Kevin M. Quinley02.04.13
The popular TV series “Doomsday Preppers” on the National Geographic Channel profiles survivalists who prepare for calamities—war, flood, famine, hyper-inflation and civil unrest. However tempting it is to dismiss these folks as crackpots, the underlying notion of preparing for disasters has merit for medical device companies and their management teams.
While few suggest that medical device firms put war and famine atop their risk management focus lists, various other misfortunes can befall device firms. No one recommends replacing your Excel spreadsheet with the Mayan calendar in assessing risk. Failure to plan for risks can interrupt a company’s business operations and threaten its survival. In fact, thinking about “unthinkables” before they occur can competitively position device companies to boost their resilience and lend a competitive edge in a tough marketplace.
Superstorm Sandy and its recent devastation—particularly in the New York and New Jersey area, where many medical device and drug companies have operations—is a wakeup call for medical device firms regarding the need to design and enact disaster recovery plans. Insured losses from Sandy will top billions of dollars.
Disasters Come in Many Guises
Not all disasters, however, arrive as hurricane-driven waves. Sandy should inspire medical device firms and their management teams to review and retool their disaster recovery plans. Doing so ensures that the company can resume operations and rebound quickly after a loss. Sadly, risk managers are corporate counterparts to funeral directors. No one enjoys contemplating his or her own mortality. Similarly, those managing medical device risks must think about “what if” scenarios, even when business runs smoothly and others think the risk manager is a worrywart.
What will it take for your device firm to contemplate disaster? What is your vulnerability point? Are you located near an earthquake fault line? Are you in a flood zone? Does your clean room work with volatile chemicals? What supply chain disruptions—from a key supplier or customer—would cripple your business?
They All Have a Plan—Until They Get Hit
Disaster recovery plans should be current, fire-tested and address the area that could be hit, diverting resources to mitigate loss and resume full operations. A disaster recovery plan does not consist of drafting an impressive document and then crossing off a checklist with an air of, “Whew, glad that’s done!” The danger is that such a plan becomes credenza decoration, gathering dust on a shelf. When disaster strikes, folks scramble to locate the plan to see what to do.
This is not optimal. At home, you do not want to wait to have a kitchen fire before reading the manual on how to work that extinguisher you’ve had in the pantry for years. As the boxer Mike Tyson noted at the height of his career, referring to opponents plotting to beat him, “They all have a plan—until they get hit.” That is true of many device firms as well.
Having a plan but waiting until you get hit to use it is the antithesis of disaster recovery planning. Unfortunately though, it is the norm for many companies. Some device firms just want to be able to say, “Yes, we have a written disaster recovery plan.” Writing one is only half the job, though. The more challenging role for medical device management teams is weaving the plan into everyone’s consciousness and to heighten everyone’s awareness of the plan.
Not Just an “IT Thing”
One misconception is that disaster recovery planning is a computer function or “something that the IT department does.” It must go beyond just information technology. Yes, effective disaster recovery includes ensuring that a device firm’s nerve center—usually the computer system—is functional. It must, however, transcend an IT-only fixation.
At a medical device firm, one person may oversee risk management or have title of risk manager. The scale of most medical device firms does not allow the luxury of having a full-time risk manager. Regardless of the title of the person tasked with this role, however, disasters present a crucible. Disaster recovery should not depend just on the risk manager but rather on many people. There should be interchangeability so that executing the plan does not depend on one person, i.e. the risk manager. Redundancy is a sound risk management attribute for medical device firms. So is a multidisciplinary approach.
Supply Chains Need Risk Management
Modern disasters take many different forms. They may not necessarily be forces of nature or spectacular fires, though such events certainly qualify. If the U.S. Securities and Exchange Commission accuses your company’s CEO of insider stock trading, that is as much a crisis or disaster as an earthquake, tornado or tidal wave. Maybe you received a subpoena from the U.S. Department of Justice about billing policies or overseas sales practices. Maybe the U.S. Food and Drug Administration issues a “black box” warning about your device. Maybe a television news program airs a sensationalistic TV expose about your device and its alleged hazards. Perhaps the company’s product has been maligned as defective in a class action lawsuit.
Disasters assume many shapes. A disaster recovery plan can be useless unless key vendors, suppliers or contractors your organization depends upon are informed about your recovery plans. Manage contingent business interruption risks by strengthening your supply chain. For starters, medical device firms preparing for a rebound should know their supply chain.
Here are some tactics:
For the device firm’s management and executive team, a disaster is the equivalent of a pro athlete’s game day. This is what they are paid for. Here they are on center stage, in the spotlight. The pros who win on game day are the ones who not only have the will to win, but the will to prepare in the months before the test.
So it is with risk management. For medical device companies, what determines a disaster recovery plan’s success will not just be efforts during a disaster and its aftermath, but the weeks and months before the event. How well did the device firm’s management team use this opportunity to get ready?
The time to fix your roof is when the sun is shining. Medical device executives need not become doomsday preppers or fringe fanatics to protect their companies. Smart medical device management teams will use “calm” times wisely to prepare themselves and their organizations for the unthinkable.
Kevin Quinley, CPCU, is principal of Quinley Risk Associates, a risk management consulting firm in the Richmond, Va., area. He has more than 25 years of risk management experience with medical device companies. You can reach him at www.kevinquinley.com or at kevin@kevinquinley.com.
While few suggest that medical device firms put war and famine atop their risk management focus lists, various other misfortunes can befall device firms. No one recommends replacing your Excel spreadsheet with the Mayan calendar in assessing risk. Failure to plan for risks can interrupt a company’s business operations and threaten its survival. In fact, thinking about “unthinkables” before they occur can competitively position device companies to boost their resilience and lend a competitive edge in a tough marketplace.
Superstorm Sandy and its recent devastation—particularly in the New York and New Jersey area, where many medical device and drug companies have operations—is a wakeup call for medical device firms regarding the need to design and enact disaster recovery plans. Insured losses from Sandy will top billions of dollars.
Disasters Come in Many Guises
Not all disasters, however, arrive as hurricane-driven waves. Sandy should inspire medical device firms and their management teams to review and retool their disaster recovery plans. Doing so ensures that the company can resume operations and rebound quickly after a loss. Sadly, risk managers are corporate counterparts to funeral directors. No one enjoys contemplating his or her own mortality. Similarly, those managing medical device risks must think about “what if” scenarios, even when business runs smoothly and others think the risk manager is a worrywart.
What will it take for your device firm to contemplate disaster? What is your vulnerability point? Are you located near an earthquake fault line? Are you in a flood zone? Does your clean room work with volatile chemicals? What supply chain disruptions—from a key supplier or customer—would cripple your business?
They All Have a Plan—Until They Get Hit
Disaster recovery plans should be current, fire-tested and address the area that could be hit, diverting resources to mitigate loss and resume full operations. A disaster recovery plan does not consist of drafting an impressive document and then crossing off a checklist with an air of, “Whew, glad that’s done!” The danger is that such a plan becomes credenza decoration, gathering dust on a shelf. When disaster strikes, folks scramble to locate the plan to see what to do.
This is not optimal. At home, you do not want to wait to have a kitchen fire before reading the manual on how to work that extinguisher you’ve had in the pantry for years. As the boxer Mike Tyson noted at the height of his career, referring to opponents plotting to beat him, “They all have a plan—until they get hit.” That is true of many device firms as well.
Having a plan but waiting until you get hit to use it is the antithesis of disaster recovery planning. Unfortunately though, it is the norm for many companies. Some device firms just want to be able to say, “Yes, we have a written disaster recovery plan.” Writing one is only half the job, though. The more challenging role for medical device management teams is weaving the plan into everyone’s consciousness and to heighten everyone’s awareness of the plan.
Not Just an “IT Thing”
One misconception is that disaster recovery planning is a computer function or “something that the IT department does.” It must go beyond just information technology. Yes, effective disaster recovery includes ensuring that a device firm’s nerve center—usually the computer system—is functional. It must, however, transcend an IT-only fixation.
At a medical device firm, one person may oversee risk management or have title of risk manager. The scale of most medical device firms does not allow the luxury of having a full-time risk manager. Regardless of the title of the person tasked with this role, however, disasters present a crucible. Disaster recovery should not depend just on the risk manager but rather on many people. There should be interchangeability so that executing the plan does not depend on one person, i.e. the risk manager. Redundancy is a sound risk management attribute for medical device firms. So is a multidisciplinary approach.
Supply Chains Need Risk Management
Modern disasters take many different forms. They may not necessarily be forces of nature or spectacular fires, though such events certainly qualify. If the U.S. Securities and Exchange Commission accuses your company’s CEO of insider stock trading, that is as much a crisis or disaster as an earthquake, tornado or tidal wave. Maybe you received a subpoena from the U.S. Department of Justice about billing policies or overseas sales practices. Maybe the U.S. Food and Drug Administration issues a “black box” warning about your device. Maybe a television news program airs a sensationalistic TV expose about your device and its alleged hazards. Perhaps the company’s product has been maligned as defective in a class action lawsuit.
Disasters assume many shapes. A disaster recovery plan can be useless unless key vendors, suppliers or contractors your organization depends upon are informed about your recovery plans. Manage contingent business interruption risks by strengthening your supply chain. For starters, medical device firms preparing for a rebound should know their supply chain.
Here are some tactics:
- Identify in advance all your key suppliers to your production facilities in your supply chain;
- Identify the raw materials, utilities and components on which your production facilities depend;
- Identify the locations of your suppliers’ suppliers; and
- Make advance arrangements with contingency suppliers.
For the device firm’s management and executive team, a disaster is the equivalent of a pro athlete’s game day. This is what they are paid for. Here they are on center stage, in the spotlight. The pros who win on game day are the ones who not only have the will to win, but the will to prepare in the months before the test.
So it is with risk management. For medical device companies, what determines a disaster recovery plan’s success will not just be efforts during a disaster and its aftermath, but the weeks and months before the event. How well did the device firm’s management team use this opportunity to get ready?
The time to fix your roof is when the sun is shining. Medical device executives need not become doomsday preppers or fringe fanatics to protect their companies. Smart medical device management teams will use “calm” times wisely to prepare themselves and their organizations for the unthinkable.
Ten Steps to Boost Your Company’s Disaster Preparedness
|
Kevin Quinley, CPCU, is principal of Quinley Risk Associates, a risk management consulting firm in the Richmond, Va., area. He has more than 25 years of risk management experience with medical device companies. You can reach him at www.kevinquinley.com or at kevin@kevinquinley.com.