Business Continuity Management 1.0 Summary Business Continuity Management is a process that identifies potential threats to an organisation, providing a framework for building resilience and the capability for an effective response to incidents that will safeguard the interests of its key stakeholders, reputation, brand and value creating activities. University Business Continuity Plans are developed to address major incident(s), which fall into any of the following five categories: 1. 2. 3. 4. 5. Loss of, serious damage to, or inability to access premises. Loss of a large number of staff (eg pandemic). Loss of key equipment/services. Loss of voice & data communications and other vital information. Loss of a key third party eg public utilities, material or service supplier etc. 1 1.2 Business Continuity Management Invocation Process (Flow Diagram) Local Incident Plan developed and implemented Business Continuity Plan developed and implemented An incident occurs Hardware eg property Software eg information Security Control are informed First responders are informed First responders (and others as necessary) resolve the issue Where necessary Security open Incident Room and inform Local Incident Team LIT Senior Manager assesses incident Is the incident serious? Yes Review in 2 hours No LIT Manager calls out Local Incident Team LIT contains the incident LIT Senior Manager organises post incident de brief Local Incident Plan is reviewed and revised LIT Manager considers the incident to be serious and informs Emergency Management Team (Uni Executive Managers) and Business Recovery Team as necessary Business Continuity Team assembles for briefing by LIT Manager Business Continuity Plan is invoked Business is recovered Senior Manager from Business Continuity Planning organises a post incident de brief Business Continuity Plans is reviewed and revised 2 Emergency Management Team convenes and provides direction 1.3 1.4 Business Continuity Plan Objectives 1. Provide a framework, through which the key tasks for business continuity management and recovery can be achieved. 2. Take all reasonable steps to protect and preserve the health, safety and welfare of employees and others on University premises. 3. Take all necessary actions to secure affected premises and protect assets. 4. Maintain an acceptable level of service and operational capability. 5. Assign responsibilities for actions in the event of a major incident affecting the operation of the Unit. 6. Maintain communication with employees and others regarding operational capability and recovery efforts. 7. Detail tasks for damage assessment, salvage and recovery. 8. Identify internal and external communication needs. 9. Collate data and information required for insurance recovery purposes. 10. Ensure business continuity plans are maintained and current. Roles and Responsibilities Important: Where incidents are protracted then relief teams made up of deputies will be required. Head of Unit Take overall responsibility for business continuity management and recovery strategies for their respective Unit. Nominate appropriately trained and experienced staff as being responsible for identifying critical activities, developing business continuity plans and implementing recovery strategies. Ensure plans remain current and are reviewed/revised following incidents or changes to business, contact details etc Testing the plan at least every three years to ensure it is effective. Emergency Management Team (EMT): Made up of University Senior Executives who will be responsible for making major decisions during serious incidents. Business Continuity Management Co-ordinator (BCMC): The role of the BCMC occurs where an incident involves more than one unit eg multi occupancy buildings. Typically the BCMC will be appointed by Faculty/Service most affected by the incident. The Co-ordinator is the link between the various teams and external agencies. Unit/Service Managers: It is the accountability of the manager of each individual business/operational unit to provide an effective 'fit for purpose' BCM capability for their specific business/operational unit. 3 Local Incident Team (LIT): This team will convene at the outset to decide the next level of call-out and will consider strategic and longer-term decisions. Business Recovery Team (BRT): the Unit Senior Management Team will convene following a major incident with the responsibility of implementing and co-ordinating the unit’s/service’s individual BCM plans, additional specialist support can be drawn in as required eg Fire Officer, Safety Officers, Biological/Chemical Safety Officers etc. Note: Where resources permit there should be separate membership of both the LIT and BCT. In smaller service units this may not be possible. 2.1 Business Recovery Team - Contact Details Business Recovery Teams are made up of Unit Senior Managers (or deputies) along with additional support as necessary eg Head of Maintenance, Health & Safety Officer(s), ISS Managers, Property Manager, Human Resources, Insurance Officer Important: This information must be reviewed/revised quarterly and forwarded to the Security Manager Position Name Contact No 1 4 Contact No 2 2.2 Business Continuity Plan - Critical Activities and Impact Analysis - Example Unit Name: ISE Critical Activity Person Completing: Identify Areas Affected Group activities into the 5 family groups: Premises People Data/Comms/IT Equipment/ Services 3rd Party Providers If areas outside your unit are likely to be affected, ensure that relevant parties will be contacted (as per your local incident plan) 4.1 Loss of specialist teaching equipment, fume cabinets Yes Unit Only University Yes Other(s) (incl. supply chain) No A N Other Date Completed: Jan 2013 Review Date (3months): Mar 2013 Business Continuity Risk Comments/ Impact Analysis Mitigation Recommendations Assess the impact to Identify and document the Any further comments business according to the alternative arrangements that or recommendations timescales of incident will mitigate the impact of an as to future planning incident on your critical etc. activities 1 Day 2 – 7 Days > 7 Days High Medium Low High Medium Low High Medium Low Low High High Reciprocal arrangements Consider reciprocal with labs in Medical arrangements with School- contact Dr A other Universities Nother Tel: 0000 and teach outside normal hours, Temporary arrangements whenever facilities to teach students outside are available normal hours, inform Security Control to open Make arrangements buildings and ESS to with coach company switch heating on and to provide transport adjust cleaning regimes for staff and students Technicians to transport key equipment and materials to the medical school using school transport Materials and equipment to be stored temporarily in room 1.2b as agreed with school Email all students and staff advising of alternative venues Post notices at entrance to buildings etc 5 2.2 Business Continuity Plan - Critical Activities and Impact Analysis Unit Name: Critical Activity Group activities into the 5 categories: Premises People Data/Comms/IT Equipment/ Services 3rd Party Providers Person Completing: Identify Areas Affected If areas outside your unit are likely to be affected, ensure that relevant parties will be contacted (as per your local incident plan) Unit Only University Other(s) (incl. supply chain) Date Completed: Review Date (3months): Business Continuity Comments/ Impact Analysis Risk Mitigation Recommendations Assess the impact to Identify and document the Any further comments or business according to the alternative arrangements recommendations as to timescales of incident that will mitigate the future planning etc. impact of an incident on your critical activities 1 Day High Medium Low 2 – 7 Days High Medium Low > 7 Days High Medium Low Insert additional rows as necessary 6