CAUBO Annual Meeting
Winnipeg, Manitoba
June 16, 2008

Concurrent Session
Business Continuity and IT Disaster Recovery: Ensuring an Integrated Approach

Overview of Presenters
Gerry Miller
University of Manitoba
Philip Stack
Associate Vice President, Risk Management Services
University of Alberta

Presentation Outline
Part 1: Overview of Integrated Emergency Management
Part 2: IT Disaster Recovery

“An emergency will occur at some point in the history of the university. Never assume it only happens to someone else.”
(1999 Harrell, G. North Carolina Hurricane)

An Emergency at the University/College
• Unexpected
• Unscheduled
• Unplanned
• Unprecedented
• Definitely Unpleasant

“It’s not a matter of whether a disaster or emergency scenario will confront a campus but when. I have confronted numerous emergency situations requiring rapid decisions, such as several campus evacuations and extended closures that threatened the institution’s academic program. Dealing with the long-term trauma people faced was a humbling and daunting experience.
“Our decision to create comprehensive plans and to continually monitor and update these plans has proved to be one of the best uses of our time and resources.”
John Cavanaugh, President, University of West Florida

Why Worry about Emergency Management? 1/2
• Society’s Tolerance - more informed, wiser society not willing to accept uncertainty as in the past.
• Institutional Accountability – to the Community, the Board, Government, to Us. New legislation closes gaps for corporate immunity e.g. the directing mind.
• Legal Risk - an act or lack of an act could land the University in court and someone potentially with a record. The trend is to hold the University responsible for failing to take reasonable steps to prevent a crisis, or for failing to be adequately prepared to manage a crisis situation.
Making emergency preparedness a priority may require building crisis management into job descriptions, personnel evaluations and audits.
- Poland (1994)

Why Worry About Emergency Management? 2/2
• Reputation - Potential damage to the University’s reputation, and, just as important, damage to your own reputation.
• Fragile - The systems may be overloaded and the infrastructure easily broken. Large interdependencies can result in disastrous failures e.g. power outage in eastern Canada and USA, failure of the IT system, failure of communications.
• Educational institutions - are not exempt from regulations e.g. WH&S/OH&S and the need to provide a safe environment. They may be different in inherent risks and operational risks – but they are still accountable.

“The key to risk management is delivering risk information, in a timely and succinct fashion, while assuring that key decision makers have the time, the tools, and the incentive to act upon it…it follows that the biggest single responsibility of the risk management function is intelligent communication”.
Kloman, Felix. (Risk Management Reports, 2001)

What are we trying to achieve?
1. Integrated Emergency Management Program
2. Involvement of Faculties, Departments and Planning
3. Business Continuity including Pandemic readiness
4. Enhancing Emergency Preparedness and Management components

The Goal
• Increase readiness
• Building capacity and reliability
• University wide approach
• Systems, adaptable and flexible
• Emergency management principles
• Strengthen practices and decision making
• Protect the core businesses
[Diagram: Prevention/Mitigation, Preparedness, Response, Recovery]

IEMP
[Diagram labels: Prevention; Preparedness; Plans; Training; Disaster/Major Emergency/Outage; Level 1; Level 2 or 3; Assessment; Initial Emergency Response; EOC Activation; CMT Activation; Faculty/Department Action Plan; Unit Action Plan; Recovery; Restoration; Resumption; Normal Operations; Internal and External Stakeholders]

When The Wheels Come Off!
Layered Planning and Interoperability
[Diagram labels: Continuity; University’s Integrated Emergency Management Program; University of Alberta Crisis Communications Plan; University of Alberta Emergency Master Plan; Faculty/Department Action Plan; Department/Unit Action Plan; Health Authorities; Emergency Response Departments; Government Agencies]

U of A Integrated Emergency Management Program
Emergency Master Plan & Faculty/Department Action Plans
[Diagram: plan sections]
• Appendix
• Administration and Maintenance
• Risk, Prevention, Preparedness
• Post Incident Measures
• Resources and Forms
• Crisis Communication Plan and Teams
• Supporting: Preparedness, Response, Recovery and Resumption
• University wide Emergency Contacts - In/Ex
• Action Plans: Response, Recovery, Res.
• Roles, Responsibilities, Checklists
• Incident Command System and SOPs
• Activation and Notification, Operation
• General, Incident Command System
• Introduction, Policy, Overview

Business Continuity Action Plans
• Loss of Critical vendor
• Loss of IT, Communications
• Loss of Utilities
• Loss of People Capacity
• Loss of Equipment/Vehicles
• Loss of Facility/Office/Workspace

How do you get there?
Business Continuity to Action Plans
Phased Development:
1. Analysis
2. Alternate Measures, Solutions and Strategies
3. Implementation (Faculty/Department: Emergency Operations Plan/Action Plan)
4. Maintenance

Business Impact Analysis
• Critical business services
• Work flows
• Maximum acceptable downtime
• Vital records and documents
• Priorities for recovery and resumption
• Interdependencies

Planning For A Catastrophe Is Positive Thinking. Not Thinking Is A Disaster!
Caring, Protecting, Responsible

Scenario Planning
• Loss of access
• Loss of utility
• Loss of facility
• Loss of people
• Loss of IT and/or Telecommunications
• Loss of critical vendor
How to Recover Lost Business Services and Functions

University and Risks
• Risk of fire, flood, tornado: Water, structural damage
• Risk of crime, disorder, terrorism: Theft, bomb threat, work place violence, civil disturbance, hostage, shooter, fraud
• Public Health Emergency: avian pandemic, meningitis
• Risk to utilities: High temperatures, High or low humidity
• Risk to environment: Mold and mildew, pests, asbestos
• Risk of hazards on roads
• Human error
• IT risks
• Financial Risks
• Regulatory Risks
• Reputation Risk
You are in the Risk Management Business!

Potential Consequences
• Health, safety and security
• Injuries or loss of life
• Animal care
• Specimens, data, vital records
• Legal
• Regulatory
• Financial
• Infrastructure
• Reputation
• Loss of students
• Loss of Faculty and Staff
• Loss of collections
• Loss of valuable documents
• Morale
Risk Does Not Respect Boundaries!

Risk Analysis Tool
Risk:
• What can go wrong?
• How likely is it?
• What are the consequences?
Natural Disaster/Man-Made Emergency   Probability   Severity       Risk Level   Priority
Fire                                  Remote        Catastrophic   Medium       3
Flood                                 Occasional    Catastrophic   High         2
Major Power Outage                    Probable      Critical       High         1
Bomb Threat                           Improbable    Critical       Low          4
Source: Natural, Technical, Man-Made

U of A Integrated Emergency Management Program
[Diagram labels: Crisis Communications Plan; U of A PHR Strategy; U of A Emergency Master Plan; Analysis and Action Plans; Faculties; Teaching; IT and Records; Staff; Research; Animal care; Labs; Staff; Administration; Human Resources; Facilities and Operations; Power; Campus Security; Heat; Planning; Water; Finance; Essential Services; EH&S; Residence Services; Grounds; Communications; Sponsors; Payroll; IT; Buildings; Response; Redeployment; Perishables; Operations; Communications]

Integrated Emergency Management Program - Model
• Ready, Resilient and Robust University
• Functions, Services, Systems and Processes
• Risk Management Culture
• Leadership and Commitment

Incident Command System – The Building Blocks
Command: Incident Commander
Command Staff: Public Information, Liaison Officer, Safety Officer
General Staff: Operations (Doers), Planning (Thinkers), Logistics (Getters), Finance/Administration (Payers)
First Responders

Sample Emergency Operations Centre
[Organization chart labels: EOC Director; University President; University Emergency Policy Group: VPs and General Counsel; EOC Coordinator; Liaison Officer: Internal/External; Public Information Officer; Liaison Officer Faculty and Deans; Deputy EOC Director; Operations Section Chief; Logistics Section Chief; Planning and Intelligence Section Chief; Finance & Administration Section Chief]
[Units shown under the sections: Registrar; HR; IT & Telecomm; Supply Management; Documentation Unit leader; Resource Tracking; Financial Services (appears twice); Public Safety; Facilities Management (appears twice); Capital Projects; Demobilization; Situation Status; Contracts; Risk Mgnt & Insurance; Student/Residents Services]

Management Style During an Emergency at a University
• Emergencies prompt a change in management style
• From Consultative to Command and Control

“You’ve got to take stock of the damage and how you’ll recover from it. You’ve also got to take stock of your human resources, who’s available and what’s their work capacity. Remember that damage isn’t just physical. Take stock of outside resources. Who can help? The big thing: Take control. As president, as a CIO, you’re in the best position to look out for your own institution. Don’t rely upon FEMA (Emergency Management Alberta, Public Safety Canada). Don’t rely upon the government. Don’t rely upon the state (province). Take control of the situation.”
John Lawson, VP Information Technology and CIO, Tulane

In Summary
• Leadership commitment
• Integrated approach
• Build a risk culture
• Train and exercise

Here’s why we need to be ready for emergencies...
Seventh place...
Sixth place...
Fifth place...
Fourth place...
Third place...
Second place...
And the WINNER is...