clinical and administrative impact

Core information required to treat patients in each area

Core clinical services required

Core people required to get the systems back up and running

Impact of length of time and time of day

Business Continuity Plan Development Complicated process due to the size and complexity of health care organisations. Automated BCP software is available The key tasks in BCP development are: Reduction (of risk) Readiness Response Recovery

Complicated process due to the size and complexity of health care organisations.

Automated BCP software is available

The key tasks in BCP development are:

Reduction (of risk)

Readiness

Response

Recovery

Reduction (of risk) Supported through readiness actions Could include ensuring staff have an understanding of any workarounds required i.e. manual admission and discharge packs

Supported through readiness actions

Could include ensuring staff have an understanding of any workarounds required i.e. manual admission and discharge packs

Readiness Plans and actions that could be done in preparation for an outage Management and co-ordination requirements Communication – who and how Appropriate team of people aware of their roles - able to be brought together when the BCP is activated

Plans and actions that could be done in preparation for an outage

Management and co-ordination requirements

Communication – who and how

Appropriate team of people aware of their roles - able to be brought together when the BCP is activated

Response Initial response to an outage including impact assessment Pre-planned response cascade Ongoing risk status reported back to emergency team at regular intervals One central control centre with clear guidelines to assist with understanding roles and decision making

Initial response to an outage including impact assessment

Pre-planned response cascade

Ongoing risk status reported back to emergency team at regular intervals

One central control centre with clear guidelines to assist with understanding roles and decision making

Recovery Input electronic data missed during outage Reschedule appointments Temporary admin staff may be required Recovery time dependant on length of outage

Input electronic data missed during outage

Reschedule appointments

Temporary admin staff may be required

Recovery time dependant on length of outage

Testing and Validation When testing the plan, consider: Is the plan achievable? Is there a clearly defined starting point for the plan, i.e. activation? Does the plan address the situation in a timely, cost-effective, consistent way ?

When testing the plan, consider:

Is the plan achievable?

Is there a clearly defined starting point for the plan, i.e. activation?

Does the plan address the situation in a timely, cost-effective, consistent way ?

Testing and Validation Review of the BCP process is required following an outage Ongoing maintenance and review of the plan required to ensure applicability to changing systems and processes.

Review of the BCP process is required following an outage

Ongoing maintenance and review of the plan required to ensure applicability to changing systems and processes.

Training Staff are aware that such a plan exists and where it is kept, their role in BCP Making staff aware of what the impact may be will increase staff ability to function through appropriate workarounds

Staff are aware that such a plan exists and where it is kept, their role in BCP

Making staff aware of what the impact may be will increase staff ability to function through appropriate workarounds

Roles & Responsibilities IS departments are seen to be responsible for the co-ordination of development Senior health care providers from all disciplines provide analysis of criticality and feasible workarounds and maintain plans Senior executive staff support the development and implementation of the BCP and adequate ongoing funding

IS departments are seen to be responsible for the co-ordination of development

Senior health care providers from all disciplines provide analysis of criticality and feasible workarounds and maintain plans

Senior executive staff support the development and implementation of the BCP and adequate ongoing funding

Conclusions Likely to become increasingly common throughout the health sector as awareness increases and the shift to almost entirely paperless systems continues. Comprehensive plan required in health care organisations, given the criticality of many business systems and the risk to patient care delivery.

Likely to become increasingly common throughout the health sector as awareness increases and the shift to almost entirely paperless systems continues.

Comprehensive plan required in health care organisations, given the criticality of many business systems and the risk to patient care delivery.

Conclusions Development complex and time consuming, with subsequent possible mitigation strategies requiring considerable financial support. No standard benchmarks for the development of BCPs, but consistency enough within the literature to guide developers towards an appropriate plan for their organisation.

Development complex and time consuming, with subsequent possible mitigation strategies requiring considerable financial support.

No standard benchmarks for the development of BCPs, but consistency enough within the literature to guide developers towards an appropriate plan for their organisation.