Everybody counts! Disaster & Contingency planning Terminology - Disaster / catastrophe Contingency IT system failure Flood Fire Labor strike Theft / Sabotage Tsunami Volcano eruption (ash could) Global IT virus Telecommunication disruption Affecting only one or very few institutions One site / region - Affecting several institutions National / international Organizational resiliency: The capacity of an organization to resist to incidents internal or external to the organization endangering normal business operations Overview Disaster planning: Why is it important to have an organizational resiliency program in your registry? What should an organizational resilience program address? How to get started… Key elements of organizational resiliency Implementation of your plan Contingency planning: Contingencies for bone marrow donor registries Steps towards an international emergency task force International emergency contact list Why is it important to have an organization resiliency program in a registry? Living in Grenoble, France The Alps Two Rivers: Isère & Drac Risk assessment 1. Dams: Flood waves Example: Monteynard 40 min for wave to reach Grenoble Wave of 8-12 meters high In total 10 dams upstream of Grenoble; 1 in 16.000 dams has an accident 2. Chemical production site south of Grenoble 3. Nuclear reactor for scientific purposes in Grenoble 4. Natural risk: earth quakes Threats may not be obvious at first glance, they need to be assessed! What should an organizational resilience program address? Key elements of organizational resiliency Strategic plan: definition of recovery time objectives Tools: risk assessment, business impact analysis Prevention and mitigation Crisis response (staff/people) Business continuity (resources) Disaster recovery (information technology) Exercise and training Appendix: Identify and explicit critical staff, resources, tools Keep emergency contact lists of staff, partner organizations, other stakeholders Communication plan Specific scenarios … How to get started… WMDA guidelines upcoming WMDA crisis response, business continuity and disaster recovery guidelines WMDA - Quality Assurance Working Group J. Pingel, B. Amer, C. Case Jr., R. Hornung III, A. Schmidt Guidelines on key aspects of organizational resiliency Example organizational resiliency program included Approved by WMDA board in Nov. 2011 To be published soon Compose a project team Compose a representative team of registry members which may include: Director Business Continuity Manager Information technology Medical department / Search unit Human Resources Finances Legal department Press / Communication …and choose the project leader who will establish and maintain the organizational resiliency program Hazard analysis and risk assessment: Grenoble Incident Probability Human Impact Facility Impact Business Impact Unmitigated risk 1. Natural Hazards Earthquake 1 3 3 3 3 (=(3+3+3)/3*1) Flood 2 1 2 2 3.3 (=(1+2+2)/3*2) 3 3 2. Technological Hazards Information Systems Failure 3 0 0 Electrical Disruption Unmitigated risk = probability * severity Communication System Failure Hazardous Materials 3. Human Hazards Pandemic 3 3 0 2 Act of Terrorism Labor Strike 0 = N/A, 1 = low, 2 = intermediate, 3 = high 5 Business impact analysis BIA: a management level analysis that identifies the impacts of losing the entity’s resources (NFPA). Identify for each identified key business unit: Number of staff Principal activities Recovery time objective (RTO) Recovery point objective (RPO) Which processes depend on this business unit’s activities? On which other business units does the analyzed one depend? Critical activities? Cost of operation and recovery during outage time? Aim: Prioritize activities necessary during recovery Identify dependencies (internal or external) List supporting resources needed to meet your RTO and RPO → Develop timelines for recovery activities (staff, activity, resources) What are the key elements of an organizational resiliency program? Crisis response Crisis response: Defines structures and actions used to evaluate and address threats produced by a preceding incident or event Catastrophe Crisis Incident Contingency Take actions according to plan Inform stakeholders regularly Escalate requests for assistance/resources Respect safety of individuals at all times Crisis Management Team • • • • • • Assess information about incident Possible courses of action? Prioritize by process impacted Resources/assistance required? Which coordination strategy? Who are the spokespeople? Business continuity Business Continuity: The capacity of an organization to plan for and respond to incidents or events that impact or disrupt business operations; pertaining to the coordination of repair, replacement or alternate locations, critical facilities or the reassignment of critical tasks based on staff availability Identify Provide Critical functions: Tasks and activities related to the key business to deliver key services and products Resources: Resources for operations of CS Back-up resources Emergency resources Critical staff (CS): Staff trained on tasks directly related to the key business of the organization Location/facilities: Where can staff work if standard facilities are not available? Develop Plans, Communication Guidelines, Standard Operating Procedures, ... that take effect in an emergency Critical services, critical staff What are the critical tasks of my registry? (=Key business) How many staff is required to keep up these activities during a crisis? Current work-up requests (Example: 2 of 8 staff members) Donor clearance Stem cell collection Transportation Urgent donor searches (Example: 1 of 3 staff members) … → List: critical task, resources needed, staff name & contact information Which activities could be suspended? Projects Donor recruitment Post transplantation activities, e.g. patient / donor follow-up … Disaster recovery Disaster Recovery: The capacity of an organization to quickly return to an acceptable level of business operations after an incident or an event; pertaining to the information systems used to accomplish critical functions Identify Retrieve Identify critical information (files, records,...): How much / which data can be lost without severe impact to business operations? Regular backups should be kept in a location separate from original files and validated by data restoration tests Store Keep electronic copies of important documents Determine safe locations for documents and system with adequate fire/water protection Keep software library for restoration of computer systems Run mirrored systems to prevent failure Implementation of the program Test, exercise and maintenance Make your organizational resiliency program available to all staff → SOP Test it with different scenarios Example: total / partial loss of building, pandemics Desktop exercise More complex, “virtual” scenarios needing real actions Review your solutions Was the plan accurately activated? Is your chain of command identified? Is your plan understandable? Do you have all necessary resources? Are there any new aspects that need to be included? Maintain your program on (bi-) annual basis Contingency planning Contingency planning Contingency: Unpredictable incident with impact on global systems like, e. g. communication or transportation systems, thereby limiting or disrupting normal business operations. Examples: pandemics, international flight restrictions, global IT virus Contingencies affect multiple locations simultaneously Business is heavily impacted 2 cases to consider: Mass casualties (e.g. nuclear disaster) → Business operations must be increased / resources are needed Large impact on resources needed for operations (e.g. ash cloud) → Business operations restricted or disrupted Mitigate contingencies National collaboration Identify partner organizations for co-operations Blood Services International organizations like Red Cross, … Governmental partners / Military Discuss / adapt resiliency programs The Future: International collaboration Establishment of the WMDA international emergency task force Nov. 2011: WMDA board decides on establishment of an International Emergency Task Force Spring 2011: bylaws approved by WMDA board International Emergency Task Force Bylaws (1) Purpose: The Task Force will provide to the best of its ability assistance to WMDA registries that request assistance in responding to incidents that impact their operations. Objectives: To provide additional resources to registries to ensure the continued delivery of products To assess impact to operations To determine options to assist in averting the issue that is impacting operations To optimize the use of resources in response to large scale incidents that impact many registries (i.e. chartering one plane for multiple couriers versus chartering one plane for each courier) International Emergency Task Force Bylaws (2) Organization 7 members from all over the world (America / Europe, Middle East and Africa / Asia, Pacific, Australia, NZ and WMDA office) Chairperson to be appointed by WMDA board (2 year period) Concept of Operations Notification via E-Mail (telephone) Response time: 1-2h Assistance as possible and required Direct help by registries Escalation to other organizations Format of Emergency Task Force Assistance Request Form Detailed information about incidence, contacts and requested assistance Emergency contact list Aim: Provide Registry with a printable list of emergency contacts from other WMDA registries. Information collected in the WMDA annual questionnaire Contact list to be sent out within WMDA annual report What should you do? Incorporate the emergency contact list in your organizational resiliency program Update this information annually Conclusions Take home message The biggest threat to your registry is… …never having thought about risks before it is too late! Get prepared! Compose a team Assess your risks and their potential impact on operations Use WMDA guidelines to prepare: Crisis response plan Business continuity plan Disaster recovery plan Tell your staff what you planned for and why! Acknowledgements WMDA - Quality assurance working group subcommittee: Cullen Case (NMDP, USA) Ray Hornung (NMDP, USA) Beth Amer (One Match, Canada) Alexander Schmidt (DKMS, Germany) WMDA office: Lydia Foeken, Florian Krouwel Gemeinsam gegen Leukämie! Thank you for your attention!