- Recent crises have increased executive awareness and internal pressure to create a business continuity plan (BCP).
- Healthcare-driven regulations require evidence of sound business continuity practices.
- Customers demand their vendors provide evidence of a workable BCP prior to signing a contract.
- IT leaders, because of their cross-functional view and experience with incident management and DR, are often asked to lead BCP efforts.
Our Advice
Critical Insight
- BCP requires input from multiple departments with different and sometimes conflicting objectives. There are typically few, if any, dedicated resources for BCP, so it can't be a full-time resource-intensive project.
- As an IT leader you have the skill set and organizational knowledge to lead a BCP project, but ultimately, business leaders need to own the BCP – they know their processes and their requirements to resume business operations better than anyone else.
- The traditional approach to BCP is a massive project that most organizations can’t execute without hiring a consultant. To execute BCP in-house, carve up the task into manageable pieces as outlined in this blueprint.
Impact and Result
- Implement a structured and repeatable process that you apply to one business unit at a time to keep BCP planning efforts manageable.
- Use the results of the pilot to identify gaps in your recovery plans and reduce overall continuity risk while continuing to assess specific risks as you repeat the process with additional business units.
- Enable business leaders to own the BCP going forward. Develop a template that the rest of the organization can use.
- Leverage BCP outcomes to refine IT DRP recovery objectives and achieve DRP-BCP alignment.
Workshop: Develop a Business Continuity Plan for Healthcare
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Define BCP Scope, Objectives, and Stakeholders
The Purpose
- Define BCP scope, objectives, and stakeholders.
Key Benefits Achieved
- Prioritize BCP efforts and level-set scope with key stakeholders.
Activities
Outputs
Assess current BCP maturity.
- BCP Maturity Scorecard: measure progress and identify gaps.
Identify key business processes to include in scope.
- Business process flowcharts: review, optimize, and knowledge transfer processes.
Flowchart key business processes to Identify business processes, dependencies, and alternatives.
- Identify workarounds for common disruptions for day-to-day continuity.
Module 2: Define RTOs and RPOs Based on Your BIA
The Purpose
- Define RTOs and RPOs based on your BIA.
Key Benefits Achieved
- Set recovery targets based business impact and illustrate the importance of BCP efforts via the impact of downtime.
Activities
Outputs
Define an objective scoring scale to indicate different levels of impact.
- Objective scoring scale to assess cost, goodwill, compliance, and safety impacts.
Estimate the impact of downtime.
- Apply the scoring scale to estimate the impact of downtime on business processes.
Determine acceptable RTO/RPO targets for business processes based on business impact.
- Acceptable RTOs/RPOs to dictate recovery strategy.
Module 3: Create a Recovery Workflow
The Purpose
- Create a recovery workflow.
Key Benefits Achieved
- Build an actionable, high-level recovery workflow that can be adapted to a variety of different scenarios.
Activities
Outputs
Conduct a tabletop exercise to determine current recovery procedures.
- Recovery flow diagram – current and future state
Identify and prioritize projects to close gaps and mitigate recovery risks.
- Identify gaps and recovery risks.
- Create a project roadmap to close gaps.
Evaluate options for command centers and alternate business locations (i.e. BC site).
- Evaluate requirements for alternate business sites.
Module 4: Extend the Results of the Pilot BCP and Implement Governance
The Purpose
- Extend the results of the pilot BCP and implement governance.
Key Benefits Achieved
- Outline the actions required for the rest of your BCMS, and the required effort to complete those actions, based on the results of the pilot.
Activities
Outputs
Summarize the accomplishments and required next steps to create an overall BCP.
- Pilot BCP Executive Presentation
Identify required BCM roles.
- Business Continuity Team Roles and Responsibilities
Create a plan to update and maintain your overall BCP.
- Maintenance plan and BCP templates to complete the relevant documentation (BC Policy, BCP Action Items, Recovery Workflow, etc.)
Develop a Business Continuity Plan for Healthcare
Streamline the traditional approach to make BCP development manageable and repeatable.
Analyst Perspective
A BCP touches every aspect of your organization, making it potentially the most complex project you'll take on. Streamline this effort or you won't get far.
None of us needs to look very far to find a reason to have an effective business continuity plan (BCP).
From pandemics to natural disasters to supply chain disruptions to IT outages, there's no shortage of events that can disrupt your complex and interconnected business processes. How in the world can anyone build a plan to address all these threats?
Don't try to boil the ocean. Use these tactics to streamline your BCP project and stay on track:
- Focus on one business unit at a time. Keep the effort manageable, establish a repeatable process, and produce deliverables that provide a starting point for the rest of the organization.
- Don't start with an extensive risk analysis. It takes too long and at the end you'll still need a plan to resume business operations following a disruption. Rather than trying to predict what could cause a disruption, focus on how to recover.
- Keep your BCP documentation concise. Use flowcharts, checklists, and diagrams instead of traditional manuals.
No one can predict every possible disruption, but by following the guidance in this blueprint, you can build a flexible continuity plan that allows you to withstand the threats your organization may face.
Frank Trovato
Research Director,
IT Infrastructure & Operations Practice
Info-Tech Research Group
Andrew Sharp
Senior Research Analyst,
IT Infrastructure & Operations Practice
Info-Tech Research Group
Executive Summary
Your Challenge | Common Obstacles | Info-Tech's Approach |
|
|
|
Info-Tech Insight
As an IT leader, you have the skill set and organizational knowledge to lead a BCP project, but you must enable leaders to own their department's BCP practices and outputs. They know their processes and therefore know their requirements to resume business operations better than anyone else.
Use this research to create business unit BCPs and structure your overall BCP
A business continuity plan (BCP) consists of separate but related sub-plans, as illustrated below. This blueprint enables you to:
- Develop a BCP for a selected business unit (as a pilot project), and thereby establish a methodology that can be repeated for remaining business units.
- Through the BCP process, clarify requirements for an IT disaster recovery plan (DRP). Refer to Info-Tech's Disaster Recovery Planning workshop for instructions on how to create an IT DRP.
- Implement ongoing business continuity management to govern BCP, DRP, and crisis management.
Overall Business Continuity Plan | ||
---|---|---|
IT Disaster Recovery Plan | BCP for Each Business Unit | Crisis Management Plan |
A plan to restore IT application and infrastructure services following a disruption.
Info-Tech's Create a Right-Sized Disaster Recovery Plan blueprint provides a methodology for creating the IT DRP. Leverage this blueprint to validate and provide inputs for your IT DRP. |
A set of plans to resume business processes for each business unit. This includes:
|
A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.
Info-Tech's Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage. |
IT leaders asked to develop a BCP should start with an IT Disaster Recovery Plan
It's a business continuity plan. Why should you start continuity planning with IT?
1 IT services are a critical dependency for most business processes. Creating an IT DRP helps you mitigate a key risk to continuity quicker than it takes to complete your overall BCP, and you can then focus on other dependencies such as people, facilities, and suppliers.
2 A BCP requires workarounds for IT failures. But it's difficult to plan workarounds without a clear understanding of the potential IT downtime and data loss. Your DRP will answer those questions, and without a DRP, BCP discussions can get bogged down in IT discussions. Think of payroll as an example: if downtime might be 24 hours, the business might simply wait for recovery; if downtime might be a week, waiting it out is not an option.
3 As an IT manager, you can develop an IT DRP primarily with resources within your control. That makes it an easier starting point and puts IT in a better position to shift responsibility for BCP to business leaders (where it should reside) since essentially the IT portion is done.
Healthcare complexities pose multiple obstacles against driving BCP best practices
Lack of organizational commitment
Organization and hospital leadership is busy with other commitments, which makes it difficult to get their buy-in for BCP. Without strong leadership commitment, BCP is a low-priority initiative.
Lack of BCP understanding
It's pivotal to implement BCP training to ensure that stakeholders will be able to apply it when needed. Without organizational commitment, there may be limited investments in training programs, leaving staff unaware of the BCP best practices, making it hard for them to follow and apply protocols.
Time limitations to implement BCP
Due to the above reasons, healthcare leaders feel that it's not worth the time and effort to invest in BCP. Low commitment leads to lack of time to train, monitor, and apply business continuity initiatives.
Resource shortage to implement BCP
Lack of commitment leads to the insufficiency of resources in terms of staff, technology, and investment into BC planning for business responsiveness to potential crises.
Regulatory compliance complexity: The healthcare industry is highly regulated, and leaders should make sure that patients' data is confidential and in accordance with standards, such as HIPAA (Health Insurance Portability and Accountability Act). Meeting such regulatory requirements while maintaining business continuity is a very challenging endeavor, making healthcare leaders reluctant to consider BCP over other competing priorities.
Rapidly evolving threats: Given the significant improvements in technology and high dependence of hospitals and healthcare providers on automated systems, cyberthreats and their impact on day-to-day work have increased dramatically. System failure, data breach, and ransomware can easily cause a disaster and jeopardize business continuity.
High dependence on external providers: Healthcare organizations are highly dependent on external entities, such as contract research organizations (CROs), medical device manufacturers, research institutes, medical clinics, regulatory agencies, pharmaceutical companies, etc. The high dependency on external entities make BCP compliance much more complicated than other industries.
Tackling the above challenges and obstacles requires leadership awareness of the BCP's crucial importance on their business, and their commitment to apply it. In addition to leadership buy-in, it requires resource allocation and training, financial support, mission alignment, collaboration with external entities, and testing the BCP framework.
Info-Tech Insight
In this blueprint, we keep referring to "business units," which in the context of healthcare, depending on the sector, means clinical department, back office, or a company's business unit. For instance, in the context of hospitals, business unit means "clinical department," whereas for a CRO it means "back office."
Modernize the BCP
If your BCP relies heavily on paper-based processes as workarounds, it's time to update your plan.
Back when transactions were recorded on paper and then keyed into the mainframe system later, it was easier to revert to deskside processes. There is very little in the way of paper-based processes anymore, and as a result, it is increasingly difficult to resume business processes without IT.
Think about your own organization. What IT system(s) are absolutely critical to business operations? While you might be able to continue doing business without IT, this requires regular preparation and training. It's likely a completely offline process and won't be a viable workaround for long even if staff know how to do the work. If your data center and core systems are down, technology-enabled workarounds (such as collaboration via mobile technologies or cloud-based solutions) could help you weather the outage, and may be more flexible and adaptable for day-to-day work.
The bottom line:
Technology is a critical dependency for business processes. Consider the role IT systems play as process dependencies and as workarounds as part of continuity planning.
Info-Tech's approach
The traditional approach to BCP takes too long and produces a plan that is difficult to use and maintain.
The Problem:
You need to create a BCP but don't know where to start.
- BCP is being demanded more and more to comply with regulations, mitigate business risk, meet customer demands, and obtain insurance.
- IT leaders are often asked to lead BCP.
The Complication:
A traditional BCP process takes longer to show value.
- Traditional consultants don't usually have an incentive to accelerate the process.
- At the same time, self-directed projects with no defined process go months without producing useful deliverables.
- The result is a dense manual that checks boxes but isn't maintainable or usable in a crisis.
The Info-Tech difference:
Use Info-Tech's methodology to right-size and streamline the process.
- Reduce required effort. Keep the work manageable and maintain momentum by focusing on one business unit at a time; allow that unit to own their BCP.
- Prioritize your effort. Evaluate the current state of your BCP to identify the steps that are most in need of attention.
- Get valuable results faster. Functional deliverables and insights from the first business unit's BCP can be leveraged by the entire organization (e.g. communication, assessment, and BC site strategies).
Expedite BCP development
Info-Tech's Approach to BCP:
- Start with one critical business unit to manage scope, establish a repeatable process, and generate deliverables that become a template for remaining business units.
- Resolve critical gaps as you identify them, generating early value and risk mitigation.
- Create concise, practical documentation to support recovery.
By comparison, a traditional BCP approach takes much longer to mitigate risk:
- An extensive, up-front commitment of time and resources before defining incident response plans and mitigating risk.
- A "big bang" approach that makes it difficult to predict the required resourcing and timelines for the project.
Case Study
A workshop on continuity planning to improve an existing BCP approach and extend it to the larger organization.
SOURCE
Info-Tech
INDUSTRY
Healthcare Systems
In October 2022, Info-Tech Research Group conducted a four-day business continuity workshop with supply chain process and operational team stakeholders, IT representatives, and the continuity team. The engagement focused on the methodology to augment the existing continuity plan approach with the intent of scaling it to the larger organization. The stakeholders who participated across the four-day engagement provided valuable organizational knowledge and subject matter expertise.
The engagement focused on working with the team of participants and leveraged the following practical approach for defining continuity requirements and exercising the methodology:
- Gather feedback from key stakeholders and participants and identify prevalent challenges, frustrations, risks, and opportunities.
- Identify dependencies for a subset of supply chain business processes.
- Execute a business impact analysis to provide objective comparison and prioritization between activities.
- Execute a business impact analysis to provide objective comparison and prioritization between core IT systems identified during the process analysis.
- Examine scenario planning for candidate business processes and IT systems to identify gaps in current recovery capabilities and provide a framework for a full response plan.
- Review integration between technical incident management, IT disaster recovery, regional response teams, and organizational crisis management.
- Examine the artifacts, governance, and roles required for a larger BCP program.