Director of Business Assurance. Business Continuity Officer


University of Sunderland
Business Continuity Policy and Process

Policy Reference Central Register:
Policy Reference Faculty / Service:
Policy Owner: Director of Business Assurance
Date Policy Written: Amended December 2015
Date Policy Last Updated: N/A
Author: Business Continuity Officer
Date to Business Assurance Board: February 2016
Date to Audit Committee: February 2016
Date for next review: February 2017
Comments:

Business Assurance, 4th Floor, Edinburgh Building

1. Introduction

Business Continuity Management (BCM) is important to the Higher Education sector as it ensures the continuity of teaching and research programmes as well as all commercial and support activities. In addition, it demonstrates to funding bodies and other external stakeholders that engaging with the University of Sunderland is as assured an arrangement as possible. The principles of Business Continuity in Higher Education are shared and promoted via the Higher Education Business Continuity Network (HEBCoN).

The following diagram, The BCM Lifecycle, depicts the best practice process that should be followed in order to successfully develop Business Continuity Plans (BCPs) and integrate BCM into the organisational culture of the University.

[Figure: BCM Lifecycle : British Standard]

This Policy aims to inform, implement and embed Business Continuity into the culture of the University. Its successful delivery means that the University can confidently strive towards fulfilling its vision:

"To be recognised as one of a new generation of great civic universities - innovative, accessible, inspirational and outward looking; with global influence and remarkable local impact"

The increasingly competitive environment of the Higher Education sector has resulted in Universities placing more of an emphasis on Business Continuity. This is especially true given the developing concept of the customer and the continued recognition of the importance of meeting (if not exceeding) customer expectations. The ability to continue to deliver Critical Functions at the expected level following an interruption may be achieved through good fortune; however, it is only through the introduction of a Business Continuity framework that this can be guaranteed.

Recognising this, the University of Sunderland has defined Critical Functions as areas of the University that would impact on its continued ability to operate and trade successfully and which would be likely to result in financial, legal, reputational or human welfare damage being experienced. The Business Assurance Service have identified what they believe to be the critical functions within the University and it is these areas which will be the initial focus of BCM during the next 12 months.

2. Purpose and Scope

This policy provides a strategic framework for the implementation of BCM and applies to all University Services, Faculties, London Campus and other subsidiary companies. The end product of the BCM process will be a set of Business Continuity Plans that will mitigate the effects of a business interruption by reinstating critical functions as a matter of urgency. Plans will detail the resources and alternative arrangements that should be taken into consideration when reinstating functions.

BCPs will dovetail with the existing Incident Response and HSE Plans, taking into account call out procedures and things such as the roles of key members of staff. It is likely that plans from all three of these areas could be activated at the same time and the University should therefore recognise the potential impact that this could have on any response.

Plans will initially focus on Service and Faculty areas and will not be incident/interruption specific. Agreement will be sought from Services and Faculties about the criticality of functions that have been identified prior to the commencement of any BCM work in those areas. It is recognised that there are activities that would not be captured as a critical function, e.g. Open Days; however, it is equally important to have BCPs in place for such events. It is proposed that a list of alternative critical events will be captured as a result of discussions that take place.

Further development within the area of Business Continuity will include developing site/campus specific plans and encouraging partners/suppliers to have their own BCPs in place, embedding this into the procurement process. Business Continuity will be added as an additional area of focus for all business assurance reviews. This will ensure that Business Continuity arrangements are considered for each area being reviewed and will consequently improve resilience across the University.

BCPs will be developed in accordance with guidance suggested by the Business Continuity Institute (BCI), International Standard 22301, Resilience within Higher Education Guidance, HEBCoN and the experience of the Business Assurance Service.

3. Definitions

- Business Continuity: The concept of ensuring that critical functions of the University remain deliverable in the event of a business interruption.
- Business Interruption: Any event that has the potential to disrupt day to day activities of the University. It is commonly recognised that there are 6 general causes of business interruption: loss of staff, accommodation, IT Services/Systems, documentation, utilities and contractor failure.
- Critical Function: Functions or Services that are vital to the delivery of the University's business. The loss or interruption of such functions could cause significant financial, legal, reputational or human welfare issues for Staff, Students or customers.
- Business Impact Analysis (BIA): A process that allows functions to be analysed so that their criticality can be determined, the impact of their loss is understood and the resources required to reinstate them identified.
- Business Continuity Management Plans: An agreed plan that ensures that Services and/or Faculties can continue to deliver their critical functions in the event of a business interruption.

4. Roles and Responsibilities

All employees of the University should have an understanding of Business Continuity. The Business Continuity process will involve employees from across the University, which will help to embed Business Continuity into the University. The key roles and responsibilities are detailed below:

Role: Director of Business Assurance
- University's Incident Manager.
- Owner of the University's incident management/business continuity framework.

Role: Business Continuity Officer
- To drive the Business Continuity process within the University and guide Services and Faculties through the process.
- To create BCPs for the University and hand over those plans to Faculties and Services.
- To create and deliver training events across the University which will test plans and raise awareness of Business Continuity practices.

Role: Deans of Faculty / Directors of Service
- Internal drivers and supporters of BCM who will lead on the completion of the process and the further embedding of Business Continuity into the University.

Role: University Staff
- To contribute to the Business Continuity planning process.
- To share information on how their functions are delivered.
- To have awareness of BCPs and procedures once developed.

5. Approach

In order to successfully embed Business Continuity within the University we will follow recognised best practice and the Business Continuity Lifecycle introduced in Section 1. The process which follows reflects the best practice lifecycle and provides a methodology suitable for delivery within the University.

[Figure: BCM process cycle]
1. Gaining Executive Support
2. Identifying Critical Functions
3. Agreement of Critical Functions
4. Populating the BIA
5. Developing BCPs
6. Sign off of BCPs
7. Reporting to BAB
8. Review/Challenge/Test

Refer to Appendix A for further detailed information.

6. Identification of Critical Functions

Critical functions have been identified across the University. These are identified in Appendix B, and will be the initial focus of the roll out of BCM work. BCPs will be produced for these as a priority. Subsidiaries, the Executive and key IT Systems will be addressed once initial BCPs have been established.

7. Business Impact Analysis (BIA)

BIAs are an element of the Business Continuity process. They are used to gather information on critical functions and will inform BCPs. An example of a BIA has been provided at Appendix C.

The BIA process will gather:
- General information on where the function is carried out and what it involves.
- How long the University could survive without the function.
- Are there any time sensitivities? (Critical periods when the function becomes more important to be reinstated)
- The impact of losing the function.
- The type of interruption that threatens the delivery of the function. (Staff, buildings, IT, Utility or Supplier related)
- The resources required to reinstate the function. (Staff, accommodation, IT etc.)
- Dependents and Dependencies.
- Single points of failure.

The BIA process will be instigated by the Business Continuity Officer once critical functions have been agreed by Deans and Directors. Meetings will take place with function managers in order to gather the information required to develop the BCP.

8. Business Continuity Plans

A BCP is an agreed plan designed to ensure that Services and/or Faculties can continue to deliver their critical functions in the event of a business interruption. The BCP will present the resources and actions needed to reinstate a Service / Faculty or Function. Refer to Appendix D.

In addition, actions and points to be considered in relation to the five general causes of business interruption will be provided, along with any other supporting guidance or documentation which will aid the reinstatement of the function.

Agreed BCPs will be handed over to Faculties/Services and will become their responsibility to maintain, with the support of the Business Continuity Officer, who at this time will implement a regular verification process to ensure continued compliance with policy.

9. Training and Education

In order to fully embed Business Continuity into the University and to ensure that plans remain fit for purpose, a training and exercise calendar will be created once plans are in place.

Appendix A: BCM Process Diagram

There are 8 stages to successfully creating BCPs and integrating Business Continuity into the University. They are:

Stage 1 - Gaining Executive Support: Executive approval is sought on the proposed Business Continuity Process, the identified critical functions and the prioritised work plan.

Stage 2 - Identify Critical Functions: The Business Assurance Team carries out an initial scoping exercise to identify the critical functions that will form a prioritised work plan.

Stage 3 - Agreement of Critical Functions: The views of Deans / Directors and their senior teams will be sought on the critical functions identified within their area.

Stage 4 - Populating the BIA: Once an agreement has been reached about the criticality of functions, meetings will be arranged with operational managers to aid the completion of the BIA and provide essential details about how the function will be reinstated.

Stage 5 - Developing BCPs: After populating the BIA, the Business Continuity Officer will use the information provided to create a BCP for each critical function.

Stage 6 - Sign off BCPs: Once BCPs have been developed for areas within a Faculty or Service, these will be presented to the Deans and Directors to which they relate for agreement.

Stage 7 - Reporting to Business Assurance Board: Following sign off of the BCP by Deans / Directors, a summary of completed plans, along with any recommendations made by the BCO, will be reported to the Business Assurance Board for information on a six-monthly basis.

Stage 8 - Review/challenge/test: In order for a BCP to remain current it should be exercised and reviewed on a regular basis.

Appendix B: Critical Functions - Services

Each entry below is listed as Function: Description, grouped by Service.

Academic Services
- Timetabling/Attendance: Establishing and maintaining the timetabling system. This function works in partnership with Faculties to ensure that lectures are appropriately accommodated.
- Graduation: Production of parchments and organisation of ceremonies.
- Examination Timetabling: Working in partnership with Faculties to schedule examinations in suitable locations at appropriate times.

CEI
- Yet to be determined

Facilities
- Security: Physical security of the estate, staff and students.
- Logistics (Inc. postal services, move services and stores): Postal Services, move services and stores provision for the University.
- Domestic Services/Facilities Support: Cleaning and maintenance of the estate.
- Energy Management: Estate related and links with providers.
- Travel and Transport: Campus bus (Sunderland) and car parking
- Residential Services: Accommodation provision for students and external contracts.
- Childcare: Onsite nursery for the local area.
- Catering Management: Onsite catering - delivered by stakeholders
- Estates Operations: Operability of the estate

Human Resources
- HSE: Safeguarding, prevent and general HSE on all campuses.
- HR Management Systems and info: Supporting info to be available for all areas of the University. E.g. Chris21, Equality and Diversity.

IT
- Operations: Front line response service for staff and students.
- Development: Developing and seeking to improve IT provision across the University.
- IT Service Management: The management of IT Service provision across the University.

Legal Governance and Business Assurance
- Information Governance: The management of information held by the University.
- Data Protection: The management of personal data held by the University.
- Insurance: Ensuring that insuring the estate, staff and students (Where applicable)
- Incident/Investigations: Taking control of incidents/investigations across the University to ensure they come to a positive conclusion.
- Emergency Planning: Response and planning of how to manage incidents.
- Business Continuity: Responding to business interruptions and providing advice when required.
- Fraud and Bribery: The lead contact for any fraud/bribery investigations that need to take place across the University.

Marketing and Recruitment
- Student Recruitment: Recruitment of home and EU Students.
- Admissions: Processing of student applications.
- International Recruitment: Recruitment of International Students from outside of UK and EU.
- Communications: Release of agreed material to the media including social media.
- UKVI: Ensuring the University maintains its UKVI licence.

Planning and Finance
- Student Records: Processing of fees, enrolment and visa tracking.

Student and Learning Support
- Library Services: Two sites at Sunderland and one site in London.
- Student Services: Financial aid, health and wellbeing, counselling.
- Web and Learning Technology: Ensuring that the opportunity to utilise web based technology is maximised across the University.

Appendix B: Critical Functions - Services

Each entry below is listed as Function: Description, grouped by Faculty.

Faculty of Arts, Design and Media
- Boards and Academic Awards: Programme and module assessment boards.
- Teaching: The teaching of courses covering 16 departmental areas.
- Student Experience: Attendance monitoring, disability and student support, timetabling.
- Health and Safety: Ensuring the health and safety guidance is adhered to within the faculty.

Faculty of Applied Science
- Health and Safety: Ensuring the health and safety guidance is adhered to within the faculty.
- Teaching: The teaching of courses covering 8 departmental areas.
- Student Experience: Attendance monitoring, disability and student support, timetabling.
- Boards and Academic Awards: Programme and module assessment boards.

Faculty of Education and Society
- Teaching: The teaching of courses covering 3 departmental areas.
- Health and Safety: Ensuring the health and safety guidance is adhered to within the faculty.
- Boards and Academic Awards: Programme and module assessment boards.
- Placements: The organisation and management of student placements.
- Student Experience: Attendance monitoring, disability and student support, timetabling.

Faculty of Business and Law
- Teaching: The teaching of courses covering 3 departmental areas.
- Student Experience: Attendance monitoring, disability and student support, timetabling.
- Boards and Academic Awards: Programme and module assessment boards.

Appendix C: Business Impact Analysis

Essential Information
- Critical Function
- Sub Functions (if applicable)
- Urgency to be reinstated
- Time Sensitivity (if applicable)

Time / Impact of an interruption or loss of function
- Immediate
- Reputational
- Financial
- Legal
- Security
- Environmental
- Welfare

What threatens the function?
- Loss of staff
- Inaccessible building
- IT/Systems Failure
- Electricity/Utilities loss
- Supplier/Stakeholder/contractor failure

Stakeholders affected by the interruption

Function is dependent upon

Single points of failure (if applicable)

Contingency Arrangements: Create as required - linked to real threats

Staffing
- Normal Provision
- Minimum Provision
- Alternative Provision

Accommodation
- Normal Provision
- Alternative Provision

IT Systems/Services
- Essential Provision
- Timescale required
- Contingency Arrangements

Electricity/Utilities loss
- Loss of water
- Loss of gas
- Loss of electricity

Loss/interruption as a result of supplier/stakeholder failure
- Supplier/Stakeholder
- What they provide
- Contingency

Key Contacts
- Contact Name/Department/Organisation
- Contact details

Recommendations
Contingency arrangements that are not in place.
- Ref
- Recommendation
- Date ed
- ed by

Appendix D: Incident Prompt List

As per Contingency Arrangements.

Loss of staff:
The following actions and considerations should be taken in the event of a business interruption which has been caused by a loss of staff:

Loss of building:
The following actions and considerations should be taken in the event of a business interruption which has been caused by a loss of a building:

Loss of IT Systems:
The following actions and considerations should be taken in the event of a business interruption which has been caused by IT failure:

Loss of utilities:
The following actions and considerations should be taken in the event of a business interruption which results in the loss of utilities:
- Water
- Gas
- Electricity

Loss of Suppliers or Stakeholders:
The following actions and considerations should be taken in the event of a business interruption which has been caused by IT failure:

Supplier / What they provide / s