Business Continuity Management

Business Continuity Management

1.0 Summary

Business Continuity Management is a process that identifies potential threats to an organisation, providing a framework for building resilience and the capability for an effective response to incidents that will safeguard the interests of its key stakeholders, reputation, brand and value creating activities.

University Business Continuity Plans are developed to address major incident(s), which fall into any of the following five categories: -

1. Loss of, serious damage to, or inability to access premises.

2. Loss of a large number of staff (eg pandemic).

3. Loss of key equipment/services.

4. Loss of voice & data communications and other vital information.

5. Loss of a key third party eg public utilities, material or service supplier etc.

1.2 Business Continuity Management Invocation Process (Flow Diagram)

1.3 Business Continuity Plan Objectives

1.  Provide a framework, through which the key tasks for business continuity management and recovery can be achieved.

2.  Take all reasonable steps to protect and preserve the health, safety and welfare of employees and others on University premises.

3.  Take all necessary actions to secure affected premises and protect assets.

4.  Maintain an acceptable level of service and operational capability.

5.  Assign responsibilities for actions in the event of a major incident affecting the operation of the Unit.

6.  Maintain communication with employees and others regarding operational capability and recovery efforts.

7.  Detail tasks for damage assessment, salvage and recovery.

8.  Identify internal and external communication needs.

9.  Collate data and information required for insurance recovery purposes.

10.  Ensure business continuity plans are maintained and current.

1.4 Roles and Responsibilities

Important: Where incidents are protracted then relief teams made up of deputies will be required.

Head of Unit

Take overall responsibility for business continuity management and recovery strategies for their respective Unit.

Nominate appropriately trained and experienced staff as being responsible for identifying critical activities, developing business continuity plans and implementing recovery strategies.

Ensure plans remain current and are reviewed/revised following incidents or changes to business, contact details etc

Testing the plan at least every three years to ensure it is effective.

Emergency Management Team (EMT): Made up of University Senior Executives who will be responsible for making major decisions during serious incidents.

Business Continuity Management Co-ordinator (BCMC): The role of the BCMC occurs where an incident involves more than one unit eg multi occupancy buildings. Typically the BCMC will be appointed by Faculty/Service most affected by the incident. The Co-ordinator is the link between the various teams and external agencies.

Unit/Service Managers: It is the accountability of the manager of each individual business/operational unit to provide an effective 'fit for purpose' BCM capability for their specific business/operational unit.

Local Incident Team (LIT): This team will convene at the outset to decide the next level of call-out and will consider strategic and longer-term decisions.

Business Recovery Team (BRT): the Unit Senior Management Team will convene following a major incident with the responsibility of implementing and co-ordinating the unit’s/service’s individual BCM plans, additional specialist support can be drawn in as required eg Fire Officer, Safety Officers, Biological/Chemical Safety Officers etc.

Note: Where resources permit there should be separate membership of both the LIT and BCT. In smaller service units this may not be possible.

2.1 Business Recovery Team - Contact Details

Business Recovery Teams are made up of Unit Senior Managers (or deputies) along with additional support as necessary eg Head of Maintenance, Health & Safety Officer(s), ISS Managers, Property Manager, Human Resources, Insurance Officer

Important: This information must be reviewed/revised quarterly and forwarded to the Security Manager

Position / Name / Contact No 1 / Contact No 2

2

2.2 Business Continuity Plan - Critical Activities and Impact Analysis - Example

Unit Name: / ISE / Person Completing: / A N Other / Date Completed: / Jan 2013 / Review Date (3months): / Mar 2013
Critical Activity / Identify Areas Affected / Impact Analysis / Business Continuity Risk Mitigation / Comments/ Recommendations
Group activities into the 5 family groups:
· Premises
· People
· Data/Comms/IT
· Equipment/ Services
· 3rd Party Providers / If areas outside your unit are likely to be affected, ensure that relevant parties will be contacted (as per your local incident plan) / Assess the impact to business according to the timescales of incident / Identify and document the alternative arrangements that will mitigate the impact of an incident on your critical activities / Any further comments or recommendations as to future planning etc.
Unit Only / University / Other(s)
(incl. supply chain) / 1 Day / 2 – 7 Days / > 7 Days
High
Medium
Low / High
Medium
Low / High
Medium
Low
4.1 / Loss of specialist teaching equipment, fume cabinets / Yes / Yes / No / Low / High / High / ·  Reciprocal arrangements with labs in Medical School- contact Dr A Nother Tel: 0000
·  Temporary arrangements to teach students outside normal hours, inform Security Control to open buildings and ESS to switch heating on and adjust cleaning regimes
·  Technicians to transport key equipment and materials to the medical school using school transport
·  Materials and equipment to be stored temporarily in room 1.2b as agreed with school
·  Email all students and staff advising of alternative venues
·  Post notices at entrance to buildings etc / · Consider reciprocal arrangements with other Universities and teach outside normal hours, whenever facilities are available
· Make arrangements with coach company to provide transport for staff and students

2.2 Business Continuity Plan - Critical Activities and Impact Analysis

Unit Name: / Person Completing: / Date Completed: / Review Date (3months):
Critical Activity / Identify Areas Affected / Impact Analysis / Business Continuity Risk Mitigation / Comments/ Recommendations
Group activities into the 5 categories:
· Premises
· People
· Data/Comms/IT
· Equipment/ Services
· 3rd Party Providers / If areas outside your unit are likely to be affected, ensure that relevant parties will be contacted (as per your local incident plan) / Assess the impact to business according to the timescales of incident / Identify and document the alternative arrangements that will mitigate the impact of an incident on your critical activities / Any further comments or recommendations as to future planning etc.
Unit Only / University / Other(s)
(incl. supply chain) / 1 Day / 2 – 7 Days / > 7 Days
High
Medium
Low / High
Medium
Low / High
Medium
Low

Insert additional rows as necessary

6