Hurricane Katrina and the more recent Hurricane Sandy opened the eyes of many U.S. businesses to their liability to disaster as never before. The need for disaster recovery and business continuity planning has soared to an all-time high, yet surveys like the one released by FM Global, one of the world’s largest commercial property insurers, report that despite the great media attention given to the ongoing spate of natural disasters worldwide and their high financial and human costs, many individuals and businesses do little to address their vulnerability to these hazards through physical risk management practices. This would indicate that most companies are not adequately prepared for disasters and would be unable to quickly restore business operations.
Medical device companies that expect their businesses to survive a disaster, let alone maintain their position in the marketplace, must develop a better understanding of the business impact of significant disruptions and the true cost of downtime. With that understanding, they can create business continuity programs that set realistic recovery objectives and provide a clear action plan.
There’s no doubt that business continuity planning can be a multifarious process. It requires that companies first define their critical business products and services by identifying risks and assessing ways to avoid or mitigate them. Then companies must develop and test plans so that, in the event of a disaster or disruption, they can keep critical operations running and restore the business to normal. At the heart of this process is the business impact analysis (BIA), a detailed analysis of the impact that disruptions would have on each business unit. However complex it may be, businesses that do not make business continuity planning a priority leave themselves vulnerable to failure.
Medical Device Firms Face Many Risks
Fires, floods, hurricanes, and equipment failures can affect any business. In some ways, medical device manufacturers face greater risks than other types of business. Medical device companies are widespread, but concentrated in the coastal cities and the Midwest. These areas are vulnerable to earthquakes, tornadoes, floods, and hurricanes. Additionally, many medical device organizations are small businesses. The combination of property loss and business interruption can have an especially ominous impact on small enterprises.
Regulatory pressures and increasing complexity, coupled with the increasing globalization of the market, create an environment in which quality, reliability and safety compete with the business need to reduce time-to-market and increase product development efficiency (Parametric Technology Corporation, 2012).
Other common threats affecting medical device companies, but not often recognized by top management, include:
Workplace health and safety issues
Geographic restrictions due to war or global unrest
Hardware, software and/or other equipment failures
With a dependence on computer systems, adequate information security has also become critically important. According to a report released by ehow.com in 2011, malware attacks numbered more than 200 million at the time of its publication. The same report noted that a 2010 report by McAfee, a security software company, revealed that the cost to corporations of work time lost due to virus attacks was $6.3 million per day (McKenzie, 2011) (Computer Viruses & How They Affect Our Economy, 2011).
The best defense against business interruption is a good offense. Business continuity is the ability of a business to continue operations in the face of a disaster. A medical device company with a viable business continuity plan would be able to continue operations at a productive level until it can resume “business as usual.”
Standards and formal management systems fill the gap
ISO 22301 is suitable for organizations of all sizes, across all industries, public or private, manufacturing or service. It provides a common approach to and language for business continuity management, allowing global organizations to achieve internationally recognized best practice across a level playing field. For large organizations, this means global consistency. For small enterprises, this means clear, concise, globally accepted guidelines that can reduce the cost of implementation while providing their customers with a high level of confidence that they are prepared.
The value of ISO 22301 to a business can be broken down into three basic principles:
A business continuity plan is important for any organization, but it can be even more critical for medical device firms because of the critical products and services they provide. Almost any disaster in a medical device firm, whether caused by natural disaster, equipment failure, or the act of a hacker, insider threat or terrorist, can trigger a series of devastating financial consequences. The combination of property loss and business interruption can have an especially calamitous impact on the picture of small enterprises.
A well-thought-out plan that anticipates all potential disasters and disruptions and all appropriate responses can make the difference between never recovering from a major loss and continuing daily operations with minimal disruption. It can also reduce a firm’s financial vulnerability and keep insurance costs to a minimum.
John DiMaria is a management system professional, responsible for overseeing product roll-out and client/sales education. He is the product expertise spokesperson for BSI Group Americas.