Policies and Procedures
Policy 101 – Business Continuity Planning
March 19, 2010
March 19, 2010
Director of Risk Management Services
Risk Management Services
The University requires that all campus departments prepare and maintain a current, written and tested plan of action for unexpected events which may disrupt their normal business operations. Examples of these types of disruptive events include, but are not limited to, fires or natural disasters, information technology and telecommunications interruptions, utilities outages, communicable diseases on a pandemic scale, environmental emergencies and human-related disruptive events.
These business continuity plans help to ensure that maximum possible service levels are maintained during these unexpected events and that campus departments recover from interruptions as quickly as possible. Business continuity plans should at a minimum identify mitigation strategies for interruptions involving: 1) employees and staff; 2) utilities; 3) information technology and telecommunications; and 4) campus facilities or other workplace requirements.
Reason for Policy
The University requires a plan of action to be in place prior to an unexpected or catastrophic event in order to minimize the degree of impact when such an event occurs. These plans provide an organized support system to the entire University population, allow critical services to continue functioning during the event, and hasten the resumption of normal operations following the event.
While the University attempts to plan for reasonable, worst-case scenarios, we cannot foresee every possible event that may interrupt our operations. Business continuity plans are not required to address every possible scenario that could cause an interruption, but should plan for the "effects" of any interruption. Plans should be flexible, practical and achievable.
Certain campus departments are responsible for centralized core services that support the entire University. Examples of these departments include, but are not limited to, Energy Services, Facilities Services, Public Safety, Information Technology Services, Human Resources, Environment, Health and Safety and Finance and Accounting. Departments that provide these campus-level services are responsible for the business continuity planning of such services and communicating these plans to their stakeholders.
Departments that rely on these core campus level services should develop their plans in accordance with their service providers. The Continuity of Operations Plan templates offered by Risk Management Services include a section for identifying internal and external dependencies.
- 101.1 - Preparing Business Continuity Plans
Frequently Asked Questions
Q: Who should have a business continuity plan?
A: All campus departments should maintain a written business continuity plan and update it on an as-needed basis. Campus departments have discretion as to the organizational level for which they write their plan. For example, some departments may develop individual plans for each unit or location while others may develop one overall plan. The important thing is that the plan (or plans) is effective, practical and current.
Q: How often should my department's business continuity plan be updated?
A: Business continuity planning is a continuous process and a robust plan needs to be flexible to deal with changing situations. Departments should review their plan at least annually to address changes in personnel, critical functions, facilities and other infrastructure needs.
Q: Who in my department is responsible for writing our business continuity plan?
A: Developing an effective business continuity plan is a collective effort that should include your department's senior leadership. Campus departments should also utilize those employees, stakeholders or other resources that can contribute to this planning process. Departments should also assign a plan administrator who is responsible for the maintenance and updating of the plan.
Q: Once my department's plan is developed, what should we do with it?
A: Campus departments should keep their business continuity plan in a place where it is easily accessible when needed. Remember that your campus building may not be accessible during a loss, so backup copies should also be maintained at an off-site location. An electronic copy that can be accessed remotely should be made available to all necessary stakeholders. Departments should also send a backup copy to Risk Management Services, which maintains all campus plans. In the event of a disaster, Risk Management Services can access your plan if all other options are unavailable.
Q: How do we test our plan?
A: There are a number of strategies for testing your department’s plan. One of the more effective ones is conducting a table-top exercise where you simulate a particular loss scenario in a controlled setting and then address how you would respond to that situation. Table top exercises should involve all those who will have a primary role in your department's recovery. The University also conducts campus-wide table top exercises on a routine basis. You may also contact Risk Management Services for additional information on how to test your plan.
Q: Is my department's business continuity plan responsible for addressing campus-level responsibilities such as power and other utilities?
A: Campus departments that are responsible for centralized core services that support the entire University are responsible for addressing these. However, your department should be familiar with the campus level planning that is already in place in order to determine how your plan may dovetail with the plans of these core services. During the planning process, your department will be expected to address both internal and external dependencies and how to operate without them.
101.1.1f - Pandemic Influenza - Continuity of Operations Plan Template
101.1.2f - Facility Resiliency - Continuity of Operations Plan Template
Guide to Business Continuity and Recovery Planning on Campus
|Business Continuity Planning||Risk Management Servicesfirstname.lastname@example.org|
March 19, 2010