
Need a bone to throw at a customer (Business Continuity/Contingency Plan)


LesPiles

#1
Hello everyone,

Here is my problem: we have a client (actually two!) who ask for a BCP.

We started to look at it. Our approach was that, given the complexity of the thing (there is sufficient material on this subject that a standard - ISO 22301 - has been developed!), we did not believe in a "document" submitted to the customer that would be of any practical use if a major incident occurred. We rather believed that we should consider the BCP as a long-term process, a "living" one, involving different actors who have fully participated in the program and support it.

Although we have started to develop our system and have written some procedures, our client is getting impatient (for him, having a plan is one of the requirements for the award of a contract) and he wants to see a plan (formed "filled").

Some risks have already been identified for one of our two customers (or are a concern for at least one):

  • Risk of the business being sold by the main shareholder;
  • Risk of a strike;
  • Risk linked to parts supply chain (we are in electronics and some parts are end of life);
  • Fire risk (plant).

Those are the 4 most concrete cases we have on a first pass.

The question is: "How can I (and in what form) present something that would satisfy my client?"

In what form, I mean "content" and "container". I remind you that I'm starting from scratch.

Examples would be great.

Thank you in advance to all!

LesPiles
 

Wes Bucey

Prophet of Profit
#2
Re: Need a bone to throw at a customer

Confirm "BCP" (Business Continuity Plan or Business Contingency Plan) is requested by prospective customer before approving your organization as a supplier.

Identifying risks is really only part of the process. This is essentially a FMEA (Failure Mode & Effects Analysis) exercise.

  1. The organization identifies potential failure issues
  2. Organization assesses likelihood of occurrence
  3. Organization has plan to overcome or minimize damage done by failure

The point being:
Merely identifying the potential risks is worthless unless you can do an insurance underwriter's job and figure the probability of it happening and determining a setaside of money to cure the situation if it should occur.

The setaside of money can either be a cash fund or an insurance policy to repair or replace the damaged segment of the business (getting new customers, employees, vendors, designs, physical plants and/or equipment, and numerous other details too numerous to detail here in the Cove.) Some economic analyses I have participated in ran to dozens of pages, dependent on the complexity and scope of the target business.
 

feldspath

#3
Re: Need a bone to throw at a customer

[...] we did not believe in a "document" submitted to the customer who should be of any practical use if a major incident occurred [..]
Why would you think that?
 

LesPiles

#4
Re: Need a bone to throw at a customer

Hello feldspath ... Because too many scenarios could occur ...
 

Phil P

#5
Re: Need a bone to throw at a customer

I imagine that your customer is looking for a document that shows you have a system in place.

From experience I would do the following:

  • Generate a scope (operations of your business) and purpose (to maintain production for customers) to provide direction
  • Hold team meetings to identify risks (supplier failure, fire, flood, chemical release, industrial action, key equipment failure etc.)
  • Produce a risk register which uses occurrence, severity and recoverability to rate the risks
  • Detail the actions to be taken in the event of each risk occurring
  • Produce a DRP which lists roles and responsibilities in the event of a disaster
  • Produce a summary document listing recovery times for customers
  • Place copies of all DRP docs into a secure online server (so you can access them remotely)

Hope that helps,

Phil
 

Mike S.

Happy to be Alive
Trusted Information Resource
#6
Money is not the only way to handle or mitigate risks in a BCP. For example, maybe you have a second plant or approved subcontractor that could take on work from your plant if a tornado wiped you out. If your electric power went out maybe you have backup generators you own or could rent or borrow. If your computers are hacked you have full backups off-site. Etc.
 

SteveK

#7
As Phil P indicates, you need to have a document to demonstrate you have a plan in place. We have a full BCP we can test using the various types of scenarios indicated. To go with this we have our Business Continuity Policy; maybe having one of these would be acceptable to your customers, i.e.

Business Continuity Policy

Introduction

The impact of any disaster can be reduced through a considered assessment of threat, vulnerability & risk. Such residual level of risk can be mitigated by the adoption of Business Continuity Planning and Management.
The benefits of undertaking Business Continuity Planning and Management within ACME are:

  • Maintenance of key cash flows and profit streams post-event to ensure long-term survival of the Group is not put at risk
  • The Group meets its contractual and governance obligations
  • Improved credibility for ACME as an organisation and greater confidence in the Group from all stakeholders.

This policy outlines the approach to business continuity planning and management, its implementation and recovery processes and incident communication within the Group.

Objectives

  • To ensure that ACME has a workable continuity plan that will enable acceptable standards of service to be provided to business critical groups within defined and agreed timescales, following either the total and/or partial loss of vital services or facilities.
  • To establish an effective 'crisis management' and communications structure that will operate in the event of a disaster at ACME.
  • To establish a process for developing, maintaining and testing business continuity plans.

Policy Statement

In line with management best practice, ACME is committed to reducing business risk to acceptable levels wherever possible. To ensure that the group as a whole remains viable in the event of disaster ACME must maintain a business continuity plan, describing the actions to be taken in the event of crisis or disaster. Priorities and time scales for recovery must be agreed within the business and must be clearly identified and included in the plan. The plan must be subjected to periodic testing.

Applicability

This policy applies to all ACME companies and functions within the Group.

Hope this helps.

Steve
 

Mike S.

Happy to be Alive
Trusted Information Resource
#10
Money is the only way to handle such issue.
Really? If all of your data is wiped out and no backups exist, how is money gonna help? Unless it is enough to pay-off all the resulting damages and lawsuits and help you build a new business to start over, money alone is not the answer.
 