
Page 1: Business Continuity Planning - Amazon S3s3.amazonaws.com/zanran_storage/howe.stevens.edu/ContentPages/... · Business Continuity in ... • Good performance on the planning and organization

Business Continuity in the

Pharmaceutical Industry

Report Submitted to the AT&T Foundation

August 16, 2004

Edward A. Stohr

Howe School of Technology Management

Stevens Institute of Technology, Hoboken, NJ 07030

E-Mail: [email protected]

and

Paul Rohmeyer

Howe School of Technology Management

Stevens Institute of Technology, Hoboken, NJ 07030

E-Mail: [email protected]

with

Matin Shaikh

CSSC Corporation

E-Mail: [email protected]

Endorsed by the Healthcare Institute of New Jersey http://www.hinj.org


Acknowledgements

The research reported in this paper was supported by a grant from the AT&T Foundation.

The authors wish to thank Lou Laucirica, Dean of the Undergraduate Program, Howe School of

Technology Management, who wrote the proposal to the AT&T Foundation and provided much

needed support for the work carried out under this grant.

We also wish to express our gratitude to the Healthcare Institute of New Jersey (HINJ) for their

endorsement of this research project. In particular, Bob Franks, President, and William R. Healey, Executive Vice President of the Healthcare Institute of New Jersey, were especially helpful in this regard. Many thanks also to Edward J. Ludwig, Chairman of the Board, President and CEO

of Becton, Dickinson and Company, for his endorsement and support for this study.

We are greatly indebted to the 10 senior executives from the pharmaceutical industry who were

interviewed during the course of this study for so graciously devoting their time and wisdom to

our project.

Finally, this research could not have been completed without the help and hard work of a number

of people from the Howe School of Technology Management. Dean Hultin provided valuable

contacts and Professor Michael zur Muehlen provided technical advice regarding the online

survey. We are particularly indebted to Fernanda Cabas who expertly handled all aspects of the

administration of the survey and worked graciously with faculty, staff and the survey respondents

to make the project a success. We also wish to thank the Howe School staff for cheerfully

volunteering their time to help us with the mailings and research assistants Karen Sobel Lojeski,

Ram Iyer and Raj Kempaiah for their assistance at many stages in the project.


Business Continuity in the Pharmaceutical Industry Executive Overview

Our study focused on the managerial and organizational aspects of business continuity in the

pharmaceutical industry. We addressed the following research questions:

• What is an appropriate evaluation model for business continuity (BC) and Disaster Recovery (DR) in the Pharmaceutical Industry?

• How closely do firms in the industry follow BC best practices?

• How well are firms in the industry prepared for a major disaster?

Before proceeding, it is necessary to clarify our terminology. We use DR to refer to the back-up

and recovery of computer systems and networks. BC is a much broader term referring to the

ability of a company to survive a major disruption in its environment and internal systems. BC

includes DR but also addresses larger concerns of human safety, reputation of the organization,

and the restoration of business services and processes in the event of a disaster.

A preliminary study was conducted in June- August 2003 in order to develop a framework for

assessing business continuity plans and processes (see Chapter 3). We call this framework the

Business Continuity Evaluation Model (BC-EM). Subsequently, two surveys were conducted

using this framework. The first survey (see Chapter 4) of senior executives in the pharmaceutical

industry explored a number of issues pertinent to business continuity. The second survey (see

Chapter 5) compared the state of preparedness of the pharmaceutical and finance industries and

was administered to lower- to middle-level IT managers. A number of interviews were also

conducted with senior executives in the pharmaceutical industry (see Chapter 6).

The framework we developed for evaluating the BC preparedness of an organization requires

assessment of a company’s performance in the following major areas of concern [1]:

• Industry-specific issues and concerns

• Top management involvement in BC

• Risk assessment and planning for BC

• Organization and governance

• BC processes (rehearsal of plans and communication with employees)

• Technical concerns

[1] The complete framework, which contains more dimensions than listed here, is described in Chapter 3.

The major conclusions from this study of BC preparedness in the pharmaceutical industry are

outlined below using this framework. It must be emphasized at the outset that the conclusions do

not apply to all firms in the industry. Some firms, especially the larger firms, seem to be paying

more attention to BC and DR best practices than others. Finally, as in any study using surveys

and interviews, there are limitations on the generalizability of the results.

Some General Results

First, at a global level of analysis:

• Small companies (less than $1 billion in revenues) are less well prepared for a disaster than larger pharmaceutical firms on all five dimensions of the BC-EM model that were included in this survey.

• The pharmaceutical firms in our sample are less well prepared than the (large) financial

services firms represented in our sample on most BC-EM dimensions.

• Good performance on the planning and organization and governance dimensions of the BC-EM framework is positively correlated with respondents’ perceptions of their companies’ overall preparedness.

Industry-specific Issues and Concerns

When asked to list the most critical assets that must be protected in their organizations, the

pharmaceutical executives listed continuity of business processes, continuity of manufacturing

operations, and protecting R&D data. The top concern seemed to depend on the role of the

respondent – R&D executives, for example, cited the intellectual capital invested in R&D as their

top concern.

The executives in the survey and those we interviewed agreed that regulations such as those

imposed by the Food and Drug Administration (FDA), the Health Insurance Portability and Accountability

Act (HIPAA) and the Sarbanes-Oxley Act were important drivers of BC readiness in their

organizations. Of these, the FDA’s GxP regulations (Good Manufacturing Practice, Good Lab Practice, etc.)

are the most pertinent to the pharmaceutical industry. Non-compliance with FDA requirements

can carry fines of $100 million or more. A number of executives we interviewed were concerned

that their companies would find it difficult to remain in regulatory compliance in the event of a


disaster. For example, the FDA requires that companies continuously monitor safety; this means

continuity of patient call centers and the ability of physicians to monitor pharmacological

reactions in almost real time.

There is little doubt that the regulations mentioned above and their enforcement can have a

positive influence on BC and DR practices in the pharmaceutical industry. However, a number of

the executives we interviewed mentioned the cost of compliance and were concerned that the

investment in compliance would limit the attention to BC and restrict budgets applied to broader

BC concerns. Several of the interviewees pointed out that FDA regulations do not apply to the

discovery phase of the R&D life cycle and that R&D intellectual capital, in which companies

have millions of dollars invested, may not be as well protected as other critical assets of the organization.

Top Management Involvement in BC

Leadership involvement is probably the first prerequisite for success since BC requires

commitment of significant resources and constant vigilance to ensure that plans are updated and

appropriate physical, human, and system resources are in a constant state of readiness. In this

regard, it is perhaps a concern that only 38% of the respondents in the survey of senior executives

indicated that the board of directors of their company was highly involved in BC practices.

Risk Assessment and Planning for BC

With regard to planning, a majority of the companies represented in our surveys and interviews

had performed three essential steps for disaster preparedness: performing a risk analysis and

developing both business continuity and disaster recovery plans. However, a significant number

of companies had not performed one or more of these planning steps. Several pharmaceutical

executives indicated that their firms were just beginning to develop formal BC plans, and others

expressed concern that planning for BC was not taken seriously in their organizations.

Among the pharmaceutical executives in the first survey who said that their firms had a formal

BC plan, 42% said that these plans were updated at least once per year, 13% said that the plans

were never updated and a surprisingly large proportion of the executives answered “Not Sure”.

Most of the respondents who said that their companies had a formal BC plan indicated that the


plan includes internal and external business partners (e.g., operations, technical support, vendors,

and suppliers.)

Organization and Governance

Given a BCP, the next logical steps are to create a budget and assign organizational

responsibilities for BC. Overall, only one in five respondents to the executive survey stated that

their firms have created a separate budget for BC. The companies that do have a separate budget

are mainly large firms. In many organizations, it appears that financing for BC is diffused

throughout the organization as components in budgets of organizational units – mostly in the IT

budget, although it is not clear whether the IT budget component is for systems recovery (DR)

rather than BC in the larger sense.

Slightly over half of the firms indicated that their organizations had created a Crisis Management

Center. However, nearly 40% of the executives stated that their organizations had not created a

new organization position or team focusing on BC/DR. As was the case for BC budgets, most

respondents indicated that BC responsibility was diffused throughout the organization. In some

firms, the lines of BC responsibility are confused: IT accepts its responsibility for DR but

believes that the business units have responsibility for the broader concerns of BC; on the other

hand, the business units either believe that IT has responsibility for both BC and DR or that BC

and DR are more or less the same thing.

Given the importance of BC, this uneven performance of firms on the organization and

governance dimension is a concern. Again, smaller firms (less than $1 billion in revenue) are

significantly worse than large firms on this dimension.

BC Processes

BC plans need to be communicated to employees and frequently rehearsed. The survey results

indicate poor performance in this area. Only 20% of the pharmaceutical executives either agreed

or agreed strongly with the statement that “Your company does a good job communicating its

BCP procedure to its employees.” On this point, there is close agreement between the senior

executives in the first survey and the junior IT managers in the second survey. Only 18% of the

junior IT managers from pharmaceutical firms agreed or strongly agreed with this statement.


Similarly, only approximately 40% of the respondents in the survey of senior executives said that

their BC plans were rehearsed at least once per year. These results are hardly surprising given the

lack of BC plans in a number of the organizations in this study and the poor results for the

organization and governance dimension described in the previous paragraph.

All the companies represented by the executives we interviewed perform regular data system back up and recovery exercises. However, these exercises may only

be performed on the most important systems. Some pharmaceutical companies seem to

concentrate more on system back up rather than the fuller range of exercises that are needed for

BC such as drills to ensure the safety of employees and provisions to get them back to work

quickly when a major disruption occurs.

The Technical Dimension

The questions on the BC-EM technical dimension concerned the existence of redundant

geographically distant recovery facilities, the existence and frequency of system backup

procedures, and whether or not recovery procedures are performed by external vendors. In this

area, slightly over 60% of the executives said that their firms had distantly located recovery sites

while over 90% stated that system storage and backup procedures were in place. In about half of

the companies, recovery is facilitated through the use of outsourcers (e.g. Sungard or IBM) and/or

by the use of redundant systems. An example of system redundancy is the distribution (and

periodic synchronization) of Oracle databases used to support a global SAP ERP system.

According to one interviewee who is an industry consultant, most companies in the industry have

only “cold site” backup facilities and will therefore experience delays in bringing their processes

back online after a disruption. The larger companies have “hot” or “mirrored” sites, which are

preferable from the point of view of time to recover. This form of back up might only be in place

for large and important systems, however. Archiving is mostly to tape - some to optical storage.

According to the same industry consultant, all medium to large companies have back up power

systems and sometimes sell the energy produced. Backup systems to ensure continuity of water

supplies are less common and companies rarely have redundant communication systems. For the


most part, our interviewees said that their companies had redundancy in manufacturing in the

sense that they were able to manufacture each drug in more than one location.

Neither the surveys nor the interviews focused on the technical aspects of BC and DR. The above

observations can at best indicate that there is a range of technical preparedness among the

companies represented by our interviewees.

Inter-Industry Comparison

The second survey of junior IT professionals (see Chapter 5) provides an anchor point for the

other results of this study by comparing the pharmaceutical industry performance on the BC-EM

dimensions with that of other industries, in particular, the financial services industry.

No significant differences were found on any of the BC-EM dimensions between respondents

from the pharmaceutical industry and respondents from a “catchall” group of industries excluding

both financial and pharmaceutical.

However, it appears that the financial services firms represented in this study are doing a better

job with regard to BC than firms in the pharmaceutical industry. We found superior performance

of the firms on three of the four dimensions of the BC-EM model that were included in this

survey: BC Planning, Organization and Governance (treated as a single dimension) and BC

Processes. No significant differences were found on the Leadership Concern for BCP dimension.

Significant differences between pharmaceutical and financial services respondents were found on

all other questions in the survey. The major areas of difference are summarized below:

• Financial services professionals were more likely to be a member of a BC or DR team

and more likely to know who is responsible for BC and DR in their business units.

• Financial services respondents were significantly better informed about BC plans than

their colleagues in the pharmaceutical industry.

• The financial services respondents indicated that BC rehearsals were carried out more

frequently in their organizations.

• The respondents from the pharmaceutical industry were significantly less confident in

their firm’s overall preparedness for a major disaster than the respondents from the

financial services industry.


A striking difference between the financial services and pharmaceutical industry respondents is

the relative uncertainty of the latter with regard to issues of business continuity in their

organizations. This is illustrated by the different percentages of “not sure” answers that were

obtained on many of the questions in the survey. The uncertainty of the pharmaceutical

respondents might be attributed to the relatively poor communication of BC plans and relative

lack of BC training that was noted above.

Limitations

In addition to the limitations mentioned above concerning the generalizability of our surveys and

interviews, the scope of our enquiry was limited. We focused on the managerial aspects of

business continuity best practice. Technical issues were treated from a management point of view

and were not covered in depth. Moreover, important inter-organizational dimensions of the BC-

EM model such as maintaining external relationships with suppliers, customers, and service

providers were treated only superficially.

Summary

A major objective of this study was to determine whether firms in the pharmaceutical industry

follow business continuity (BC) best practices. Limitations of the nature and size of this survey

prevent us from making a definitive answer to this question. Moreover, there is no established set

of standards against which firms can measure themselves with regard to BC best practices.

However, there are several indications that many of the pharmaceutical firms represented in this

survey, especially the smaller firms, are not following anything that might be described as BC

best practice.

A second major objective of this study was to determine the overall state of preparedness of firms

in the pharmaceutical industry. The above results, and the responses to the questions asking

executives how well their organization is prepared for a major terrorist attack or natural disaster,

are not reassuring. It seems that firms in the pharmaceutical industry have much to do to improve

their position with respect to business continuity. The firms seem to have system backup and

recovery procedures in place. They are also working to comply with FDA, HIPAA and Sarbanes

Oxley regulations, many of which have implications for DR and BC. However, the overall

approach to BC in many of the firms in this study is haphazard. A number of companies are just

beginning to develop BC plans, many do not have separate budgets in place, and many have not

created clear lines of responsibility for BC. Training in BC is lacking and communication of BC


plans to employees is poor. Finally, BC plans are rehearsed infrequently or not at all in many of

the organizations.


TABLE OF CONTENTS

Acknowledgements .......................................... ii

Business Continuity in the Pharmaceutical Industry Executive Overview .......................................... iii

Chapter 1 .......................................... 1

Chapter 2 .......................................... 18

Chapter 3 .......................................... 21

Chapter 4 .......................................... 57

Chapter 5 .......................................... 92

Chapter 6 .......................................... 116


Chapter 1

INTRODUCTION AND INDUSTRY BACKGROUND

1. INTRODUCTION

Natural and man-made disasters can profoundly impact the profitability of companies and often

result in company failures. Whole industries and regional economies can be affected. The most

significant disasters in the 1990’s were weather-related. Hurricane Andrew in 1992 caused $25

billion or more in damage; FEMA recorded 56 significant disasters in 2003 alone (Fema 2004).

Man-made disasters include industrial accidents such as the chemical leak at Bhopal in 1984,

which caused 8,000 deaths in the first three days and cost Union Carbide $470 million in claims

(GreenPeace 2004). The Exxon Valdez disaster caused significant environmental damage and

cost Exxon approximately $6 billion in punitive damages and clean-up costs (Wikipedia 2004).

Recently, terrorist acts have changed national consciousness about the potential for major

disruptions to the economy and changed our way of life. According to a General Accounting

Office Study (GAO 2003), the World Trade Center disaster, in addition to the tragic loss of life,

resulted in economic losses of almost $200 billion.

Disaster preparedness, the existence of appropriate business continuity plans and their

communication and rehearsal, can make a difference. Companies occupying the World Trade

Center varied widely in their levels of preparedness on September 11. Some companies, including

Morgan Stanley, Cantor Fitzgerald and American Express were able to resume business within

several days. Other companies suffered severely, many of them going out of business. Some of

these companies lacked proper evacuation plans; others had not practiced plans for evacuation. In

many cases, there were no backup communication systems and some companies didn't even have

an accurate list or a count of employees (Kean 2002). According to a study by the University of

North Texas, almost 50% of small to medium-sized companies that lack a disaster recovery plan

go out of business within two years of suffering a major disaster (Patel 2004).

Our purpose in this research is to study the preparedness of organizations in the pharmaceuticals

industry with regard to business continuity and disaster recovery.

Specifically, we wish to answer the following questions:

• What is an appropriate evaluation model for BC and DR in the Pharmaceutical Industry?


• How closely do firms in the industry follow BC best practices?

• How well are firms in the industry prepared for a major disaster?

The pharmaceutical industry is one of the largest in the United States and one of the most

important in terms of its impact on the economy. Furthermore, the industry is characterized by

large investments in R&D projects that take years to complete. The protection of intellectual

assets and assurance of uninterrupted work to minimize time to market of new drugs is of crucial

concern. Moreover, these assets must be protected not only against competitors but also against

sabotage and threat by terrorist organizations and other potential enemies. The pharmaceutical

industry is highly regulated and many of these regulations are concerned with the security and

safeguard of electronic and hardcopy documents through the implementation of appropriate

business continuity practices. It is of interest therefore in this study to examine the state of

compliance of pharmaceutical organizations with regulatory requirements such as Sarbanes-

Oxley, HIPAA, and new FDA regulations that require or imply the need for companies to

develop and rehearse appropriate business continuity plans.

In the next section, we define some terms that will be used throughout the study. This is followed

by a brief overview of the regulatory climate in the pharmaceutical industry. In sections 4 and 5,

we list the disasters and attacks that organizations must protect themselves against and provide a

brief overview of the impact of recent events on national awareness of the importance of BC

planning. Some observations on the importance of executive involvement in BC are provided in

section 6. In section 7, we provide a brief overview of the pharmaceutical industry with special

emphasis on features that are likely to impact business continuity efforts. In section 8, we

summarize our conclusions.

After this brief introductory chapter, subsequent chapters will describe the model that we used to

evaluate the business continuity and disaster recovery preparedness of pharmaceutical

organizations and the results of two surveys and a series of interviews based on this model.

2. DISTINCTION BETWEEN BUSINESS CONTINUITY AND DISASTER RECOVERY

Before proceeding, it is useful to define some terms that will be used frequently in this study.


Business continuity (BC) refers to the ability of a company to survive a major disruption in its

environment or internal systems. The focus is on safeguarding the tangible and intangible assets

of the company and ensuring the continuity of its business processes to minimize the impact of a

disaster on revenue streams. Physical assets include employee lives, buildings, documents,

computer systems and equipment. Intangible assets include intellectual capital, and company

reputation. In addition, any negligence of the company can result in damaging law suits.

Business continuity planning (BCP) specifies the methodology, organizational structure,

governance and procedures necessary to backup and recover organizational units struck by a

catastrophic event.

In this report, we will use the abbreviation BCP to refer to the planning phase of business

continuity and BC to the implementation, rehearsal and execution of the business continuity

plans. Business continuity is, or should be, a major concern of the board of directors and top

management.

Disaster recovery involves the technical restoration of information systems following some

disruptive event. Disaster recovery is generally used in a narrower context to refer to the recovery

of computer systems, communication systems and data in the event of a disaster.

Disaster Recovery Planning (DRP) involves the specification of responsibilities and procedures

for data security, backup and recovery, the establishment of redundant data sites, and the

development of service level agreements with trading partners and security vendors that specify

the procedures to be undertaken in the event of a disaster.

Generally, top management looks to its Information Technology (IT) staff to develop the DRP

and to ensure that information systems are properly safeguarded.

Contingency planning activities such as Business Continuity Planning (BCP) and Disaster

Recovery Planning (DRP) are significant concerns for both IT and business managers. Increased

reliance on information systems to support and enable critical business processes has resulted in

the creation of new technical and business risks. Disruptions to information systems may

therefore result in losses of opportunity, revenue, and reputation.


In the literature, disaster recovery is often used in a broader sense to entail recovery of both IT

and non-IT assets. We maintain the above distinction between BC and DR for clarity of

exposition.

3. THE REGULATORY CLIMATE

The Food and Drug Administration (FDA) is the main regulatory agency for pharmaceutical

companies. When patient data is relevant as in clinical trials, pharmaceutical companies must also

comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Like

companies in other industries, pharmaceutical companies are also subject to the Sarbanes-Oxley

Act (SOA) of 2002. While other regulations apply to the pharmaceutical industry, we restrict our

discussion to these three sets of regulations.

On average it takes about 12 years to bring a drug to market. The discovery phase of the life cycle

of a drug is not so heavily regulated as the succeeding laboratory studies, clinical studies and

manufacturing phases, which are subject to strict FDA regulations including GxP (Good Lab

Practice, Good Manufacturing Practice, etc.). FDA-regulated companies in the pharmaceutical,

biotechnology, medical device and other GMP (Good Manufacturing Practices) industry

environments are under great pressure to comply with new FDA requirements such as cGMP

(Current Good Manufacturing Practice) and 21 CFR Part 11, which is designed to ensure the

authenticity, integrity, and confidentiality of electronic records. Fines for ignoring FDA warnings

and violating FDA regulations can range into the $100 millions (PharmaScorecard 2004). Many

organizations are spending heavily to achieve FDA compliance by improving and validating

laboratory, clinical and manufacturing processes. Validation involves providing documented

evidence that shows with a high degree of assurance that a process or system meets its

predetermined specifications and intended use.

The objective of HIPAA legislation is to reengineer all processes surrounding the capture, storage

and transmission of health information across different Health Plans, Health Care Clearinghouses,

and Health Care Providers who transmit health information in electronic form. After these standards are in place, a

Healthcare Provider will be able to submit data for claims and other standardized transactions

using an industry-standardized electronic data interchange (EDI) template. Pharmaceutical

companies do not engage in standard healthcare-related transactions but they are impacted by

HIPAA’s requirement that Protected Health Information (PHI) must be highly secure and may

not be used without authorization from the patient. PHI compliance applies to data from clinical

trials and activities related to determining the safety and efficacy of a product after it is in

commercial distribution.

SOA mandated a number of reforms to enhance corporate responsibility, improve financial

disclosures, and combat corporate and accounting fraud. It also created the "Public Company

Accounting Oversight Board," also known as the PCAOB, to oversee the activities of the auditing

profession. Section 404 of SOA requires the Securities and Exchange Commission (SEC) to

publish and enforce rules for ensuring the accuracy and transparency of corporate financial data.

This includes a requirement that management assumes responsibility for establishing and

maintaining internal control over financial reporting. The goals of an SOA compliance project

and a business continuity planning effort are closely aligned. A comprehensive Business Impact

Analysis (BIA) and risk assessment, both core components of a Business Continuity Planning

(BCP) project, will help identify risk and control deficiencies that can result in process and

system downtime. BCP generally includes data gathering, process mapping and risk

identification, which are all core requirements of Section 404 of SOA. Conversely, an SOA

compliance effort yields valuable information for developing or updating a business continuity

plan.

More generally, keeping businesses running in case of disaster or disruption, the key objective of

BCP, is also an integral part of implementing regulatory compliance. The resilience of business

systems, transaction integrity, IT asset availability, and the security and availability of sensitive

customer information, are all important business imperatives shared by both BC and compliance

efforts. While the cost of achieving compliance is high, it is possible that better documented and

more stable processes will bring long-run benefits to the company. Through achieving

compliance, companies in the pharmaceutical industry may experience improved operational

efficiencies, faster time to market, better quality of the product, and reduced risk of being

penalized for non-compliance (SEC 2004).

On the other hand, compliance does not meet all the requirements for business continuity. For

example, FDA regulations do not apply to the important drug discovery phase of the

pharmaceutical research and development process. Also, regulations do not generally cover


human relations issues such as ensuring the safety and health of personnel, providing alternative

places of work, and rehearsing BC plans to ensure rapid resumption of business in the event of a

disaster. Finally, there is a danger that companies might focus their budgets and attention on

achieving compliance and that important aspects of BC might be neglected.

4. COMMON CAUSES OF DISRUPTION

Disaster recovery planning professionals categorize hazard-events that would be disruptive to an

organization, as follows (Disaster Recovery Guide 2004):

• Environmental Disasters: Tornado, Hurricane, Flood, Snowstorm, Drought, Earthquake,

Electrical storms, Fire, Subsidence and Landslides, Freezing Conditions, Contamination

and Environmental Hazards, Epidemic

• Organized / Deliberate Disruption: Act of terrorism, Act of sabotage, Act of war, Theft,

Arson, Labor disputes, Cyber crime.

• Loss of Utilities and Services: Electrical power failure, Loss of gas supply, Loss of water

supply, Petroleum and oil shortage, Communications services breakdown, Loss of

drainage, Waste removal.

• Equipment or System Failure: Internal power failure, Air conditioning failure,

Production line failure, Cooling plant failure, Equipment failure (excluding IT hardware).

• Other Emergency Situations: Workplace violence, Public transportation disruption,

Neighborhood hazard, Health and Safety Regulations, Employee morale, Mergers and

acquisitions, Negative publicity, Legal problems.

From a more technical information systems perspective, statistics are generally available that

describe overall rates of data loss (Protect Data 2004) associated with information systems:

• Hardware or System Malfunctions - 44 percent of all data loss

• Human Error - 32 percent of all data loss

• Software Corruption - 14 percent of all data loss


• Computer Viruses - 7 percent of all data loss

• Natural Disasters - 3 percent of all data loss

Table 1 shows the estimated losses reported by 486 respondents to a survey conducted by the

Computer Security Institute (2004). Denial of service attacks caused the highest losses to

companies in 2003 - probably because of the high incidence of computer viruses such as the

MyDoom worm, which caused time-triggered denials of service. Of interest to the pharmaceutical

industry is the high cost associated with loss of proprietary information. This category had been

the most expensive category of loss in five previous surveys conducted by the Computer Security

Institute. According to the same survey, approximately one half of all cyber security breaches are

perpetrated by employees rather than outsiders.

Table 1: Dollar Amount of Losses by Type

Type of Violation                        $ Loss (millions)
Sabotage                                          0.9
System Penetration                                0.9
Web Site Defacement                               1.0
Misuse of Public Web Application                  2.7
Telecom fraud                                     4.0
Unauthorized Access                               4.3
Laptop theft                                      6.7
Financial Fraud                                   7.7
Abuse of Wireless Network                        10.2
Insider Net Abuse                                10.6
Theft of Proprietary Information                 11.5
Denial of Service                                26.1

Source: Computer Security Institute 2004

From lists such as the above, it is clear that the majority of challenges related to the protection of

information and data in the organization may not be accurately characterized as “disasters” in a

general sense; rather, they are often situations of equipment failure, software failure, user error, or

malicious code. However, perhaps the most crucial considerations as related to BCP are not related

to the likelihood or nature of the occurrence, but rather to the potential impact of an incident and,

therefore, the degree of difficulty associated with recovery.

As we have seen, IT disasters may be caused by many situations including natural disasters or the

actions of individuals, which can be the result of specific motivations (e.g. crime, terrorism, and


malicious vandalism) or human error. The root causes and possible scenarios are many and

diverse. Therefore, planning is perhaps best focused on understanding the consequences of

disaster events rather than the respective root causes.

5. HISTORIC CONTEXT OF BC/DR²

Companies in all industries prepared for the possibility of a major catastrophe at the turn of the

century when it was feared that many business transaction systems, process management

systems, and systems embedded in crucial equipment might fail because of the discontinuous

change in the year from "99" to "00". Literally billions of dollars were spent by companies in

reviewing and improving legacy systems and replacing others by ERP systems such as SAP that

were not only Y2K compliant but also offered advantages in terms of integration of functions, a

common database for reporting and control, and a spectacular decrease in the number of different

legacy systems that need to be maintained. Nowadays most of the industry is supported by ERP

systems.

There can be little doubt that the preparations for Y2k have had a salutary effect on the state of

preparedness of companies in all industries including the pharmaceutical industry. This is also the

case for the third parties such as telecommunications, power, water and other utility companies

and police and public emergency services on which pharmaceutical companies must rely in times

of crisis. Hitherto undocumented processes were documented for the first time and, in many

cases, defined in electronic form in ERP and workflow systems. Such process knowledge is

essential for business continuity because understanding process steps and identifying essential

process participants and other process resources are the first steps in recovering or working

around an interruption caused by the destruction of property, equipment or data caused by an

attack or accident. However, Y2K preparations were concentrated on preventing systems failure

due to software and hardware malfunction. The Y2K preparations did not focus on business

continuity in its broadest sense of protecting human lives and critical assets and ensuring that the

business could continue to operate in the event of physical attacks or accidents. Moreover, the

year 2000 was followed quickly by the collapse of the stock market and a downturn in the

economy. As a result, IT expenditures have been reduced in most companies and there is a danger

that system and process preparedness, except where mandated for reasons of regulatory

compliance, might be suffering as a result. For example, some firms may have let their process

knowledge (such as process maps and process recovery plans) deteriorate under continued

financial pressure and the need to develop new systems to meet rapidly changing business

conditions.

² I am indebted to (Nash 2003) for some of the material in this section.

The events of September 11 raised public awareness of the vulnerability of our private and public

infrastructure to concerted attack. Companies in financial services, which were most impacted by

the attack, fared variously in terms of their recovery time (RT) after the event. Salomon Smith

Barney, which had invested in satellite facilities in Rutherford, New Jersey, was functioning the

next day. Other companies had first to locate and occupy new premises in New Jersey and were

slower to become operational. Firms that had invested in third party recovery facilities found that

these facilities had limited capacity and that other firms had been quicker to use the facilities. It is

probable that September 11 caused firms to pay more attention to business continuity in its fullest

sense. However, with the passage of time, companies may be getting a false sense of security

with the result that investments in business continuity may be declining.

A survey (Bolles and Kirkpatrick, 2001) of organizations carried out in October 2001 indicated

that firms had initiated significant BCP activities prior to the terrorist attacks of that September.

The authors noted that while apparently prepared for some level of response, organizations were

clearly challenged by the new requirement to plan for “targeted, destructive action”. (Cowley

2002) highlighted the apparent effect the terrorist attacks had on BCP as well, noting one

expert’s comments that "There was a sudden awareness: we could have not just a building (loss),

but a regional catastrophe."

6. TOP MANAGEMENT CONCERN WITH BC

Despite the apparent sense of urgency and realism resulting from the WTC disaster, there are

indications that IT and business leaders are not aligned with respect to BCP and DR. (McMillan

2003) observed “U.S. business executives and CIOs are living in two different worlds when it

comes to how they think about disaster recovery.” The implication is that there is no overarching

plan or budget that includes both BC and DR in a coordinated fashion. Instead, business

executives tend to leave information security (DR) to their IT departments and IT executives

leave broader BC concerns to line management.


As in any endeavor that consumes time, resources and dollars, the commitment of top

management is a major precondition for BC and DR preparedness (Barnes 2001). When asked the

question "Which of the following possible developments do you think will have the greatest

impact on your business over the next year?" 59 out of a sample of 318 senior executives rated

"Terrorist Attack in the United States" equal to "Fall in the value of the U.S. dollar" as their top

concern (GTCI 2003). The results are shown in Figure 1. It is interesting to note the high

proportion of concerns related to international events in this list.

Figure 1: Developments Having Greatest Impact on Business (pie chart: Fall in U.S. dollar 19%; Terrorist attacks in U.S. 19%; Volatile oil prices 16%; Serious unrest in Middle East 14%; Rising domestic interest rates 13%; Trade war with Europe 6%; International health emergency 5%; Political instability in China 3%; Power supply failures 3%; Deflation in Japan 2%)

When the same group of executives was asked if they had “well developed contingency plans for

future acts of terrorism that might directly or indirectly affect your business,” 25% of the

executives said that their companies had comprehensive and tested plans and 56% indicated that

their companies had “partially developed plans” (Figure 2).


Figure 2: Contingency Plans for Acts of Terrorism (pie chart: Comprehensive & tested plans 24%; Only partially developed plans 51%; Intend to develop plans 7%; No formal plans 11%; Missing 7%)

In the same survey, 75% of the respondents said that they were either very confident or confident

that their companies had “adequate security for their information assets” (Figure 3).

Figure 3: Confidence in Security of Information Assets (pie chart: Very confident 26%; Confident 49%; Neutral 18%; Not confident 7%; Very unconfident 0%)

This study seems to indicate that top management is aware of the dangers faced by their

organizations and is beginning to make preparations. They are also quite confident about the

ability of the IT organizations to manage information security and integrity issues. Whether these

preparations are sufficient and the confidence in IT is justified are questions that will be

investigated in this research study of the pharmaceutical industry.

7. THE PHARMACEUTICAL INDUSTRY

The pharmaceutical industry is one of the largest in the United States and one of the most

important in terms of its impact on the economy. Pharmaceutical companies are


involved in the business of discovering, manufacturing and distributing drug compounds. They

invest in long term, complex research and development activities to gain medical progress.

According to the Pharmaceutical Research and Manufacturers of America (PhRMA 2004), an

investment of 10 to 15 years and greater than $800 million is required to deliver a new

medicine. Investment in new medicines by the pharmaceutical industry was over $33 billion in

2003 involving the work of over 70,000 research scientists worldwide. The industry estimates

that each dollar spent on new medicines saves $4.44 on hospitalization and medical treatment.

Although the benefits are significant, the uncertainties in developing new medicines are also

significant. U.S. based firms account for the lion’s share of the world’s pharmaceutical research

activities according to data from the Organization for Economic Co-operation and Development

(OECD).

The infrastructure and culture of an industry depends to a large extent on its history. To

understand the need for appropriate business continuity and disaster recovery planning in the

pharmaceutical industry it is therefore helpful to look briefly at the evolution of the

pharmaceutical industry over the last century. Through most of the 20th century, the industry

experienced steady growth. "Blockbuster" new drugs characterized the industry and the firms that

discovered and marketed these drugs grew into some of the largest and most admired companies

in the U.S. Large investments in research involving long development times and great risk were

rewarded by equally long periods of time in which the newly discovered drugs were protected by

patents allowing drug companies virtual monopoly status in certain product areas.

This competitive and regulatory environment provided a certain amount of organizational slack.

The most successful companies grew into large organizations with relatively autonomous

divisions based on functional lines. Thus, R&D, manufacturing, distribution, marketing and sales,

and corporate functions tended to be separate divisions in most companies and this is still the case

today. The divisions are headed by senior executives (CEOs and Presidents) who have

responsibility for all physical, human and intellectual resources required to accomplish the

division’s objectives. Corporate or shared functions such as Legal, Human Resources,

Accounting/Finance and corporate Information Systems (IS) tend to report to a Chief Technology

Officer (CTO), Chief Financial Officer (CFO) or Chief Information Officer (CIO) at corporate

headquarters. Of interest to this study, the IS function in R&D generally reports to its own CIO

and is kept quite separate from corporate IS. The reason for this is that the information

technology requirements for research are highly specialized and different in nature to the


transaction reporting and business database management required in the rest of the business. With

respect to the concerns of business continuity and disaster recovery, the functional structure of

pharmaceutical companies complicates matters since it is harder to identify and manage the

dependencies between functions that must be maintained in a crisis situation and because the

business continuity requirements of each functional area are so different. For example, in R&D it

is essential to protect huge investments in intellectual assets such as drug compounds, while the

need to restore processes after a calamitous event (time to recover) is not high. In contrast, many

business functions need to be able to recover critical business data and to be operational on an

almost continuous basis.

In the latter part of the 80's and through most of the 90's, competition became more intense. In

particular, generic drug suppliers began to appear dramatically decreasing the window of time

during which companies could gain a return on investment in a new drug by being its sole

supplier. The generics put downward pressure on prices. Furthermore, a period of decreasing

returns to investments in the drug discovery process set in. It became harder to find blockbusters.

Of the thousands of drugs tested only a few ever make it to market. Research became more

specialized and intense requiring huge investments in technology and research expertise.

Moreover, research moved from the traditional chemist's lab to computer-based simulations in

which hundreds of thousands of drugs are electronically formulated and analyzed. These "labs on

a chip" have generated huge knowledge bases of highly proprietary drug compound information

that require protection from loss and, perhaps, industrial espionage. Entirely new approaches to

drug discovery based on bio-tech and genomics were developed. Thousands of small companies

were created to exploit these new technologies loosening the monopoly of traditional drug

companies in the discovery process. The major drug companies responded to these trends by

forming networks of alliances with these companies, buying out those that seemed the most

promising. The networks of alliances and resulting increased dependence on third parties expand

the required scope and complexity of the business continuity efforts of the pharmaceutical

companies.

In the same time period, concerns over public safety increased and regulatory authorities, in

particular the Food and Drug Administration (FDA) increased their standards for testing, and

their requirements for documenting processes and ensuring appropriate backup and recovery

procedures. From the point when animal and clinical testing first takes place to FDA approval


and market introduction, the new product development process became heavily regulated. This

increased the cost and time required to bring drugs to market.

The pharmaceutical industry is currently dominated by roughly 20 major pharmaceutical firms.

The concentration of firms in the industry is increasing due to an increasing pace of mergers. To

name a few in recent years, Glaxo combined with Wellcome in 1995 to form Glaxo-Wellcome and

Glaxo-Wellcome merged with SmithKline Beecham (itself the result of a series of mergers) to

form GSK in 2000. Recently, Pfizer acquired Warner-Lambert in 2000 and Pharmacia in 2002.

Nevertheless, the pharmaceutical industry is less concentrated than other major industries such as

the automobile industry. There are literally hundreds of small pharmaceutical companies. The

bio-tech industry, which has strong relationships to pharmaceuticals, has grown rapidly over the

last 10 years with the number of IPOs resembling that of the dotcoms of the 90's. As the pressure

on profit margins and the need for scale in the industry continue to increase, more mergers and

acquisitions will undoubtedly take place presenting a continuous challenge to those concerned

with security and business continuity. Mergers and acquisitions make business continuity more

difficult because of the need to assimilate different information systems and processes. This is

true when small firms are taken over by larger firms and even more difficult when two large firms

with different cultures and large sunk costs in information technology and business processes

need to be merged into a common entity. Importantly from the point of view of business

continuity, the subjects of the takeovers are often smaller firms with entrepreneurial cultures that

may not so easily adapt to the discipline required for business continuity.

In the last five years, even more pressure has been placed on firms in the pharmaceutical industry.

The competitive environment has become even more intense and the political environment more

uncertain. The squeeze of rapidly increasing costs and increasing downward pressure on prices

continues. The political and public scrutiny of pharmaceutical companies has increased because

of the upward spiral of healthcare costs. Spending on pharmaceutical products is increasing at the

astounding rate of 14-15% per year (PJB 1995). There are a number of reasons for this. First, the

aging population in the United States and other developed countries increases the demand for

drugs. Second, pharmaceutical companies are forced to increase drug prices to counter the

increased cost of research, the difficulty in discovering new block busters, and the increasing

costs of regulation.


Public and government pressure on the pharmaceutical industry is also increasing because of

world-wide pandemics such as AIDS and other diseases that are impacting third world and

developing countries disproportionately. The costs of discovering, obtaining approval and

marketing new drugs far exceeds the price that the majority of the world can pay. As a result,

governments are intervening to force lower prices on major pharmaceuticals and to encourage

and support the growth of companies manufacturing generic compounds. Drug companies, which

have long been among the most admired of companies, now face public skepticism. In this

environment, the public relations component of business continuity planning, protecting the

company image during a crisis, becomes even more important. The increasingly difficult

competitive environment, however, makes it harder to make the case internally that companies

should safeguard themselves against improbable events such as natural disasters and terrorist

attacks, however catastrophic the results of such events might be.

8. CONCLUSIONS: BUSINESS CONTINUITY ISSUES AND CONCERNS

The brief overview in this chapter has provided some background on the industry and highlighted

issues relevant to the BCP and DR concerns of this study. The following are the major

conclusions. Some of these areas of concern are common across industries; others are specific to

the pharmaceutical industry.

• Unfortunately for companies in the pharmaceutical industry, it is increasingly difficult to

discover new drugs. Major companies have fewer and fewer drugs in the pipeline. Intense

competition and the need to remain profitable may divert attention and resources away from

the need to prepare for disasters and breakdowns.

• The pharmaceutical industry is highly regulated and many of these regulations are concerned

with the security and safeguard of documents through the implementation of appropriate

business continuity practices. It is of interest therefore to examine the state of compliance of

pharmaceutical organizations with these regulatory requirements.

• Top management concern and involvement in BCP is essential. IT executives and general

business executives must coordinate their efforts to ensure that both overall business

continuity issues such as the continuity of business processes and human safety and DR

issues such as IT disaster recovery efforts receive appropriate funding and attention.


• The strong functional divisions within large pharmaceutical companies might make it

difficult to coordinate on BC planning and in crisis situations. R&D may be more interested

in safeguarding R&D databases while the line businesses will be more interested in protecting

against large delays in restoring business processes. Both groups compete for the same dollar.

• The growth in alliances and networks of pharmaceutical and biotech companies means that

the development of intellectual property is increasingly distributed implying an urgent need

for pharmaceutical companies to include business partners explicitly in their BCP efforts.

• As a result of large-scale mergers and acquisitions, some of the largest pharmaceutical

companies face problems of integrating different cultures and systems. This complicates BC

and DR planning and execution both technically and organizationally.

• The pharmaceutical industry is an intensely knowledge- and information-intensive industry.

A pharmaceutical company's revenues and market valuation are strongly dependent on its

ability to discover new drug compounds and to bring these quickly to market. Security of

intellectual assets must be a focus of BC and DR efforts.

• The development of information technology in both R&D and general business operations

has become so sophisticated and complex that purely manual solutions for continuing

processes and restoring lost information assets after a disaster are now out of the question.

This means that whole systems have to be replicated and organizations have to bear the cost of

the resulting redundancy.

• The concentration of the industry in the relatively small area of New Jersey is a concern from

the business continuity perspective since a large proportion of the industry's output could be

impacted by a localized natural or man-made disaster.

The conclusions listed above will guide the development of our model for evaluation of the

business continuity plans of firms in the pharmaceutical industry and will be tested in our

research.


References

Armstrong, I. (2003). Keeping IT Running. www.scmagazine.com.

Barnes, James C. (2001). A Guide to Business Continuity Planning. John Wiley & Sons, Ch. 1.

Bolles, G. and Kirkpatrick, T. (2001). Disaster Recovery. Ziff-Davis CIO Insight. www.cioinsight.com.

Computer Security Institute (2004). “Computer Crime and Security Survey.” http://www.gocsi.com/

Cowley, S. (2002). September 11 Keeps Disaster Recovery in Forefront. www.computerworld.com.

Disaster Recovery Guide (2004). http://www.disaster-recovery-guide.com/risk.htm

FEMA (2004). www.FEMA.gov.

GAO (2003). http://www.gao.gov/new.items/d02700r.pdf

Kean, Thomas H. (2002). Hearing of The National Commission On Terrorist Attacks Upon The United States.

Greenpeace (2004). http://www.greenpeace.org/features/details?item_id=80709

McMillan, R. (2003). Survey: U.S. Business, IT Executives at Odds on Disaster Recovery. www.computerworld.com.

Nash, Elby (2003). “Assessing IT as a Driver or Enabler of Transformation in the Pharmaceutical Industry.” Ph.D. Dissertation, Stevens Institute of Technology.

Patel, Nikunj (2004). “Survey of Business Continuity Practices.” Masters Thesis, Stevens Institute of Technology.

PhRMA (2004). Pharmaceutical Industry Profile 2004. Washington, DC: PhRMA.

Protect Data (2004). http://www.protect-data.com/information/statistics.html

Wikipedia (2004). http://en.wikipedia.org/wiki/Exxon_Valdez_oil_spill


Chapter 2

BRIEF OVERVIEW OF THE STUDY

1. RESEARCH QUESTIONS

The study addressed the following research questions:

• What is an appropriate evaluation model for BC and DR in the Pharmaceutical Industry?
• How closely do firms in the industry follow BC best practices?
• How well are firms in the industry prepared for a major disaster?

2. METHODOLOGY

The research was conducted in five stages as described below.

a. Development of the Business Continuity Evaluation Model (BC-EM)

A preliminary study was conducted in June-August 2003 in order to develop a model for assessing business continuity plans and processes. This study involved:

1. A review of the literature and the identification of a number of models for BC and DR.
2. Interviews with five BC experts: four from major pharmaceutical companies and one from the telecommunications industry.

Using this information, we developed an organizationally-oriented evaluation model for BC plans and processes with the following major components:

Strategic Analysis

• Understand company strategy
• Perform a business impact analysis focusing on the most critical assets and processes and taking risk into account, and
• Develop a BC/security strategy and BCP budgets

Organization

Set performance goals, design, organize and monitor BC and DR along the following dimensions for both the organization as a whole and the security organization:

• Leadership
• Governance
• Human Resources
• BC and DR processes
• Security technologies and technology infrastructure

Organize the BC and DR effort with regard to the following business partners:

• Customers
• Vendors
• Service providers (especially security related providers)
• Business and alliance partners

The above components were used to develop the surveys used in this research. The preliminary study and development of the BC-EM model are described in Chapter 3.

b. Survey of Pharmaceutical Industry Executives (Main Survey)

The purpose of the main survey was to answer the second and third questions listed under research objectives, namely:

• How closely do firms in the pharmaceutical industry follow BC best practices?
• How well are firms in the pharmaceutical industry prepared for a major disaster?

Over the period December 2003 to March 2004, the survey developed in step 1 above was mailed in hard copy form with a covering letter to approximately 3,000 high-level managers and executives in the pharmaceutical industry. We received 79 valid responses, corresponding to a response rate of 3 percent, which is relatively good considering the sensitive nature of the data. This study is described in Chapter 4 of this report.

c. Inter-industry Study: Survey of Lower to Middle Level Managers

The purpose of the supporting survey was to:

• Compare lower to middle level management awareness of BC and DR practices across three industry groups: pharmaceuticals, financial services, and miscellaneous other industries
• Cross-validate the senior executive survey by examining the responses and opinions of lower-level managers in the pharmaceutical industry.

This survey was administered in hard copy form to low- to mid-level managers in the Howe School’s part-time Master of Science Program. Altogether, 200 responses were received with roughly an equal number of responses in each industry category. All respondents were enrolled in the Howe School’s Master of Science in Information Systems Program. A profile of students in this program is provided in the text.

d. Interviews with Pharmaceutical Industry Executives and Other Experts

The purpose of the interviews was to:

• Develop a deeper understanding of issues in BC and DR in the pharmaceutical industry than can be obtained from the surveys
• Cross-validate findings from the surveys

Interviews lasting from twenty minutes to over an hour were conducted with 10 executives in the Pharmaceutical Industry, along with 5 interviews with experts and consultants in BC and DR. The pharmaceutical executive interviews were with high-level executives in security, information systems and general management. A list of the interviewees was included in the Acknowledgements section of the Introduction.

The interviews are summarized and analyzed in Chapter 6 of this report.

e. Summary and Overall Conclusions

The main results of the study are summarized in the Executive Summary at the beginning of this report.


Chapter 3

BUSINESS CONTINUITY EVALUATION MODEL

1. INTRODUCTION

This chapter provides a foundation for the assessment of Business Continuity (BC) and Disaster Recovery (DR) practices in the pharmaceutical industry. To develop the model, interviews were conducted in five organizations to identify factors that appear central to the development and execution of BC activities. Four of the individuals who were interviewed held management positions in global pharmaceutical organizations with significant responsibilities for supporting business continuity and disaster recovery planning, testing, and administration. All of the participating pharmaceutical organizations are extremely large, global organizations. The fifth interviewee was a manager of business continuity planning for a large telecommunications firm, with fifteen years’ general experience in DR and BC matters. The interviews indicate several apparent significant differences in the approach to BC in the sample companies. Despite somewhat consistent requirements across the pharmaceutical firms, widely varying approaches to funding, planning, and managing BC activities were observed. As a basis for further investigation of BC practices, this chapter uses the observations from the interviews and an examination of other BCP models that have appeared in the literature to develop a comprehensive BC evaluation model (BC-EM) that addresses the broad range of organizational, human and technical concerns that must be addressed in developing adequate approaches to BC and DR. The BC-EM model is then used to develop a survey instrument that is included in an appendix to this chapter.

The chapter proceeds as follows. In the next section, we describe the results of a preliminary set of interviews with high-level executives concerned with BCP in their organizations. The interviews reveal a number of issues that must be addressed in a more comprehensive study of business continuity preparedness. After a brief review of current BC evaluation models in section 3, we develop a more comprehensive model in section 4 of the chapter. Our "BC-EM" model is used to develop a survey instrument that can be used in a large scale survey of managers concerned with business continuity. Finally, section 5 of the chapter contains some brief conclusions and a plan for completion of this study.


2. INTERVIEWS IN A SAMPLE OF COMPANIES

Methodology

Personal interviews were conducted with five individuals responsible for BC within their respective organizations. Four of the individuals were actively responsible for BC for global pharmaceutical organizations. One individual was actively responsible for BC for a large telecommunications concern. The telecommunications subject was chosen for this phase for two reasons. First, the individual who was interviewed is a highly experienced Business Continuity Planner who was expected to provide important insights to improve BC-EM. Secondly, the collection of information from a firm in a separate industry was expected to help illustrate some of the important distinctions of BC with respect to pharmaceuticals.

Individuals were interviewed using a combination of structured and semi-structured questions. All individuals participated in this phase of the study under an agreement that the information provided would be kept confidential. Therefore, interview results have been documented in a way that prevents the association of specific observations with individual firms.

Interviews were completed in the form of telephone calls that typically lasted one hour. In some cases a follow-up call was conducted to confirm observations. A structured survey instrument was used to guide the sessions and promote internal consistency.

The following is a summary of observations from the five (5) interviews that were conducted.

Pharmaceutical Organization 1

The interview conducted with Pharmaceutical Organization 1 (which will be referred to as Pharma1 in this chapter) was completed with the Chief Information Security Officer (CISO) of the organization, who reports to the CIO. The organization is a truly global organization whose products are household names. At the time of the interview, the firm was in the midst of planning a global redesign of enterprise data centers.

There was no unique budget for BC or DR in Pharma1. Such funding was distributed throughout the budgets of the various information systems and network functions. Although BC is apparently important to the executive management of Pharma1, it was not considered a “high profile” topic. There were no formal roles assigned for BC, as individual systems owners were expected to consider BC within their respective scopes. Data center managers were responsible for facilitating BC activities including planning and testing. Testing was limited to evaluation of system or data backup and restoration and did not extend to restoration of business functions or user activities. Recovery was facilitated through the use of outsourcers (Sungard) and, in limited cases, the use of redundant systems. An example of designed system redundancy for Pharma1 was the distribution (and periodic synchronization) of Oracle databases used to support the global SAP ERP system.

A general indifference to BC throughout Pharma1 was evident when considering the weak linkages of BCP to the business. There appeared to be minimal alignment of BC activities with the business, and there was very little coordination of BCP or DR planning activities with the business owners of information systems. There was no coordination of BC activities with Pharma1’s business partners.

The CIO of Pharma1 was promoting the idea within the company that BC should be considered a business problem, and that IT should act only as facilitator. Therefore, the CIO was expecting the business to “step up” to assume a leadership role on BC. However, the CISO (the interview subject) believed the business units strongly viewed BC as strictly an IT problem, and did not understand the distinction between the nature of BC and DR.

Pharmaceutical Organization 2

The interview conducted with Pharmaceutical Organization 2 (Pharma2) was completed with the Director of Information Technology, who reported to the CIO. Pharma2 is the US Research and Development business of one of the world’s largest pharmaceuticals. Pharma2 has developed and introduced a variety of successful drugs by relying on a world-class research team that is based in the US.

Pharma2 maintained unique budget lines for BC and DR, respectively. There was very close cooperation with the business on BC and DR planning activities. This increased attention was attributed to a recent incident where the BC plan was activated, which in the opinion of the interview subject appeared to have contributed to increased awareness of BC across the organization.

Consistent with their overall focus on research and development, Pharma2 places high priority on the BC elements that relate to the databases that store chemical compounds produced by basic research and discovery efforts. Significant investment was made in the backup and recovery facilities used to support the research environment.

There was close coordination of BC activities with business partners in Pharma2, including the existence of service level agreements that define recovery time objectives. System and data recovery relied on internal systems as well as outsourcers (Sungard). The interview subject described how system architectures had been designed to include redundancy in several cases. Formal risk assessment methods were used in the course of developing the BCP to guide planning activities.

Pharmaceutical Organization 3

The interview with Pharmaceutical Organization 3 (Pharma3) was completed with the Director of Information Networks, who reported to the CIO. Pharma3 is the US business unit of a European pharmaceutical firm. The US business unit is one of the organization’s largest.

Pharma3 included DR and BC on the budget for each system and/or project area. This forced each system owner to address DR and BC objectives and requirements during each budget cycle. There was little alignment of the business and IT on BC and DR, as management seemed to view BC as strictly an IT concern. However, high-level management recently drove the creation of a global BCP initiative that included the definition of formal BC roles and responsibilities. The interview subject stated that the initiative was started to increase awareness of system vulnerabilities as a result of the events of Sept. 11, 2001.

BC testing included the involvement of end users, who complete test transactions following system recovery. The organization relied on outsourcers (IBM) and internal redundancy to facilitate recovery. The firm had a distinct plan for the recovery of network communications (voice and data), and was the only firm in the sample to have such a plan.

The interview subject observed a lack of alignment between IT and the business. However, he believed that IT is well prepared as a result of several factors, including the fact that most of the IT management team spent significant portions of their careers working within business units.

Pharmaceutical Organization 4

The interview with Pharmaceutical Organization 4 (Pharma4) was completed with the Director of IT, who reported to the corporate CIO for one of the largest US-based pharmaceuticals.

The interview revealed that governance processes related to BCP, including budgeting, policies/procedures, change control, and testing, were virtually non-existent. However, a corporate-level BC officer had been recently identified.

The subject commented that although a central information security organization has been created within Pharma4, it is not at all involved with BC. The firm recently employed third-party consultants to complete risk assessments to support BC activities. The existing BCP strategy included consideration of “compound” or “interdependent” event scenarios, such as when a single disaster eliminates multiple components of architecture or destroys both the primary and backup systems. This planning element was not observed in other firms in the sample.

Telecommunications Firm

The interview with the Telecommunications Firm (Telco1) was completed with the manager of BCP. The subject, an employee with almost twenty years with the firm, described how the organization has long recognized the importance of BC, which in his opinion has resulted in a relatively high level of maturity of their BC program.

The subject described how BC costs were tracked in unique budget categories that were present even in project-level budgets. BC process guidelines promote a high level of IT/business alignment on BC activities. BC is recognized as a CIO responsibility, and the CIO routinely presents BC activities to the business. The firm had invested significantly to build system redundancy and provide all recovery facilities “in house”. For this reason, there was no reliance on outsourcers to facilitate recovery. Formal risk assessment, including evaluation of threats and vulnerabilities, is periodically conducted to support BC activities.

Analysis of Interviews

Interviews of the sample of firms produced a number of important observations within a variety of aspects of the BCP. The results of the small sample interviews for the pharmaceutical industry suggest a significant level of variability in practices across otherwise similar organizations. (See Table 1.)


Table 1: Some Critical BCP Dimensions

Issue | Pharma 1 | Pharma 2 | Pharma 3 | Pharma 4
--- | --- | --- | --- | ---
Critical assets identified | Yes | Yes. Research data | Yes | Yes
Risk assessment performed / compound events considered | No / No | Yes / No | Yes / No | Yes / Yes. Relied on third parties.
Separate BCP budget: existence and locus | No. Distributed to business lines. | Yes. Separate budgets for both BCP and DR. | Yes. Separate budgets for both BCP and DR. | Minimal BCP budget.
Delineation of BCP roles and governance | BCP is recognized as part of everyone's responsibility. | Formal roles identified. | Yes. There is a global DR planning project underway. | Yes, centralized. There is a designated global BCP officer.
Alignment of BCP/security responsibility with business | Weak. IT mainly responsible. | Strong | Weak. Business units mainly responsible. | Strong
Testing functions and processes | Yes | Yes | Yes | Yes
Technology / system redundancy | Limited | Strong. Both internal and external backups. | Limited | Moderate
Use of outsourcers | Yes, for DR | Yes, for DR | Yes, for DR | Yes, for DR

While all of the firms have identified their most critical assets, one of the firms has not completed a formal risk analysis and two others have not considered multiple sources of failure in their risk assessments. There are significant differences in how the firms have organized for BC and DR. Varying degrees of centralization and formalization are evident. For example, Pharma 1 decentralized the BC budget to the business units and embraced the idea that "BCP was part of everyone's responsibility." Pharma 1 displayed low levels of formality (i.e., role definition). It is only recent internal security breaches that prompted Pharma 3 to identify such positions.

Similarly, the four firms have different organizational and leadership arrangements for BC. The sense that the BCP was aligned with the needs of the business was weak in both Pharma 1 and Pharma 3 in which the business units are mainly responsible for BC. Note that this observation may be subject to bias as the interviewees in Pharma 1 and Pharma 3 are security officers.

Governance structures also differ across the sample. Pharma 2 and Pharma 4 appear to have more mature BC programs than Pharma 1 and Pharma 3. BC processes are somewhat consistent in the four firms, including practices related to testing the BC program. However, the firms differ in how they use the results of tests in feedback loops to continuously improve the BC program.

Finally, technology adoption ranged from firms having almost no BC-specific technology architecture (Pharma 1 and Pharma 3) to firms that specifically designed (or intended to design) redundancy into their networks. All four firms used outsourcers for backup and recovery of information assets. This included the use of hot sites for disaster recovery purposes. The firms interviewed had relied on the use of outsourced recovery hot sites for a period of years prior to the interviews.

General Observations

The interviews yielded a number of insights that provide a glimpse of current practices. Through completion of the structured interview discussions a number of consistent themes emerged.

The interviewees had experienced difficulty garnering attention to BC just prior to initiating Y2K planning activities. However, some activities completed under the banner of Y2K actually drove business continuity planning efforts. This included increased attention to developing internal redundancies. Firms also experienced diminished attention following the Y2K rollover, but subsequent renewed interest following the events of 9/11/01.

There appears to be a general trend towards increased board participation. This includes an increased formalization and emphasis of BC activities. Top management involvement appears to be generally increasing, including the development of senior-level committees focused on BCP.

Commenting on testing and rehearsal activities, firms expressed concern with limited participation from the business. Therefore, it may be reasonable to suspect that so-called business continuity activities in some firms are perhaps better described as disaster recovery. On a related note, perceptions of overall preparation appear to vary between firms and across business units within firms.

The scope of BC and DR activities appears to emphasize large, centralized systems while not fully addressing requirements related to distributed systems and LANs. Traditional mainframe-centric disaster recovery activities appear to represent the bulk of activities considered BC in some firms.

Finally, much discussion centered on the topic of regulation. Inconsistent comments were provided about the role played by regulation in driving BC activities. However, regulation was consistently described as a topic of interest in virtually all discussions. The perceived effect of legislation, however, was inconsistent.

In the remainder of the chapter, information from our preliminary interviews and the existing BC models from the literature are combined to develop a comprehensive evaluation model for BC that focuses on management as well as technical issues. While other BC assessment instruments address particular aspects of BC such as planning, governance, technology, and risk assessment, BC-EM addresses a complete range of organizational and interorganizational issues that have become important since the events of September 11, 2001. In turn, the evaluation model is used to develop a survey instrument (included as an Appendix).

3. OVERVIEW OF BC EVALUATION MODELS

Basic Concepts

The nature of BC has been explored in numerous papers. (Meglarthy 2000) noted, “Corporate business continuity planning specifies the methodology, structure, discipline, and procedures needed to back up and recover functional units struck by a catastrophe. Therefore, every functional unit must accept responsibility for developing and implementing the business continuity plan, and the plan must have the total support of management.” This describes BC as a complex construct that includes multiple elements of planning and, by its very nature, is dependent on the involvement of all functional units. The complexity of DR was described by (Nemzow 1997) who observed, “disaster recovery is not just equipment, hot sites, and materials. It also represents communications, people interaction, knowledge bases, workflows, strategy and backup.”


The risk management dimensions of BC were explored by (Lewis et al, 2003) who noted “The increased use of IT for vital business processes has facilitated the growth of a new economy. Yet, dependence on technology holds the potential to bankrupt an organization. Generally accepted analysis techniques used in risk management can be applied to IT to help meet this challenge. An analysis employing such techniques can provide a risk profile to identify specific disruptive events, business segments, locations, individual policies, or contracts that contribute disproportionately to overall loss potential. Such an analysis can reduce uncertainty and support better strategic decision-making.” Therefore, the planning and coordination processes of the functional business units should be based on some understanding of risk, and specifically on the nature of the universe of risk events they may encounter.

(Lipson & Fisher 1999) similarly highlighted the risk management aspects of information security and contingency planning, and presented the concept of “network survivability”. Noting the linkage between business and technical risk, Lipson and Fisher stated, “If a cyber-attack disrupts critical business functions and interrupts the essential services that customers depend upon, then the survival of the business itself is at risk.”

Finally, (Smith 2000) provided insights on the planning process itself. Smith described aspects of plan development, creation of adequate testing scenarios, and insights on conducting tests of the plans. He noted the challenges of effective BC in the distributed computing environment, observing “These plans require far more participation on the part of management and support organizations than mainframe recovery planning. The scope is no longer limited to recovery; plans must integrate with existing disaster prevention and mitigation programs. These company-wide resumption plans are costly to develop and maintain and are frequently prolonged, problematic, and unsuccessful. Fortunately, there have been successes from which data center managers can learn.”

BC “Best Practices”

The development of a comprehensive model of BC is essential to facilitate a broad-based study of organizational BC practices across a meaningful sample. Some authors have described individual “best practices” associated with BC, sometimes grouped into functional or process categorization. The Business Continuity Institute (Smith 2003) recommended a six-phase approach, summarized as follows:

1. Understand your business strategy
2. Define a business continuity strategy at varying levels of abstraction such as organizational, functional, and resource-level
3. Develop plans to execute your business continuity strategy
4. Build a “business continuity culture” through training and awareness programs
5. Periodically audit and test your program
6. Institute appropriate governance processes

The National Institute of Standards and Technology (NIST) asserted that the success of BC activities is dependent upon an understanding of their recommended baseline BC process, development of a plan with all requisite components, and emphasis on plan maintenance, training, and testing (NIST 2000). NIST recommended a contingency planning process consisting of the following steps:

1. Develop the contingency planning policy statement.
2. Conduct the business impact analysis (BIA).
3. Identify preventive controls.
4. Develop recovery strategies.
5. Develop an IT contingency plan.
6. Plan testing, training, and exercises.
7. Plan maintenance.

A number of other prescriptions for process-oriented frameworks have appeared in the literature, for example in books such as (Barnes 2001) and (Hiles and Barnes 1999). These process models could provide the basis for models assessing the state of preparedness of an organization with regard to both BC and DR. This could be done by elaborating the tasks required to execute each step and developing metrics for measuring how well these tasks have been performed by the organization. A more direct approach to BC assessment is provided by (Ream 2003) who developed a Business Continuity Management (BCM) maturity model. Similar to maturity frameworks for other areas of study, the BCM maturity model uses a variety of characteristics to “grade” overall organizational competence on BC and related processes. Ream graded organizations as follows:

• “Level 1 - Self-Governed - Business continuity management has not yet been recognized as strategically important by senior management.”
• “Level 2 - Supported Self-Governed - At least one business unit or corporate function has recognized the strategic importance of business continuity and has begun efforts to increase executive and enterprise-wide awareness.”
• “Level 3 - Centrally-Governed - Participating business units and departments have instituted a rudimentary governance program, mandating at least limited compliance to standardized BCM policy, practices and processes to which they have commonly agreed.”
• “Level 4 - Enterprise Awakening - All critical business functions have been identified and continuity plans for their protection have been developed across the enterprise.”
• “Level 5 - Planned Growth - Business continuity plans and tests incorporate multi-departmental considerations of critical enterprise business processes.”
• “Level 6 - Synergistic - All business units have a measurably high degree of business continuity planning competency. Complex business protection strategies are formulated and tested successfully.”

Ream considered organizations at Level 1 – Level 2 to be “at risk” with respect to response capabilities based on the overall weakness of their respective BC programs. Similarly, organizations at Level 3 – Level 4 were labeled “competent performers”. Firms at Level 5 – Level 6 were described as exhibiting the highest levels of preparedness.

4. TOWARDS A COMPREHENSIVE FRAMEWORK FOR EVALUATING BC

The literature cited previously provides significant insights on the nature and challenges

presented by BC. Furthermore, comprehensive BC practice models such as those described by

(Barnes, 2001), (Smith 2003) and (Ream 2003), and the NIST contingency planning guidelines,

illustrate how various BC practice characteristics may be used to develop an organizational BC

model. Such a model could be used to establish a composite score such as a maturity level to

facilitate a comparison of organizations in a wide sample. However, the above models do not

address all the dimensions of BC. What is needed to support an industry-wide comparison

therefore is the development of a robust evaluation framework that allows identification of the

noted individual practice characteristics and groups them in a way to illustrate a firm’s BC

strategy. The remainder of this chapter develops an integrative organizational model of BC that

jointly emphasizes the roles of the security (or BC) organization and the larger organization of

which it is a part. The model provides an articulation of the major elements of the security and

overall organizations working together as an integrated system. The model will be referred to as

the Business Continuity Evaluation Model, or BC-EM. BC-EM is comprehensive enough to


cover the issues highlighted by our interviews as well as those outlined in the literature discussed

in the previous section.

BC-EM consists of two sub-models: the BCP Planning Model illustrated in Figure 1, and the Management Model illustrated in Figure 2. Using this framework, an organization's BC preparedness can be assessed by determining the existence and quality of the various elements in the two figures. Because the model is intended to assess a large number of companies in an industry, the information about each system element need not be as detailed as that required for an in-depth diagnosis of the state of BC within a single organization. Thus, ceteris paribus, the fact that an organization has performed a business impact analysis might be taken as evidence that it has developed more effective BC practices than an organization that has not taken this step.

The BCP Planning Model in Figure 1, below, shows the major steps in developing the strategy

and resource allocation for effective security. Based on the organization's strategy, the

assessment model starts with an identification of the assets and processes that are of most value to

the organization. For example, in the pharmaceutical industry, the most important assets are

probably related to its R&D function. The next logical step is to perform a risk/business impact

analysis (Alberts and Dorofee 2003) and to develop a security strategy and security budget.

Figure 1: BCP Planning Model (elements shown: Organizational Strategy, Strategic Assets, Security Threats, Business Impact Analysis, Security Strategy, Security Budget)

The establishment of security budgets and a security strategy is considered a joint activity carried

out by the security organization and the overall organization. Starting with the strategy and the

resources devoted to security, the second component of our BC assessment approach, the

Management Model shown in Figure 2, describes the architecture in which the security program

is executed. This architecture has three dimensions. The first dimension consists of the


leadership, governance, people, process and technology aspects of both the firm's security organization and the larger organization of which it is a part. Our contention is that all five aspects are important to security. Moreover, these five aspects can be thought of as separate conceptual layers. The vertical block arrows in Figure 2 represent the influence of each layer on the one below it. The second dimension of the assessment model addresses the security organization's influence in improving security at all five levels of the organization. The horizontal block arrows in Figure 2 show this aspect. The third dimension of the model explicitly includes the vendors and customers of the organization as well as the service providers such as utility companies and security outsourcers contracted to assist the organization in the event of a disaster. Each external relationship should be actively modeled and evaluated.

From the discussion in section 2, it can be seen that the Smith and NIST BCP best practice recommendations focus almost exclusively on planning issues in Figure 1 of our model and on issues at the governance layer of Figure 2. In the following section, we organize the discussion of security issues according to the two models outlined in Figures 1 and 2.

The BC-EM Planning Model

The BC-EM Planning Model integrates concepts from (Smith 2003), (Ream 2003), the NIST contingency planning guidelines, and (Barnes 2001). The model includes suggested process steps related to plan development, risk and impact analyses, controls architecture, and contingency planning, and governance constructs such as budgeting. For example, NIST guidelines emphasize the importance of the alignment of business strategy with business continuity strategy. Execution plans represent the instantiation of the aligned strategies. We also include concepts from our own field observations as described in section 2 such as the importance of ensuring that adequate communications will be available in a crisis and the identification of responsibilities for BCP between IT and the rest of the organization.


Figure 2: Management Model (Security Organization layers: Management/Leadership, Governance, Human Resources, BCP Processes, Security Technology; Organization layers: Management/Leadership, Governance, Human Resources, Organizational Processes, Technology Infrastructure; external relationships: Customers via CRM Management, Vendors via SCM Management, Service Providers via Service Agreements)

Elements of the business continuity strategy include human resources elements (which are

included in the Layered Security Role Model) such as training and awareness, and development

of a business continuity structure. Following Figure 1, the important planning questions at the

high level of granularity for our study are as follows.

• Has the organization identified and ranked its assets in terms of their strategic importance?

• Has a business impact or risk analysis been carried out? Has the organization used a formal

risk assessment methodology such as OCTAVEsm (Alberts, Dorofee 2003)?

• Does the risk analysis account for compound events such as the risk of failure of

interdependent infrastructures?

• Existence of disaster insurance to support recovery

• Has an explicit security strategy been formulated? Does this strategy include the following

essential elements: safety of personnel, security of physical assets, and relocation plans? Has

this strategy been communicated to employees?

• Has a security budget been developed? Is this budget under the control of the security

organization?

• Existence of the following:

• BCP Mission Statement

• BCP Policies and Procedures


• BCP Goals & Strategies

• Inclusion of internal and external business partners in planning phase
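As an added example (not from the report or from any surveyed company), the following Python model makes the business impact analysis questions above concrete: functions with RTO targets depend on resources that depend on one another, so a single infrastructure failure can be traced through to the functions whose RTO it breaks, and two supposedly redundant resources can be checked for hidden common dependencies (the compound-event concern). All resource names, recovery times and RTO targets are constructed assumptions.

```python
"""Minimal business impact analysis over a dependency graph.

Added illustration, not code from the report. Every resource, function, recovery
time and RTO target below is a constructed assumption used only to show the method.
The dependency graph is assumed to be acyclic.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    recovery_hours: float          # time to restore this resource once its dependencies are back
    depends_on: list = field(default_factory=list)


# Constructed sample infrastructure. Note that backup_dc shares grid_power and telecom
# with primary_dc, which is exactly the kind of hidden interdependence a BIA should surface.
RESOURCES = {
    "grid_power":  Resource("grid_power", 24.0),
    "telecom":     Resource("telecom", 12.0, ["grid_power"]),
    "primary_dc":  Resource("primary_dc", 8.0, ["grid_power", "telecom"]),
    "backup_dc":   Resource("backup_dc", 4.0, ["grid_power", "telecom"]),
    "erp":         Resource("erp", 6.0, ["primary_dc"]),
    "clinical_db": Resource("clinical_db", 6.0, ["primary_dc"]),
    "vendor_3pl":  Resource("vendor_3pl", 48.0),   # third-party logistics provider
}

# Business functions: (RTO target in hours, resources the function needs).
FUNCTIONS = {
    "order_entry":             (24.0, ["erp", "telecom"]),
    "clinical_supply":         (12.0, ["clinical_db", "vendor_3pl"]),
    "adverse_event_reporting": (48.0, ["clinical_db", "telecom"]),
}


def transitive_deps(name, resources):
    """All resources that `name` depends on, directly or indirectly."""
    seen, stack = set(), [name]
    while stack:
        for dep in resources[stack.pop()].depends_on:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def is_down(name, failed, resources):
    """A resource is down if it failed itself or any transitive dependency failed."""
    return name in failed or bool(transitive_deps(name, resources) & failed)


def recovery_time(name, failed, resources, memo=None):
    """Hours until `name` is usable again: it can only be restored after all of its
    dependencies are back, and then needs its own recovery time on top."""
    memo = {} if memo is None else memo
    if name not in memo:
        if not is_down(name, failed, resources):
            memo[name] = 0.0
        else:
            res = resources[name]
            wait = max((recovery_time(d, failed, resources, memo) for d in res.depends_on),
                       default=0.0)
            memo[name] = wait + res.recovery_hours
    return memo[name]


def assess(functions, resources, failed):
    """Return {function: (rto_target, achievable_hours, shortfall_hours)} for one failure scenario."""
    memo, report = {}, {}
    for fn, (rto, needs) in functions.items():
        achievable = max(recovery_time(r, failed, resources, memo) for r in needs)
        report[fn] = (rto, achievable, max(0.0, achievable - rto))
    return report


def single_points_of_failure(functions, resources):
    """Resources whose lone failure makes at least one function miss its RTO."""
    spof = {}
    for r in resources:
        misses = [fn for fn, (_, _, short) in assess(functions, resources, {r}).items() if short > 0]
        if misses:
            spof[r] = misses
    return spof


def shared_dependencies(a, b, resources):
    """Transitive dependencies common to two supposedly redundant resources."""
    return transitive_deps(a, resources) & transitive_deps(b, resources)


if __name__ == "__main__":
    for fn, (rto, ach, short) in assess(FUNCTIONS, RESOURCES, {"grid_power"}).items():
        print(f"grid_power failure: {fn:25s} RTO {rto:5.1f}h achievable {ach:5.1f}h shortfall {short:5.1f}h")
    print("single points of failure:", single_points_of_failure(FUNCTIONS, RESOURCES))
    print("common dependencies of primary_dc and backup_dc:",
          shared_dependencies("primary_dc", "backup_dc", RESOURCES))
```

Replacing the constructed tables with a firm's own resource inventory and measured recovery times turns this into the "Evaluate critical processes and resource dependencies" and "Determine impacts of service provider or vendor failure" steps of Table 1.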

Table 1 shows typical steps and artifacts produced during the business continuity planning

process.

Table 1: Elements of the BC Planning Process

Corporate Strategy
• What are the most important markets and revenue streams?
• What are the strategic resources, processes, and databases?

Business Impact Analysis
• Identify external and internal threats
• Evaluate critical processes and resource dependencies
• Evaluate regulatory exposure
• Estimate financial impacts and loss of image
• Determine recovery time objectives (RTO) for each function
• Determine impacts of service provider or vendor failure
• Determine critical resources
• Evaluate current risk reduction measures
• List major concerns

Security Strategy - General
• Emergency evacuation procedures
• Safety of staff
• Alternate work site and relocation procedures
• Plans for communicating with government, vendors, customers, press
• Outsourcing of disaster recovery procedures
• Disaster insurance: physical assets and business income
• Facilities recovery: structure, power, utilities

Security Strategy - Computer Center
• Internal recovery - relocate, rebuild, restore
• Back-up facilities and procedures
• Commercial hot-site/cold-site arrangements

Security Strategy - Communications
• Crisis communications (voice and data)
• Restoration of full communication capabilities (voice and data)

Security Organization
• Identification of BC roles and responsibilities
• Division of responsibilities between general management and the security organization
• Specification of teams for emergency management

The Management Model

Turning now to the management model in Figure 2, we first determine the existence, size and authority of the security organization within the organization.


The BC Organization

The first issue to be addressed in the Management Model concerns whether the organization has developed a separate BC organization. The key issues in this area are as follows:

• The existence (or otherwise) of a formal entity, such as a steering committee, for managing

the BC process

• The existence of formal budgets devoted to BC and DR (or both) and the organizational

location of these budgets (in the IT organization, headquarters, or line units)

• The role of the general business organization in BC and DR

• The existence of a crisis management center

We next examine the issues pertaining to the five layers in Figure 2 and at the same time address

the role of the security organization in influencing the target organization and the relationships of

the organization with its business partners and service providers (the horizontal block arrows in

the figure). The following is a summary of each of the five levels in our evaluation model as well

as the horizontal relationships that represent the mechanisms available to the security

organization in its efforts to ensure a secure environment for the organization as a whole.

Manager/Leadership Layer

The ability of both general management and the security officers in a corporation to provide

security is key to the success of any BC effort. A number of studies show the importance of top

management awareness of security risks and willingness to communicate the importance of

security throughout the organization. Also of importance is the experience and skill of the

security managers and their formal reporting relationships in the organization. Communication

between the leaders in the security organization and the larger organization is a key to a secure

organization. The organization's top management should be guided by the managers in the

security organization and should, in turn, make the crucial security versus cost tradeoff decisions

and provide appropriate resources to the security organization and to the organization as a whole.

At this level, BC-EM seeks to capture certain characteristics of the manager(s) who are

responsible for planning and executing business continuity plans within their organization.

Specific security manager characteristics include the following:

• Management title


• Percentage of activities in current position that are dedicated to business continuity planning

and/or disaster recovery

• Reporting lines (i.e. report to CIO, CFO, other)

• Level of budget authority

• Professional experience in business continuity planning and disaster recovery

The alignment issues identified in our interviews and in the BC literature are captured by the

following questions:

• Are BC issues regularly discussed at the top levels of the organization? Has the board of

directors been involved?

• Has the responsibility for BC been formally delegated to line management as well as to

information systems and the security organization?

Governance Layer

Governance is “the operating model for how the organization will make decisions" (Luftman

2003). Governance in the security/BC domain involves the allocation and direction of security

resources, the delegation of responsibility for different aspects of security to various members of

the organization, prioritization of projects, development of performance measures, the

development and communication of clear roles in the event of a disaster, and the development

and enforcement of security policies. The two-directional horizontal block arrow at this level of

the model in Figure 2 represents the mutual interdependence of governance processes in both the

security and overall organization. The security organization has an important role in developing

the policies and procedures employed in the overall organization. On the other hand, the security

organization is subject to the governance procedures and policies of the overall organization.

Specific areas of governance included in the governance layer of BC-EM are:

• BC Budget that is annually approved

• Tracking of costs of preparation, testing, and actual recovery

• Conformance to regulatory guidelines

• Formal assignment of BC roles

• Headcount dedicated to BC

• Funding model (e.g., centralized vs. decentralized)

• Assignment of oversight and implementation responsibilities


• Involvement of senior management and the board on BCP

• Specification of recovery time milestones with business partners

• Use of formal change control over the plan

• Designated Senior Business Management Sponsor of BC

Human Resource Layer

The human element in organizations is often considered to be the weak link in security because

most security breaches occur through lack of understanding of security issues, carelessness, or

willful acts of sabotage by employees. Employee awareness and understanding of security issues

and their motivation to adopt security measures is a crucial aspect of a secure organization. Top

management leadership and appropriate governance mechanisms as shown by the vertical arrows

influence awareness, understanding, and safe practices. The horizontal block arrow at this level of

the systems model shows the role of the security organization in monitoring employee behavior

and influencing sound security practices throughout the organization. The Human Resources

aspect of BC-EM includes identification of characteristics associated with BC team members.

This includes the following:

• Technical skills and qualifications
• Communications skills
• Business acumen
• BCP awareness training activities sponsored by the organization
• The use of feedback from BCP and/or DR testing activities to support continuous learning
• Emergency plans for avoiding loss of life and providing shelter and other forms of support to

employees

The HR evaluation domain also seeks measures of the awareness of IT and other employees of the need for security and their understanding of the measures that are to be taken in the event of a disaster. For example, the model seeks to determine whether every employee in the organization has received information and directions on how to guard against security breaches, and whether or not they understand what they should do to ensure business continuity in the event of a disaster. The model similarly seeks to determine how diligent employees are in following best security practices, and whether or not IT personnel take BC considerations into account in the development of new software applications and the implementation of system security procedures.


Process Layer

The process level of the model has two aspects. First, security breaches often occur in business

processes and it is the revenue producing processes such as order entry and service delivery that

must be restored first in the event of an attack or natural disaster. Our assessment model must

therefore address the safeguards that are in place to protect and restore the essential processes of

the organization. The second aspect of the process level is the security and BCP planning

processes themselves. The security organization must develop and practice security procedures

and an essential part of its role is to help the business units (including the information technology

department) to understand and practice security measures and disaster recovery drills. The

horizontal block arrow at the process level in Figure 2 shows this latter aspect. Specific process

concerns are as follows:

• Involvement of senior management in BC and DR activities

• Involvement of the business units and IT

• Frequency of testing

• Testing approaches, including:

• Broad discussion of BC issues throughout the organization

• Restoration of critical systems and applications

• Completion of sample transaction processing by IT and by business units

• Movement of business users to recovery site

• Testing by third party consultants

• Surprise testing

• Participation of external business partners

• Frequency of update of the BCP

• The existence of recovery time objectives for various processes and platforms

September 11, 2001 signaled a change in how BCP is approached. As noted earlier, it

represented perhaps the first time organizations saw a pressing need to prepare for “man-made”

disruptions. Prior to September 11, 2001 there existed the possibility, indeed the actuality, that

some organizations would be victimized by intentionally malicious acts such as arson or

vandalism. However, the scope and scale of the events presented significantly more troubling

possibilities. Other events that can increase awareness of the need for BC and DR include the

imposition of new government regulations and the occurrence of events that require activation of


BC and DR processes. The BC-EM Process layer therefore includes “Responsiveness” elements that measure how organizations have reacted to events such as these, for example through increased management attention and increased investment in BC following the World Trade Center disaster. This includes the following:

• History of activation of the BCP

• Cause of the activation(s)

• Lessons learned during BCP execution

• Subsequent modification of the BCP

Technology Layer

Technology is the final layer of our systems model. At this layer, security technologies such as encryption, digital signatures, mirrored databases, firewalls and virtual private networks are engineered to protect the organization from internal misuse, from attack by outsiders, and from natural or man-made disasters. Again, at this level, there is interplay between the security organization and other parts of the organization including IT. The security organization investigates the available secure technologies and champions their use in the wider organization. IT and senior management should jointly determine the technologies that will be adopted and the IT projects that will be executed given limited resources. Specific issues relating to technology are as follows:

• Degree of reliance on internal resources, such as mirrored data centers, to facilitate recovery

• Offsite backup and recovery facilities - cold site or hot site

• Use of third-party facilities to support recovery

• Backup and recovery processes

• Recovery of data communications

• Recovery of end-user office environments

• Channels of communication (cell, land line, etc.) used during recovery

• Degree of embedded redundancy in production systems and networks

• Methods for maintaining accurate technology inventory to support recovery

The third dimension of the BC Management Model concerns the existence and management of

the firm's relationships with its vendors, customers, and service providers.


Supply Chain Management for Business Continuity

Today, organizations are involved in a complex web of relationships with companies that may be

located all over the world. More than ever, companies are dependent on the performance of

business partners both upstream (vendors) and downstream (distributors, retailers and

transporters) in the value added chain. Regional or even local disruptions can critically impact an

organization's ability to supply goods and services to its customers. In the event of a disaster, all

companies in the value chain must be contacted quickly to ensure continuation of the supply

chain. Shipments may need to be diverted, alternative sources of needed goods might need to be

located. Crucial issues in the management of the supply chain include:

• Well documented supply chain processes so that failure points can be identified and repaired

without undue delay

• Contact information and emergency communication modes for vendors and transporters plus

a list of alternative providers

• The development of a list of items critical to ongoing operations - this might range from

knowledge of scheduled shipments, medical supplies, computer equipment, to seemingly

mundane items such as office supplies

• Contact lists for persons in the organization responsible for ensuring that the company can

communicate with supply chain partners and continue operations in an emergency situation

• The existence of disaster provisions in service level agreements

Customer Relations

In order to maintain market share the organization must be able to quickly restore services and supplies to customers. The organization must also be prepared to protect its reputation and handle media inquiries. Many of the elements in maintaining vendor relationships remain true for customer relations. These include documentation of logistics processes, development and maintenance of customer contact lists, knowledge of current customer orders, and lists of company individuals who maintain relationships with customers and who will be responsible for customer relations in an emergency situation. Unique elements in managing customer relations include:

• Use of the Pareto (80/20) principle to ensure continued service to the company's most important customers

• Speed in communicating with customers concerning interrupted shipping or diminished

service


• Documented knowledge of alternative sources of supply of the company's products

(from alternative warehouses or even from competing firms)

• Redundancy in warehouses and shipping routes and transporters

• Arrangements to place informative messages on the company's web site in the event of a

disaster

• Ability to "manage demand" by understanding customer needs and suggesting substitutes if

some products or shipments are impossible

• Identification of a single company spokesman, perhaps the CEO

Service Providers

Every company depends crucially on many service providers including utility companies

supplying water, power and communications, contracted disaster recovery outsourcers and

insurance companies. In all cases, discussions should be held with representatives of service

providers to ensure continuity of service in the event of a disaster. Important elements in this area

include:

• The maintenance of lists of service provider contacts

• Availability of business continuity insurance and copies of insurance policies

• Redundant sources of power, water and voice and data communication networks

• Service Level Agreements that explicitly include provision for business continuity

5. ELEMENTS OF BC UNIQUE TO THE PHARMACEUTICAL INDUSTRY

Every company and industry will have unique problems and issues to face in the area of business

continuity and recovery. A separate section of the BC-EM survey in the appendix to this chapter

is therefore devoted to gathering information about the critical assets of companies and an open-

ended question asking respondents to state their major BC and DR concerns.

The following paragraphs summarize our a priori opinions on what is likely to be stressed by

managers in the pharmaceutical industry.

Unique aspects of the pharmaceutical business underscore the importance of BC to firms within

the industry. For pharmaceutical research and development organizations there is clearly a need

to ensure uninterrupted business processes to minimize “time to market” for new drug offerings.


Similarly, manufacturing and distribution organizations must ensure efficient management of

logistics to ensure uninterrupted production and delivery flows.

Intellectual assets related to R&D are critically important to pharmaceutical companies. These

assets include databases of drug formulations and results of clinical tests, patents, research

equipment, research laboratories, networks of research alliances, and, last, but not least, the

research personnel themselves. Since clinical tests are ongoing and involve live patients, drug

companies must ensure that the health and lives of persons taking part in clinical tests are not

endangered because of an interruption of supplies.

Pharmaceutical organizations in the United States are subject to oversight by agencies including

the Food and Drug Administration (FDA), Environmental Protection Agency (EPA), and others.

Title 21 Code of Federal Regulations (21 CFR Part 11) Electronic Records, Electronic Signatures enabled pharmaceutical companies to rely on electronic record keeping and, therefore, created responsibility for maintaining the security of electronic information. Regulatory challenges include issues

related to achieving compliance (i.e. controls) as well as reporting. An example of a process-

oriented concern involves the reporting of adverse events to regulators. Systems must be

available, for example to facilitate a recall of product lots from throughout distribution, including

retail channels.

Apart from the regulatory requirements, increased reliance on IT within pharmaceutical business

processes creates significant needs for BCP. For example, IT has facilitated faster, more efficient

drug discovery processes. Research organizations populate critical databases with the results of

research activities. Disruption to the systems and technologies that support discovery would have

a profound effect on the organization’s ability to function. Pharmaceutical organizations are

directly rewarded for minimizing the “time to market” for new drugs, therefore BCP becomes a

requirement to manage contingencies along the development lifecycle. Manufacturing and

distribution processes are similarly critical to pharmaceutical organizations. Supply chain

management is facilitated by Enterprise Resource Planning (ERP) systems that must be included

within the BCP scope.


6. CONCLUSION

This chapter explored and developed a model of business continuity practices in the

pharmaceutical industry. Interviews with four executives responsible for BC in very large pharmaceutical companies revealed different approaches and different levels of

preparedness in the four companies. The issues raised in these interviews and several existing

prescriptions from the literature were used to develop a comprehensive model for assessing BC

preparedness in the pharmaceutical industry. A survey instrument based on the BC-EM model is

included in the Appendix.

The next step in our research is to use the BC-EM model to survey and interview managers in the

pharmaceutical industry. The result of this study will be a comprehensive assessment of business

continuity practices that should provide insights into the preparedness of firms in the

pharmaceutical industry to cope with calamities such as natural disasters or terrorist attacks.

References

Alberts, C. and Dorofee, A. 2003. Managing Information Security Risks – The OCTAVEsm Approach. New Jersey: Pearson Education.

Armstrong, I. 2003. Keeping IT Running. www.scmagazine.com.

Barnes, J. C. 2001. A Guide to Business Continuity Planning. New York: John Wiley & Sons.

Bolles, G. and Kirkpatrick, T. 2001. Disaster Recovery. Ziff-Davis CIO Insight. www.cioinsight.com.

Cowley, S. 2002. September 11 Keeps Disaster Recovery in Forefront. www.computerworld.com.

Hiles, A. and Barnes, P. 1999. The Definitive Handbook of Business Continuity Management. New York: John Wiley & Sons.

Lewis, W., Watson, R. and Pickren, A. 2003. An Empirical Assessment of IT Disaster Risk. Communications of the ACM, September 2003, Vol. 46, No. 9.

Lipson, H. and Fisher, D. 1999. Survivability – A New Technical and Business Perspective on Security. CERT Coordination Center, Software Engineering Institute. www.cert.org.

Luftman, J. 2003. Managing the Information Technology Resource: Leadership in the Information Age. Prentice Hall.

McMillan, R. 2003. Survey: U.S. Business, IT Executives at Odds on Disaster Recovery. www.computerworld.com.

Meglarthy, S. 2000. Overview of Business Continuity Planning. Auerbach: CRC Press LLC, Boca Raton, Florida.

Nemzow, M. 1997. Business Continuity Planning. International Journal of Network Management, Vol. 7, 127-136.

NIST 2000. NIST Special Publication 800-34, Contingency Planning Guide for Information Technology (IT) Systems.

Ream, S. 2003. How Does Your Company Measure Up? The Business Continuity Management (BCM) Maturity Model. http://www.virtual-corp.net/html/bc_model.html

Smith, D. 2003. Learning from BCI’s Good Practice Guidelines: Business Continuity Advice from Someone who Knows. Business Continuity Institute. www.contingencyplanning.com.

Smith, K. 2000. Developing and Testing Business Continuity Plans. Auerbach: CRC Press LLC, Boca Raton, Florida.

Stacey, T. 2000. The Information Security Program Maturity Grid. Auerbach: CRC Press LLC, Boca Raton, Florida.

United States Securities and Exchange Commission 2003. Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System. Federal Reserve, Department of the Treasury, Securities and Exchange Commission.


APPENDIX TO CHAPTER 3

Survey Instrument

A survey instrument derived from the BC-EM model described in the chapter is included below. In this case, the survey is directed towards high-level executives, so the BC-EM model is used at a high level of aggregation to avoid excessive detail and obtrusive questions. Essentially, this application of the BC-EM model focuses on the existence and adequacy of the model elements shown in Figures 1 and 2. The BC-EM model could alternatively be used for in-depth studies of a single organization, in which case a more detailed survey would be constructed.

Survey of Business Continuity Practices
_________________________________________

A. Profile of Survey Participant

1. Please indicate the primary function of your business unit.
• Corporate Headquarters/Holding company
• Sales/Marketing
• Manufacturing/Distribution
• R&D
• IT Services
• Security/BCP
• Other (Please specify) _____________

2. Please select the choice that best describes your formal title.
• Manager/Director of Business Continuity Planning
• Manager/VP in Business Line
• Manager/Director of Disaster Recovery Planning
• Chief Financial Officer
• Chief Security Officer
• Chief Operating Officer
• Chief Information Officer/Chief Technology Officer
• Manager, Research
• Chief Executive Officer
• Other __________________

3. Please indicate the approximate percentage of activities in your current position that are dedicated to business continuity planning and/or disaster recovery.
• Less than 25%
• Between 25% and 50%
• About 50%
• Between 50% and 75%
• More than 75%

4. Please select the choice that best describes the individual you report to.
• Manager/Director of Business Continuity Planning
• Manager/VP in Business Line
• Manager/Director of Disaster Recovery Planning
• Chief Financial Officer
• Chief Security Officer
• Chief Operating Officer
• Chief Information Officer/Chief Technology Officer
• Manager, Research
• Chief Executive Officer
• Other __________________

5. Please indicate your total level of professional experience in business continuity planning and disaster recovery.
• Less than 1 year
• Between 1 and 3 years
• Between 3 and 6 years
• Between 6 and 9 years
• 10 years or more

B. Company Profile

6. Which one of the following best represents your company’s total revenue for the year 2001?
• Under $1.0 million
• $1.0 million to $9.9 million
• $10.0 million to $24.9 million
• $25.0 million to $49.9 million
• $50.0 million to $99.9 million
• $100 million to $499.9 million
• $500 million to $999.9 million
• $1 billion or higher
• Non-profit/Not reported
• Don’t know/Not sure

7. How many employees work for your entire organization, including all branches, divisions, and locations?
• Under 100
• 100 to 499
• 500 to 999
• 1,000 to 4,999
• 5,000 to 9,999
• 10,000 or more
• Don’t know/Not sure

C. Planning for Business Continuity and Disaster Recovery

8. What is the most critical business asset that must be protected by appropriate BCP and DR processes?
• Business data
• R&D Information
• Manufacturing facilities
• Continuity of business processes
• Other _______________________

9. What is your greatest concern with regard to security and business continuity? (Please specify)
_____________________________________________________________________

10. Which one of the following statements best describes your corporation’s, division’s or business’s approach to business continuity/disaster recovery planning?


• Business continuity/disaster recovery planning has always been a priority in our company.
• Business continuity/disaster recovery planning has been a priority in recent years as security and terrorism threats have increased.
• Business continuity/disaster recovery planning became a top priority after September 11th.
• Other (Please specify) __________________

11. Does your corporation, division or business currently have a business continuity/disaster recovery plan? __

12. If yes, which of the following areas have been identified as top priorities in your business continuity/disaster recovery plan? (PLEASE CHECK ALL THAT APPLY TO YOUR ORGANIZATION)
• Planning for interruption of continuity of operations for a much longer period of time than anticipated
• Planning for loss of access to vendors for restoration of service or replacement of critical equipment
• Planning for permanent loss of a facility
• Ability to identify where all employees are located and how to reach them
• Developing evacuation plans for employees from threatened or attacked facilities
• Implementing an employee communications/training program
• Ability to communicate with employees during and immediately after a disaster
• Planning for the unanticipated loss of human life
• Creating a back-up disaster response team, if the designated team is inaccessible or lost in the disaster
• Network redundancy
• Mirroring of critical information systems
• Network/IT security
• Other (Please specify) __________________

13. Which items exist formally in your firm, as related to BCP? Please indicate all that apply.
• BCP Mission Statement
• BCP Policies and Procedures
• BCP Goals & Strategies
• BCP Steering Committee
• BCP Budget that is Annually Approved
• Designated Senior Business Management Sponsor of BCP

14. What assessments are done to plan for BC? Please indicate all that apply.
• Business Impact Analysis
• Risk Assessment
• Requirements Gathering
• Technical Vulnerability Assessment
• Other (Please specify) __________________

15. Does the organization consider risks associated with interdependent infrastructures as related to enabling BCP? (For example, a major disaster incident that destroys a computing center may also disrupt travel in a metropolitan area, preventing the recovery team from responding quickly.)


• YES, we consider “compound events”
• NO, we do not consider “compound events”
• NOT SURE

16. Are formal assessment methods used to estimate risk as part of BCP activities?
• YES, the organization uses formal risk assessment methods to support BCP
• NO, the organization does not use formal risk assessment methods to support BCP
• NOT SURE

17. Do you…
• Use a service provider for your network/IT security needs
• Plan on using a service provider for network/IT security needs
• Neither, do it all in-house
• Don’t know/Not sure

19. Does the scope of BCP include ALL business units or only CRITICAL business units?
• The scope includes ALL business units
• The scope includes ONLY CRITICAL business units
• NOT SURE

20. How often is the BCP plan updated?
• Once per year or more often
• About every 2 years
• Every 3 years or more
• Never
• Not sure

21. Does the organization plan to rely on insurance coverage in the course of BCP recovery efforts?
• Yes
• No
• Not Sure

22. Are internal and external business partners (e.g. operations, technical support, vendors, suppliers) included in your business continuity plans?
• Yes
• No
• Not Sure

D. Organizing for BC and DR

23. Who in your organization, by job title, has overall responsibility for implementing business continuity/DR?
• Security Officer/Security Manager
• IT Manager/Director
• CIO/CTO
• Systems Administrator/Engineer
• Network Manager
• Corporate Controller/CFO
• CEO, President, Owner, Partner


• Other (Please specify)

24. Who has responsibility for overseeing your business continuity plans?
• CIO organization
• Business
• CFO organization
• Audit
• Other (Please Specify) __________________

25. Has your organization… (PLEASE CHECK ALL THAT APPLY)
• Created a new position/job title for the individual responsible for dealing with business continuity/disaster recovery planning and implementation.
• Is planning on creating a new position/job title for the individual responsible for dealing with business continuity/disaster recovery planning and implementation.
• Organized a new team or organizational process to focus on business continuity/disaster recovery planning.
• Other (Please specify)
• Don’t know/Not sure

26. If yes, what is the new job title for this position? ___________________

27. Has your organization identified a specific organizational unit whose main responsibility is BCP and DR?
• Yes
• No
• Not Sure

28. If yes, how many internal staff are in this unit?
• 3 or less
• 4 to 10
• Greater than 10

29. Is the BCP Team responsible for Crisis Management?
• Yes
• No
• Not Sure

30. How are activities related to BCP funded?
• BCP expenditures are paid from business or IT budgets on a project-by-project basis
• There is a distinct annual budget for BCP that is tracked by the CFO organization

31. Do you …
• Use a service provider for your business continuity/disaster recovery requirements
• Plan on using a service provider for your business continuity/disaster recovery requirements
• Neither, do it all in-house
• Not sure

32. Are offsite recovery facilities (owned by third parties) contracted to enable the restoration of computing operations?
• Yes
• No
• Not Sure


33. Does the organization have a crisis command center that is used during a recovery event?
• YES, we have a designated crisis command center
• NO, we do not have a designated crisis command center

E. Management Leadership

34. Please select the statement that best indicates your opinion of the involvement of the board of directors in BCP and DR activities.
• Extremely involved and supportive of BCP and DR efforts
• Occasionally involved in BCP and DR efforts
• Avoids involvement in BCP and DR efforts
• No opinion

35. Please select the statement that best indicates your opinion of the involvement of senior management in BCP and DR activities.
• Extremely involved and supportive of BCP and DR efforts
• Occasionally involved in BCP and DR efforts
• Avoids involvement in BCP and DR efforts
• No opinion

36. Please select the statement that best indicates your opinion of the involvement of the Information Technology team in BCP and DR activities.
• Extremely involved and supportive of BCP and DR efforts
• Occasionally involved in BCP and DR efforts
• Avoids involvement in BCP and DR efforts
• No opinion

F. Governance Domain

37. Do regulatory bodies (e.g. US FDA) require specific BCP activities within your organization?
• Yes
• No
• Not Sure

38. Are the costs of preparation, testing, and actual recovery tracked by the finance organization?
• Yes
• No
• Not Sure

39. Is there formal assignment of BCP roles (i.e. dedicated positions)?
• Yes
• No
• Not Sure

G. Human Resources Domain

40. Does the BCP team have adequate TECHNICAL skills and qualifications to effectively address BCP and DR for your firm?
• YES, the team has adequate skills and qualifications
• NO, the team does not have adequate skills and qualifications


• NOT SURE

41. Does the BCP team have adequate COMMUNICATIONS skills to effectively address BCP and DR for your firm?
• YES, the team has adequate skills
• NO, the team does not have adequate skills
• NOT SURE

42. Does the BCP team have adequate BUSINESS UNDERSTANDING to effectively address BCP and DR for your firm?
• YES, the team has adequate business understanding
• NO, the team does not have adequate business understanding
• NOT SURE

43. Does the organization have a formal awareness training program for BCP and DR policies and procedures?
• Yes
• No
• Not Sure

44. How do you communicate details of your BCP and DRP to your employees? Please indicate all that apply.
• Interoffice Memos
• BC/DRP Newsletters
• Company-Wide Meetings or Teleconferences
• Functional Managers are expected to inform their respective staffs
• Posters displayed in common areas such as cafeteria or meeting rooms

45. Do BCP and/or DR testing activities support continuous learning by providing direct feedback through the use of post-test, or “post mortem”, test evaluations?
• Yes
• No
• Not Sure

H. Process Domain

46. What types of tests of the BC/DRP are used? Please indicate all that apply.
• Discussion (Paul explain)
• Restoration of Critical Systems
• Restoration of Critical Applications
• Completion of Sample Transaction Processing by IT
• Completion of Sample Transaction Processing by Business
• Movement of Business Users to Recovery Site
• 3rd Party Testing
• Surprise Testing
• Participation of External Business Partners

47. Has the business continuity/disaster recovery plan been tested in the last five years? If so, how often?
• No, never tested


• Yes, tested quarterly ___ (# of times) in the last five years
• Yes, tested annually in the last five years
• Yes, tested monthly in the last five years
• Don’t know/Not sure

48. How often do you review and/or update your business continuity plans?
• Continuous updates performed by dedicated BC/DR staff
• Updates made at regularly occurring intervals (for example, quarterly)
• Updates made as needed, based on changes to the business or technology
• NOT SURE

49. How often do you conduct BC/DR tests or exercises?
• Once per Year
• Twice per Year
• More than Twice per Year
• Testing not completed on a regularly occurring basis

50. What is the involvement of business users in the course of BCP testing activities?
• High level of involvement
• Some involvement
• Little or no involvement

51. Have recovery time objectives (RTO) been established for crucial business activities?
• Yes
• No
• Not Sure

52. What are the recovery time objectives (RTO) for the mainframe?
• 4 hours or less
• 12 hours or less
• 24 hours or less
• 36 hours or less
• 72 hours or less
• 7 days or less
• Greater than 7 days

53. What are the recovery time objectives (RTO) for the AS400 or UNIX servers?
• 4 hours or less
• 12 hours or less
• 24 hours or less
• 36 hours or less
• 72 hours or less
• 7 days or less
• Greater than 7 days

54. What are the recovery time objectives (RTO) for Microsoft or Novell servers?
• 4 hours or less
• 12 hours or less
• 24 hours or less
• 36 hours or less
• 72 hours or less
• 7 days or less
• Greater than 7 days


I. Technology Domain

55. What backup computing activities are conducted? Please indicate all that apply.
• Scheduled backup to magnetic media
• Scheduled backup to optical media
• Rotation of backup media to offsite storage
• Mirroring of critical data to redundant systems
• NOT SURE

56. How often does the organization test backup media?
• Sample backup media is restored at least monthly to verify successful backup processes
• Backup media is only restored in the course of BC/DR testing activities
• NOT SURE

57. Do BC/DR tests include restoration at offsite recovery facilities?
• Yes
• No
• Not Sure

58. Approximately how far is the primary data center from the recovery site?
• Less than 5 miles
• Between 5 and 25 miles
• Between 25 and 75 miles
• Greater than 75 miles

59. How are data communications restored in the course of recovery activities?
• Rely on existing, redundant data communications facilities
• Data communications provided by outsourced recovery partner
• Data communications ordered as needed from connectivity providers
• NOT SURE

60. Do BC/DR recovery activities include restoration/replacement of end user office environments?
• Yes
• No
• Not Sure

61. How do you communicate with your employees during an emergency response? Please indicate all that apply.
• Office Phones
• Cellular Phones
• Email
• Two-way pager
• Private Radio System

62. To what degree has the network and systems architecture been designed with redundancy and robustness to minimize the impact of an incident and/or speed recovery?
• High degree of redundancy and robustness
• Moderate degree of redundancy and robustness
• Low degree of redundancy and robustness


63. To what degree do you use internal resources (such as mirror data centers) to recover instead of relying on external offsite facilities?
• High degree of use of internal resources
• Moderate degree of use of internal resources
• Low degree of use of internal resources

64. What platforms are included within BC/DR scope? Please indicate all that apply.
• Desktop PC
• Microsoft Servers
• UNIX
• AS400
• Other Mid-Range Computing
• IBM Mainframe

65. How does the firm maintain an accurate inventory of components considered to be within the BCP scope? Please indicate all that apply.
• Electronic inventory system is used CONTINUOUSLY
• Electronic inventory system is used PERIODICALLY

J. External Relationships: Customers

66. Has a media relationship representative/group been appointed to coordinate communications with customers and the press in the event of an emergency?

66. Is there a secure customer contact list that is guaranteed to be available to communicate with key customers in the event of a disaster? Have employees been assigned to make these contacts in emergency situations?

67. Have arrangements been made to ensure continuous supplies to key customers in the event of a disaster?

68. Are customers aware of the company’s emergency plans?

J. External Relationships: Vendors

69. Is there a secure vendor contact list that is guaranteed to be available to communicate with key customers in the event of a disaster? Have employees been assigned to make these contacts in emergency situations?

70. Has the company created a list of alternative suppliers that can be used if supplies from current vendors cannot be maintained?

71. Have lists of essential materials and supplies been created so that the company can ensure business continuity in the event of a disaster?

72. Have transportation arrangements been made with the vendors to ensure continuous supplies in the event of a disaster?

73. Are vendors aware of the company’s emergency plans?


74. Does the company have adequate knowledge of the BC plans of key vendors?

J. External Relationships: Service Providers

75. Is there a secure service provider contact list that will be available to communicate with key providers in the event of a disaster? Have employees been assigned to make these contacts in emergency situations?

76. Are service providers aware of the company’s emergency plans?

77. Do contracts with specify a BCP service level (e.g. guarantee restoration of service within 48 hours)?
• Yes
• No
• Not Sure

78. Does the organization have service level agreements regarding recovery timetables?
• YES, there are formal agreements that describe how quickly various functions will be restored
• NO, there are no formal agreements to describe how quickly various functions will be restored
• NOT SURE

79. Does the company have adequate knowledge of the BC plans of its service providers?

80. Are redundant emergency sources of power and water available? How long can these emergency sources maintain adequate service levels in the event of a disaster?

81. Are redundant emergency voice and communication networks available that can be reliably used in the event of an emergency? Have employees been identified to make sure that these services will be available when needed?

82. Do all service level agreements contain explicit provision for business continuity? Are there guarantees that the company will receive the contracted service in the event of an emergency?

83. Has the firm outsourced disaster recovery capabilities? If so:

84. Has the company created an inventory of essential equipment that must be supplied by external providers in emergency situations?

85. Is adequate workspace available for relocated workers?

86. Does the SLA ensure that emergency procedures are adequately rehearsed?


Chapter 4

SURVEY OF SENIOR EXECUTIVES IN THE PHARMACEUTICAL INDUSTRY

1. OBJECTIVES

The objective of this part of the research was to answer the following questions:

• How closely do firms in the pharmaceutical industry follow business continuity (BC) best practices?

• How well are firms in the pharmaceutical industry prepared for a major disaster?

2. PROCEDURE

To investigate these questions, a survey based on the BC-EM model of Chapter 3 was administered to senior executives in the pharmaceutical industry. As discussed in Chapter 3, BC is, or should be, a top concern of both general management and IT executives. A survey based on the BC-EM model was therefore addressed to executives in both of these categories. To make it more acceptable and suitable for executives, a number of questions were eliminated from the more complete BC-EM survey included as an Appendix to the last chapter. In particular, the management and governance sections of the survey were merged and many technical questions were dropped. The resulting survey instrument is included as an appendix to this chapter.

From December 2003 to March 2004, the survey was mailed in hard copy form with a covering letter to approximately 3000 senior managers and executives in the pharmaceutical industry. The covering letter noted the support of the AT&T Foundation and that the study was endorsed by the Healthcare Institute of New Jersey. Survey recipients were given the choice of filling in the survey by hand and returning it in a stamped return-address envelope, or completing the survey online at a Web address noted in the covering letter and included in the survey form itself. To improve the response rate, follow-up telephone calls were made to about 10% of the survey recipients within several days of their receipt of the survey.

The names and addresses for the mailing were obtained from two mail list sources:

• Dun and Bradstreet, Zapdata.com: Pharmaceutical Companies 1 list

• Hoovers Online Pro-plus: Pharmaceutical Industry (SIC 2834, NAICS Code 3254)


3. SAMPLE

Responses were obtained from 79 individuals; 27 responses were received online and the remainder were returned in hard copy form. The overall response rate of slightly over 3% is relatively good considering the sensitive nature of the data.

Table 1 contains summary statistics of the respondents and the sizes of their companies in terms of annual revenues.

Table 1: Sample Descriptive Statistics

| Category | Detail | N | % |
|---|---|---|---|
| Years in Pharma Industry | 5 years or less | 14 | 17.7 |
| | Between 6 and 10 years | 13 | 16.5 |
| | Between 11 and 15 years | 14 | 17.7 |
| | Over 15 years | 38 | 48.1 |
| | Total | 79 | 100.0 |
| Job Title | Chief Executive Officer (CEO) | 4 | 5.1 |
| | Chief Financial Officer (CFO) | 15 | 19.0 |
| | Chief Operating Officer (COO) | 3 | 3.8 |
| | President | 2 | 2.5 |
| | Chief Information / Technical Officer (CIO/CTO) | 11 | 13.9 |
| | Chief Security Officer (CSO) | 2 | 2.5 |
| | Other | 42 | 53.2 |
| | Total | 79 | 100.0 |
| Job Category | IT/Security/BCP/Risk Manager | 28 | 35.4 |
| | General Manager | 51 | 64.6 |
| | Total | 79 | 100.0 |
| Business Unit Category | IT/Security/BCP | 20 | 25.3 |
| | General Business | 43 | 54.4 |
| | R&D | 16 | 20.3 |
| | Total | 79 | 100.0 |
| Revenue Category | Small – Less than $1 billion | 42 | 53.2 |
| | Large – Greater than $1 billion | 37 | 46.8 |
| | Total | 79 | 100.0 |


The respondents were relatively senior, with long tenures in the pharmaceutical industry: only 17.7% had spent less than 5 years, while 48.1% had spent over 15 years working in the industry. As shown in the table, almost one half of the respondents were either Presidents or “C” level executives. Four CEOs (all from relatively small companies) were included in the sample.

To understand the differences in perceptions between respondents who were in general management as opposed to those who should have familiarity with security or business continuity in their organizations, the respondents were divided into two groups (see “Job Category” in Table 1). The first group (28 respondents, representing 35.1% of the sample) included CIOs, CTOs, CSOs, BC Managers, Risk Managers, and others with information technology or security as part of their title. Everyone else in the sample (41 respondents, representing 63.9% of the sample) was placed in the “General Manager” category. This group included CEOs, CFOs, COOs, Presidents and VPs in various lines of business.

A slightly different classification is provided by considering the organizational units for which the respondents worked. As shown by the next group of data in Table 1, most (54.4%) of the respondents worked in “General Management” areas including Corporate Headquarters, Manufacturing and Distribution, and Sales and Marketing. Almost equal proportions of the respondents worked in organizations devoted to IT/Security or BCP (25.3%) and R&D (20.1%).

Finally, the companies that the respondents worked for ranged in size from less than $100 million in annual revenues to over $30 billion (Figure 1). To test hypotheses concerning the preparedness of companies of different sizes, the sample was divided into two groups of almost equal size: “Small Companies” (less than $1 billion in revenues) and “Large Companies” (over $1 billion in revenues); see Table 1.


[Figure 1: pie chart of respondents’ companies by annual revenue. Categories: Under $100 million; $100 million to $1 billion; $1 billion to $10 billion; $10 billion to $30 billion; $30 billion or more. Segment labels as extracted: 35%, 18%, 10%, 18%, 19%.]

Figure 1: Size of Companies by Annual Revenue

4. OVERALL RESULTS

Table 2 provides descriptive statistics for the six questions that required responses on a 5-point Likert scale (1 = poor performance, 5 = good performance).

Table 2: Descriptive Statistics

| Question | N | Min | Max | Mean | Std. Deviation |
|---|---|---|---|---|---|
| 6. The board of directors is highly involved in business continuity planning activities | 79 | 1 | 5 | 3.14 | 1.16 |
| 7. Senior Management is highly involved in business continuity planning activities | 79 | 1 | 5 | 3.71 | 1.15 |
| 8. Regulations (such as HIPAA and FDA) have had a strong influence on BCP in your organization | 78 | 1 | 5 | 3.82 | 1.04 |
| 9. Oversight by the FDA has strongly influenced the approach to BCP in your organization | 77 | 1 | 5 | 3.52 | 1.11 |
| 29. Your company does a good job communicating its BCP procedures to its employees | 74 | 1 | 5 | 2.49 | 1.24 |
| 34. How prepared is your organization for a major terrorist attack or natural disaster of World Trade Center proportions? | 77 | 1 | 4 | 2.75 | 0.71 |

Table 3 contains frequencies from the “Yes-No-Not Sure” questions that were part of the survey.


Table 3: Descriptive Statistics – “Yes-No-Not Sure” Questions

| BC-EM Dimension / Survey Question | N | Yes (Number) | Yes (%) | No (Number) | No (%) | Not Sure (Number) | Not Sure (%) |
|---|---|---|---|---|---|---|---|
| Planning Process | | | | | | | |
| 12. Does your corporation or division have a formal business continuity plan? | 79 | 49 | 62.0 | 24 | 30.4 | 6 | 7.6 |
| 14. (If yes) Does the BCP plan include internal and external business partners (e.g., operations, technical support, vendors, suppliers)? | 58 | 44 | 75.9 | 8 | 13.8 | 6 | 10.3 |
| 16. Does your corporation or division also have a formal disaster recovery plan? | 78 | 57 | 73.1 | 15 | 19.2 | 6 | 7.7 |
| 17. Has your corporation/division conducted a formal risk assessment? | 76 | 45 | 59.2 | 21 | 27.6 | 10 | 13.2 |
| Organization and Governance | | | | | | | |
| 21. Is there a formal assignment of BCP roles within the business units? | 76 | 33 | 43.4 | 33 | 43.4 | 10 | 13.2 |
| 22. Does your organization have a crisis management team or center? | 78 | 43 | 55.1 | 26 | 33.3 | 9 | 11.5 |
| 23. Is there a separate budget for BCP and/or DR? | 78 | 17 | 21.8 | 53 | 67.9 | 8 | 10.3 |
| 25. Is the BCP managed by formal change control processes? | 76 | 25 | 32.9 | 31 | 40.8 | 20 | 26.3 |
| 26. Are the costs of operation, testing and actual recovery tracked by the financial organization? | 75 | 22 | 29.3 | 35 | 46.7 | 18 | 24.0 |
| Process | | | | | | | |
| 28. If your organization conducts BCP recovery exercises, do these exercises include the business units as well as the information technology and security/BCP organizations? | 56 | 23 | 41.1 | 17 | 30.4 | 16 | 28.6 |
| Technical | | | | | | | |
| 31. Does your company have geographically dispersed recovery facilities? | 78 | 48 | 61.5 | 21 | 21.9 | 9 | 11.5 |
| 32. Do you have system and/or data storage back-up procedures in place to recover critical data? | 76 | 70 | 92.1 | 1 | 1.3 | 5 | 6.6 |
| 33. Are disaster recovery procedures supplied by an external vendor? | 76 | 26 | 34.2 | 36 | 47.4 | 14 | 18.4 |


Table 4 shows the results of ANOVA tests examining the differences between technical and managerial respondents (second column) and between respondents from small (less than $1 billion in annual revenue) and large (greater than $1 billion in revenue) companies (third column).

It can be seen from Table 4 that the technical and managerial groups differed statistically at the .05 level on only two questions: one from the Organization and Governance dimension and one from the Process dimension of the BC-EM model. These results imply that high-level managers in the firms share similar impressions of their firm’s BC preparedness on most questions in the BC-EM model, regardless of whether they are in a general management position (R&D, Sales and Marketing, etc.) or in a technical position (IT, Security, etc.). This finding must be tempered in two ways. First, while few of the differences are significant, a close examination of the data shows that the technical respondents rated their firm’s preparedness higher on all but one question. Second, the technical and general management respondents are not evenly distributed across firms, so it is hard to draw strong conclusions from this data.

As shown in Table 4, smaller companies are significantly less well prepared (at the .05 or .01 level) than larger firms on all questions except questions 14, 28 and 32. Examination of the results shows that large firms were better prepared (although not significantly so) on each of the latter three questions as well.

Table 4: ANOVA Tests (1) – Management Category and Size as Independent Variables

BC-EM dimension | Survey question | IT/Security versus General Managers | Small versus Large Companies
Leadership Concern for BCP | 6. The board of directors is highly involved in business continuity planning activities | | *
Leadership Concern for BCP | 7. Senior Management is highly involved in business continuity planning activities | |
Critical Issues for BC in the Pharmaceutical Industry | 8. Regulations (such as HIPAA and FDA) have had a strong influence on BC in your organization | |
Critical Issues for BC in the Pharmaceutical Industry | 9. Oversight by the FDA has strongly influenced the approach to BCP in your organization | |
Planning Process | 12. Does your corporation or division have a formal business continuity plan? | | *
Planning Process | 14. (If yes) Does the BCP plan include internal and external business partners (e.g., operations, technical support, vendors, suppliers)? | |
Planning Process | 16. Does your corporation or division also have a formal disaster recovery plan? | | **
Planning Process | 17. Has your corporation/division conducted a formal risk assessment? | | **
Organization and Governance | 21. Is there a formal assignment of BCP roles within the business units? | | **
Organization and Governance | 22. Does your organization have a crisis management team or center? | | **
Organization and Governance | 23. Is there a separate budget for BCP and/or DR? | * | **
Organization and Governance | 25. Is the BCP managed by formal change control processes? | | **
Organization and Governance | 26. Are the costs of operation, testing and actual recovery tracked by the financial organization? | | **
Process | 27. How often does your company conduct business recovery exercises? | | **
Process | 28. If your organization conducts BCP recovery exercises, do these exercises include the business units as well as the information technology and security/BCP organizations? | * |
Process | 29. Your company does a good job communicating its BCP procedures to its employees | |
Technical | 31. Does your company have geographically dispersed recovery facilities? | | **
Technical | 32. Do you have system and/or data storage back-up procedures in place to recover critical data? | |
Technical | 33. Are disaster recovery procedures supplied by an external vendor? | | *
Overall Assessment | 34. How prepared is your organization for a major terrorist attack or natural disaster of World Trade Center proportions? | | **

(1) Excluding “Not Sure” answers. * Significant at the .05 level; ** significant at the .01 level.

Using the variables shown in Table 4, scales were formed for five of the BC-EM dimensions: Leadership Concern, Planning Process, Organization and Governance, Process, and Technical. (The conditional questions 14 and 28 were dropped from the Planning and Process dimensions, respectively.) The reliabilities (Cronbach’s alpha) of the resulting scales are shown in Table 5.


Table 5: Reliability of Constructs (1)

BC-EM dimension | Cronbach’s alpha
Leadership Concern (XLEAD) | 0.846
Planning Process (XPLAN) | 0.781
Organization and Governance (XORG) | 0.731
Process (XPROC) | 0.634
Technical (XTECH) | 0.424

(1) Excluding cases where the respondents were “Not sure” of the answers.

Table 6 shows the correlations between the constructs and question 34 (overall assessment of the preparedness of the firm).

Table 6: Correlations of BC-EM Dimension Constructs and Overall Preparation

            | XLEAD    | XPLAN    | XORG     | XPROC    | XTECH   | Q34 Overall
XLEAD       | 1        |          |          |          |         |
XPLAN       | 0.349**  | 1        |          |          |         |
XORG        | 0.375*** | 0.625*** | 1        |          |         |
XPROC       | 0.258*   | 0.474*** | 0.392**  | 1        |         |
XTECH       | 0.056    | 0.522*** | 0.401*** | 0.143    | 1       |
Q34 Overall | 0.440*** | 0.561*** | 0.541*** | 0.454*** | 0.350** | 1

*, ** and *** indicate that the correlation is significant at the .05, .01 and .001 level, respectively.

From Table 6, the overall assessment of the firm’s preparedness for a major terrorist attack or natural disaster of World Trade Center proportions is significantly correlated with all five dimensions of the BC-EM model. In particular, the planning and governance dimensions appear to be important determinants of overall disaster preparedness.

While the reliabilities for the Process and Technical BC-EM dimensions are lower than the recommended value of 0.7, it was decided to conduct two MANOVA analyses using the five scales in Table 5 as dependent variables. Job Category and Revenue Category served as the independent variables in these two separate analyses. The MANOVA for the job category variable was not significant, which implies no differences between technical IT/Security managers and general managers in their assessment of their firms’ performance on the five BC-EM dimensions. The MANOVA for the revenue category variable (size of firm) was significant at the .001 level, which provides strong support for our hypothesis that larger firms do a better job on the BC-EM dimensions than small firms.

These results will be revisited in the following sections, in which each major dimension of the BC-EM model is discussed separately.

5. DETAILED RESULTS

Critical Issues for BC in the Pharmaceutical Industry

This section of the survey sought information concerning the BC issues that are most critical in the opinion of the pharmaceutical industry executives.

The senior managers in the sample indicated that regulations and FDA oversight had a strong influence on BC in their companies: approximately 72% of respondents either agreed or strongly agreed with the statement in question 8, while 58% agreed with the statement in question 9. See Table 2 and Figure 2.

Figure 2: Impact of Regulations (bar chart of the percentage of respondents answering Strongly Disagree, Disagree, Neutral, Agree and Strongly Agree to “Regulations such as HIPAA and FDA have had a strong influence on BC in your organization” and “Oversight by the FDA has strongly influenced the approach to BC in your organization”)


When asked to choose the most critical asset to be protected by BC and DR processes, Continuity of Business Processes was the most popular answer, followed by Manufacturing Facilities and R&D Information (see Table 5).

Table 5: Most Critical Business Asset that Must be Protected by BC and DR

Critical asset | % of respondents
Continuity of Business Processes | 32.9
Manufacturing Facilities | 27.8
R&D Information | 19.0
Business Data | 11.4
Other | 8.9

Business Process Continuity was seen as the most crucial asset to be protected by both IT/security managers and general managers, while only one respondent from an R&D business unit chose this as the most crucial item. Not surprisingly, R&D Information was chosen as the most critical asset by most R&D managers.

Question 10 asked respondents to state their greatest concern with regard to security and business continuity. Reflecting the ranking in Table 5, most comments (22) centered on the ability of the firm to continue vital business processes and to maintain continuous supplies of vital items. Some typical concerns of respondents in this area are as follows: “Disruption of ability to supply customers,” “Loss of supplies (needed) to conduct our clinical development,” “Being able to continue to manufacture & produce drugs for distribution” and “Inability to supply life saving products.”

Some of these respondents were concerned with the time it would take to restore the process to normal following a disruption, for example, “To be operational within 24 hours following a disaster,” “If there were interruptions how quickly could we bring operations back to a normal state?” and “Set up time to get functional at the new location if something was to happen to the existing site.”

Complexity of BC implementation was another major area of concern. Problem areas included: “Integration of a BCP within a large organization,” “Understanding the full scope of BCP activities by thousands of people worldwide,” and “Understanding an end to end business process that cuts across different business units. Knowing impact of failure on one part of chain on remaining parts business.” A related set of concerns had to do with the additional requirements and difficulties imposed by the need to maintain compliance. Stated concerns in this area included “Restarting production quickly in cGMP regulated environment,” “Disaster Recovery Part II compliance,” and “Part II traceability: making sure that we can trace changes made to the systems (manufacturing) records.”

Seven respondents voiced concerns over external threats. Typical statements include: “Physical terrorist activity. Not computer (cyber terrorism),” “Disruption by animal rights activists” and “Bio terrorism entering the food supply via animal feeds or medications.” Other external threats that were mentioned as concerns were earthquakes, power outages, and computer hackers.

Another group of respondents voiced concerns over intellectual property: “It is a given that the electronic manufacturing records need to be secure for their stated lifecycle. But …. the greater risk is loss of research (information)” and “I think the business data and R & D information are equally important.” Closely related are stated concerns over data such as “Vital Records - those records that need to be preserved for the continuation of the business in case of a disaster and to be able to reconstruct the business.”

Finally, a number of respondents stated people-related concerns such as “People. With only 20 employees, all of them are critical to our ongoing operation,” “Preserving Personal Safety,” and “Loss of key personnel (institutional knowledge).”

The remaining sections of the paper examine each of the major dimensions of the BC-EM model: Leadership Concern, Planning for BC, BC Organization and Governance, BC Processes, and Technical Issues.

Leadership Concern for BC

Concern for and involvement in the BC process by the Board of Directors and top management is critical to a meaningful and effective business continuity program. The survey contained two questions directed at understanding the preparedness of firms on this dimension of the BC-EM model (see Table 2, questions 6 and 7).


The respondents, who for the most part are senior managers in their companies, were relatively evenly divided about the extent of involvement of the Board of Directors in the BC processes in their companies. About 33% disagreed or strongly disagreed with the statement that the Board was highly involved, while 29% were neutral on this question. Respondents from large companies were significantly (at the .05 level) more inclined to say that the Board was highly involved in BCP (see Figure 2).

Not surprisingly, since the respondents were themselves senior managers or executives, a large proportion (78.9%) of the survey participants agreed or strongly agreed with the statement in question 7 of the survey that senior management was highly involved in business continuity activities.

Figure 2: Responses to “The Board of Directors is Strongly Involved in BC Planning” (bar chart of the percentage of respondents from small and large companies answering Strongly Disagree, Disagree, Neutral, Agree and Strongly Agree)

The BC Planning Process

Among other things, this section of the survey asked respondents if they had taken three steps essential to successful BC and DR efforts: development of a formal BC plan, development of a formal disaster recovery plan, and performance of a formal risk assessment. The results are shown in Table 3 for questions 12, 16 and 17, respectively. Overall, a majority of companies had performed these planning steps: 62% had a formal BC Plan, 73% had a formal DR Plan, and 59% had performed a formal risk assessment. There were significant (at the .01 and .05 level) differences between respondents from small (less than $1 billion in revenues) and larger firms, as shown in Table 4 and illustrated in Figure 3.

Figure 3: Planning for BC and DR – Small versus Large Companies (bar chart of the percentage of small and large companies answering Yes to question 12, “Does your corporation or division have a formal business continuity plan?”, question 16, “Does your corporation or division also have a formal disaster recovery plan?”, and question 17, “Has your corporation/division conducted a formal risk assessment?”)

Among the respondents who said that their firms had a formal BCP, 42% said that these plans were updated at least once per year, 13% said that the plans were never updated, and a surprisingly large proportion of the executives answered “Not Sure” (Figure 4).

Figure 4: Frequency with which BC Plans are Updated (bar chart of the percentage of respondents answering Once per year or more often, About every 2 years, Every 3 years or more, Never, and Not sure)

Almost 76% of the respondents who said that their companies had a formal BC plan indicated that the plan includes internal and external business partners (e.g., operations, technical support, vendors, and suppliers); see Question 14 in Table 3. There were no significant differences between IT/Security managers and general managers or between large and small firms on either of these questions.

In this section of the survey, we also sought information on the top priority items in the BC Plans. Figure 5 shows the results, sorted in descending order of the frequency with which each element was mentioned by the executives in our survey. “Ensuring Continuity of Operations” and “Ensuring the Integrity of Vital Data” were mentioned most often, with almost equal emphasis on the following five items.

Figure 5: Top Priorities in BC Plans (pie chart of the share of mentions, in descending order: Ensuring continuity of operations 22%; Ensuring the integrity and confidentiality of vital data 17%; Knowing the location of employees and how to contact them 12%; Access to vendors for restoration of service or replacement of critical equipment 11%; Implementing an employee communications/training plan 11%; Creating disaster response teams 11%; Developing evacuation plans for employees 9%; Planning for unanticipated loss of life 4%; Unable to specify / not sure 3%)

Overall, it can be concluded that the firms represented in this survey vary greatly in their approach to and execution of the planning phase of BC.

Organization and Governance Dimensions of the BC-EM Model

Translating the BCP from paper into an effective and reliable means for safeguarding the organization requires a budget and an appropriate organization with clear assignment of roles.

When asked if their organizations had created a separate budget for BC and/or DR, only 21.8% of the respondents stated that this was the case (Table 3, question 23). There was a significant difference at the .05 level between the managers responsible for IT and security in their organizations and managers in other areas of the organization (Table 4). This could be explained by the framing of the question: managers in IT and security may be aware of budget items for DR within their organizations that would not be visible to managers in other areas of the business. Firms with annual revenues over $1 billion were significantly (at the .01 level) more likely to have a separate budget for BC and/or DR (Table 4). Further examination of the data showed that only 1 of the 27 respondents from companies with under $100 million in revenues stated that their companies had set aside a budget for BC/DR. Larger companies were not much better in this regard: only 37% of respondents from companies with more than $100 million in annual revenues indicated that their companies had a formal BC and/or DR budget.

For the firms that have a BC and/or DR budget, Figure 6 shows the organizational units that manage these budgets.

Figure 6: Assignment of BC and/or DR Budgets to Organizational Units (pie chart: Information Technology 37%; Corporate Headquarters 23%; Security/BCP 18%; Business Units 18%; Other 4%)

Since many of the firms indicated that they are doing something in the area of BC, it seems that expenditures for BC are tucked away in various operating budgets and assumed to be a normal part of job responsibilities rather than being explicitly identified.

Only 43.4% of the respondents indicated that their companies had a formal assignment of BC roles in their organizations (Question 21, Table 3). A majority (55.1%) of the respondents indicated that their firms had developed a crisis management center or team (Question 22, Table 3). Again, there was a significant (at the .01 level) difference, in favor of the larger firms, between small firms with less than $1 billion in annual revenues and larger firms on both of these questions (Table 4).

In more detail, Figure 7 shows how the sample organizations have organized for BC. Only 7% of the respondents indicated that their companies had created a new position for a person responsible for BC; however, 36% of the responses indicated that organization members had been assigned to teams as part of their responsibilities. The largest proportion of responses (38%) indicated that the organizations had not created a new position or organized a team or process focusing on BC/DR. Small firms (less than $1 billion in revenue) were significantly more likely (at the .01 level) to answer “None of the Above” to this question (Table 4).

Figure 7: Organizing for Business Continuity (pie chart: None of the above 38%; Organized a new team or process focusing on BCP/DR 36%; Created a new position for an individual responsible for BCP 7%; the remaining 10% and 9% of responses are Not sure and Created a new BCP organization)

Figure 8 shows the breakdown of titles of the person who is responsible for BC/DR in the respondents’ organizations. The most remarkable aspect of the answers to this question is the diversity of responses. About 50% of the time, the responsibility is with IT or security officers and the rest of the time with general management; in particular, 19% of the respondents indicated that responsibility is at the highest level of the organization with the “CEO, President or Partner.” The “Other” category (33%) was the largest. Some of the answers in this category indicated that responsibility for BC was shared by a group of people, for example, “All business unit managers”, “C-suite Executives”, “CEO, President, Partner”, “CFO, Chief Counsel, CSO, CTO”, “Different managers for different aspects”, “Facilities and Project Managers.”

Figure 8: Titles of Persons Responsible for BC/DR Planning (pie chart: Other 33%; CEO, President, Partner 19%; IT Manager/Director 13%; CTO 13%; Security officer/manager 12%; Corporate Controller/CFO 10%)

The responses to the question regarding the organizational unit most responsible for business continuity showed a similar diversity (Figure 9). Again, the responsibility for BC seems to be diffused broadly through the organization rather than centralized in a single individual or organizational unit.

Figure 9: Organizational Units Mainly Responsible for Business Continuity (pie chart: All business units share responsibility 33%; Information Technology 19%; Corporate 18%; Security/BCP 12%; Finance 8%; Other 6%; Not sure 4%)

The final two questions in this section of the survey concerned the quality of the BC governance process:

- Is the BCP managed by formal change control processes?

- Are the costs of operation, testing and actual recovery tracked by the financial organization?

As indicated in Table 3, the responses were almost evenly divided between the possible “Yes”, “No”, and “Not Sure” answers to these questions. From Table 4, large organizations (greater than $1 billion in annual revenues) were significantly better than smaller organizations in these two aspects of BC governance.

Process Dimension

To be effective, Business Continuity and Disaster Recovery plans need to be communicated to employees and frequently rehearsed. The process dimension of the BC-EM framework addresses these issues.

It seems that the companies represented in this survey are doing a poor job of communicating their BC Plans to employees. Almost one half of the executives (48.6%) either disagreed or strongly disagreed with the statement “Your company does a good job communicating its BC procedures to its employees.” Only 6.3% of the executives strongly agreed with this statement (Figure 10). As shown in Table 4 (Question 29), there were no significant differences either between IT/Security managers and General Managers or between small and large firms in this regard.

Figure 10: Responses to “Your Company Does a Good Job Communicating its BCP Procedures to its Employees” (bar chart of the percentage of respondents answering Strongly Disagree, Disagree, Neutral, Agree and Strongly Agree)

Training is a significant aspect of communication and essential to effective BC and DR. Again, the firms represented in the sample are falling short of good BC practice. As shown in Figure 11, 55% of the executives indicated that no formal BC training courses are provided in their firms. Of the remaining responses, 20% of the executives stated that training was provided for selected business personnel, 20% that it was limited to BCP/security or IT personnel (15% and 5% for the two categories in Figure 11), and only 5% indicated that training was provided to everyone in the organization.

Figure 11: Provision of BC Training (pie chart: No formal BCP training courses provided 55%; For selected business personnel 20%; For BCP/security personnel only 15%; For all IT personnel 5%; Training provided for everyone in the organization 5%)

Figure 12 provides the results for question 27, concerning the frequency of business recovery exercises. Overall, 38.6% of the respondents stated that recovery exercises were performed at least once per year. Even more executives (44.3%) stated that recovery exercises were never performed.

Figure 12: Frequency of Business Recovery Exercises (bar chart of the percentage of respondents answering Once per year or more often, About every 2 years, Every 3 years or more, and Never)

As shown in Figure 13 and confirmed by an ANOVA test, there is a significant difference (at the .01 level) between small firms (less than $1 billion in revenue) and larger firms with regard to the frequency of BC recovery exercises: some 61% of the small firms indicated that they had never performed a BC rehearsal.

Figure 13: Frequency of BC Rehearsals in Small and Large Firms (bar chart of the percentage of respondents from small and large companies answering Once per year or more often, About every 2 years, Every 3 years or more, and Never)

In summary, it seems that the pharmaceutical firms represented in the survey could do much more in terms of communicating and rehearsing their BC plans.

Technical Dimension

Because of the relatively large number of non-IT members in the intended sample, only three key technical questions were included in the survey. These sought information on the existence of redundant, geographically dispersed recovery facilities, the existence of system and/or data back-up procedures for critical data, and whether disaster recovery procedures are supplied by an external vendor. The results are summarized in Figure 14. From the figure and Table 3, 61.5% of the respondents stated that their firms had redundant, geographically dispersed recovery facilities. While not significant at the .05 level, the proportion of IT/Security managers/executives that answered this question affirmatively was larger than the proportion of executives from other business areas. As shown in Table 4, large firms (>$1 billion in sales) were much more likely (at the .01 level of significance) to have distantly located recovery facilities. In fact, only slightly over one half of the executives from smaller firms stated that they had redundant facilities. Note that question 32 asks only whether back-up procedures exist; since fewer than 40% of the firms exercise recovery at least once a year (Process Dimension above), the near-universal “Yes” to question 32 is not evidence that critical data can actually be restored within the time the business requires.

Figure 14: Responses to Technical Questions (bar chart of the percentage of Yes, No and Not sure answers to question 31, “Does your company have geographically dispersed recovery facilities?”, question 32, “Do you have system and/or data storage back-up procedures in place to recover critical data?”, and question 33, “Are disaster recovery procedures supplied by an external vendor?”)

Overall Assessment of BC Preparedness

The last section of the survey asked the executives to assess the overall preparedness of their companies and to discuss the most important BC issues faced by their companies.

Figure 15 shows the executives’ responses to the first question. Approximately one third of the executives thought that their companies were “Totally Unprepared” or “Poorly Prepared” for a major disaster, while over one half (51.9%) thought that their companies were “Reasonably Prepared” to face a major disaster. No executives thought that their companies were “Completely Prepared.” Executives from small companies (less than $1 billion in revenues) were significantly (at the .01 level) more pessimistic concerning their companies’ state of readiness for a major disaster. Exactly half (50.0%) of the executives from small companies thought that their companies were “Totally Unprepared” or “Poorly Prepared” for a major disaster (see Figure 16).

Figure 15: Responses to “How Prepared is Your Organization for a Major Terrorist Attack or Natural Disaster?” (bar chart of the percentage of respondents answering Totally unprepared, Poorly prepared, Reasonably prepared and Well prepared)

The final question on the survey asked the executives to provide their opinion on “the most important business recovery issue faced by their companies.” In Appendix B, their answers are included verbatim, assembled into four groups based on whether the managers/executives were from small or large companies and whether they had responsibilities in IT/Security or in general management.

Figure 16: Responses from Small and Large Firms to “How Prepared is Your Organization for a Major Terrorist Attack or Natural Disaster?” (bar chart of the percentage of respondents from small and large companies answering Totally unprepared, Poorly prepared, Reasonably prepared, Well prepared and Completely prepared)

The responses seem to confirm the overall impression gained from this study that many of the companies represented in the survey are in a formative stage with regard to BCP. Exactly 25% of the comments, distributed relatively evenly across small and large companies, mentioned the need to recognize, establish, and designate ownership for BCP. Some of these comments indicate that the companies are beginning to develop BC plans. Other comments stated concerns with the recovery time of business processes, concerns about intellectual property, and concerns for human safety. Several respondents stated that the complexity of implementing BCP in their companies was a major concern.

6. SUMMARY AND CONCLUSIONS

The major conclusions from this survey of senior executives in the pharmaceutical industry are as follows.

First, at a global level of analysis:

• Small companies (less than $1 billion in revenues) are less well prepared for a disaster than larger pharmaceutical firms on all five dimensions of the BC-EM model that were included in this survey.

• Executives on the management side of their business do not differ significantly from IT and security managers in their responses to most of the questions on this survey.

With regard to special concerns of the pharmaceutical industry, the executives in this survey listed continuity of business processes, the ability to continue to satisfy customers and maintain essential services, as their top concern. A number of executives were concerned that their companies would find it difficult to remain in regulatory compliance in the event of a disaster. The next two most important concerns were continuity of manufacturing operations and protecting R&D data. The executives agreed that regulations such as those imposed by the FDA and HIPAA were important drivers of BC readiness in their organizations.

A major objective of this study was to determine whether firms in the pharmaceutical industry follow business continuity (BC) best practices. Limitations of the nature and size of this survey prevent us from giving a definitive answer to this question. Moreover, there is no established set of standards against which firms can measure themselves with regard to BC best practices. However, there are several indications that the pharmaceutical firms represented in this survey, especially the smaller firms, are not following anything that might be described as BC best practice. To support this statement, we briefly review the survey results for each of the five dimensions of the BC-EM model.

Leadership involvement is the first prerequisite for success, since BC requires commitment of significant resources and constant vigilance to ensure that plans are updated and that appropriate physical, human, and system resources are in a constant state of readiness. In this regard, it is perhaps a concern that only 38% of executives indicated that the board of directors of their company was highly involved in BC practices.

As indicated above, good performance on the planning and governance dimensions is correlated with respondents’ perceptions of their companies’ overall preparedness. With regard to planning, a majority of the companies had performed three essential steps for disaster preparedness: performing a risk analysis and developing both business continuity and disaster recovery plans. However, many of the companies had not performed one or more of these steps. The free-form comments indicated that several firms were just beginning to take these first steps.

Given a BCP, the next logical steps are to create a budget and assign organizational responsibilities for BC. Overall, only one in five respondents stated that their firms have created a separate budget for BC. The companies that do have a separate budget are mainly large firms. In many organizations, it appears that financing for BC is diffused throughout the organization as components in the budgets of organizational units – mostly in the IT budget, although it is not clear whether the IT budget component is for systems recovery (DR) rather than BC in the larger sense.

Slightly over half of the firms indicated that their organizations had created a Crisis Management Center. However, nearly 40% of the executives stated that their organizations had not created a new organizational position or team focusing on BC/DR. As was the case for BC budgets, most respondents indicated that BC responsibility was diffused throughout the organization. Given the importance of BC, this uneven performance of firms on the planning and governance dimensions is a concern. Again, smaller firms (less than $1 billion in revenue) were significantly worse than large firms on this dimension.

BC plans need to be communicated to employees and frequently rehearsed. This is an important concern of the process dimension of the BC-EM model. The survey results indicate poor performance in this area. Approximately 20% of the executives agreed or agreed strongly with the statement that “Your company does a good job communicating its BCP procedure to its employees.” Similarly, only approximately 40% of the respondents indicated that their BC plans were rehearsed at least once per year. These results are hardly surprising given the lack of BC plans in a number of the organizations in this study and the poor results for the organization and governance dimension described in the previous paragraph.

The questions on the BC-EM technical dimension concerned the existence of redundant, geographically distant recovery facilities, the existence and frequency of system backup procedures, and whether or not recovery procedures are performed by external vendors. In this area, slightly over 60% of the executives said that their firms had distantly located recovery sites and over 90% stated that system storage and backup procedures were in place.

In summary, the rather poor performance on five key dimensions of the BC-EM model indicates that the majority of the pharmaceutical firms in this study are not following best practices with regard to business continuity. The firms seem to have system backup and recovery procedures in place. They are also working to comply with FDA and HIPAA regulations, many of which have implications for DR and BC. However, the overall approach to BC in many of the firms in this study is haphazard. A number of companies are just beginning to develop BC plans, many do not have separate budgets in place, and many have not created clear lines of responsibility for BC. Training in BC is lacking and communication of BC plans to employees is poor. Finally, BC plans are rehearsed infrequently or not at all in many of the organizations.


A second major objective of this study was to determine the overall state of preparedness of firms in the pharmaceutical industry. The above results, and the responses to the overall question asking the executives how well their organization is prepared for a major terrorist attack or natural disaster, are not reassuring. It seems that firms in the pharmaceutical industry have much to do to improve their position with respect to business continuity.

Further support for some of these conclusions is supplied by an inter-industry study of BC preparedness that is described in the next chapter of this report.


APPENDIX A TO CHAPTER 4

Survey Completed by Senior Executives


AT&T Business Continuity Research Initiative: Pharmaceutical Industry
Stevens Institute of Technology
Endorsed by the Healthcare Institute of New Jersey http://www.hinj.org

Have we learned from September 11? Can our organizations survive malicious attacks or unexpected natural disasters? Thank you for taking the time to participate in this important survey on business continuity planning in the pharmaceutical industry. Your thoughts and opinions are greatly appreciated. The survey should take less than 15 minutes to complete and your individual responses will remain strictly confidential.

Note: If you prefer, this survey may be filled out online at: http://howe.stevens.edu/bcp

If you would like to receive a copy of the final report, please attach your business card or enter your e-mail address below: E-mail ________________________

If you have any questions, please contact: Ted Stohr, Associate Dean for Research and Academics, Howe School of Technology Management, Tel: (201) 216-8915, email: [email protected]

Some Definitions

Business continuity planning specifies the methodology, organizational structure, governance and procedures necessary to back up and recover organizational units struck by a catastrophic event. Disaster recovery involves the technical restoration of information systems following some disruptive event.

BACKGROUND INFORMATION

1. What is the primary function of your business unit?

o IT Services
o Security/BCP
o Sales/Marketing
o Research and Development
o Manufacturing/Distribution
o Corporate Headquarters
o Other__________________

2. Please select the choice that best describes your formal title:

o Chief Information Officer/Chief Technology Officer
o Chief Security Officer
o Manager, BCP
o Chief Financial Officer
o Manager, Research
o Manager/VP in Business Line
o Other__________________

3. What is the annual revenue of your company?

o under $100 million

o $100 million to $1 billion

o $1 billion to $10 billion

o $10 billion to $30 billion

o $30 billion or more


4. How many years have you worked in this industry?

o 5 years or less.

o Between 6 and 10 years (including the 10th year)

o Between 11 and 15 years (including the 15th year)

o Over 15 years

LEADERSHIP CONCERN FOR BCP

Instructions: Please rate the following items on a scale from 1 (Strongly Disagree) to 5 (Strongly Agree).

5. The board of directors is highly involved in business continuity planning activities:

Strongly Disagree (1) – Disagree (2) – Neutral (3) – Agree (4) – Strongly Agree (5)

6. Senior Management is highly involved in business continuity planning activities:

Strongly Disagree (1) – Disagree (2) – Neutral (3) – Agree (4) – Strongly Agree (5)

CRITICAL ISSUES IN THE PHARMACEUTICAL INDUSTRY

7. Regulations (such as HIPAA and FDA) have had a strong influence on BCP in your organization.

Strongly Disagree (1) – Disagree (2) – Neutral (3) – Agree (4) – Strongly Agree (5)

8. Oversight by the FDA has strongly influenced the approach to BCP in your organization.

Strongly Disagree (1) – Disagree (2) – Neutral (3) – Agree (4) – Strongly Agree (5)

9. What is the most critical business asset that must be protected by appropriate BCP and DR processes?

o Business data

o R & D Information

o Manufacturing facilities

o Continuity of business processes

o Other_______________________

10. What is your greatest concern with regard to security and business continuity?

_______________________________________________________________________________________


PLANNING PROCESS

11. Does your corporation or division have a formal business continuity plan?

o Yes
o No
o Not sure

12. (If yes) How often is the BCP plan updated?

o Once per year or more often
o About every 2 years
o Every 3 years or more
o Never
o Not sure

13. (If yes) Does the BCP plan include internal and external business partners (e.g., operations, technical support, vendors, suppliers)?

o Yes
o No
o Not sure

14. (If yes) Which of the following have been identified as top priorities in your BCP plan?

o Ensuring continuity of operations

o Access to vendors for restoration of service or replacement of critical equipment

o Ensuring the integrity and confidentiality of vital data

o Knowing the location of employees and how to contact them

o Developing evacuation plans for employees

o Planning for unanticipated loss of life

o Implementing an employee communications/training plan

o Creating disaster response teams

o Unable to specify - not sure

15. Does your corporation or division also have a formal disaster recovery plan?

o Yes
o No
o Not sure

16. Has your corporation/division conducted a formal risk assessment?

o Yes
o No
o Not sure

ORGANIZATION AND GOVERNANCE

17. Has your organization: (Check all that apply)

o Created a new position for an individual responsible for BCP?

o Organized a new team or process focusing on BCP/DR?

o Created a new BCP organization?

o None of the above

o Not sure

18. Who in your organization, by job title, has responsibility for implementing business continuity/disaster plans?

o Security officer/manager
o IT Manager/Director
o CIO/CTO
o Network Manager
o Corporate Controller/CFO
o CEO, President, Partner
o Other__________________

19. Which organizational unit is mainly responsible for BCP?

o Information Technology
o Security/BCP
o Corporate
o Finance
o All business units share responsibility
o Not sure
o Other__________________

20. Is there a formal assignment of BCP roles within the business units?

o Yes
o No
o Not sure

21. Does your organization have a crisis management team or center?

o Yes
o No
o Not sure

22. Is there a separate budget for BCP and/or DR?

o Yes
o No
o Not sure

23. (If yes) Which organizational units have a BCP/DR budget? (Check all that apply)

o Information Technology

o Security/BCP Team

o Business Units

o Corporate Headquarters

o Other

24. Is the BCP managed by formal change control processes?

o Yes
o No
o Not sure

25. Are the costs of preparation, testing and actual recovery tracked by the financial organization?

o Yes
o No
o Not sure

PROCESS

26. How often does your company conduct business recovery exercises?

o Once per year or more often
o About every 2 years
o Every 3 years or more
o Never
o Not sure

27. If your organization conducts BCP recovery exercises, do these exercises include the business units as well as the information technology and security/BCP organizations?

o Yes
o No
o Not sure

28. In your opinion, does your company do a good job communicating its BCP procedures to employees?

o No communication ... o Excellent communication

29. Does your company provide formal BCP training courses? (Check all that apply)

o No formal BCP training courses are provided

o For BCP/security Personnel only

o For all IT personnel

o For selected business personnel

o Training provided for everyone in the organization

TECHNICAL

30. Does your company have geographically dispersed recovery facilities?

o Yes
o No
o Not sure

31. Do you have system and/or data storage back-up procedures in place to recover critical data?

o Yes
o No
o Not sure

32. Are disaster recovery procedures supplied by an external vendor?

o Yes
o No
o Not sure

OVERALL ASSESSMENT

33. How prepared is your organization for a major terrorist attack or natural disaster of World Trade Center proportions?

o Totally unprepared

o Poorly prepared

o Reasonably prepared

o Well prepared

o Completely prepared

34. What, in your opinion, is the most important business recovery issue faced by your company?

_______________________________________________________________________________________

APPENDIX B TO CHAPTER 4

Responses to Questions about Important Concerns

“What, in your opinion, is the most important business recovery issue faced by your company?” (Responses to Q. 34 in survey)

Small Companies – IT Executives

• Business Units want IS to have DR plans but few of them have any BCP in place... computers and data may be ready.... but few people will be. This is being addressed this year.
• Recognition of need and business ownership of BCP
• To be operational within 24 hours following a disaster.
• Ensuring accessibility to business data.
• Ensuring the operation of our manufacturing facility.
• Company recovery would be slow. However, corporate defense is real and active and includes obvious things such as armed guards, tight security, external block walls, fences, cameras, etc.

Small Companies – Business Executives

• Detailed plans on how you re-establish R&D and manufacturing operations.
• Employee safety
• Recovery of R&D information.
• Retention of staff.
• Recovery of operations to accepted standards.
• Concept, formalization and implementation of the overall plan.
• Ability to continue to supply customers.
• Replacement staffing/Temporary personnel.
• Most research in process is stored frozen at -80C. Backup generators can maintain this for 24 hours. All will be lost if power is not restored or more fuel delivered within this time frame.
• Medical information being available 24/7
• Getting production back online.
• Data Recovery
• Assuring continued supply of clinical trial materials used in development
• Integrity of information and data, safety of employees.
• Workers wanting to stay at home with their families.
• We are a service organization and need to supply medicines on demand by nursing homes. Maybe roads would be closed, phone lines down - that's how we receive prescriptions.
• IP, Communications, Manufacturing
• We are undergoing a formal risk assessment by an outside vendor. I won't know until the results of this assessment are presented along with a formal BCP.
• Loss of a key manufacturing facility
• There are two major issues that we face. One is the lack of excess capacity to cover should a disaster happen at a major facility. The cost of carrying that excess capacity is prohibitive. The second is the reliance on a sole source vendor for critical procedures.

Large Companies – IT Executives

• The company has excellent plant crisis management and IT disaster recovery programs in place, but no formal BCP. Recommendations for initiating a formal BCP are currently being developed and senior management must assess the risk versus the cost.
• A formal and well communicated BCP organization.
• Awareness across the board.
• Maintaining the IT and external communications infrastructure to facilitate the continuation of business operations. The ability to communicate and exchange information with our employees at sites around the world is paramount to our recovery efforts.
• The integrity and security of the data.
• Not really terrorist related. The FDA came out with a ruling called CFR PART II compliance several years ago which required traceability of changes for all systems used to ensure product quality (including manufacturing systems). Being compliant was a huge cost.
• Utility loss - power, telecommunications
• Risk of natural disaster resulting in need to evacuate headquarters in NYC.
• BCP needs to be much better coordinated in process.
• Planning and implementing a BCP having bought 2 companies in 5 years.
• WTC scenario does not apply, we are not that tightly concentrated in one geographic area.
• Most important issue is awareness of employees and contractors so they know what to do and who to contact - what is expected of them.
• To provide a compliant system environment for taking orders and shipping products to our customers.
• Completing the newly initiated BCP and preparedness activities across the vast world of XXX
• Understanding the most critical and important plans where a BCP is needed. Currently audit uses a numbers game - 300 sites - so you need 300 plans. Not a risk based approach to BCP. Sr. Mgr needs to ensure BCP is where it needs to be and is not just a si
• Agreeing what the core processes are to recover and the necessary order.

Large Companies – Business Executives

• Not knowing how much preparation is necessary, what event to prepare for, and how much to invest in it. A complete BCP plan can be very costly for a large corporation.
• Continuity of compliance-related operations (safety and clinical data collection)
• Productivity loss in case of disaster.
• Data recovery
• Replacement of manufacturing capabilities
• There is a unique relationship between the research data and the labs where it is generated. This is difficult to geographically relocate.
• Additional resources are needed to handle BCP initiatives.
• Short term - maintaining supply. Long term - retaining R&D data.
• Most analysis is based on accidents or operation error, I don't think the concept of a terrorist attack is considered.
• Human resource continuity


Chapter 5

INTERINDUSTRY SURVEY

1. OBJECTIVES

The survey described in this chapter is designed to compare the state of preparedness of the pharmaceutical industry with other industries. To do this, we compare the industry with the financial services industry and another “catchall” group of firms from a number of other industries (Information Technology, Telecommunications, Consulting, etc.). The comparison is made across a subset of the dimensions outlined previously in the BC-Evaluation Model. The subjects for the study are practicing professionals in the part-time Master of Science in Information Science (MSIS) Program at Stevens.

A priori, we believe that the pharmaceutical industry will be less prepared for a crisis than the financial services industry because the latter has been, until recently, more tightly regulated than the pharmaceutical industry, and because financial assets and transactions tend to be more exposed to the general public than the research and development assets of the pharmaceutical industry. It is hard to draw conclusions with regard to the “other” industries category mentioned above and, for most purposes, this set of responses will be omitted from the analysis. Thus, our analysis will focus on the comparison of responses of junior professionals in the pharmaceutical and financial services industries. In summary, we hypothesize that the pharmaceutical group will show lower BC readiness than the comparison financial services group on every BC-EM dimension in the survey.

Because small firms may find the cost of disaster recovery and business continuity prohibitively high, a second hypothesis is that large firms will be better prepared than small firms on all the BC-EM dimensions.

In addition to the inter-industry comparison mentioned above, the inter-industry survey will allow cross-validation of the survey of senior executives described in Chapter 4. In particular, it will be interesting to compare the responses of the very senior “C” level pharmaceutical executives in the executive survey to those of the more junior managers in the inter-industry survey.

2. PROCEDURE

Because we wanted to concentrate on organizational issues in this analysis, questions for the Technical dimension of the BC-EM model were omitted. This left us with the following six dimensions for evaluation of the state of BC and DR in the three industry groups:

• Background: Industry and Respondent Demographics
• Leadership Concern for BC
• Planning Process
• Organization and Governance
• BC and DR Processes
• Overall Assessment

To make the survey more amenable to a classroom situation, a number of questions were omitted in each of the above BC-EM dimensions when compared to the main survey at the end of Chapter 3. The resulting inter-industry survey form is included as an Appendix to this chapter.

We administered the survey to a selected set of working professionals in our MSIS program. To obtain a sample from specific industries, we surveyed young professionals in our off-site programs – two classes from one large financial services company and four classes of professionals from two major pharmaceutical companies. In addition, we surveyed professionals who were taking one of our on-campus courses. These respondents worked in a variety of industries including pharmaceutical and financial services. We received 168 completed surveys, representing a response rate of over 80%.

3. SAMPLE

Table 1 shows the industry backgrounds of the respondents and the sizes of the companies in terms of revenues. Totals do not add to 168 because some subjects did not answer the industry question (they were in between jobs). Most of the pharmaceutical and financial services companies were in the “large” category (> $10 billion in revenues) while most of the companies in the “other” category were small in size.

Table 1: Industry and Company Size

Industry                    N     %
Other Industries           36    21.6
Finance                    46    27.5
Pharmaceutical             85    50.9
Total                     167   100.0

Annual Revenue              N     %
< $100 Million              8     4.8
$100 M - $1 B               9     5.4
$1 B - $10 B               24    14.4
$10 B - $30 B              56    33.5
> $30 B                    59    35.3
Total                     156    93.4

Revenue Size Category       N     %
“Small” < $10 B            41    24.6
“Large” > $10 B           115    68.9
Total                     156    93.4

In the analysis, “small” firms were designated as having less than $10 billion in annual revenues (as shown in Table 1, approximately 25% of firms fell in this category).

Table 2 provides information on the number of years that respondents have worked in the industry of their current or most recent employment and the business unit to which they belong. As can be seen in Figure 1, over one half of the respondents have served no more than five years in their current industry.

Table 2: Years Worked in Industry and Business Unit of Respondents

Years in Industry           N     %
< 5 years                  97    58.1
5 – 10 years               51    30.5
10 – 15 years              14     8.4
> 15 years                  4     2.4
Total                     166    99.4

Business Unit               N     %
IT Services               117    70.1
Security/BCP                6     3.6
R & D                      16     9.6
All other                  28    16.7
Total                     167   100.0

Most respondents have relatively junior technical titles (analyst, project manager, etc.); however, the sample included 11 vice presidents and 7 associate vice presidents. Six respondents have security or business continuity as part of their duties. Approximately 74% of the respondents were either in IT Services or Information Security/BC.

Figure 1: Industry Experience of Respondents (pie chart: 5 years or less, 59%; between 6 and 10 years, 31%; between 11 and 15 years, 8%; over 15 years, 2%)

4. OVERALL RESULTS

Table 3 provides descriptive statistics for the four questions that required responses on a 5-point Likert scale (1 = poor performance, 5 = good performance).

Table 3: Descriptive Statistics

Survey Question                                                                                              N     Mean   Std. Deviation
6. The board of directors is highly involved in business continuity planning activities                    134    3.90   1.10
7. The senior management is highly involved in business continuity planning activities                     150    4.19   0.97
18. Your company does a good job communicating its BCP procedures to employees?                            162    3.00   1.02
23. How prepared is your organization for a major terrorist attack or natural disaster of September 11 proportions?   154    3.14   0.98

Table 4 contains frequencies from a series of binary yes-no questions that were part of the survey. Note that questions 8, 9, 10 and 12 allowed “Not sure” responses while the remaining binary questions did not.

Table 4: Descriptive Statistics – Binary Questions

Survey Question                                                                                    N     Yes (Number / %)   No (Number / %)   Not Sure (Number / %)
8. Has your corporation/business unit conducted a formal risk assessment/business impact analysis?  167   110 / 65.9         11 / 6.6          46 / 27.5
9. Does your corporation/business unit have a formal business continuity plan?                     166   120 / 71.9         12 / 7.2          34 / 20.4
10. Does your corporation/business unit have a formal disaster recovery plan?                      167   138 / 82.6         12 / 7.2          17 / 10.2
12. Does your organization have a crisis management team or crisis management center?              167    99 / 59.3         20 / 12.0         48 / 28.7
14. Are you a member of a BCP team?                                                                164    16 / 9.6         148 / 88.6         –
15. Do you know who is responsible for BCP in your organization/business unit?                     166    68 / 40.7         98 / 58.7         –
16. Are you a member of a DR team?                                                                 165    37 / 22.2        128 / 76.6         –
17. Do you know who is responsible for DR in your organization/business unit?                      164    91 / 54.5         73 / 43.7         –
19. Have you taken part in a BCP exercise?                                                         166    59 / 35.3        107 / 64.1         –
20. Have other people in your business unit taken part in a BCP exercise?                          164    81 / 48.5         83 / 49.7         –

As shown in the third column of Table 5, respondents from the pharmaceutical industry had a higher proportion of “Not Sure” answers to questions 8, 9, 10 and 12 than respondents from the finance industry. A MANOVA test with recoded values for the four variables in Table 5 and Industry (Finance or Pharmaceutical) as the independent variable confirmed that the respondents from the pharmaceutical industry gave significantly more “Not Sure” answers than their peers in the financial services industry.

Table 5: Percentage of “Don’t Know” Answers by Industry

Survey Question                                                                                    Industry   Yes     No     Not Sure
8. Has your corporation/business unit conducted a formal risk assessment/business impact analysis?  Finance    91.8    2.0     6.1
                                                                                                   Pharma     60.0    5.9    34.1
9. Does your corporation/business unit have a formal business continuity plan?                     Finance    95.9    0.0     4.1
                                                                                                   Pharma     67.1    8.2    24.7
10. Does your corporation/business unit have a formal disaster recovery plan?                      Finance   100.0    0.0     0.0
                                                                                                   Pharma     80.0    9.4    10.6
12. Does your organization have a crisis management team or crisis management center?              Finance    79.6    6.1    14.3
                                                                                                   Pharma     58.8    8.2    32.9

Table 6 provides descriptive statistics for the two multiple choice questions in the survey.

Table 6: Organizing and Training for Business Continuity

Organizing for Business Continuity (percentage of all respondents)

Survey Question                                                   Other Industries   Finance   Pharmaceuticals   Total
Created a new position for an individual responsible for BCP?     1.2                13.8      5.4               20.4
New team or process focusing on BCP/DR?                           4.2                17.4      15.0              36.5
Created a new BCP organization?                                   1.2                5.4       2.4               9.0
None of the above                                                 3.0                1.8       6.0               10.8
Not sure                                                          12.0               4.2       26.9              43.1

Business Continuity Training (percentage of all respondents)

Survey Question                                                   Other Industries   Finance   Pharmaceuticals   Total
No formal BCP training courses are provided                       10.2               12.6      21.0              43.7
For BCP/Security Personnel only                                   0.6                6.0       4.8               11.4
For all IT personnel                                              1.2                3.0       2.4               6.6
For selected business personnel                                   3.0                8.4       10.2              21.6
Training provided for everyone in the organization                1.2                1.8       3.6               6.6


Using the variables shown in Table 7, scales were formed for four of the BC-EM dimensions: Leadership Concern, Planning Process, Organization and Governance, and Process. The reliabilities (Cronbach Alphas) of the resulting scales are shown in Table 5.

Table 7: Reliability of Constructs (1)

BC-EM Dimension                          Cronbach Alpha
Leadership Concern (XLEAD)               0.825
Planning Process (XPLAN)                 0.722
Organization and Governance (XORG)       0.634
Process (XPROC)                          0.754

(1) Excluding cases where the respondents were “Not sure” of the answers

Table 8 shows the correlations between the constructs and question 23 (overall assessment of the preparedness of the firm).

Table 8: Correlations of BC-EM Dimension Constructs and Overall Preparation

                 XLEAD      XPLAN      XORG       XPROC      Q23. Overall
XLEAD            1
XPLAN            0.171*     1
XORG             0.107      0.493**    1
XPROC            0.215**    0.363**    0.376**    1
Q23. Overall     0.227**    0.555**    0.420**    0.218**    1

* and ** indicate the correlations are significant at the .05 and .01 level, respectively
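The two computations behind Table 7 and Table 8, scale reliability (Cronbach's alpha) and the correlation of a scale with question 23, as an added worked example in Python. This is not the report's own analysis code, and the respondent rows in it are constructed; it follows the conventions the survey and Table 7's footnote describe: "Not sure" is coded 0 on the 1 to 5 items and any respondent with a "Not sure" on an item is excluded before alpha is computed. The significance stars in Table 8 come from a separate test that the example does not perform.

```python
"""Scale reliability and correlation for Likert survey items.

Added example (not from the report); the respondent rows below are constructed.
"Not sure" is coded 0 on the 1-5 scale, as in the survey instrument, and such
cases are excluded before the reliability is computed (Table 7, footnote 1).
"""
from math import sqrt

NOT_SURE = 0  # survey coding of "Not sure" on the 1-5 Likert items (questions 6 and 7)


def complete_cases(rows, not_sure=NOT_SURE):
    """Indices of respondents with no "Not sure" on any item (listwise deletion)."""
    return [i for i, row in enumerate(rows) if not_sure not in row]


def _pvariance(values):
    """Population variance; alpha uses a ratio of variances, so the divisor cancels."""
    mean = sum(values) / len(values)
    return sum((v - mean) ** 2 for v in values) / len(values)


def cronbach_alpha(rows):
    """Cronbach's alpha for a scale built from k items.

    rows: one list of k item scores per respondent.
    alpha = k / (k - 1) * (1 - sum(item variances) / variance(total score))
    Returns None when alpha is undefined: fewer than 2 items or 2 respondents,
    ragged rows, or a total score with zero variance.
    """
    if len(rows) < 2:
        return None
    k = len(rows[0])
    if k < 2 or any(len(row) != k for row in rows):
        return None
    item_variances = [_pvariance([row[j] for row in rows]) for j in range(k)]
    total_variance = _pvariance([sum(row) for row in rows])
    if total_variance == 0:
        return None
    return (k / (k - 1)) * (1 - sum(item_variances) / total_variance)


def scale_scores(rows):
    """Per-respondent scale score: the mean of that respondent's item scores."""
    return [sum(row) / len(row) for row in rows]


def pearson_r(xs, ys):
    """Pearson correlation coefficient; None if either series is constant."""
    if len(xs) != len(ys) or len(xs) < 2:
        return None
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        return None
    return cov / (sx * sy)


# Constructed responses to questions 6 and 7 (the Leadership Concern items).
# The fifth respondent answered "Not sure" (0) on question 6 and is dropped.
LEADERSHIP_RAW = [
    [4, 5],
    [3, 4],
    [5, 5],
    [2, 3],
    [0, 4],
    [4, 4],
]
# Constructed answers to question 23 (overall preparedness, 1-5) for the same
# six respondents, in the same order.
Q23_RAW = [4, 3, 4, 2, 3, 3]


def leadership_analysis():
    """Reliability of the constructed XLEAD scale and its correlation with Q23."""
    keep = complete_cases(LEADERSHIP_RAW)
    rows = [LEADERSHIP_RAW[i] for i in keep]
    q23 = [Q23_RAW[i] for i in keep]  # keep Q23 aligned with the retained rows
    return {
        "n": len(rows),
        "alpha": cronbach_alpha(rows),
        "r_with_q23": pearson_r(scale_scores(rows), q23),
    }


if __name__ == "__main__":
    result = leadership_analysis()
    print(f"n = {result['n']}, alpha = {result['alpha']:.3f}, "
          f"r(XLEAD, Q23) = {result['r_with_q23']:.3f}")
```

The listwise deletion is done on the item rows and then applied to the question 23 answers by index, so the correlation is computed on exactly the respondents that contributed to alpha; dropping the two series independently would silently misalign respondents.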

From Table 8, the overall assessment of the firm’s preparedness for a major terrorist attack or natural disaster of World Trade Center proportions is significantly correlated to all four dimensions of the BC-EM model that are included in our analysis. As was the case in the main survey in the last chapter, it appears that planning and governance are the most important keys to overall preparedness.


MANOVA analyses were conducted using the four BC-EM scales in Table 8 as dependent variables and Industry Category and Revenue Category as independent variables. The MANOVA for the industry category variable was significant at the .0001 level, confirming our hypothesis of significant differences between the pharmaceutical, finance and the catchall category of all other industries on the four dimensions of the BC-EM model that are included in this survey. A second MANOVA excluding the “all other” category shows a significant (at the .0001 level) difference between the finance and pharmaceutical industries on the four BC-EM dimensions. This provides strong support for our hypothesis that firms in the pharmaceutical industry are less well prepared for a major disaster than firms in the financial services industry. The MANOVA for the revenue category variable (size of firm) was also significant at the .0001 level, which provides strong support for our hypothesis that larger firms do a better job on the BC-EM dimensions than small firms.

Table 7 also shows the results of ANOVA tests to check for significant differences between the three industry groups (second and third columns), and Contrast tests to determine pairwise differences between the pharmaceutical, finance and other industries (columns four through six).

Table 7: ANOVA and Contrast Tests – Size and Industry as Independent Variables (1)

Columns: ANOVA (Size; Industry) and Contrasts (Pharma vs. Finance; Other vs. Pharma; Finance vs. Other). Significance marks for each question are listed in column order.

Leadership Concern for BCP
6. The board of directors is highly involved in business continuity planning activities:
7. The senior management is highly involved in business continuity planning activities:

Planning Process
8. Has your corporation/business unit conducted a formal risk assessment/business impact analysis?   * ** ** **
9. Does your corporation/business unit have a formal business continuity plan?   * ** ** **
10. Does your corporation/business unit have a formal disaster recovery plan?   ** ** **

Organization and Governance
12. Does your organization have a crisis management team or crisis management center?   ** ** ** **
14. Are you a member of a BCP team?   ** * **
15. Do you know who is responsible for BCP in your organization/business unit?   ** ** **
16. Are you a member of a DR team?   ** ** **
17. Do you know who is responsible for DR in your organization/business unit?   ** ** **

Process
18. Your company does a good job communicating its BCP procedures to employees?   ** ** **
19. Have you taken part in a BCP exercise?   * ** ** **
20. Have other people in your business unit taken part in a BCP exercise?   ** ** **
21. How often are BCP exercises conducted in your organization?   **
23. How prepared is your organization for a major terrorist attack or natural disaster of September 11 proportions?   ** ** ** **

* Significant at .05 level of confidence; ** Significant at .01 level of confidence
(1) Including “Don’t Know” answers on questions 8, 9, 10 and 12

Industry as Independent Variable

When the analysis involved all three industries, significant differences were found on all questions except questions 6 and 7. Where significant differences are found, these are at the .01 level except for question 10. Comparing respondents from only the finance and pharmaceutical industries, significant differences were again found on all questions except questions 6 and 7. Moreover, except for question 14, all of these differences are significant at the .01 level. The data for questions 8, 9, 10 and 12 included “Not Sure” responses. There is an important difference between the finance and pharmaceutical respondents in this regard – the latter group was significantly less sure of their answers (see Table 5 and the subsequent discussion).

These results show that there are significant differences across industries on most dimensions of BC preparedness. They also lend support to our overall hypothesis that the pharmaceutical industry is less prepared for disaster than the finance industry.


Size as Independent Variable

Significant differences due to company size were found for only six of the 16 questions in Table 6. Hence only weak support is found for the effect of company size in our sample. This may be because most of the companies in the sample were relatively large companies that could afford to pay attention to BC matters. Our “small” category included companies with up to $10 billion in annual revenues, and over half of these companies had more than $1 billion in annual revenues (Table 1).

5. DETAILED RESULTS

In this section, we discuss the results for each of the major dimensions of the BC-EM framework that were included in the survey.

Leadership Concern for Business Continuity Planning

Most respondents feel that both the Board of Directors and top management are highly involved in the business continuity efforts in their companies. Approximately 56% of respondents either agreed or strongly agreed that the board of directors was highly involved in business continuity activities, while an even higher proportion, approximately 74% of respondents, felt that top management was highly involved in business continuity activities. In fact, there is a significant (at the .01 level) difference between the mean responses for these two questions in favor of top management having greater involvement than the board. These results may reflect general impressions rather than direct knowledge, as most of the survey respondents were relatively junior IT professionals. As noted, no significant differences were found between industries with regard to questions 6 and 7 relating to the “Top Management Concern” dimension of our framework. For this sample, firm size did not seem to affect the evaluations of leadership concern for business continuity.

Planning Process

For the planning dimension, respondents were asked if their companies had taken three basic planning steps: performed a formal risk/business impact analysis; developed a formal business continuity plan; and developed a formal disaster recovery plan. The results are shown in Table 4 for questions 8, 9 and 10, respectively. The responses showed that most respondents believed that their companies had performed each of these three planning steps. Since many of the respondents came from the same firms, it is not possible to interpret these results as reflecting the proportion of firms that have performed each of the three steps. However, there is an interesting pattern in the results: the proportion of “yes” answers increases from question to question while the proportion of “not sure” answers decreases. Thus, respondents, who, for the most part, were IT professionals, were much surer that their companies had a formal disaster recovery plan and less sure about the existence of business continuity plans and business impact analyses. When these results are compared between respondents from the pharmaceutical and financial services companies in Table 5, it is clear that the financial services companies were superior on each of these three planning areas. The uncertainty expressed by the respondents from the pharmaceutical companies is striking. As discussed above, when the “not sure” answers are taken into account, the difference between the financial services and pharmaceutical industry on each of these three planning aspects is statistically significant. These differences are illustrated in Figure 2 with regard to the existence of Business Continuity Plans.

Figure 2: Inter-Industry Comparison: Existence of Business Continuity Plans (bar chart; x-axis: Other, Finance, Pharma; y-axis: Percent, 0 to 120; series: Yes, No, Not Sure)

Organization and Governance

When asked how their companies had organized for BC, only 9% of the respondents thought that their company had created a new organization, 20% thought that a new BCP position had been created in their organization, while 36.5% thought that a new team or process had been created. Fully 43% of the respondents checked the “Not sure” box in response to this question.

On the other hand, approximately 59% of the respondents indicated that their company had a crisis management team, 12% answered “No” to this question, while 28% were not sure. Again, a higher proportion of respondents from the pharmaceutical industry were not sure how to respond to this question: 32% for pharmaceutical industry respondents versus only 9% for financial services respondents (Table 5). The difference between the responses from the finance and pharmaceutical industry was significant at the .01 level when “Don’t Know” responses are taken into account (Table 7).

According to the respondents, the major responsibility for BCP is distributed among all business units in their companies (30% of the responses). Approximately 22% of the respondents indicated that Information Technology had the major responsibility; 8% indicated that Corporate Headquarters had major responsibility, while 6% indicated that a separate security/BC unit had the major responsibility. Again, a large proportion of the respondents (approximately 30%) stated that they were not sure who had the major responsibility. Repeating the pattern for other questions, 37% of pharmaceutical respondents were “not sure” of the answer to this question while only 4% of the financial services respondents were unsure (see Figure 3).

Figure 3: Inter-Industry Comparison: Organizing for Business Continuity Planning (bar chart; x-axis: Created a new position for an individual responsible for BCP?, New team or process focusing on BCP/DR?, Created a new BCP organization?, None of the above, Not sure; y-axis: Percent, 0 to 70; series: Other Industries, Financial Services, Pharmaceutical Industry)

The remaining four questions (14, 15, 16 and 17 – see Table 4) in this portion of the survey explored the respondents’ involvement in and knowledge of BC and DR in their own business units. The proportions of respondents who are members of BC and DR teams are 9.6% and 22.2%, respectively. From Table 4, 40.7% of respondents in the overall sample knew who was responsible for BC in their business unit/organization, while 54.5% knew who was responsible for DR. Only 35% of the respondents who were not members of a BC team knew who was responsible for BC in their business unit, while 45% of respondents who were not members of a DR team knew who was responsible for DR in their unit. As almost all of the respondents are practicing IT professionals, it is natural that they would be more familiar with DR than BC. Nevertheless, it can be concluded that most of these professionals did not know who was responsible for either BC or DR in their own business units. From Table 6, it can be seen that there is a significant difference on all four of these questions between the respondents from the pharmaceutical and financial services industries. Financial services professionals are more likely to be a member of a BC or DR team and more likely to know who is responsible for these activities in their business units.

BC Process Dimension

The questions in this portion of the survey address issues related to executing BC and DR plans – communication of the plans to employees, training in BC and DR procedures, and the extent and frequency with which plans are rehearsed.

Figure 4 shows the distribution of responses to question 18 concerning the effectiveness of company communications of BC procedures to employees. As can be seen, most respondents either disagreed with or were neutral to the statement that their company did a good job in communicating BC procedures; only 30.2% of respondents agreed or strongly agreed with this statement. This is not surprising considering the previous results concerning the number of respondents who knew who was responsible for BC in their business units. When the data is broken down by industry, only 18.0% of respondents from the pharmaceutical firms agreed or strongly agreed with this statement compared with 58% of respondents from the financial firms. As shown in Table 7, this difference is significant at the .01 level.

Figure 4: “Your company does a good job communicating its BC procedures to employees” (bar chart; x-axis: Strongly Disagree, Disagree, Neutral, Agree, Strongly Agree; y-axis: Percent, 0 to 40)


As shown in Table 6 (questions 19 and 20), 35% of all respondents had taken part in BC exercises, while a greater proportion, 48.5%, had taken part in a DR exercise. When this data is broken down by industry, only 20% of the pharmaceutical respondents had taken part in a BC exercise compared with 77% of their counterparts in the financial services industry. Similarly, 40% of pharmaceutical respondents thought that other people in their business unit had taken part in a BC exercise in contrast to 85% of financial services respondents. From Table 7, these differences are significant at the .01 level.

Figure 5 shows the distribution of responses to question 20 concerning the frequency with which BC exercises are conducted.

Figure 5: “How often are BCP exercises conducted in your organization?” (bar chart; x-axis: Never, Every 6 months, Every year, Less frequently than once per year; y-axis: Percent, 0 to 35)

Most (56.8%) of the respondents indicated that BC exercises were carried out either once or twice per year. However, 18.0% of the respondents indicated that BC rehearsals were carried out less frequently than once per year and 16.2% of the respondents stated that BC exercises were never carried out in their organizations.

As indicated in Table 7, the differences between industries on this variable were significant at the .01 level (see also Figure 6). The financial services industry conducted BC exercises more frequently than the pharmaceutical industry (significance level .01). Larger firms conducted BC exercises more frequently than smaller firms (significant at the .01 level) – see Table 7.


Figure 6: Inter-Industry Comparison: Frequency of BC Rehearsals (bar chart; x-axis: Every 6 months, Every year, Less frequently than once per year, Never; y-axis: Percent, 0 to 50; series: Other Industries, Financial Services, Pharmaceutical)

Approximately 44% of the respondents stated that no BC training was provided in their organizations, while only 6.6% of the respondents indicated that BC training was provided to everyone in their organization (see Figure 7). Interestingly, more respondents (11.6%) indicated that BC training was provided to selected business personnel than to all IT personnel (6.6%). The pattern of responses for who receives BC training did not vary significantly across industries.

Figure 7: Training for Business Continuity (bar chart; x-axis: No formal BCP training courses are provided, For BCP/security personnel only, For all IT personnel, For selected business personnel, Training provided for everyone in the organization; y-axis: Percent, 0 to 50)


Overall Assessment of BC Preparedness

Almost two-thirds of respondents felt that their organizations were either reasonably or well prepared for a major disaster (see Figure 8). This relative confidence belies some of the statistics presented above indicating that there is considerable room for improvement in a number of individual aspects of business continuity.

Figure 8: Responses to “How Prepared is Your Organization to a Major Terrorist Attack or Natural Disaster of World Trade Center Proportions” (bar chart; x-axis: Totally unprepared, Poorly prepared, Reasonably prepared, Well prepared, Completely prepared; y-axis: Percent, 0 to 40)

As indicated in Table 7, there were significant differences (at the .01 level) between industries with regard to this variable. Only 67.1% of the pharmaceutical respondents felt that their companies were either reasonably prepared or well prepared for a major disaster compared to 89.6% of respondents in the financial services industry. Significantly, no respondents from the financial services industry felt that their companies were totally unprepared or poorly prepared for a major disaster. See Figure 9 for a comparison across industries on this variable. Respondents from larger organizations were significantly more likely to state that their organizations were better prepared for a major disaster than those from smaller organizations (.01 level of significance) – see Table 7.


Figure 9: Overall Preparedness – Comparison Across Industries (bar chart; x-axis: Totally unprepared, Poorly prepared, Reasonably prepared, Well prepared, Completely prepared; y-axis: Percent, 0 to 60; series: Other Industries, Financial Services, Pharmaceutical)

6. SUMMARY AND CONCLUSIONS

This survey investigated dimensions of BC preparedness in a sample of (mostly IT) professionals from a variety of industries. The majority of these professionals had less than 5 years’ experience in the industry in which they are currently working. The first objective of the survey was to reinforce the conclusions of the previous study involving senior executives in the pharmaceutical industry. A second objective was to compare the pharmaceutical industry to other industries, in particular the financial services industry, with respect to BCP. The main conclusions are summarized below.

No significant differences were found between respondents from the pharmaceutical industry and respondents from a “catchall” group of industries excluding both financial and pharmaceutical. This was the case on all BC-EM dimensions and all individual questions in the survey, as shown in Table 7.

Overall, smaller firms (less than $1 billion in annual revenues) are less prepared in the area of business continuity than larger firms. This confirms a similar result in the survey of senior executives (Chapter 4).


It appears that the financial services firms represented in this study are doing a better job with regard to BC than firms in the pharmaceutical industry and firms in the “all other” category. According to a MANOVA test, financial services respondents indicated significantly (at the .001 level) superior performance of their firms on three of the four dimensions of the BC-EM model that were included in this survey: BC Planning, Organization and Governance (treated as a single dimension) and Process. No significant differences were found on the Leadership Concern for BCP dimension – most of the respondents, regardless of industry, felt that both the board of directors and senior management were quite involved in the BC process in their firms. Significant differences between pharmaceutical and financial services respondents were found on all other questions in the survey (Table 7). The major areas of difference are summarized below:

• Financial services professionals were more likely to be a member of a BC or DR team and more likely to know who is responsible for BC and DR in their business units.

• Financial services respondents were significantly better informed about BC plans than their colleagues in the pharmaceutical industry.

• The financial services respondents indicated that BC rehearsals were carried out more frequently in their organizations.

• The respondents from the pharmaceutical industry were significantly (at the .01 level) less confident in their firm’s overall preparedness for a major disaster than the respondents from the financial services industry.

A striking difference between the financial services and pharmaceutical industry respondents is the relative uncertainty of the latter. This is illustrated by the different percentages of “not sure” answers that were obtained on the questions (8, 9, 10 and 12) that allowed this response (see Table 5). This difference is significant at the .01 level. The relative uncertainty of pharmaceutical respondents is also evident in their answers to the multiple choice question concerning how their organization had organized for BC (Table 7 and Figure 3). The uncertainty of the pharmaceutical respondents might be attributed to the relatively poor communication of BC plans and the relative lack of BC training that was noted above.

The conclusions of the last chapter with regard to the performance of pharmaceutical industry companies on the various dimensions of the BC-EM model are reinforced by the analyses in this chapter. Tables 8 and 9 compare senior and junior manager responses on questions common to both surveys.


Table 8: Descriptive Statistics: Juniors and Seniors

Question                                                                       Survey     N     Mean    Std. Dev.
The board of directors is highly involved in business continuity               Seniors   79     3.14    1.16
planning activities                                                            Juniors   67     3.96    0.98
Senior Management is highly involved in business continuity planning           Seniors   79     3.71    1.15
activities                                                                     Juniors   74     4.22    0.85
Your company does a good job communicating its BCP procedures to its           Seniors   74     2.49    1.24
employees                                                                      Juniors   83     2.70    0.87
How prepared is your organization for a major terrorist attack or natural      Seniors   77     2.75    0.71
disaster of World Trade Center proportions?                                    Juniors   76     2.91    0.90

Table 8: “Yes-No-Not Sure” Questions: Juniors and Seniors

BCP-EM Dimension / Survey Question                                   Survey     N     Yes %    No %    Not Sure %
Does your corporation or division have a formal business             Seniors   79     62.0     30.4     7.6
continuity plan?                                                     Juniors   85     67.1      8.2    24.7
Does your corporation or division have a formal disaster             Seniors   78     73.1     19.2     7.7
recovery plan?                                                       Juniors   85     80.0      9.4    10.6
Has your corporation/division conducted a formal risk                Seniors   76     59.2     27.6    13.2
assessment?                                                          Juniors   85     60.0      5.9    34.1
Does your organization have a crisis management team or center?      Seniors   78     55.1     33.3    11.5
                                                                     Juniors   85     58.8      8.2    32.9

In particular, the junior and senior managers seem to agree that their companies do not do a good job communicating BC plans to employees and that their companies are not particularly well prepared for a major disaster. Note that the junior managers seem to be much less certain than the senior managers on several questions in Table y. It is of interest to compare the pattern of the responses of the senior executives (Mean 2.75, Std. Dev. 0.71) and their more junior IT professional colleagues (Mean 2.91, Std. Dev. 0.90) on the issue of overall preparedness of their firms (Q.34 in the Senior Executive Survey and Q23 in the Inter-Industry Survey). Figure 10 shows the result of this comparison. Analysis shows that the senior executives are more confident that their firms are well prepared than the junior managers (at the .05 level of significance).


Figure 10: Overall Preparedness – Comparison between Senior Executives and Young Professionals in the Pharmaceutical Industry (bar chart; x-axis: preparedness categories from Totally unprepared to Completely prepared; y-axis: Percent, 0 to 60; series: IT Professionals, Senior Executives)

There can be a number of interpretations for this result. Perhaps the executives, some of whom were IT or Security leaders in their organizations, have a better perspective on the overall security in their organizations. On the other hand, it could be argued that the junior IT professionals are closer to the real problems of the organization and have more reason to be less sanguine about BC and DR than their superiors.


APPENDIX TO CHAPTER 5

Inter-industry Survey

Survey Completed by Junior IT Managers


Business Continuity Survey
Stevens Institute of Technology

Supported by AT&T Foundation and endorsed by the Healthcare Institute of New Jersey

Thank you for participating in this survey on business continuity planning. Your thoughts and opinions are greatly appreciated. The survey should take less than 10 minutes to complete. Your individual responses will remain strictly confidential.

Definitions

Business continuity planning (BCP) specifies the methodology, organizational structure, governance and procedures necessary to backup and recover functional units struck by a catastrophic event. Disaster recovery (DR) involves the technical restoration of information systems following some disruptive event.

BACKGROUND INFORMATION

Company Name ________________________________________ (your company’s name will be kept anonymous)

1. What industry does your company belong to?

o Consulting

o Finance

o Manufacturing

o Information Technology

o Retail

o Pharmaceutical/Healthcare

o Other ___________________________________

2. How many years have you worked in this industry?

o 5 years or less.

o Between 6 and 10 years (including the 10th year)

o Between 11 and 15 years (including the 15th year)

o Over 15 years

3. What is the annual revenue of your company?

o Under $100 million

o $100 million to $1 billion

o $1 billion to $10 billion

o $10 billion to $30 billion

o $30 billion or more

4. What is the primary function of your business unit?

o IT Services o Security/BCP o Sales / Marketing

o Research and Development o Manufacturing/Distribution o Corporate Headquarters

o Other__________________

5. Please provide your formal title: ___________________________________

LEADERSHIP CONCERN FOR BCP

Please rate the following items on a scale from 1 Strongly Disagree to 5 Strongly Agree (or indicate that you are not sure)

6. The board of directors is highly involved in business continuity planning activities:

Strongly Disagree (1)  Disagree (2)  Neutral (3)  Agree (4)  Strongly Agree (5)  Not sure (0)

7. The senior management is highly involved in business continuity planning activities:

Strongly Disagree (1)  Disagree (2)  Neutral (3)  Agree (4)  Strongly Agree (5)  Not sure (0)

PLANNING PROCESS

8. Has your corporation/business unit conducted a formal risk assessment/ business impact analysis?


o Yes o No o Not sure

9. Does your corporation/business unit have a formal business continuity plan?

o Yes o No o Not sure

10. Does your corporation/business unit have a formal disaster recovery plan?

o Yes o No o Not sure

ORGANIZATION AND GOVERNANCE

11. Has your organization: (Check all that apply):

o Created a new position for an individual responsible for BCP?

o Organized a new team or process focusing on BCP/DR?

o Created a new BCP organization?

o None of the above

o Not sure

12. Does your organization have a crisis management team or crisis management center?

o Yes o No o Not sure

13. Which organizational unit has the major responsibility for BCP?

o Information Technology o Security/BCP o Corporate

o Finance o All business units share responsibility

o Not sure

o Other__________________

14. Are you a member of a BCP team?

o Yes o No

15. Do you know who is responsible for BCP in your organization/business unit?

o Yes o No

16. Are you a member of a DR team?

o Yes o No

17. Do you know who is responsible for DR in your organization/business unit?

o Yes o No

PROCESS

18. Your company does a good job communicating its BCP procedures to employees?

Strongly Disagree (1)  Disagree (2)  Neutral (3)  Agree (4)  Strongly Agree (5)

19. Have you taken part in a BCP exercise?

o Yes o No

20. Have other people in your business unit taken part in a BCP exercise?

o Yes o No

21. How often are BCP exercises conducted in your organization?

o Never o Every 6 months o Every year o Less frequently than once per year


22. Does your company provide formal BCP training courses? (Check all that apply)

o No formal BCP training courses are provided

o For BCP/security Personnel only

o For all IT personnel

o For selected business personnel

o Training provided for everyone in the organization

OVERALL ASSESSMENT

23. How prepared is your organization for a major terrorist attack or natural disaster of World Trade Center proportions?

o Totally unprepared

o Poorly prepared

o Reasonably prepared

o Well prepared

o Completely prepared

24. Please comment on your experience with BCP/DR in your organization

_____________________________________________________________________________________________

_____________________________________________________________________________________________

_____________________________________________________________________________________________


Chapter 6

INTERVIEWS WITH SENIOR EXECUTIVES IN THE PHARMACEUTICAL INDUSTRY

1. INTRODUCTION

Interviews with senior IT/Security and business executives were conducted throughout the period of the study. As described in Chapter 3, at the beginning of the study, five interviews were conducted with senior managers responsible for DR and BC in four large pharmaceutical companies and one telecommunications company. These interviews helped us develop an outline for the BC-EM model that has been the framework for our study. In turn, BC-EM helped us frame questions for semi-structured interviews with five business executives and three senior technical people responsible for security and/or BC in their organizations. The interviews with senior pharmaceutical executives confirmed and elaborated on the results of the survey of senior executives described in Chapter 4. In the following sections, we discuss the main conclusions in each major dimension of the BC-EM model.

2. CRITICAL ISSUES FOR BC IN THE PHARMACEUTICAL INDUSTRY

When asked what were the most crucial assets to be protected by pharmaceutical companies, the three top items mentioned by the executives surveyed in Chapter 4 were continuity of business processes, protection of manufacturing facilities, and ensuring against loss of R&D information. The executives we interviewed confirmed these items, emphasizing one or the other as the most important depending on their role in the organization.

The senior executives in the survey described in Chapter 4 indicated that the following items were critical influences on business continuity in the pharmaceutical industry:

• Regulations and, especially, FDA oversight and the GxP regulations

• Complexity and cost of BC implementation and the additional requirements and difficulties imposed by the need to maintain compliance.

Obviously, the first item would tend to encourage appropriate investment in BCP, while the latter would tend to discourage it.


The interviews provided some new insights into the issues surrounding the influence of regulations and the difficulty and cost of compliance. All of the interviewees mentioned that the cost of non-compliance can be very high, with a number of them citing well-known cases where companies have been fined $100 million or more for non-compliance. “The FDA does not directly enforce DR backup - but there are heavy fines if you cannot reproduce records that should have been retained.” It is “not uncommon for the FDA to fine companies for breaches such as not archiving microscopic slides properly or not doing appropriate back-up.” Satisfying FDA regulations may be even more difficult in the future as the FDA is shifting its attention to questions related to efficacy and quality of life rather than just the mechanics of processes. There will be a need to provide strong support for any claims made about drug effectiveness and safety.

Several of the interviewees pointed out that FDA regulations apply mainly to the last three phases of the R&D life cycle (laboratory studies, clinical studies and manufacturing). The preclinical phase, in which companies have millions of dollars invested, is not covered by GxP regulations. According to one interviewee, “Data concerning patents, trade secrets, chemical reactions is worth $billions and is in danger because it may be kept on paper, in Excel spreadsheets, and a mixture of different computer types such as Apple, PC, and Cray.”

Several interviewees stated their concerns about their company’s ability to ensure patient welfare in a time of crisis. The FDA requires that companies continuously monitor safety; this means continuity of patient call centers and the ability of physicians to monitor pharmacological reactions. Companies must actively collect, investigate and report adverse events to the FDA within very strict time periods: e.g., a death within 48 hours and other adverse events within 15 days. This time frame holds anywhere in the world. Compliance is difficult in normal times, and in the event of a crisis it would be harder still. According to one interviewee, “this requires real time recovery - it is not clear that (pharmaceutical) companies are prepared to manage patient welfare in the event of a serious disruption.”

A number of the executives we interviewed mentioned the cost of compliance and were concerned that the investment in compliance would limit the attention paid to BC and limit budgets applied to broader BC concerns. According to one executive, “When the FDA introduced 21 CFR Part 11 there was no grandfathering – this could potentially cost organizations billions of dollars to comply.” A major cost of compliance involves process validation, which may be performed internally or outsourced to one of several firms specializing in this area. Process validation provides evidence that processes meet specifications and are in control and in regulatory compliance. Process validation for conformance to FDA regulations (GxP) applies to Lab (GLP), Clinical (GCP) and Manufacturing (GMP). The industry is highly concerned with validation, which means conformance to a rigid set of rules. Part of validation requires that appropriate business continuity plans and disaster recovery provisions are in place. On the other hand, this is a burden which creates inertia and inhibits looking more globally at BCP. Several of the executives commented on this: “Regulatory requirements (e.g., FDA) are mainly concerned with DR not BCP in the larger sense. Companies often validate major manufacturing and R&D processes but do not validate other processes (e.g., sales & admin)…again, R&D typically is immune from validation.” And, “GxP takes attention and budgets away from other areas of BC. Folk responsible for operations do feel responsibility. Outage could impact 1000s of people.”

3. PLANNING FOR BC AND DR

The two surveys described in this report showed that good planning is correlated with respondents’ perceptions of their companies’ overall preparedness. A majority of the companies had performed three essential steps for disaster preparedness: performing a risk analysis and developing both business continuity and disaster recovery plans. However, a number of the companies had not performed one or more of these steps, and several respondents indicated that their firms were just beginning to take these first steps. The inter-industry survey indicated that respondents from the pharmaceutical industry were much more uncertain than their colleagues in financial services with regard to what their firms were doing about planning.

The interviews confirmed these rather mixed results with regard to planning for BC in the pharmaceutical industry. Some companies seem to have done a thorough job; others have performed risk analysis and BCP more by “gut feel.” One executive indicated that his company had no formal BCP. Another indicated that DR plans and processes were only reviewed every three years. To quote another executive, “Companies do risk analysis and BIA (Business Impact Analysis) - but not much attention is being paid to this.” Another interviewee said, “Not sure with regard to company-wide BIA. BIA for the R&D function was performed by a major consulting company about 2 years ago. Everyone agrees this (BIA) would be advisable - but they are too busy to pay too much attention.”


4. ORGANIZING FOR BC AND DR

The survey in Chapter 4 showed that pharmaceutical companies had a wide variety of approaches to funding BC efforts. Overall, only one in five respondents stated that their firms have created a separate budget for BC, and these respondents were from large companies. In many organizations, it appears that financing for BC is diffused throughout the organization as components in budgets of organizational units – mostly in the IT budget, which is probably focused on systems recovery (DR) rather than BC in the larger sense.

Our interviews with pharmaceutical executives confirmed the above results – consider the following responses from different executives:

• “There are unique budget lines for BCP and DR.”

• “There is no unique budget for BCP or DR.”

• “DR and BCP are included on the budget for each system and/or project area.”

• “BC budgets tend to focus on IT and IT's ability to convince the business that a budget is needed. Not much attention to budgeting for BC beyond the IT Department.”

• “There is no separate budget for BC. This is mainly built into IT budgets but also BCP is a part of line of business budgets.”

• “Budgets - there are none for BC specifically, hence there is no accountability (by contrast, Y2K was centrally managed & budgeted for.)”

The picture with regard to organizing for BC is similarly varied. According to the interviewees, most pharmaceutical companies have a Chief Security Officer (CSO). In two cases, the executives indicated the importance of a “Chief Compliance Officer” in their organizations and, in one case, the compliance officer also assumed the CSO role. It seems that the IT organization is most often responsible for BC as well as DR. However, some executives indicated that responsibility for BC had been assigned to people outside the IT or security functions. Consider two different responses: “Line of business folk have been assigned BCP liaison roles as part of their regular jobs.” and “The CIO (Chief Information Officer) is promoting the idea within the company that BCP is a business problem, and that IT is only a facilitator. The CSO believes that the business units currently think BCP is strictly an IT problem.” Another senior executive indicated that no formal roles had been assigned for BC in his company.

Given the importance of BC, this uneven performance of firms on the budgeting and organizing dimensions is a concern.

5. MANAGEMENT INVOLVEMENT

The survey respondents in Chapters 4 and 5 indicated that they thought there was strong involvement and concern by both the Board of Directors and Top Management in BC. Not surprisingly, top management was thought to be more deeply involved. A comment by one of the executives we interviewed places top-level concern with BC in historical perspective. “(It was) hard to get people to pay attention to BC until just before Y2K. Y2K was beneficial with regard to BC planning. (It) introduced redundancy and improved computer back-up capability and disaster recovery. Subsequently, interest slackened. September 11 forced management to consider the impact of a major outage that was not simply computer and network related.”

With regard to Board of Directors involvement, the comments were mixed.

• Very little involvement by the board of directors

• “Corporate boards are interested in the exposure of their companies to external and internal threats but have generally not been actively involved in BCP. They have shown sporadic interest, and are reactive to incidents.”

• “BC is not top of mind” (for the board).

• “Board members have recently been assigned BC responsibility. Guidelines have been issued and the importance of BC has been emphasized. It is up to operating divisions to interpret and define processes and ensure compliance. (The company has no repository of process maps). The Board has asked the company to identify the critical business functions and to estimate recovery time for each.”

Similarly, with regard to top management involvement, some of the responses from the executives we interviewed are as follows:

• “There is low to moderate involvement. BCP is a good thing but short-term demands are predominant. One research group, toxicology, did a thorough BCP.”

• “Top management has recently discussed BC for critical business functions with each major business unit. Business Units are left to develop their own BC and contingency plans - there is no strict oversight of the business units in this regard.”


As in the survey results, some confusion over the roles of senior IT leaders and line of business leaders is again evident in our interviews:

• “BC delegated below Board of Director levels is viewed as an IT task mainly involving computer center recovery. BC in the broader sense is left to the discretion of the business units.”

• “The central information security organization is not at all involved with BCP.”

• “There is a gap between the board and senior management on the one hand and senior management and IT / security on the other. Board/senior management wants to be sure it is protected - the response of the IT and security people is that ‘we do back-up and recovery.’”

• “The IT Governance Board consisting of CIOs from the operating units has responsibility for interpreting requirements and developing strategies across the company. Will focus on DR (redundancy and infrastructure) rather than on the business and people-related issues that are necessary for BC.”

6. GOVERNANCE DOMAIN

The same variability of responses was observed in the governance domain. When asked how well BC was aligned with the needs of the business, some responses were as follows:

• There is little alignment of BCP activities with the business.

• There is very little coordination of BCP or DR planning activities with the business.

• Business and IT are not aligned at all on BCP and DR.

• Governance processes related to BCP, including budgeting, policies/procedures, change control, and testing, are almost non-existent. However, there is a corporate-level BCP officer that has been recently identified.

On the other hand, some of the executives stated that their companies were getting serious about BC:

• Formal roles have been defined as a result of a recently initiated global BCP project. The project was started as a result of increased awareness of system vulnerabilities following the events of Sept. 11, 2001.

• There is very close cooperation with the business on BCP and DR. This may be attributed to a recent incident that contributed to increased awareness of BCP across the organization.

7. PROCESS DOMAIN

In our surveys, the Process Dimension focused on two main concerns: the thoroughness and frequency with which BC plans are practiced, and the quality of the communication about BC plans to employees. Chapters 4 and 5 noted some weakness among pharmaceutical companies in this area. As stated by one of the senior executive interviewees, “BCP requires policies, procedures and testing - most companies have only policies in place.”

All the companies represented by the executives we interviewed perform regular data system back up and recovery exercises. However, one of the executives observed: “Companies often do not impose consistent policies for backup of all systems large and small, nor have they chosen a single platform (e.g., Oracle Backup) for backing up systems, which results in lack of control. Tests that backups are successful are not always performed. E.g., one large company backed up laboratory data on tapes - that happened to be unformatted - with the result that no data was written to them. The company discovered this only when the FDA requested evidence.”
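The failure in the quote above (a backup job that reports success while the medium was never written) is the class of problem a read-back verification catches. The following is an added example, not code from the report or from any company it describes: it creates a constructed set of sample laboratory files, makes three backup copies (one good, one empty to simulate the unformatted tapes, one with a silently truncated file), and compares SHA-256 manifests of source and backup so that each failure is reported by name rather than trusting the backup job's own status. All file names and contents are constructed for the example.

```python
"""Read-back verification of a file backup (added example; constructed data).

Every file under the source and under the backup is hashed, and the two
manifests are compared, so an empty or truncated backup is reported even
when the backup job itself claimed success.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source: Path, backup: Path) -> List[str]:
    """Return the problems found; an empty list means the backup verifies.

    The comparison is content-based, so a file that exists in the backup
    but is empty or truncated is reported, not only a missing file.
    """
    src = manifest(source)
    dst = manifest(backup)
    problems: List[str] = []
    if src and not dst:
        # The job may have reported success, yet nothing reached the medium.
        problems.append("backup contains no files (nothing was written)")
        return problems
    for rel, digest in src.items():
        if rel not in dst:
            problems.append(f"missing in backup: {rel}")
        elif dst[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in dst:
        if rel not in src:
            problems.append(f"unexpected file in backup: {rel}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Run the check against three constructed backups of constructed lab data."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        source = tmp / "lab_data"
        (source / "assay").mkdir(parents=True)
        # Constructed sample files; not real laboratory records.
        (source / "assay" / "run-001.csv").write_text("sample,result\nA1,0.42\n")
        (source / "slides.txt").write_text("slide index: constructed sample\n")

        good = tmp / "backup_good"
        shutil.copytree(source, good)

        # Simulates the unformatted tapes: the job "ran" but wrote nothing.
        empty = tmp / "backup_empty"
        empty.mkdir()

        # Simulates a silently truncated file in an otherwise complete backup.
        truncated = tmp / "backup_truncated"
        shutil.copytree(source, truncated)
        (truncated / "assay" / "run-001.csv").write_text("")

        return {
            "good": verify_backup(source, good),
            "empty": verify_backup(source, empty),
            "truncated": verify_backup(source, truncated),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Running the block reports OK for the good copy and the named problem for the other two. In practice the same comparison is most useful when run against data restored from the tape or remote site rather than against the directory the backup job wrote, since the point is to exercise the recovery path that a regulator's records request would depend on.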

Again, as in Chapters 4 and 5, we observe that some pharmaceutical companies seem to concentrate more on system back up rather than the fuller range of exercises that are needed for BC, such as the safety of employees and provisions to get them back to work quickly when a major disruption occurs. “There are regular rehearsals for backup and recovery, but no general business people are involved in rehearsals. The exception may be manufacturing where they do crisis management and BC drills on a regular basis.” The importance of going beyond just DR to include employees in exercises is illustrated by one of our executives who observed “that (the company) recovered quickly from the blackout that occurred in the North East last year. In particular, there was no loss of data and systems were back up quickly. However it took much longer to get people-oriented processes going again.”

We asked several of the executives about the quality of communication of BCP to employees. They thought that communications and training in BC could be improved in their organizations.


8. TECHNOLOGY DOMAIN

The questions in this area concerned the existence of redundant, geographically distant recovery facilities, the existence and frequency of system backup procedures, and whether or not recovery procedures are performed by external vendors.

For the most part, our interviewees said that their companies had remotely located backup facilities, and the large companies were able to manufacture each drug in more than one location. Recovery is facilitated through the use of outsourcers (e.g. Sungard or IBM) and in some cases by the use of redundant systems. An example of system redundancy is the distribution (and periodic synchronization) of Oracle databases used to support a global SAP ERP system.

According to one interviewee who is an industry consultant, most companies in the industry have only “cold site” backup facilities and will therefore experience delays in bringing their processes back online after a disruption. The larger companies have “hot” or “mirrored” sites, which are preferable from the point of view of time to recover. This form of back up might only be in place for large and important systems, however. Archiving is mostly to tape - some to optical storage. According to the same industry consultant, all medium to large companies have back up power systems and sometimes sell the energy produced. Backup systems to ensure continuity of water supplies are less common, and companies rarely have redundant communication systems.

Neither the surveys nor the interviews focused on the technical aspects of BC and DR. The above observations can at best indicate that there is a range of technical preparedness among the companies represented by our interviewees.

9. OVERALL ASSESSMENT OF PREPAREDNESS

As in the two surveys in Chapters 4 and 5, the last questions in the interviews focused on overall impressions of the preparedness of pharmaceutical firms for a major disaster. The remarks in this area largely reflect concerns that have been discussed previously in this and previous chapters. However, it is instructive to repeat some of the answers here.

• “(The company) is well prepared for a cyber attack - not well prepared for a physical disaster.”

• “Attention to BCP varies from company to company and between organizational units within companies. Major pharmaceutical companies do quite well with DR for the largest and most visible systems. DR is often neglected for smaller LANs and isolated computers.”

• “Overall, (our company) is medium to well-prepared - depends on the organizational unit. The data center is well prepared, but people and business units are probably not ready for a major disruption.”

• “Utilities breakdown - our company was not well prepared at the time of the blackout but is now paying attention to this.”

• “The pharma industry is not as well prepared as financial services. Financial services are more highly dependent on IT and have had to pay attention to DR and BCP.”

• “BCP is really not taken seriously. BCP does not usually have an identified budget. Most companies do not have persons with assigned responsibility for BCP.”

10. SUMMARY

The interviews with senior pharmaceutical executives confirmed and elaborated on the results of the survey of senior executives described in Chapter 4. Some observations relevant to some, but not all, firms in the pharmaceutical industry are as follows.

Regulations and, especially, FDA oversight and the GxP regulations are a major concern in the pharmaceutical industry.

All of the interviewees mentioned that the cost of non-compliance can be very high, with a number of them citing well-known cases where companies have been fined $100 million or more for non-compliance.

A number of the executives we interviewed mentioned the cost of compliance and were concerned that the investment in compliance would limit the attention to BC and limit budgets applied to broader BC concerns.

Several of the interviewees pointed out that FDA regulations do not apply to the discovery phase of the R&D life cycle and that R&D intellectual capital, in which companies have millions of dollars invested, may not be as well protected as other critical assets of the organization.

With regard to the planning phase of BC, most of the executives we interviewed indicated that their firms had performed a risk analysis (or Business Impact Analysis) and had prepared business continuity and disaster recovery plans. However, a number of the companies had not performed one or more of these steps, several executives indicated that their firms were just beginning to make formal plans, and others expressed concern that planning for BC was not taken seriously in their organizations.

BC is often not a separate budget item. Rather, BC expenses are tucked away in various accounts – mainly in IT, where it may be used for DR rather than BC in the fullest sense.

Many firms have not designated people or organizational units responsible for BC. In some cases, the IT function has responsibility for BC; in other cases BC responsibility is diffused throughout the organization. In some firms, the lines of BC responsibility are confused: IT accepts its responsibility for DR but believes that the business units have responsibility for the broader concerns of BC; on the other hand, the business units believe that IT has responsibility for both BC and DR.

Companies may be well prepared for a cyber attack – but not well prepared for a physical disaster. Attention to BCP varies from company to company and between organizational units within companies. Major pharmaceutical companies do quite well with DR for the largest and most visible systems. DR is often neglected for smaller LANs and isolated computers.

All the companies represented by the executives we interviewed perform regular data system back up and recovery exercises. However, these exercises may only be performed on the most important systems. Some pharmaceutical companies seem to concentrate more on system back up rather than the fuller range of exercises that are needed for BC, such as the safety of employees and provisions to get them back to work quickly when a major disruption occurs.

Finally, we asked several of the executives about the quality of communication of BCP to employees. They thought that communications and training in BC could be improved in their organizations.
