CPOM Module 18, Section 2: Developing Business Continuity and Disaster Recovery Plans
MODULE 18: RISK MANAGEMENT, BUSINESS CONTINUITY & SUSTAINABILITY

Section 2: Developing Business Continuity and Disaster Recovery Plans

A practical, hands-on guide to creating comprehensive plans for any crisis, covering downtime procedures, natural disaster response, utility failures, and maintaining patient care when systems go dark.

SECTION 18.2

Developing Business Continuity and Disaster Recovery Plans

From Controlled Chaos to Orchestrated Response: Building Your Pharmacy’s Playbook for Survival.

18.2.1 The “Why”: Orchestrating Calm in the Midst of Chaos

In the previous section, you became a master diagnostician, capable of identifying and assessing the myriad of risks that threaten your department’s health. Now, you must become the master strategist and tactician. Identifying a risk is a critical intellectual exercise; preparing for it is the fundamental work of leadership. A disaster, by its very nature, is an exercise in chaos. Systems fail, communication breaks down, and the normal, predictable rhythms of your operation evaporate in an instant. In this environment, human instinct is to react, to improvise, and often, to become paralyzed by uncertainty.

A Business Continuity Plan (BCP) is the antidote to that chaos. It is not merely a document; it is an orchestrated response, a pre-composed symphony of actions designed to bring order, clarity, and purpose to a crisis. It replaces improvisation with procedure, panic with process, and uncertainty with clear lines of authority and communication. It is the tangible embodiment of your commitment to your patients and your staff, a promise that even when everything else fails, the pharmacy’s core mission to provide safe and timely medication therapy will not.

Developing a BCP is one of the most significant responsibilities you will undertake as a leader. It forces you to confront your department’s deepest vulnerabilities and to think through, in excruciating detail, how you would continue to function under the worst possible circumstances. This is not simply about creating “downtime procedures.” It is about building a resilient organization. It’s about ensuring your team knows exactly who is in charge, what their specific role is, and how to perform their critical functions when the digital safety nets are gone. It’s about knowing how to protect your most valuable assets—your medications and your people. A well-crafted and well-rehearsed BCP is the ultimate expression of proactive leadership; it transforms a potential catastrophe into a manageable operational challenge.

Retail Pharmacist Analogy: The City-Wide Blackout

Imagine it is 3:00 PM on a Friday, the first of the month. Your pharmacy is packed. Suddenly, with a flicker and a thud, the entire city block goes dark. The power is out, and the utility company reports it will be for at least 24 hours. There is no generator. You are plunged into a state of operational crisis.

The Unprepared Pharmacy (Improvisation): The manager shouts, “Everyone stay calm!” But there is no plan. Technicians stand around, unsure what to do. Pharmacists try to use their cell phone flashlights to find prescriptions. The computers are down, so you have no access to patient profiles, allergies, or the dispensing queue. The phones are dead. The refrigerator is slowly warming, filled with thousands of dollars of insulin and vaccines. A frantic mother comes in for her child’s amoxicillin, but you can’t find the written script in the dark. A fragile diabetic patient needs their insulin, but you can’t process the sale because the cash register is dead. The scene descends into controlled chaos, patient care grinds to a halt, and immense financial loss is imminent.

The Prepared Pharmacy (Orchestration): The manager calmly announces, “We are now activating our Power Outage Protocol.” They open a large binder—the BCP.

  • Phase 1 (Secure Assets): A designated technician immediately takes the temperature logs and portable coolers to the refrigerator and freezer. They begin packing all insulin, vaccines, and other refrigerated items with ice packs, per a pre-written checklist. The goal is to prevent product loss.
  • Phase 2 (Establish Command): A designated pharmacist grabs the “Downtime Kit,” which contains battery-powered lanterns, paper prescription blanks, calculators, and a credit card imprinter. They become the “manual entry” station.
  • Phase 3 (Triage & Dispense): Another pharmacist stands at the front of the store, triaging patients. “We are currently able to fill emergency medications only. Please form a line here if you need a life-sustaining medication like insulin or a new antibiotic.” They have a paper list of the most common maintenance meds and their cash prices.
  • Phase 4 (Data & Finance): The manager uses a clipboard to manually log every prescription dispensed—patient name, drug, quantity, and price. This log will be used for billing reconciliation once power is restored.

The prepared pharmacy is still facing a crisis, but they are operating with purpose. They are mitigating financial loss, maintaining a lifeline of care for their most vulnerable patients, and managing chaos through a pre-planned, orchestrated response. That binder is their Business Continuity Plan. Your job is to build that binder for every conceivable disaster that could strike your hospital pharmacy.

18.2.2 Foundational Concepts: BCP, DRP, RTO, and RPO

Before we build the plan, we must master the language. The world of continuity planning is filled with acronyms. Understanding these core concepts is essential for building a coherent strategy and for communicating effectively with hospital leadership and IT departments.

Masterclass Table: Business Continuity Plan (BCP) vs. Disaster Recovery Plan (DRP)
Concept Business Continuity Plan (BCP) Disaster Recovery Plan (DRP)
Core Focus Maintaining business operations. How do we keep the pharmacy running (even in a limited capacity) during the disaster? Restoring IT systems. How do we get our technology and data back online after the disaster?
Guiding Question “How do we keep dispensing critical medications to patients when the EHR is down?” “What is the step-by-step technical process to restore the pharmacy server from backup tapes?”
Scope Enterprise-wide. Involves people, processes, and technology. It’s about the entire operational workflow. IT-focused. Primarily concerned with hardware, software, networks, and data.
Pharmacy Example The comprehensive plan that outlines manual paper-based ordering, pharmacist verification on paper MARs, technician delivery routes using printed patient lists, and communication via runners during a network outage. The specific IT checklist for failing over to a backup server, restoring the dispensing database from the last backup, and verifying network connectivity to all pharmacy workstations and automation.
The Critical Link

Think of it this way: The BCP is the plan that keeps you afloat in the lifeboat after the ship sinks. The DRP is the plan to salvage the ship and get it running again. The DRP is a critical component of the overall BCP, but it is not the BCP itself. As a pharmacy leader, you are primarily responsible for developing the BCP, while you will be a key stakeholder and contributor to the IT department’s DRP.

Masterclass Deep Dive: Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

These two metrics are the heart of any disaster recovery strategy. They are determined by the business (you) and executed by IT. Getting them right is critical for aligning technical capabilities with clinical needs.

Recovery Time Objective (RTO)

“How long can we afford to be down?”

Definition: The RTO is the maximum acceptable length of time that a specific system or application can be unavailable after a disaster or failure occurs. It answers the business question: “What is the longest we can operate without this system before the consequences become unacceptable?”

Pharmacy Example:

  • EHR/CPOE System: The RTO might be 4 hours. We can manage on paper for a single medication pass, but beyond that, the risk of error, missed doses, and operational chaos becomes too high.
  • Automated Dispensing Cabinets (ADCs): The RTO might be 2 hours. Nurses can pull from an override list for a short time, but the system needs to be back online quickly for controlled substance security and accurate inventory.
  • Sterile Compounding Software: The RTO might be 8 hours. We can revert to manual calculations and paper records for a single shift, but it is slow and high-risk.

Recovery Point Objective (RPO)

“How much data can we afford to lose?”

Definition: The RPO is the maximum acceptable amount of data loss, measured in time. It is determined by how often data backups are made. It answers the business question: “If we have to restore from a backup, what is the most recent data point we need?”

Pharmacy Example:

  • EHR/CPOE System: The RPO might be 15 minutes. This means the system is backed up at least every 15 minutes. If the system crashes, we might lose the last 14 minutes of entered orders, but no more. An RPO of 24 hours would be clinically catastrophic.
  • ADC Database: The RPO might be near-zero (synchronous replication). Because this system tracks controlled substances, any data loss is unacceptable. The data is often replicated to a backup server in real-time.
  • Purchasing/Inventory System: The RPO might be 24 hours. The data is backed up nightly. Losing one day’s worth of receiving data would be an inconvenience to re-enter, but not a clinical crisis.
The Cost of Time

As a leader, you must understand this critical relationship: Shorter RTOs and RPOs are exponentially more expensive. An RTO of 4 hours might be achievable with standard IT recovery procedures. An RTO of 5 minutes requires a multi-million dollar “hot site” with automatic failover capabilities. Similarly, an RPO of 15 minutes is standard, while an RPO of zero requires expensive real-time data mirroring. Your job in the planning process is to define the clinically necessary RTO and RPO for each system, providing the justification for the required investment from the hospital.

18.2.3 The Business Continuity Playbook: A Step-by-Step Guide to Development

Developing a BCP is a formal project that requires structure, collaboration, and rigorous analysis. This playbook will guide you through the essential phases of creating a plan that is comprehensive, practical, and effective.

1

Phase 1: Project Initiation & Team Formation

A BCP cannot be created in a vacuum by a single manager. It requires a multidisciplinary team that represents all critical functions of the pharmacy. Your first step is to formally charter this project and assemble the team. The team should include: Pharmacy Director/Manager (Project Sponsor), Operations Manager, Clinical Manager, Informatics Pharmacist, IV Room Supervisor, Lead Technician, and a representative from hospital emergency management.

2

Phase 2: The Business Impact Analysis (BIA)

This is the most critical analytical step of the entire process. The BIA is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations. You will identify every key function your pharmacy performs and analyze the impact of its failure over time. This analysis is what allows you to define the RTO for each function.

Masterclass Template: The Pharmacy Business Impact Analysis (BIA)
Critical Pharmacy Function Description Dependencies (Systems, People, Utilities) Impact of Disruption at 4 Hours Impact of Disruption at 24 Hours Maximum Tolerable Downtime (RTO)
New Order Verification Pharmacist review and verification of all new medication orders. EHR/CPOE, Network, Pharmacist staff Moderate. Revert to paper. Delays in STAT orders. High risk of transcription errors. Catastrophic. Widespread delays, high probability of major medication errors, inability to check profiles/allergies. 4 Hours
Sterile Compounding (IVs/TPN) Aseptic preparation of sterile products. HVAC (Cleanroom), Power, IV Compounding Software, Pharmacist/Technician staff Major. Inability to compound patient-specific IVs. Switch to commercially available products. Delays in chemo/TPN. Catastrophic. Cessation of all chemotherapy, TPN, and critical drips. Direct patient harm. 2 Hours (for HVAC/Power)
ADC Restocking Refilling automated dispensing cabinets on nursing units. ADCs, Network, Technician staff, Packager Minor. Units can run on existing stock. Some overrides needed. Major. Widespread stockouts on units, nurses cannot access medications, significant care delays. 12 Hours
Controlled Substance Management Dispensing, tracking, and securing all controlled substances. Vault, ADCs, EHR, Pharmacist/Technician staff Major. Revert to manual paper tracking. High risk of documentation errors and diversion. Inability to dispense from ADCs in override. Catastrophic. Potential for massive diversion. Inability to provide adequate pain management. High regulatory risk. 2 Hours
3

Phase 3: Develop Recovery Strategies & Document the Plan

Once you know your priorities (from the BIA), you can develop the actual recovery strategies. For each critical function, you will define the manual processes, workarounds, and resources needed to continue operating. These strategies are then documented in the formal BCP document.

Anatomy of a World-Class BCP Document

A BCP should not be a dense, narrative document. It should be a modular playbook of checklists, flowcharts, and clear instructions. Key sections must include:

  • Plan Activation Criteria: What specific event triggers the activation of this plan? (e.g., “Confirmed EHR downtime expected to exceed 60 minutes”).
  • Emergency Command Structure: A flowchart showing who is in charge during the disaster (The “Pharmacy Incident Commander”) and their direct reports.
  • Communication Plan: How will the pharmacy communicate internally (e.g., runners, walkie-talkies) and externally (to nursing, providers, hospital command center)? Includes key contact lists.
  • Team Roles & Responsibilities: A detailed breakdown of “disaster roles” (e.g., “Manual Order Entry Pharmacist,” “ADC Override Coordinator,” “Medication Runner”) and their specific duties.
  • Resource Inventory: A list of all necessary supplies (downtime forms, flashlights, batteries, etc.) and their physical location (the “Downtime Kit”).
  • Disaster-Specific Protocols: The detailed, step-by-step playbooks for each type of disaster (EHR Downtime, Power Failure, etc.).
  • Plan Deactivation & Recovery Procedures: How do you safely transition back from manual processes to normal operations? This includes critical steps for data reconciliation to prevent errors.

18.2.4 Masterclass Deep Dive: The EHR Downtime Protocol

The most common, and arguably most complex, disaster you will face is an unplanned, prolonged failure of the Electronic Health Record (EHR) and Computerized Provider Order Entry (CPOE) systems. This event instantly blinds the entire hospital. Your ability to execute a seamless downtime protocol is a direct measure of your department’s resilience and preparedness.

Visual Masterclass: EHR Downtime Response Flowchart
Downtime Alert Received
(Code Triage – IT Alert)
Activate Pharmacy BCP
(Pharmacy Incident Commander Appointed)
Team 1: Order Management
Deploy runners to units
Receive paper orders
Manual profile check & verification
Team 2: Dispensing & Delivery
Generate manual pick lists
Pull meds from stock/ADCs
Deliver meds via runners
Team 3: Clinical & Communication
Print backup MARs
Field calls from nursing
Communicate updates to units
System Restored – Begin Recovery
(Initiate Data Reconciliation Protocol)
The EHR Downtime Battle Box: Your Arsenal

Every pharmacy should have a physical, clearly marked “Downtime Battle Box” that can be immediately accessed. This box is your lifeline. It should be inventoried quarterly and contain:

  • Laminated Role Cards: Pockets-sized cards detailing the specific responsibilities for each downtime role.
  • Communication Tools: Fully charged walkie-talkies and a printed list of all key hospital phone numbers.
  • Lighting: High-powered LED flashlights and headlamps with extra batteries.
  • Forms & Labels: Large stacks of pre-printed downtime prescription forms, patient medication profile forms, and auxiliary labels.
  • Reference Materials: Printed copies of critical clinical protocols (e.g., heparin, insulin), dosing nomograms, and a recent hospital formulary.
  • Dispensing Tools: Calculators, pens, markers, and clipboards.
The Single Greatest Risk in Recovery: The Double Dose

The transition from a downtime event back to normal operations is fraught with peril. The single greatest risk is that a medication administered and documented on a paper MAR during the downtime is not correctly reconciled in the newly restored EHR, leading to the nurse giving the same dose again. Your recovery protocol must have a robust, mandatory process for this reconciliation.
The Solution:

  1. Freeze the eMAR: No new administrations can be documented in the EHR until reconciliation is complete.
  2. Pharmacist-Led Reconciliation: A dedicated team of pharmacists must go unit by unit, with the paper MARs in hand, and compare them line-by-line against the EHR’s medication administration record.
  3. Document Manually-Given Doses: Each dose given during the downtime must be manually entered into the EHR by a pharmacist with a note (e.g., “Given during downtime at 14:15 per paper MAR”).
  4. Official “All Clear”: Only after every unit is reconciled can the Pharmacy Incident Commander give the “all clear” for normal medication administration to resume via the EHR. This process is tedious and time-consuming, but it is the only way to guarantee patient safety.

18.2.5 Training, Testing, and Continuous Improvement

A BCP that has never been tested is not a plan; it is a theory. The final, and perhaps most important, component of business continuity planning is to create a culture of readiness through rigorous training and realistic drills. You would never expect a code team to perform flawlessly without mock codes; you cannot expect your pharmacy team to execute a downtime plan they have never seen or practiced.

A Tiered Approach to BCP Testing
Test Type Description Frequency Pharmacy Example
Tabletop Exercise A discussion-based session where team members walk through a simulated disaster scenario. It is designed to test the logic of the plan and identify gaps in a low-stress environment. Annually The BCP team gathers in a conference room. The leader presents a scenario: “At 10:00 AM, a construction crew severed the main network cable to the hospital. All systems are down. What are your first five actions?” The team then talks through their roles and the plan’s procedures.
Functional Drill A hands-on test of a single, specific component of the BCP. It involves actual staff performing their duties in a simulated environment. Semi-Annually The informatics pharmacist schedules a 1-hour “mock downtime” for a single nursing unit. The pharmacy team must use the downtime forms, a runner is dispatched, and the unit must communicate with the pharmacy using only the protocol-defined methods.
Full-Scale Simulation A high-fidelity, large-scale exercise that simulates a real disaster as closely as possible. It involves multiple departments and often includes surprise elements. Biennially (often part of a hospital-wide drill) As part of a hospital-wide “active shooter” drill, the pharmacy is put on lockdown. Staff must execute the lockdown BCP, accounting for personnel trapped outside the department and managing medication requests from the command center without being able to leave the pharmacy.
The After-Action Report: Where Real Learning Happens

After every drill, exercise, or real-world event, the BCP team must conduct a formal debrief and create an After-Action Report (AAR). This is a simple but powerful document that answers four key questions:

  1. What was supposed to happen? (According to the plan)
  2. What actually happened? (The real-world performance)
  3. What went well, and why? (Strengths to sustain)
  4. What can be improved, and how? (Actionable opportunities for improvement)

The output of the AAR is a list of action items that are used to revise and update the BCP. This continuous cycle of Plan -> Test -> Debrief -> Revise is what transforms a static document into a living, evolving, and truly effective business continuity program.