By Mark Durivage, Quality Systems Compliance LLC
Every organization regulated by the FDA has been adversely affected by the coronavirus (COVID-19) pandemic. This tragic situation has exposed the vulnerability of the global supply chain and the lack of emphasis placed on contingency planning.
ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements is the world’s leading international standard for business continuity management systems (BCMS). ISO 22301 can help an organization establish, implement, and maintain a BCMS that supports quality management system (QMS) integrity during natural disasters, including pandemics, environmental accidents, technology mishaps, and man-made crises impacting the public and/or private sectors.
The benefits of implementing a BCMS include supporting the overall strategic objectives, generating a competitive advantage, protecting organizational reputation, encouraging organizational success, and providing financial stability.
The requirements specified in ISO 22301:2019 are generic and are intended to be applicable to all organizations regardless of type, size, and nature. The extent to which the BCMS requirements apply depends on the organization’s environment, its complexity, and the type of impact the organization may or may not accept following a disruption. A brief overview of the requirements for each clause follows.
Clause 1: Scope. ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented BCMS to prepare for, respond to, and recover from disruptive events when they arise. Establishing a BCMS is especially warranted when the organization must continue to deliver medicinal products and services during a disruption.
Clause 2: Normative References. ISO 22301 has one normative reference (ISO 22300 Security and resilience – Vocabulary) and no informative references.
Clause 3: Terms and Definitions. ISO 22301 provides 31 terms and definitions used to support the standard’s requirements, as well as the terms contained in ISO 22300 Security and resilience – Vocabulary.
Clause 4: Context of the Organization requires an understanding of the organization, its purpose, objectives, and context while considering the needs and expectations of interested parties in light of legal and regulatory requirements. Organizations should consider using a risk-based approach, identifying disruptive incidents and determining how those events could impact the organization and, ultimately, customers and patients. When defining the scope of the BCMS, the organization is required to document and explain exclusions.
Clause 5: Leadership. The organization’s top management must ensure the business continuity policy and business continuity objectives are compatible with the company’s strategic direction. Top management must demonstrate leadership and support for the organization and encourage employee involvement. Responsibility and authority for carrying out business continuity roles within the organization must be established.
Clause 6: Planning. The organization must identify and determine risks and opportunities that could influence organizational effectiveness and/or impact operations. Appropriate action plans, proportional to the identified risks and opportunities, must be developed. The business continuity objectives must be consistent with the business continuity policy, communicated, measurable, monitored, and updated based upon the needs and expectations of interested parties. When changes are made to the BCMS, system integrity and potential consequences must be considered.
Clause 7: Support. The organization needs to identify and provide the necessary resources, including procedures and communication tools. Competency requirements should be determined for the people under the organization’s control (full-time, part-time, contractors, and consultants) who have an impact on organizational performance, and the organization must ensure these people are aware of their responsibilities. Internal and external communications applicable to the BCMS must be established. A system is required for establishing, controlling, and updating the documents necessary to support the BCMS.
Clause 8: Operation. The organization is required to plan and develop its BCMS processes by studying potential disruptions, analyzing business risks, and setting priorities. A formal process should be established, implemented, and maintained that can be used to evaluate and set business continuity and recovery priorities, objectives, and targets.
Resource requirements necessary to implement business continuity solutions also must be considered, including people, information and data, physical infrastructure (e.g., buildings, workplaces and other facilities, plus associated utilities), equipment and consumables, information technology (IT) systems, communication technology systems, transportation and logistics, finance, and suppliers. The organization is required to periodically test the effectiveness of business continuity strategies and solutions, and seek opportunities to improve each.
Clause 9: Performance Evaluation. The organization must determine how to monitor and measure the performance and effectiveness of its processes. It also must ensure the internal audit program is capable of determining whether the system conforms to established requirements. Top management is required to review the BCMS, at planned intervals, to ensure its continuing suitability, adequacy, and effectiveness.
Clause 10: Improvement. The organization is required to identify, react to, and evaluate nonconformities when they occur by implementing corrective actions to address their causes, and then reviewing the effectiveness of those actions. The organization must continually improve the system’s performance, suitability, adequacy, and effectiveness.
Once the organization has identified potential natural disasters and man-made crises that could disrupt the delivery of medicinal products and services, each risk must be evaluated for its potential impact to the company, its likelihood of occurrence, and overall risk response (Fig. 1).
Fig. 1 — Example Risk Matrix
Impact:
- Low – low impact on schedule, performance, compliance, ability to operate, etc.
- Moderate – moderate impact on schedule, performance, compliance, ability to operate, etc.
- High – high impact on schedule, performance, compliance, ability to operate, etc.
Likelihood:
- Low – rare, though possible
- Medium – could occur occasionally
- High – likely to occur
Risk (Impact x Likelihood):
- Low – risks are largely acceptable; monitor the risk periodically for changes which may affect it
- Medium – control measures to mitigate the risk may be planned
- High – control measures to mitigate the risk must be planned, and the continued effectiveness of those control measures must be monitored periodically
Risk response:
- Low – no mitigation or analysis is required
- Medium – mitigation and analysis may be required
- High – mitigation and analysis are required
While the list of events that can disrupt operations may be nearly the same for most organizations, the impact and likelihood of each risk will vary significantly between organizations. For example, businesses located in coastal areas, such as Los Angeles or Miami, have a greater chance of being struck by a tsunami than a business located in Dallas, Texas. A vertically integrated company may not be affected as severely by a pandemic as a company that is horizontally integrated and has a higher reliance on its supply chain. A rural facility will probably have a lower risk of terror attack than a facility located in a large metropolitan city.
Table 1 provides examples of issues to consider when developing a contingency plan. Please note that the table is meant as an example and is not intended to be all-inclusive:
Table 1 — Example Disruptive Events
The organization has to anticipate risk by planning, and then decide whether to accept, reduce, control, mitigate, transfer, or avoid each risk. Risks should only be accepted when the benefits outweigh the potential risks; never accept unnecessary risk. The organization must develop and document, using a risk-based approach, business continuity plans (procedures) consistent with the BCMS policy and objectives.
The BCMS procedures must be proportionate to the identified risks (low, medium, high) and:
- specifically define immediate actions to be taken during a disruption
- provide for and allow flexibility in response to the changing conditions of a disruption
- minimize the impact through implementation of appropriate solutions
- assign roles and responsibilities for execution and monitoring
As noted above, not every disruption poses the same level of threat to each organization. If the risk is assessed to be high, a mitigation and analysis plan must be developed. For a risk classified as medium, mitigation and analysis may be required. In each case, the decision should be documented by the BCMS team. For risks identified as low, no mitigation or analysis is required.
Documenting business continuity plans (procedures), risk assessments, and communication plans, in my opinion, is best accomplished with one comprehensive document, referred to as a BCMS Manual. Having all of the information in one place greatly facilitates execution of the plan when a disruption occurs.
The BCMS Manual can include call lists for employees, suppliers, and other interested parties. It is best to have the documents printed in controlled binders, in case the disruption includes a power loss and data system issues.
The organization is required to develop a communications plan that enables timely and effective communications to relevant interested parties during a disruption. The communications plan should consider both internal and external interested parties. Internally, it is important to communicate to employees any impact the disruption will have upon the organization, the current plan for addressing the disruption, and how additional information will be shared.
Externally, suppliers, partners, and other interested parties also should be informed about the disruption and the organization’s plan for addressing it. Depending on risk, some external parties could be contacted through email, while others may require a call or teleconference.
Another consideration for external communications is the local community. Effectively communicating with the local community can help protect organizational reputation and contribute to organizational success.
The coronavirus (COVID-19) pandemic has been a wakeup call, demonstrating how woefully unprepared most organizations are for a widespread global event. This tragic situation has exposed the vulnerability of the global supply chain and the lack of emphasis placed on contingency planning. Contingency planning needs to be considered holistically, rather than as a simple focus on information and data systems, which typically is the case.
About the Author
Mark Allen Durivage has worked as a practitioner, educator, consultant, and author. He is Managing Principal Consultant at Quality Systems Compliance LLC, an ASQ Fellow, and an SRE Fellow. Durivage primarily works with companies in the FDA-regulated industries (medical devices, human tissue, animal tissue, and pharmaceuticals), focusing on quality management system implementation, integration, updates, and training. Additionally, he assists companies by providing internal and external audit support as well as FDA 483 and Warning Letter response and remediation services. He earned a BAS in computer aided machining from Siena Heights University and an MS in quality management from Eastern Michigan University. He holds several certifications, including CRE, CQE, CQA, CSSBB, RAC (Global), and CTBS. He has written several books available through ASQ Quality Press, published articles in Quality Progress, and is a frequent contributor to Life Science Connect. Durivage resides in Lambertville, Michigan. Please feel free to email him at email@example.com with any questions or comments.