An “All Hazards” Approach to Business Continuity Planning Is Healthcare’s Next Challenge

One of the most important lessons healthcare companies learned during the COVID-19 pandemic is that they need to implement and maintain better strategies, processes and procedures to enable resiliency and recovery. As they seek to mature their business continuity plans (BCPs)/continuity of operations plans (COOPs), not only to satisfy recently increased regulatory scrutiny by the Centers for Medicaid and Medicare Services (CMS) and The Joint Commission (TJC) on recovery documentation but also to be better prepared for the next event, organizations are realizing that many of the existing plans focus on information technology disruptions and events, and not so much on other important aspects of business continuity, such as identifying vulnerabilities, developing supply chain resiliency plans or after-action reporting. However, regulatory bodies have emphasized an “all hazards” approach to business continuity, which is necessary for effective response and recovery. In this blog, we outline the necessary steps to developing a robust BCP/COOP that addresses that emphasis.

Cornerstones of an Effective Business Continuity Plan

BCPs/COOPs are crucial to healthcare organizations to help them remain both fiscally viable and operational in order to provide care for the community during and after an emergency. The BCP reduces economic impact to the organization during an event, allowing it to maintain critical business and logistical functions. Further, BCPs help healthcare organizations recover and get back to business as usual more quickly and effectively. During an event such as the COVID-19 pandemic, healthcare organizations would activate both their required emergency preparedness plans and their BCPs or COOPs.

Effective business continuity planning starts with a business continuity team that can tackle the plan development in phases. Every BCP starts with a hazard vulnerability analysis (HVA). The HVA assesses the level of risk, preparedness and impact on an individual healthcare organization of hazards of any kind, including natural disasters, infrastructure failures, security threats, mass casualty events and, now, infectious diseases (e.g., Ebola, Zika and COVID-19).

The HVA is complemented by a business impact analysis (BIA) an organization’s essential processes and what would happen if each of these processes is disrupted. The BIA is performed at a department level and incorporates all regulatory and legal requirements for each of the processes. One output of the BIA is the establishment of a recovery timeline, which indicates how long a function or service can be down, and a recovery point, which specifies the acceptable amount of data that can be lost for each specified function. Healthcare organizations should identify and prioritize these essential services at a departmental level in the context of the organization’s top-ten HVA risk categories. It is helpful to establish a strategy for the prioritization of essential processes and functions, such as a numeric scoring matrix. For example:

• Priority 1: Functions that could pose an immediate threat to employee or patient safety and welfare and/or have an immediate negative economic impact if not continually performed.
• Priority 2: Functions that, if stopped or delayed, would cause a major negative impact to the healthcare organization and stakeholders. This includes services that may impact contractual obligations with internal or external parties, such as patients, employees or vendors.
• Priority 3: Functions that that would cause a minor negative impact if suspended or delayed, including services required by contractual obligations with vendors, employees or patients.

Resourcing

After identifying and prioritizing processes and functions, organizations need to determine the resources necessary to carry out each service. This should include memorandums of understanding (MOUs) with all partners, third parties and suppliers essential to carrying out the prioritized functions. Teams need to think broadly when compiling the list of required resources: They should include physical equipment, IT applications, interdependencies, and any special skills required to perform the essential functions. Identifying all personnel trained and qualified to perform a particular essential service can help reallocate resources more easily. To this end, an organizational matrix that details the skill sets required for all essential roles will ensure that those skills remain top of mind. Further, maintaining a record of employee-related information such as licenses, certifications and completed training will allow healthcare organizations to fill essential roles and facilitate mobilization of workers within the organization as needs arise.

After-Action Reporting

After-action reporting is an important component of business continuity management. It is the deliberate utilization of the organization’s after-action reporting process not only to gather feedback after an event but to summarize what took place, analyze the actions taken by participants and highlight areas needing improvement. Further, an after-action report enables organizations to track compliance and, most importantly, provides input for updating the BCP/COOP (and emergency operations plans), which should be updated annually or after any significant event. Based on the after-action reports, MOUs with community partners should also be updated.

The following are additional best practice considerations for emergency management recovery processes:

• Issue regular and transparent communications that reassure employees and balance caution with a business-as-usual mindset.
• Utilize MOUs with community, state and local authorities and vendors.
• Implement a supply chain resiliency strategy and keep in contact with suppliers regarding their ability to perform their contractual obligations, or reset business assumptions and update memorandums of understanding, as necessary.
• Monitor state and federal support initiatives while remaining mindful of documentation requirements.
• Determine how the event affects budgets and business plans to assess financial and operational risks, including the evaluation of short-term liquidity (e.g., terms and conditions on loans and contracts with creditors and investors).
• Consult legal teams for advice on potential liabilities and risk mitigation.
• Review, test and update as needed business continuity plans by department or service.

Summary

As healthcare organizations return to a “new normal,” they are continually attempting to determine what their pathway to recovery will look like. Do we have enough supplies for patients and staff? What will our financials look like? Is our crisis response working? Are we compliant with TJC and CMS requirements? These are questions that organizations are asking themselves as they go through this unprecedented time. As discussed, the following key components should mark the path to recovery and help healthcare organizations mature their emergency response programs:

• Organizational risk assessment/hazard vulnerability analysis: study of potential operational risks and their likelihood. There should be an understanding internally of workarounds/contingent capabilities to mitigate the impact of those risks if they were to occur.
• Business impact analysis: A study, by department, of all business processes within an organization that incorporates all the regulatory and legal requirements for each of the processes. Further, a business impact analysis report should be created as part of the overall analysis that outlines the findings, the most critical processes, and the equipment, tools, staff and timelines required to ensure that these processes remain active during a disruption or become active as soon as possible after a disruption.
• Business continuity plan or continuity of operations plan: A robust BCP or COOP that addresses the critical processes necessary for the organization to continue services. This plan is updated through an supported by senior management. BCPs/COOPs should be developed, implemented and maintained by a multidisciplinary team that represents various departments and key stakeholders who will be tasked with identifying and prioritizing those critical processes that should be maintained during and after an incident. The BCP highlights the organization’s commitment to the continuity of business services during and after an incident and its commitment to plan maintenance, training and drills. All aspects of a BCM program should be tested regularly, preferably in an integrated fashion that allows for validation of interdependent recovery strategies, plans and teams.

Applying these best practices ensures the controlled, efficient, and cost-effective release of resources and mitigates healthcare organizations’ fiscal, legal and regulatory risks. For more on the topic, listen to our on-demand webinar “Healthcare Emergency Management Insights, Including Resilience Considerations: Turning Pandemic Learnings Into More Effective Emergency Management Initiatives.”