Business Continuity & The Coronavirus: Are Your Pharma Operations At Risk?

The coronavirus outbreak in the Wuhan province of China has caused disruption of the global economy across all market sectors. We have been here before: the SARS outbreak in 2002 killed 774 individuals worldwide; in 2009 a new H1N1 virus swept the globe and contained a unique combination of influenza genes not previously identified in animals or people. To date, the coronavirus, officially designated as COVID-19 by the World Health Organization (WHO), has surpassed SARS¹ in terms of fatalities.

The pharma industry has not been idle, with more than 30 companies working on treatment therapies and at least nine² clinical trials underway to test therapeutic interventions for COVID-19 acute respiratory disease, according to ClinicalTrials.gov and the Chinese Clinical Trial Register.

China has gone to extraordinary measures to contain the virus; however, there is a distinct possibility that it will be very hard to control its proliferation.  Some experts are speculating that containment may no longer be possible and that COVID-19 will join the four coronaviruses now circulating in people to become a fifth endemic human coronavirus.³

Most countries have established some level of pandemic preparedness plan to address virus containment and, when available, vaccine inoculation. However, weathering the pandemic as an organization or adapting to what may become an indigenous risk to ongoing operations requires planning to ensure business continuity.

4 Phases Of Business Continuity Management

Any organization should modulate its response to incidents based upon business impact, in order to allocate precious resources to what poses the greatest threat to ongoing operations. A business continuity framework prepares an organization to continue operations amidst the potential myriad business disruptions and aims to build high-level resilience in all departmental services and sites. A pandemic presents a unique challenge because its global spread threatens the workforce as well as the goods and components, across the overall product value stream. A business continuity management (BCM) framework consists of the following elements:

1. Business Impact Analysis: This step identifies and prioritizes the key activities of a business that may be adversely affected by any disruptions. It is important to understand which core business elements are essential to the organization's ability to function and be effective.
2. Incident Response: This outlines the immediate actions needed to respond to an incident in terms of containment, control, and minimizing the impact in terms of resources, time, and cost.
3. Recovery: This covers actions to take to recover from an incident to minimize disruption and recovery times, using predefined recovery time objectives (RTOs) to guide the recovery execution process.
4. Risk Assessment: This involves using risk management tools and threat assessment tools to identify and quantify risks to business operations.

3 Fundamental Parameters Of Business Continuity

Within each of the four phases above, we focus on understanding three fundamental parameters that are central to business continuity: establishing the maximum tolerable disruption period (MTDP) for the identified process, agreeing upon a recovery time objective (RTO), and process resilience.

MTDP measures the maximum allowable time the business could tolerate an interruption in operations for each key work center or operation as it pertains to the business' value stream. Understanding interdependencies between operations will be essential to determining the MTDP.

The RTO sets the metrics for responding to the disruption. An organization must define early in the process whether survival of the business is the base acceptance criterion for the continuity of activity. Having a clear definition, based upon recent or forecasted data as it pertains to a pandemic's impact on operations, will be essential to defining realistic RTOs. Ideally, the targeted RTO will be less than the MTDP.  

The third component — process resilience — describes a process' ability to continue, even in failure. RAID fault tolerance for an IT network is an example of machine resilience; redundant power streams are an example of site resilience; and organizational responsibility distributed by location is an example of organizational resilience.  Analyzing an organization against these criteria forms the basis for creating an effective BCM plan. The primary considerations associated with an effective BCM plan are shown in Figure 1.

Figure 1: Business continuity management (BCM) components

Building A Business Continuity Plan

Business Impact Analysis

A business impact analysis (BIA) can be used to identify the time scale and extent of the impact of a disruption at several levels in an organization. Once the scope is determined, the BIA focuses on the activities that support products and services, identifying those whose failure would most quickly threaten delivery.  These tend to be the "operational" activities involving interaction with customers or other outside organizations, as with customer service, sales, and production.  However, delivery of operational activities may depend on the support of other internal and external processes, such as IT, human resources, and utilities, which must be taken into account.  

Incident Response

Incident response plans identify the necessary actions and the resources needed to enable the organization to manage an interruption, whatever its cause. The key requirements for an effective response are:

• A clear procedure for escalation and control of an incident
• Communication with stakeholders
• Plans to resume interrupted activities

Recovery

Developing a BCM capability is achieved through a structured framework that highlights any shortcomings in capability. A program designed to test each recovery procedure — in escalating exercises — is one practical way to ensure the planned recovery processes can be effective.  The procedures must address both internal and external processes where contract service provider requirements for the BCM plan are defined in service level agreements (SLAs). Suppliers and contract service providers whose failure would cause significant disruption to the organization should be required to demonstrate their recovery capability. 

The recovery framework should interrogate and address the following business continuity elements:

• Technical – Is the equipment and process strategy viable and does it work?
• Procedures – Are the procedures complete, and do they define the necessary elements to instruct in a crisis?
• Logistical – Are logistical elements related to supply chain, testing, and data management complete and harmonized to support the augmented operations in a crisis?
• Timeliness – Can the procedures achieve the required RTO for each activity?
• Administrative – Are the procedures manageable?
• Personnel – Are the right people involved and do they have the required skills, authority, and experience?

Risk Assessment

A risk assessment is an essential precursor to informing the final BCM plan. Types of threats to consider include those that are natural, man-made, technological, or pandemic in nature, or that include loss of utilities. Threat analysis should determine the likelihood of their occurrence and the level of impact to the organization if they were to occur. The threat landscape should look beyond the direct elements of each identified critical process. For example, China makes the basic components for India to manufacture the active pharmaceutical ingredients (APIs) for much of our industry. Any disruption to this supply chain could have a profound impact on the global industry's ability to make crucial life sustaining products. Looking beyond the direct impact, China also makes many of the personal protective equipment items, such as masks, gloves, etc., that are essential to operating in a GMP environment today and which many countries rely upon to contain the contagion from spreading.

Looking at the resource risk in the U.S., the last penicillin plant went out of business in 2004. Today, many of our antibiotics come from China and this could have a significant impact on our ability to maintain a healthy and effective workforce in a pandemic.

In all risk assessment exercises, consideration should be given to how to mitigate or lessen the likelihood of occurrence. Threats that result in high-risk ratings should be reviewed with management to determine the need for additional mitigation strategies to lessen the possibility of the threat causing a business outage.

Conclusion

As we face our latest pandemic threat, the need to have a well-defined and tested BCM plan in place cannot be overemphasized. Beyond state and national preparedness plans, organizations should be actively evaluating their continuity plans, especially when it comes to strategic contract service providers and partners, to ensure there is a reasonable mitigation plan in place. Looming large is the portent that the current outbreak cannot be contained, and we will have to live with the ever-present risk of COVID-19 becoming part of our regular genome.

References:

1. https://www.nytimes.com/2020/02/09/world/asia/coronavirus-china.html 3  
2. https://www.biocentury.com/coronavirus
3. https://www.statnews.com/2020/02/04/two-scenarios-if-new-coronavirus-isnt-contained/

About The Author:

Bikash Chatterjee is chief operating and science officer for Pharmatech Associates. He has over 30 years' experience in the design and development of pharmaceutical, biotech, medical device, and IVD products. His work has guided the successful approval and commercialization of over a dozen new products in the U.S. and Europe. Chatterjee is a member of the USP National Advisory Board and is the past chairman of the Golden Gate Chapter of the American Society of Quality. He is the author of Applying Lean Six Sigma in the Pharmaceutical Industry and is a keynote speaker at international conferences. Chatterjee holds a B.A. in biochemistry and a B.S. in chemical engineering from the University of California at San Diego.