Business Continuity Framework v

Transcription

1 UC Policy Library Business Continuity Framework Last Modified December 2017 Review Date March 2020 Approval Authority University Registrar Contact Officer Risk Manager Vice-Chancellor's Office Introduction This document identifies the approach adopted by the University to prepare for and maintain a level of business continuity in the face of disruption. The following content describes the framework that will allow decision makers to access information and resources that can assist in the ongoing running of the University in the event of disruption. This framework should be considered in conjunction with the University Emergency Management Plan (PDF, 1.73MB), Emergency Statute (PDF, 116KB) and the Risk Management Framework (PDF, 888KB). The Foundations of the Framework Responding to Disruption Disruption in this context is defined as an event that would cause the functions of University or a unit within the University to be materially impaired through loss of access to resources. Examples include the loss or a building, power outages, significant loss of staff due to illness (pandemic) or campus wide events such as earthquakes. The nature of the event should not define the response, rather it defines the scale. In order to be scalable, the structure must be consistent across the University. Experience with the seismic events of taught us that a detailed response plan (had it existed) could not be implemented because each event was different. The resources or lack of required improvisation and on the ground decision making. Page 1 of

2 The University s Emergency Management Plan sets out how the University will deal with a critical incident which is defined as: Any unplanned or unforeseen natural, or human-related event that disrupts normal business and may be a threat to life or property. The Emergency Management Plan sets out what procedures and resources are in place to respond to a critical event. The Business Continuity ( BC ) Framework compliments this Plan by delegating business continuity planning ownership and responsibilities to organisational units to determine their priorities and the mechanisms by which they will ensure that the resources identified are secured. This facilitates the involvement of individual staff in the actions required to ensure operating capacity continues. The 4 R s (Readiness, Response, Recovery and Reduction) The 4 R s (Readiness, Response, Recovery and Reduction) adopted from the New Zealand national and regional framework, form the foundations of emergency management at the University and are incorporated into the University s Emergency Management Plan, which is aligned to the University s Plan. Elsewhere in Australasia, the 4 R s may also be called the 2 P s and 2 R s (Prevention, Preparedness, Response and Recovery). Note: Diagram of the 4 R s A critical component of emergency management, business continuity ensures critical business functions and activities continue to run uninterrupted, or with minimal disruption when an event occurs. Business continuity represents a part of effective disaster risk management, as mitigation measures prior to an event to ensure that core business processes are resumed. Page 2 of

3 BCP Principles In general, the key principles of business continuity are: It is a journey, not a destination so continuous review is required. It is integrated into business of usual processes. It provides a structure to support decision makers when normal structures may be disrupted. Enables the maintenance of relationships between staff and the organisation in times of disruption. Provides clear guidance to staff as to what their role is in an event. Enables an organisation to address predetermined priorities to minimise the impact of losing access to resources in the institution. The key outcomes of implementing a business continuity framework for the University are to: Underpin the preparedness of the institution, Enhance the effectiveness of a response to an event, and Ensure that responses reflect the predetermined priorities and that there is a smooth transition from response to recovery from and event. For the University, business continuity planning facilitates: 1. The preservation of its assets and operations; 2. The return to business as usual as soon as practical. Business Continuity Planning The Five Key Questions 1. What, if anything, exists currently? 2. Who are your key contacts? Who needs to know WHAT and WHEN? 3. Who are your key stakeholders? 4. What are your critical functions/processes? 5. What are your critical items of equipment? Page 3 of

4 What controls are in place to manage disruption? How vulnerable are the controls? What, if anything, exists currently? This question was important to ask first, as some units had already invested time in formulating a BCP to a greater or lesser extent. Acknowledging and using work previously undertaken, where possible, was a key lever in obtaining the support of colleagues. Who are your key contacts? The key contacts are those people who the departments relied upon to get the functions of the department functioning. Generally the minimum group identified will be staff members. In the post-earthquake scenario the first contact was to check that staff members and their families were safe and ascertain who would be available to assist in getting the department functioning. Subsequent contacts would be initiated to provide updates on the University situation and or to request that staff members be available to assist in continuity projects. The contact details for this group needed to be available. Electronic lists can be obtained from the HR system but these are not always accurate and there is no guarantee that the HR system will be available in an emergency situation. Departments are recommended to maintain their own physical copies and also to ensure they are loaded in to all UC provided smartphones. Who are your key stakeholders? Key stakeholders are those who rely on the department for some form of service. An academic department may have research or consultancy contracts which may be impacted by an outage. The funder or sponsor would be regarded as a key stakeholder. In a campus wide situation, the stakeholders are likely to be external to the University. Critical considerations include consideration of the timing of the advice and the necessity to ensure that the stakeholder specific messaging is consistent with the wider University communications. What are your critical functions/processes? Critical processes are those functions that must occur, examples could include payroll, a long term experiment that could only occur at specific times such as a fruit ripening assessment. What are your critical items of equipment? Critical equipment are those items that are a department relies on to complete core activities. Generally these will be specialist items that require specialised support e.g. mass spectrometers that require recalibration by technicians who are based in Europe or -90 degree freezers housing rare samples such as Antarctic fish. In the former example the Page 4 of

5 issue is the time delay to having the machine back in service, in the latter the concern is to ensure that the contents of the freezer are not lost. BCP for Units, Library, Facilities and Information Technology Information Technology The Disaster Recovery Plan has been prepared and documents the response of the IT team in the event of a systems outage. Facilities (Engineering Services) Engineering Services hold the key responsibilities of ensuring that: Buildings are available for the use of the tenants; Services to the buildings are maintained; Review of alternate buildings. Contact lists of key contractors are maintained and are available to staff in the event of a call out at any time. Library The Library has a business continuity plan which focuses in particular on the unplanned closure of one or more libraries; severe or sustained impact to a range of core library service such as loss of access to online databases or to Learn; and dealing with significant real or potential damage to collections. Its key components include setting up of response teams, roles, contact lists and procedures to be followed in each scenario. All Units Contact details of all staff are held by leaders within the Unit (managers, team leaders, PVCs, HoDs and HoS). Monitoring and Assurance The University will regularly carry out a stocktake of the following: Impact analysis of the essential activities of the agency. This includes assessing the dependency of operations and services based on procurement arrangements and identifying the protection of resources that support delivery of essential services the University provides. Protection measures and procedures of both internal and external service capability, including those that support engagement team activities. Page 5 of

6 The effectiveness of the implementation of resilient solutions or adaptive capacity of the unit. Evaluation measuring effectiveness Regular reviews will be undertaken to ensure that departmental requirements are in place and appropriately maintained. These will be undertaken on a rolling basis ensuring that all units are reviewed on a triennial basis. The current plan is attached as Appendix 1. Key review activities include: checking of key contact details; o Ensuring hard copies of contact details are available; review of key stakeholders records; o Evidence of review Regular assessment of critical equipment; Regular evaluation of the mechanisms for mitigating vulnerability of critical equipment. Auditing The University may employ the following auditing practices and mechanisms Health checks. These would be undertaken by the Office of the Registrar as part of an ongoing review and improvement programme. The tool used to assess the departmental BCP is in Appendix 2. Internal Audit reviews Internal Audits reviews would be incorporated as necessary as part of the agreed internal audit plan. Reporting An annual report will be provided to the Audit and Risk Committee of Council and a six monthly update of progress will be provided to the SMT. Related Documents and Information UC Policy Library Emergency Management Plan (PDF, 1.73MB) Emergency Management Policy (PDF, 3Kb) Page 6 of

7 Emergency Statute (PDF, 116KB) Risk Management Framework (PDF, 888KB). UC Website and Intranet UC Plan. External The Guide to the National Civil Defence Emergency Management Plan 2015 (Ministry of Civil Defence & Emergency Management website) Document History and Version Control Table Version Action Approval Authority Action Date 1.00 Policy development and inclusion on the UCPL University Registrar Dec 2017 Page 7 of

8 Appendix 1 Review Plan Focus Areas for ) Service Areas a) Engineering Services b) IT To be checked at the end of 2018 around September c) Payroll d) Timetabling 2) Actions for 2018 Apply Audit Tool to above Service Areas and 5 academic departments (one from each College). The purpose of the Review Plan is to ensure that there are resources in place to allow the Unit/Department to response to disruption mitigation measures in place. Page 8 of

9 Appendix 2 Review checklist - generic Department: SMT Member responsible: Manager: Review date: Reviewer: Activity Communication details held: Electronic Hard Copy Who is responsible for maintenance of the list? Details are accurate Responsible Manager is able to reach staff in a timely manner. Key Stakeholders: Identified and current contact details held Who is responsible for maintenance of the list? Critical Functions Are the critical functions identified if so where? (Operational Plan, BCP etc.) Are these functions requiring external support? If so how will support be actioned contracts, contact details etc. Who is responsible for maintenance of the contacts list? Critical Equipment Is the critical equipment identified if so where? Is alternative equipment available if needed? o How fit for purpose will that alternative equipment be in the future? (Operational Plan, BCP etc.) Can the department access external support? If so how will support be actioned contracts, contact details etc. Who is responsible for maintenance of the contacts? Plan Complete Plan Incomplete Page 9 of

10 Appendix 3 Significant Strategic and Operational risks identified Page of