Business Continuity Management
1.0
Summary
Business Continuity Management is a process that identifies potential threats to
an organisation, providing a framework for building resilience and the capability
for an effective response to incidents that will safeguard the interests of its key
stakeholders, reputation, brand and value creating activities.
University Business Continuity Plans are developed to address major
incident(s), which fall into any of the following five categories: 1.
2.
3.
4.
5.
Loss of, serious damage to, or inability to access premises.
Loss of a large number of staff (eg pandemic).
Loss of key equipment/services.
Loss of voice & data communications and other vital information.
Loss of a key third party eg public utilities, material or service supplier
etc.
1
1.2
Business Continuity Management Invocation Process (Flow Diagram)
Local Incident Plan
developed and implemented
Business Continuity Plan
developed and implemented
An incident occurs
Hardware
eg property
Software eg
information
Security
Control are
informed
First
responders
are informed
First responders
(and others as
necessary) resolve
the issue
Where necessary Security
open Incident Room and
inform Local Incident Team
LIT Senior Manager
assesses incident
Is the incident serious?
Yes
Review in
2 hours
No
LIT Manager calls out
Local Incident Team
LIT contains the incident
LIT Senior Manager
organises post incident
de brief
Local Incident Plan is
reviewed and revised
LIT Manager considers the
incident to be serious and informs
Emergency Management Team
(Uni Executive Managers) and
Business Recovery Team as
necessary
Business Continuity Team
assembles for briefing by LIT
Manager
Business Continuity Plan is
invoked
Business is recovered
Senior Manager from Business
Continuity Planning organises a
post incident de brief
Business Continuity Plans is
reviewed and revised
2
Emergency
Management Team
convenes and provides
direction
1.3
1.4
Business Continuity Plan Objectives
1.
Provide a framework, through which the key tasks for business continuity
management and recovery can be achieved.
2.
Take all reasonable steps to protect and preserve the health, safety and welfare
of employees and others on University premises.
3.
Take all necessary actions to secure affected premises and protect assets.
4.
Maintain an acceptable level of service and operational capability.
5.
Assign responsibilities for actions in the event of a major incident affecting the
operation of the Unit.
6.
Maintain communication with employees and others regarding operational
capability and recovery efforts.
7.
Detail tasks for damage assessment, salvage and recovery.
8.
Identify internal and external communication needs.
9.
Collate data and information required for insurance recovery purposes.
10.
Ensure business continuity plans are maintained and current.
Roles and Responsibilities
Important: Where incidents are protracted then relief teams made up of deputies will
be required.
Head of Unit
Take overall responsibility for business continuity management and recovery strategies
for their respective Unit.
Nominate appropriately trained and experienced staff as being responsible for
identifying critical activities, developing business continuity plans and implementing
recovery strategies.
Ensure plans remain current and are reviewed/revised following incidents or changes
to business, contact details etc
Testing the plan at least every three years to ensure it is effective.
Emergency Management Team (EMT): Made up of University Senior Executives
who will be responsible for making major decisions during serious incidents.
Business Continuity Management Co-ordinator (BCMC): The role of the BCMC
occurs where an incident involves more than one unit eg multi occupancy buildings.
Typically the BCMC will be appointed by Faculty/Service most affected by the incident.
The Co-ordinator is the link between the various teams and external agencies.
Unit/Service Managers: It is the accountability of the manager of each individual
business/operational unit to provide an effective 'fit for purpose' BCM capability for their
specific business/operational unit.
3
Local Incident Team (LIT): This team will convene at the outset to decide the next
level of call-out and will consider strategic and longer-term decisions.
Business Recovery Team (BRT): the Unit Senior Management Team will convene
following a major incident with the responsibility of implementing and co-ordinating the
unit’s/service’s individual BCM plans, additional specialist support can be drawn in as
required eg Fire Officer, Safety Officers, Biological/Chemical Safety Officers etc.
Note: Where resources permit there should be separate membership of both the LIT
and BCT. In smaller service units this may not be possible.
2.1
Business Recovery Team - Contact Details
Business Recovery Teams are made up of Unit Senior Managers (or deputies) along
with additional support as necessary eg Head of Maintenance, Health & Safety
Officer(s), ISS Managers, Property Manager, Human Resources, Insurance Officer
Important: This information must be reviewed/revised quarterly and forwarded to
the Security Manager
Position
Name
Contact No 1
4
Contact No 2
2.2 Business Continuity Plan - Critical Activities and Impact Analysis - Example
Unit Name:
ISE
Critical Activity
Person Completing:
Identify Areas Affected
Group activities into
the 5 family groups:
 Premises
 People
 Data/Comms/IT
 Equipment/
Services
 3rd Party Providers
If areas outside your unit are likely
to be affected, ensure that relevant
parties will be contacted (as per
your local incident plan)
4.1 Loss of
specialist
teaching
equipment,
fume cabinets
Yes
Unit Only
University
Yes
Other(s)
(incl. supply chain)
No
A N Other
Date Completed: Jan 2013
Review Date (3months): Mar 2013
Business Continuity Risk
Comments/
Impact Analysis
Mitigation
Recommendations
Assess the impact to
Identify and document the
Any further comments
business according to the
alternative arrangements that or recommendations
timescales of incident
will mitigate the impact of an as to future planning
incident on your critical
etc.
activities
1 Day
2 – 7 Days
> 7 Days
High
Medium
Low
High
Medium
Low
High
Medium
Low
Low
High
High
 Reciprocal arrangements
 Consider reciprocal
with labs in Medical
arrangements with
School- contact Dr A
other Universities
Nother Tel: 0000
and teach outside
normal hours,
 Temporary arrangements
whenever facilities
to teach students outside
are available
normal hours, inform
Security Control to open
 Make arrangements
buildings and ESS to
with coach company
switch heating on and
to provide transport
adjust cleaning regimes
for staff and students
 Technicians to transport
key equipment and
materials to the medical
school using school
transport
 Materials and equipment to
be stored temporarily in
room 1.2b as agreed with
school
 Email all students and staff
advising of alternative
venues
 Post notices at entrance to
buildings etc
5
2.2 Business Continuity Plan - Critical Activities and Impact Analysis
Unit Name:
Critical Activity
Group activities into
the 5 categories:
 Premises
 People
 Data/Comms/IT
 Equipment/
Services
 3rd Party Providers
Person Completing:
Identify Areas Affected
If areas outside your unit are likely
to be affected, ensure that relevant
parties will be contacted (as per
your local incident plan)
Unit Only
University
Other(s)
(incl. supply chain)
Date Completed:
Review Date (3months):
Business Continuity
Comments/
Impact Analysis
Risk Mitigation
Recommendations
Assess the impact to
Identify and document the Any further comments or
business according to the
alternative arrangements recommendations as to
timescales of incident
that will mitigate the
future planning etc.
impact of an incident on
your critical activities
1 Day
High
Medium
Low
2 – 7 Days
High
Medium
Low
> 7 Days
High
Medium
Low
Insert additional rows as necessary
6