
Implementation of a BCM to safeguard track and trace

A logistics and retail company in the consumer goods sector, subject to specific EU requirements regarding track and trace, commissioned 3-core to set up a Business Continuity Management System (BCMS). The focus was on a particularly critical area where any failure would have had an impact on delivery capacity, traceability and, consequently, regulatory compliance. For this reason, BCM was a key issue from a business perspective.

Background and Objectives for Track and Trace

In the track-and-trace environment, a high degree of interdependence between internal process chains and external partners is coupled with clear compliance requirements. For our client, it was crucial not only to document business continuity but also to structure it in such a way that decisions can be made quickly in the event of a disruption and that traceability remains clear for both internal and external stakeholders. Particularly in the Track and Trace context, it is important to consider not just ‘a single process’ but the end-to-end chain, including interfaces, data flows and responsibilities.

Typical questions regarding business continuity management included:

  • Which processes are truly critical, and at what point does a failure become business-critical?
  • Which dependencies (IT, staff, service providers, sites, partner interfaces) are critical to success?
  • What minimum output must be achieved during emergency operations to ensure that track and trace and delivery capability remain verifiable?

Track & Trace provides transparency regarding the origin, movement and status of products within the supply chain. It thereby supports compliance with regulatory requirements, which at EU level are primarily set out in Directive 2014/40/EU and Regulation (EU) 2018/574.

Approach and Implementation

The introduction of the BCMS was supported throughout the entire process, from process mapping and analysis right through to business continuity strategies and contingency planning. This was based on collaboration with 14 specialist departments to gather process knowledge, dependencies and contingency assumptions directly from operational sources. In addition to the process mapping, a key focus was on not simply classifying track-and-trace requirements as ‘critical’ across the board, but rather translating them into objectives for emergency operations and recovery.

1. BCMS setup and integration of the business units

2. Business Impact Analysis (BIA) and Risk Analysis

3. Develop business continuity strategies

4. Tool-based documentation and training

1) BCMS set-up and involvement of the business units

To begin with, the objectives, scope and approach were agreed upon, and the involvement of the business units was organised. The interviews served not only to map out processes, but above all to systematically identify dependencies, bottlenecks and external interfaces.

The interviews focused on, amongst other things:

  • Process chains and interfaces (including external partners/service providers)
  • Resources and bottlenecks (staff, IT, locations, data flows)
  • Contingency operational assumptions (what is realistically achievable in the event of a disruption)

2) Business Impact Analysis (BIA) and Risk Analysis

In the next step, criticality, tolerable downtime and recovery requirements were assessed for each process. At the same time, relevant risks were evaluated in order to consistently derive priorities and the need for action. For Track and Trace, this involved specifically defining the minimum functionality required during emergency operations and determining the point at which a failure becomes critical from both an economic and regulatory perspective.

In brief:

  • BIA clarifies impacts and time sensitivity (what needs to be up and running again, and how quickly).
  • Risk analysis assesses threats and vulnerabilities (what could realistically occur and how severe the impact would be).

The following, amongst other things, were derived from the BIA:

  • Emergency operation objectives and minimum performance (to ensure that Track and Trace remains verifiable)
  • Restart objectives (e.g. time/data requirements) and priorities for restarting
  • Critical dependencies that directly affect track-and-trace capability

3) Deriving and coordinating continuity strategies

Based on the analysis, appropriate continuity strategies were developed – with a focus on emergency operations, recovery and feasibility in day-to-day business (including external partners). In doing so, it was determined which measures would have the greatest impact on maintaining stable delivery capability and track-and-trace documentation, even in the event of disruptions.

4) Tool-supported documentation and training

The 3-core BCM tool was utilised, which maps the work steps in line with BSI Standards 200-4 and 200-3, from process mapping through BIA and risk analysis to the development of continuity strategies. Content was recorded and evaluated directly within the tool, and refined iteratively in collaboration with the specialist departments. In addition, staff received targeted support and training to ensure that the operational implementation of BCM is firmly embedded within the organisation and that the results can be incorporated into the BCM cycle.

Outcome for our client

The result was the implementation of a Business Continuity Management System that prioritises critical processes, highlights dependencies and provides strategies for emergency operations, including business continuity, recovery and restoration. For the particularly critical track-and-trace area, this provided requirements, emergency operation objectives and restart priorities as a basis for managing delivery capability and traceability even during emergencies. Through documentation and collaboration with the specialist departments, specific requirements were established for control, record-keeping and continuous improvement.

Our services for the BCMS

Implementation of a Business Continuity Management System (BCMS)

We designed a bespoke BCMS implementation for our client, defined the methodology, and managed and steered the entire process – from the initial assessment through to strategy development – ensuring that BCM is available within the organisation as a system (rather than a single document) and as a tool.

Involvement of 14 departments through interviews

Through interviews with a total of 14 departments, processes, interdependencies, resources and suppliers were documented. This created a basis that allows for cross-departmental comparison and supports decision-making in an emergency, particularly where track and trace must be ensured.

Conducting a Business Impact Analysis (BIA) and risk analysis

We carried out the BIA and risk analysis in parallel and presented the results in such a way that criticality levels, emergency operational objectives, restart requirements, recovery plans and the correct priorities could be clearly derived and agreed upon.

Instruction and training of staff on the operational implementation of BCM

Staff were trained in procedures, roles and operational requirements so that the results can be utilised and maintained in day-to-day operations, and further developed and improved within the BCM cycle.

Creation of comprehensive documentation using the 3-core BCM tool

All work outputs and analyses were documented in the BCM tool. This enables evaluations, reviews and updates to be carried out without the need for multiple files, and ensures that requirements such as track and trace can be tracked consistently and concisely.
