Business Continuity Management




Business Continuity Management Version 1 approved by SMG December 2013 Business Continuity Policy Version 1 1 of 9

Summary description: This document provides the rationale for developing a business continuity culture. It details the University's aims and objectives in this regard and identifies the key roles and responsibilities.
Scope: All staff on the Hull and Scarborough Campuses.
With effect from: January 2014
Other related policies/documents: University Major Incident Plan, Campus Closure.
Contact for further information: Grace Dalley, Deputy Secretary. Email: g.dalley@hull.ac.uk Tel: 01482 465299
This document is available in alternative formats from the Committee Section.
Approved by: Vice-Chancellor, University Registrar & Secretary, Senior Management Group.
Next due for review: January 2017
Reference to any superseded policy/amalgamations: Not applicable
Relevant legal framework: Not applicable
Equality Analysis: Not applicable
Freedom of Information: This policy is publicly available through the University's Publication Scheme under the Freedom of Information Act 2000.
Other professional standards reference points: ISO 22301:2012, Business Continuity Institute Good Practice Guide 2013

1. BACKGROUND

The Executive has identified the lack of a robust business continuity plan as a strategic risk for the University. In 2011 internal auditors identified gaps in the University's business continuity provision, and in 2012 the University engaged external consultants Jermyn Consulting to complete a full review of business continuity and crisis management and report on its findings. The assignment involved a review of available documentation and structured discussions with representatives across the organisation. The University was benchmarked against the requirements of ISO 22301:2012 for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a business continuity management system. The findings of the review were disseminated and presented to the Executive and included a project plan and an indicative timeline for its implementation.

2. WHY DO WE NEED BUSINESS CONTINUITY MANAGEMENT?

Business Continuity Management (BCM) is a process that enables the University to proactively identify and minimise the impact of risks that could affect its objectives, operations and infrastructure. BCM provides the capability for the University to ensure continuity of teaching and research, together with support for its students, staff, departments and faculties following any disruptive incident.

Whilst the University does not have a statutory duty to undertake BCM, it is a business imperative. The University also has legal and moral responsibilities for staff, students and visitors and recognises the importance of this process in ensuring it can continue its critical activities after a disruption and in protecting its reputation as a leading university in the UK.

The Business Continuity process starts with Incident Management as illustrated below:

The University has defined two types of incident:

I. Minor incidents are interruptions or disruptions that can be sufficiently disruptive to require the implementation of business continuity arrangements. They can be addressed by departmental business continuity plans. They are smaller scale events, affecting one or a small number of departments, e.g. a localised computer virus, denial of access to a building, a minor power cut for a short period etc. However, minor incidents can sometimes become major incidents.

II. Major incidents require the implementation of the University's Major Incident Plan, providing they meet the plan's criteria of causing serious harm to staff, students, the University community or property. This is a plan focused on more serious/larger scale events, e.g. a national emergency, widespread media coverage of an incident, a power cut affecting the campus etc. Using the power cut example, the Major Incident Team (MIT) would focus on the urgent priorities, i.e. the welfare of people and the safety/security of buildings. In addition, a business continuity response would be required in terms of how the University would continue its important functions. Separate documentation exists which details the arrangements for managing major incidents.

3. AIMS AND OBJECTIVES BUSINESS CONTINUITY MANAGEMENT POLICY

The BCM policy is focused on protecting and recovering the critical activities of the University. A critical activity is one that would impact on the reputation of the University or have a serious impact on its financial position or customers of the University if it was not performed or resumed within an appropriate defined period. This is likely to include some activities in the following areas: teaching (including assessment), research, services provided to students and Professional Services such as IT, HR and Estates.

In the first instance business continuity plans will be developed which address the highest risk areas. Thereafter plans will be rolled out across all parts of the University and include activities that take place within Faculties, Departments, Schools, Institutes and Centres across the Hull and Scarborough Campuses. It will also include all areas of Professional Services. The University works with a number of partner institutions to deliver its services and a risk based approach will be adopted in terms of the University's expectations of these organisations having business continuity plans.

The Business Continuity Management policy has the following key objectives:

- To raise the profile of BCM within the University of Hull. This will include ensuring that staff are aware of the plans, their roles in them and receive appropriate training
- To embed Business Continuity into the culture of the University so it becomes an integral part of decision making
- To ensure that critical activities across the University are identified and that suitable business continuity arrangements are in place or developed for them
- To establish appropriate structures to plan for and respond to incidents
- To ensure that BCM arrangements are ongoing and subject to regular reviews, audits and exercises
- To develop and review business continuity processes for continuous improvement, in accordance with best practice.

4. MANAGING BUSINESS CONTINUITY

It is expected that over time all departments within the University will go through the Business Continuity management process. This will involve identifying critical business activities, the arrangements in place to continue to provide these activities in the event of a disruption as well as resource requirements.

Individual Departments/Schools/Centres will be expected to nominate appropriate people (Business Continuity Coordinators) to co-ordinate the development of their Department/School/Centre's Business Continuity arrangements. The Business Continuity Manager will provide support as required.

- Departments' business continuity plans will be reviewed by the Business Continuity Coordinators at least annually, and will also be updated when there are significant changes to personnel, premises, suppliers etc.
- Exercises to test a sample of the Business Continuity Plans will normally be held annually
- Training and awareness will be a key and ongoing part of Business Continuity Management.

5. ROLES AND RESPONSIBILITIES

University Business Continuity Lead (UBCL)

The University Registrar and Secretary has been assigned as the lead for Business Continuity Management across the University. This involves:

- Assisting with raising the profile of Business Continuity at a strategic level
- Chairing the Business Continuity Steering Group
- Confirming to the Executive and Council annually that the University's business interruption risks are being appropriately and effectively managed. This will include a progress report on the development of Business Continuity Plans and the outcome of exercises to test the plans.

University Business Continuity Manager

The University Business Continuity Manager is responsible for overseeing the Business Continuity activities on behalf of the University. This involves:

- Raising the profile of Business Continuity across the University as an ongoing responsibility and ensuring that information is available to staff (with the aim of embedding BCM into the activities of the University)
- Providing advice and assistance throughout the BCM process
- Developing appropriate guidelines and templates for Faculties and Departments to detail their business continuity arrangements
- Assisting in the development of overarching plans and providing advice to BC Coordinators in the completion of their Department's Business Impact Analysis (BIA) and development of their Department business continuity plans
- Ensuring that the University's arrangements are regularly reviewed and tested
- Providing or commissioning training for appropriate staff and leading on the development of University exercises to review arrangements that have been put in place

Business Continuity Steering Group

As the senior decision making group, the Business Continuity Steering Group is responsible for:

- Ensuring there is a consistent approach to Business Continuity across the University
- Supporting and endorsing BCM awareness raising regarding Business Continuity with the aim of embedding it into the culture of the University
- Monitoring the roll out of BCM across the organisation
- Reviewing the BCM policy to ensure it remains fit for purpose

Business Continuity Champions (Faculty/Professional Services Department level)

The Business Continuity Champion (each Faculty has one, as do some of the departments in Professional Services) will be nominated by the Deans and relevant members of the Executive. The role of Business Continuity Champions is to:

- Act as a first point of contact for Faculty and Departmental business continuity queries
- Attend relevant training and awareness sessions to develop knowledge and understanding of Business Continuity Management
- Ensure that the Faculty/Departments are engaged in the process
- Complete Faculty Business Continuity plans
- Attend corporately run exercises and participate in/lead the running of exercises for the Faculty as appropriate

Business Continuity Co-ordinators (Department level)

The Department Business Continuity Coordinator is nominated by the Head of Department to develop and maintain Business Continuity planning for the department. This will include:

- Attending relevant training and awareness sessions to develop knowledge and understanding of Business Continuity Management
- Completing the required documentation, with assistance from other members of the department
- Ensuring that Business Continuity plans remain fit for purpose and up to date
- Attending and participating in workshops and other events as required to develop the Business Impact Assessment and Business Continuity Plan and review and test the plan
- Attending University run exercises and participating in/leading the running of exercises for the department as appropriate

Staff

It is important that everyone at the University is aware of BCM. Staff should be aware of any arrangements in their department's plan that may affect them, including how they will be contacted/notified of an incident, what their role is during an incident, what they should do if they are not able to access their usual place of work, etc.

6. REPORTING STRUCTURE

7. BUSINESS CONTINUITY STANDARD TERMINOLOGY AND DEFINITIONS

Term (Abbreviation): Definition

Business continuity plan (BCP): Documented procedures that guide organisations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. NOTE: Typically this covers resources, services and activities required to ensure the continuity of critical business functions.

Business Continuity Management (BC): A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Impact Assessment (BIA): Process of analysing critical activities so that their timely recovery can be achieved. The BIA includes identifying an owner for the critical activity, key resources required to deliver the activity (e.g. personnel, premises, ICT), plans to recover unavailable resources and the maximum tolerable outage.

Critical Activities: Activities that would impact on the reputation of the University or have a serious impact on its financial position or stakeholders of the University if they were not performed or resumed within an appropriate defined period.

Exercise/test: A process of testing business continuity plans with a view to improving department, faculty and/or University business continuity plans.

Implementation: The technical practice within the BCM lifecycle that executes the agreed strategies and tactics through the process of developing the BCP.

Invocation: Act of declaring that an organisation's business continuity arrangements need to be put into effect in order to continue delivery of key products and services. This will usually be declared by the Head of Department.

Major Incidents: An incident will be classed as a Major Incident if the Emergency Services declare it as such or if the Head of Department, the Security Manager or the H&S Team consider the scale, duration (Maximum Tolerable Period of Disruption) and/or impact of the incident will or is affecting a strategic building/area/process and/or the core business function and/or the reputation of the University is under threat.

Major Incident Team (MIT): The Major Incident Team is a small team of Senior Managers who have the authority to make swift and major decisions in the event of a major incident. The MIT is chaired by the Registrar and Secretary and is supported by a core team of Service Heads and the Dean(s) of the affected Faculty as appropriate.

Minor incidents: Interruptions or disruptions that can be sufficiently disruptive to require the implementation of business continuity arrangements. They can be addressed by department business continuity plans. They are small scale events, affecting one or a small number of departments.

Maximum tolerable period of disruption (MTPD): Duration after which the University is irrevocably threatened if product and service delivery cannot be resumed.

Process: A set of interrelated or interacting activities which transforms inputs into outputs.

Recovery Time Objective (RTO): The period of time following an incident within which a product or an activity must be resumed, or resources must be recovered.

Recovery Point Objective (RPO): The maximum amount of data that may be lost when a service is restored after an incident. Recovery Point Objective is expressed as a length of time. For example, a Recovery Point Objective of one day may be supported by daily backups where up to 24 hours of data may be lost.

Test: See Exercise.