A Permanent State of Disaster Recovery

What a week! The west coast of the US was on fire; the east coast under water; the Gulf coast buffeted by hurricane winds; and the Delta variant resurgent overall. It might be time to rethink how we approach disaster recovery and business continuity.

A few years ago, many of the the small biotechs and vendors I audited didn’t even have disaster recovery or business continuity plans. “We don’t host any systems on site,” more than one company told me. How did they plan to process SAEs/clean data/monitor sites in the event of a disruption? “We’ll work from home!” The more mature companies had plans, but the style at the time was to define a step-by-step process for responding to various types of events, a Choose-Your-Own-Adventure for catastrophic response: For fire, turn to page 3. For power outage, page 7. The pandemic made painfully clear how important it was to have a disaster recovery/business continuity plan, and how inadequate we were at foreseeing the exact steps required to respond to a real disaster. Be honest: did your business continuity plan anticipate that work-from-home would occur simultaneously with remote home schooling? Or running a lab when 50% of your staff are quarantined?

Post-COVID, I’m seeing a trend toward disaster recovery and business continuity plans that provide a flexible, redundant set of tools rather than a prescribed sequence of steps. For example, the leader of a safety case processing team might have several options for responding to an incident: work from home if the team has access to internet and electricity; divert work to a vendor if not; if the whole region is down, divert work to an off-shore vendor.

This approach requires significant pre-planning and an expanded budget. Just-in-time redundancy requires qualifying and contracting with vendors that provide home health, telemedicine, mobile medicine, functional service provider, and courier services in advance of a disaster so they can be mobilized when needed and without delay. Sponsors must also be prepared with creative approaches to tasks that used to happen in person, from site monitoring visits to delivering study drug to training to approving documents. Regulatory agencies offer as much guidance as they can, but overall this approach relies on the “quality cycle” – plan, execute, oversee, and improve – rather than regulatory “dos and don’ts.” More than ever, we’re collaborating: calling our colleagues from other companies, posting questions on industry message boards, asking our contacts at FDA to weigh in.

Overall, COVID has made us more flexible as an industry, but most of us have still not experienced a significant disruption. My prediction: when a serious disaster strikes, whether it’s an earthquake, a cyber attack, or a chain of smaller concurrent events, most of us will wish we had done more to prepare.

Denise DeRenzo Lacey, RQAP-GCP, has over twenty years’ experience in clinical Quality Assurance and clinical development operations. Her practice focuses on application of quality risk management techniques for clinical studies, including risk-based approaches to auditing, data quality and integrity, and SOP development. She has provided consulting services to a wide range of pharmaceutical, medical device, biotech and CRO clients in the US and Europe and has held senior positions at Vertex Pharmaceuticals and Radius Health.