Everybody counts! Disaster & Contingency planning

Terminology
Disaster / catastrophe: affecting only one or very few institutions; one site / region
Examples: IT system failure, flood, fire, labor strike, theft / sabotage
Contingency: affecting several institutions; national / international
Examples: tsunami, volcano eruption (ash cloud), global IT virus, telecommunication disruption
Organizational resiliency:
The capacity of an organization to resist incidents, internal or external to the organization, that endanger normal business operations
Overview
Disaster planning:
Why is it important to have an organizational resiliency program in
your registry?
What should an organizational resilience program address?
How to get started…
Key elements of organizational resiliency
Implementation of your plan
Contingency planning:
Contingencies for bone marrow donor registries
Steps towards an international emergency task force
International emergency contact list
Why is it important to have an organization resiliency
program in a registry?
Living in Grenoble, France
The Alps
Two Rivers:
Isère & Drac
Risk assessment
1. Dams: Flood waves
Example: Monteynard
40 min for wave to reach Grenoble
Wave 8-12 meters high
In total 10 dams upstream of Grenoble; 1 in 16.000 dams has an accident
2. Chemical production site south of Grenoble
3. Nuclear reactor for scientific purposes in Grenoble
4. Natural risk: earthquakes
Threats may not be obvious at first glance; they need to be assessed!
What should an organizational resilience program address?
Key elements of organizational resiliency
Strategic plan: definition of recovery time objectives
Tools: risk assessment, business impact analysis
Prevention and mitigation
Crisis response (staff/people)
Business continuity (resources)
Disaster recovery (information technology)
Exercise and training
Appendix:
Identify and explicitly list critical staff, resources, tools
Keep emergency contact lists of staff, partner organizations, other stakeholders
Communication plan
Specific scenarios …
How to get started…
WMDA guidelines upcoming
WMDA crisis response, business continuity and disaster
recovery guidelines
WMDA - Quality Assurance Working Group
J. Pingel, B. Amer, C. Case Jr., R. Hornung III, A. Schmidt
Guidelines on key aspects of organizational resiliency
Example organizational resiliency program included
Approved by WMDA board in Nov. 2011
To be published soon
Compose a project team
Compose a representative team of registry members which may include:
Director
Business Continuity Manager
Information technology
Medical department / Search unit
Human Resources
Finances
Legal department
Press / Communication
…and choose the project leader who will establish and maintain the
organizational resiliency program
Hazard analysis and risk assessment: Grenoble
Scale: 0 = N/A, 1 = low, 2 = intermediate, 3 = high
Unmitigated risk = probability * severity

Incident                      Probability  Human impact  Facility impact  Business impact  Unmitigated risk
1. Natural Hazards
Earthquake                    1            3             3                3                3 (=(3+3+3)/3*1)
Flood                         2            1             2                2                3.3 (=(1+2+2)/3*2)
2. Technological Hazards
Information Systems Failure   3            0             0                3                3
Electrical Disruption
Communication System Failure
Hazardous Materials
3. Human Hazards
Pandemic                      3            3             0                2                5
Act of Terrorism
Labor Strike
Business impact analysis
BIA: a management level analysis that identifies the impacts of losing the entity’s
resources (NFPA).
For each key business unit, identify:
Number of staff
Principal activities
Recovery time objective (RTO)
Recovery point objective (RPO)
Which processes depend on this business unit’s activities?
On which other business units does the analyzed one depend?
Critical activities?
Cost of operation and recovery during outage time?
Aim:
Prioritize activities necessary during recovery
Identify dependencies (internal or external)
List supporting resources needed to meet your RTO and RPO
→ Develop timelines for recovery activities (staff, activity, resources)
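A sketch of how the BIA dependency and RTO data can be turned into a recovery sequence and checked for conflicts. This is an added example, not part of the original slides; the unit list, RTO values in hours and dependencies are constructed sample data, and the function names are hypothetical.

```python
from graphlib import TopologicalSorter  # standard library, Python 3.9+

# Constructed sample BIA records (illustrative values, not taken from the slides).
# rto_h: recovery time objective in hours; depends_on: units needed first.
BIA = {
    "IT systems":               {"rto_h": 8,   "depends_on": []},
    "Telecommunication":        {"rto_h": 4,   "depends_on": []},
    "Urgent donor searches":    {"rto_h": 4,   "depends_on": ["IT systems", "Telecommunication"]},
    "Current work-up requests": {"rto_h": 24,  "depends_on": ["IT systems"]},
    "Donor recruitment":        {"rto_h": 336, "depends_on": ["IT systems"]},
}

def rto_conflicts(bia):
    """Return (unit, dependency) pairs where the dependency's RTO is longer
    than the unit's own RTO, so the unit's RTO cannot be met as planned."""
    conflicts = []
    for unit, rec in bia.items():
        for dep in rec["depends_on"]:
            if dep not in bia:
                raise KeyError(f"{unit} depends on unlisted unit {dep!r}")
            if bia[dep]["rto_h"] > rec["rto_h"]:
                conflicts.append((unit, dep))
    return sorted(conflicts)

def recovery_order(bia):
    """Order units so dependencies come first; among the units that are
    ready at each step, the one with the shortest RTO is recovered next."""
    ts = TopologicalSorter({u: r["depends_on"] for u, r in bia.items()})
    ts.prepare()  # raises graphlib.CycleError on circular dependencies
    ready, order = [], []
    while ts.is_active():
        ready.extend(ts.get_ready())
        ready.sort(key=lambda u: (bia[u]["rto_h"], u))
        nxt = ready.pop(0)
        order.append(nxt)
        ts.done(nxt)  # unlocks units that were waiting on nxt
    return order

if __name__ == "__main__":
    print("RTO conflicts:", rto_conflicts(BIA))
    print("Recovery order:", recovery_order(BIA))
```

A conflict means either the dependency needs a shorter RTO (more back-up resources) or the dependent unit's RTO has to be relaxed.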
What are the key elements of an organizational
resiliency program?
Crisis response
Crisis response: Defines structures and actions used to evaluate and address
threats produced by a preceding incident or event
Catastrophe
Crisis
Incident
Contingency
Take actions according to plan
Inform stakeholders regularly
Escalate requests for assistance/resources
Respect safety of individuals at all times
Crisis Management Team
• Assess information about incident
• Possible courses of action?
• Prioritize by process impacted
• Resources/assistance required?
• Which coordination strategy?
• Who are the spokespeople?
Business continuity
Business Continuity: The capacity of an organization to plan for and respond to
incidents or events that impact or disrupt business operations; pertaining to the
coordination of repair, replacement or alternate locations, critical facilities or the
reassignment of critical tasks based on staff availability
Identify
Critical functions: Tasks and activities related to the key business to deliver key services and products
Critical staff (CS): Staff trained on tasks directly related to the key business of the organization
Provide
Resources: Resources for operations of CS, back-up resources, emergency resources
Location/facilities: Where can staff work if standard facilities are not available?
Develop Plans, Communication Guidelines, Standard Operating Procedures, ... that take effect in an emergency
Critical services, critical staff
What are the critical tasks of my registry? (=Key business)
How many staff are required to keep up these activities during a crisis?
Current work-up requests (Example: 2 of 8 staff members)
Donor clearance
Stem cell collection
Transportation
Urgent donor searches (Example: 1 of 3 staff members)
…
→ List: critical task, resources needed, staff name & contact information
Which activities could be suspended?
Projects
Donor recruitment
Post transplantation activities, e.g. patient / donor follow-up
…
Disaster recovery
Disaster Recovery: The capacity of an organization to quickly return to an
acceptable level of business operations after an incident or an event; pertaining
to the information systems used to accomplish critical functions
Identify
Retrieve
Identify critical information (files, records, ...): How much / which data can be lost without severe impact to business operations?
Regular backups should be kept in a location separate from original files and validated by data restoration tests
Store
Keep electronic copies of important documents
Determine safe locations for documents and systems with adequate fire/water protection
Keep software library for restoration of computer systems
Run mirrored systems to prevent failure
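A minimal data restoration test for the backup validation point above, as an added example that is not part of the original slides. It assumes backups are tar archives and that a SHA-256 manifest of the originals is recorded at backup time; file names and contents are constructed sample data.

```python
import hashlib, io, tarfile, tempfile
from pathlib import Path

def make_manifest(root):
    """Map relative path -> SHA-256 digest for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore_test(archive, manifest):
    """Restore the archive into a scratch directory and compare the result
    with the manifest of the originals. All lists empty = test passed."""
    # The "data" extraction filter rejects unsafe member paths where available.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            tar.extractall(scratch, **opts)
        restored = make_manifest(scratch)
    return {
        "missing": sorted(n for n in manifest if n not in restored),
        "corrupt": sorted(n for n in manifest
                          if n in restored and restored[n] != manifest[n]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }

def demo():
    """Constructed sample: a good backup passes, a damaged one is caught."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d, "records")
        src.mkdir()
        (src / "donors.csv").write_text("id,status\n1,cleared\n")
        (src / "contacts.txt").write_text("emergency contact list\n")
        manifest = make_manifest(src)
        good = Path(d, "offsite_good.tar")
        with tarfile.open(good, "w") as tar:
            for p in sorted(src.iterdir()):
                tar.add(p, arcname=p.name)
        bad = Path(d, "offsite_bad.tar")  # truncated file, one file never copied
        with tarfile.open(bad, "w") as tar:
            data = b"id,status\n"
            info = tarfile.TarInfo("donors.csv")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        return restore_test(good, manifest), restore_test(bad, manifest)

if __name__ == "__main__":
    print(demo())
```

Storing the manifest apart from the archive keeps a damaged or tampered backup from vouching for itself.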
Implementation of the program
Test, exercise and maintenance
Make your organizational resiliency program available to all staff → SOP
Test it with different scenarios
Example: total / partial loss of building, pandemics
Desktop exercise
More complex, “virtual” scenarios needing real actions
Review your solutions
Was the plan accurately activated?
Is your chain of command identified?
Is your plan understandable?
Do you have all necessary resources?
Are there any new aspects that need to be included?
Maintain your program on a (bi-)annual basis
Contingency planning
Contingency: Unpredictable incident with impact on global systems such as communication or transportation systems, thereby limiting or disrupting normal business operations.
Examples: pandemics, international flight restrictions, global IT virus
Contingencies affect multiple locations simultaneously
Business is heavily impacted
2 cases to consider:
Mass casualties (e.g. nuclear disaster)
→ Business operations must be increased / resources are needed
Large impact on resources needed for operations (e.g. ash cloud)
→ Business operations restricted or disrupted
Mitigate contingencies
National collaboration
Identify partner organizations for co-operations
Blood Services
International organizations like Red Cross, …
Governmental partners / Military
Discuss / adapt resiliency programs
The Future:
International collaboration
Establishment of the WMDA international emergency task force
Nov. 2011: WMDA board decides on establishment of an
International Emergency Task Force
Spring 2011: bylaws approved by WMDA board
International Emergency Task Force Bylaws (1)
Purpose:
The Task Force will provide to the best of its ability assistance to
WMDA registries that request assistance in responding to incidents
that impact their operations.
Objectives:
To provide additional resources to registries to ensure the continued
delivery of products
To assess impact to operations
To determine options to assist in averting the issue that is impacting
operations
To optimize the use of resources in response to large scale incidents
that impact many registries (i.e. chartering one plane for multiple
couriers versus chartering one plane for each courier)
International Emergency Task Force Bylaws (2)
Organization
7 members from all over the world
(America / Europe, Middle East and Africa / Asia, Pacific, Australia,
NZ and WMDA office)
Chairperson to be appointed by WMDA board (2 year period)
Concept of Operations
Notification via E-Mail (telephone)
Response time: 1-2h
Assistance as possible and required
Direct help by registries
Escalation to other organizations
Format of Emergency Task Force Assistance Request Form
Detailed information about incident, contacts and requested assistance
Emergency contact list
Aim: Provide Registry with a printable list of emergency contacts from
other WMDA registries.
Information collected in the WMDA annual questionnaire
Contact list to be sent out within WMDA annual report
What should you do?
Incorporate the emergency contact list in your organizational
resiliency program
Update this information annually
Conclusions
Take home message
The biggest threat to your registry is…
…never having thought about risks before it is too late!
Get prepared!
Compose a team
Assess your risks and their potential impact on operations
Use WMDA guidelines to prepare:
Crisis response plan
Business continuity plan
Disaster recovery plan
Tell your staff what you planned for and why!
Acknowledgements
WMDA - Quality assurance working group subcommittee:
Cullen Case (NMDP, USA)
Ray Hornung (NMDP, USA)
Beth Amer (One Match, Canada)
Alexander Schmidt (DKMS, Germany)
WMDA office: Lydia Foeken, Florian Krouwel
Together against leukemia!
Thank you for your
attention!