Need a bone to throw at a customer (Business Continuity/Contingency Plan)

LesPiles

Involved In Discussions
#1
Hello everyone,

Here is my problem: we have a client (actually two!) who ask for a BCP.

We started to look at it. Our approach was that, given the complexity of the thing (there is sufficient material on this subject that a standard - ISO 22301 - has been developed!), we did not believe in a "document" submitted to the customer that would be of any practical use if a major incident occurred. We rather believed that we should consider the BCP as a long-term process, a "living" one, involving different actors who have fully participated in the program and support it.

Although we have started to develop our system and have written some procedures, our client is getting impatient (for him, having a plan is one of the requirements for the award of a contract) and he wants to see a plan (formed "filled").

Some risks have already been identified for one of our two customers (or are a concern for at least one):

  • Risk of the business being sold by the main shareholder;
  • Risk of a strike;
  • Risk linked to parts supply chain (we are in electronics and some parts are end of life);
  • Fire risk (plant).

Those are the 4 most concrete cases we have on a first pass.

The question is: "How can I (and in what form) present something that would satisfy my client?"

By "form", I mean "content" and "container". I remind you that I'm starting from scratch.

Examples would be great.

Thank you in advance to all!

LesPiles
 

Wes Bucey

Quite Involved in Discussions
#2
Re: Need a bone to throw at a customer

Confirm "BCP" (Business Continuity Plan or Business Contingency Plan) is requested by prospective customer before approving your organization as a supplier.

Identifying risks is really only part of the process. This is essentially a FMEA (Failure Mode & Effects Analysis) exercise.

  1. The organization identifies potential failure issues
  2. Organization assesses likelihood of occurrence
  3. Organization has plan to overcome or minimize damage done by failure

The point being:
Merely identifying the potential risks is worthless unless you can do an insurance underwriter's job and figure the probability of it happening and determine a set-aside of money to cure the situation if it should occur.

The set-aside of money can either be a cash fund or an insurance policy to repair or replace the damaged segment of the business (getting new customers, employees, vendors, designs, physical plants and/or equipment, and numerous other details too numerous to detail here in the Cove). Some economic analyses I have participated in ran to dozens of pages, dependent on the complexity and scope of the target business.
 

feldspath

#3
Re: Need a bone to throw at a customer

[...] we did not believe in a "document" submitted to the customer that would be of any practical use if a major incident occurred [...]
Why would you think that?
 
#5
Re: Need a bone to throw at a customer

I imagine that your customer is looking for a document that shows you have a system in place.

From experience I would do the following:

  • Generate a scope (operations of your business) and purpose (to maintain production for customers) to provide direction
  • Hold team meetings to identify risks (supplier failure, fire, flood, chemical release, industrial action, key equipment failure etc.)
  • Produce a risk register which uses occurrence, severity and recoverability to rate the risks
  • Detail the actions to be taken in the event of each risk occurring
  • Produce a DRP which lists roles and responsibilities in the event of a disaster
  • Produce a summary document listing recovery times for customers
  • Place copies of all DRP docs into a secure online server (so you can access them remotely)

Hope that helps,

Phil
 

Mike S.

Happy to be Alive
Trusted Information Resource
#6
Money is not the only way to handle or mitigate risks in a BCP. For example, maybe you have a second plant or approved subcontractor that could take on work from your plant if a tornado wiped you out. If your electric power went out maybe you have backup generators you own or could rent or borrow. If your computers are hacked you have full backups off-site. Etc.
 

SteveK

Trusted Information Resource
#7
As Phil P indicates, you need to have a document to demonstrate you have a plan in place. We have a full BCP we can test using the various types of scenarios indicated. To go with this we have our Business Continuity Policy; maybe having one of these would be acceptable to your customers, i.e.:

Business Continuity Policy

Introduction

The impact of any disaster can be reduced through a considered assessment of threat, vulnerability & risk. Such residual level of risk can be mitigated by the adoption of Business Continuity Planning and Management.
The benefits of undertaking Business Continuity Planning and Management within ACME are:

  • Maintenance of key cash flows and profit streams post-event to ensure long-term survival of the Group is not put at risk
  • The Group meets its contractual and governance obligations
  • Improved credibility for ACME as an organisation and greater confidence in the Group from all stakeholders.
  • This policy outlines the approach to business continuity planning and management, its implementation and recovery processes and incident communication within the Group.

Objectives

  • To ensure that ACME has a workable continuity plan that will enable acceptable standards of service to be provided to business critical groups within defined and agreed timescales, following either the total and/or partial loss of vital services or facilities.
  • To establish an effective 'crisis management' and communications structure that will operate in the event of a disaster at ACME.
  • To establish a process for developing, maintaining and testing business continuity plans.

Policy Statement

In line with management best practice, ACME is committed to reducing business risk to acceptable levels wherever possible. To ensure that the group as a whole remains viable in the event of disaster ACME must maintain a business continuity plan, describing the actions to be taken in the event of crisis or disaster. Priorities and time scales for recovery must be agreed within the business and must be clearly identified and included in the plan. The plan must be subjected to periodic testing.

Applicability

This policy applies to all ACME companies and functions within the Group.

Hope this helps.

Steve
 

Mike S.

Happy to be Alive
Trusted Information Resource
#10
Money is the only way to handle such issue.
Really? If all of your data is wiped out and no backups exist, how is money gonna help? Unless it is enough to pay-off all the resulting damages and lawsuits and help you build a new business to start over, money alone is not the answer.
 