Starting points for effective Business Continuity Management
Pharmaceutical companies need particularly responsive and professional emergency and crisis management because they bear a special responsibility in supplying the population with drugs, some of which are vital. With customized and effective Business Continuity Management (BCM), they should therefore shed light on industry-specific risk zones – and implement measures that lead to a rapid restoration of the ability to act in the event of an emergency involving idle production lines or failed supply chains.
One second can be far too long a period of time – for example, if a power failure brings the operation of a production plant to a standstill, thereby destroying the entire day's production of medicines. However, this is only one of numerous critical incidents, such as cyber attacks, transport stoppages in logistics or contamination of batches already delivered, which pharmaceutical companies must constantly reckon with.
Standards provide orientation
To effectively guard against these and other risks, two standards are helpful: first, the international, well-established ISO* 22301:2019 for establishing security and resilience by developing business continuity management systems. Second, specifically in Germany, the modernized BSI* Standard 200-4, which formalizes the topic with regard to implementation within IT. We have adapted both standards for use in the pharmaceutical industry and defined the critical action areas for Business Continuity Management (see diagram).
Figure: Fields of action of msg Global Business Continuity Management © msg industry advisors ag
In terms of implementation, our approach covers all the key stages from the broad perspective of international guidelines and requirements down to detailed action plans for implementation at the plant or group of plants, known as Business Continuity Action Plans. Here, the first action plan provides a set of suggested immediate actions to address all types of failures and disruptions, regardless of the type of threat or cause of failure. The other five action plans outline the steps needed to restore the site and business functions should they fail. This relates in particular to the unavailability of access to technology, equipment, personnel, and third parties/suppliers, as well as to buildings or blocked access to them.
In an emergency, however, these tools only develop their full effectiveness in an organization that is fully informed about the topic and whose risk and compliance officers have the necessary knowledge to apply them. Regardless of the risk or crisis scenario, in our projects, the following starting points regularly prove to be critical to the success of ideally coordinated Business Continuity Management in the long term:
Organization: Assessing strengths correctly
Following the principle of "from overview to detail," the first task should be to create the framework conditions to ensure a BCM can function in the best possible way. This matters all the more because BCM initiatives run the risk of getting lost in the routines of day-to-day business as "action paper tigers" when their objectives are operationalized.
"A BCM initiative must not end up as an 'action paper tiger.'"
To avoid this, it is essential to raise awareness within the company to ensure it recognizes the high value of an interlocking global, regional and local organization by looking beyond its own divisional and site boundaries. This usually requires accompanying change or transformation management on the way to new corporate structures and cultures. With this readiness for change, the focus is now on the goals and existing strengths, for example, by answering the following key questions:
- What exact results/effects do executives and relevant employees of the workforce expect from Business Continuity Management?
- What definition of BCM is based on this expectation?
- How should an appropriate program be implemented? Which people/roles have so far been responsible for the subject and its implementation in the organization? Is there a better way to do this, and if so, how?
- Of special importance and a requirement of ISO 22301: What are the minimum requirements for the availability of the processes?
Locations: Making weak points and risk tolerance transparent
The second crucial step is to identify the risks at each of the company sites, whether they are production plants or branch locations. This "site profiling" creates a clear, detailed picture of the risk potential at each site. It should also include a definition of technical and organizational measures that specify what needs to happen when a threat meets a weak spot. The target result in this case is a comprehensive and simultaneously practicable emergency response plan. This must enable businesses to respond in the event of a deviation from routine, an incident, or a crisis. The assessment or prioritization of risks, on the other hand, differs substantially depending on the location – for example, in terms of supplier reliability / replaceability or the safety of manufacturing processes. This individual risk tolerance should also be recorded in concrete terms, for example, via aspects such as:
- Which processes should the BCM cover? How should their criticality be classified, e.g. in a time spectrum (process failure resolvable within 2, 8, 24, 48, etc. hours)?
- How does subdivision into process classes help to identify the really important processes?
- Where are there "hidden" process links?
- Which processes are not relevant at all? Under what conditions could this change and how realistic is it?
When it comes to subdividing and prioritizing processes, supply chains are highly critical; for example, when pharmaceuticals need to get from high-bay warehouses to wholesalers, to clinics, to pharmacies, all the way to the patient. These procedures, however, are normally not so vital that they can't take a two-hour outage, but they must be back up and operating within two to 24 hours. For this, however, inventories and supply ranges must be secured appropriately. Other considerations, such as the evaluation of logistics performance, can, of course, play a role in the classification of criticality: Should drugs be transported with a 40-ton truck or with five vans, for example? In the second case, the cost and environmental impact may be worse, but the risk of traffic-related delays and breakdowns is reduced.
Taking advantage of pharmaceutical industry know-how
BCM managers in the pharmaceutical business should take advantage of an industry-specific benefit when it comes to day-to-day application: They are usually well acquainted with analogous risk management methods from the GxP world. Many companies have already gained valuable experience in risk definition and assessment, for example, during the validation of computer systems, which has been documented – and so have, in principle, already implemented the systematic approach outlined above.
"The GxP world provides valuable procedural patterns for Business Continuity Management."
For example, the EU GMP Guide (Annex 11, Chapter 16) specifies: If computerized systems support critical processes, provisions must be made for the scenario of a system failure to ensure continuous process support – for example, by means of a manual or alternative system. The time required to put these alternative procedures into operation shall be determined in each case for a specific system and the supported processes on a risk-dependent basis, and the procedures shall be adequately documented and tested. To arrive at an all-encompassing methodology for business continuity management, these empirical values and findings should be applied beyond the technology dimension to the fields of buildings, equipment, staff, and suppliers.
*Abbreviations:
ISO: International Organization for Standardization
BSI: Bundesamt für Sicherheit in der Informationstechnik / Federal Office for Information Security