Business Continuity Management
Summary description:
This document provides the rationale for developing a business continuity culture.
It details the University’s aims and objectives in this regard and identifies the key
roles and responsibilities.
Scope: All staff on the Hull and Scarborough Campuses.
With effect from: January 2014
Other related policies/documents: University Major Incident Plan, Campus
Closure.
Contact for further information:
Grace Dalley
Deputy Secretary
Email: [email protected]
Tel: 01482 465299
This document is available in alternative formats from the Committee
Section
Approved by: Vice-Chancellor, University Registrar & Secretary, Senior
Management Group.
Next due for review: January 2017
Reference to any superseded policy/amalgamations: not applicable
Relevant legal framework: Not applicable
Equality Analysis: Not applicable
Freedom of Information
This policy is publicly available through the University's Publication Scheme under
the Freedom of Information Act 2000.
Other professional standards reference points: ISO 22301:2012, Business
Business Continuity Management
1 BACKGROUND
The Executive has identified the lack of a robust business continuity plan as a strategic risk for the University. In 2011 internal auditors identified gaps in the University’s business continuity provision and external consultants Jermyn Consulting were engaged by the University in 2012 to complete a full review of business continuity and crisis management and report on its findings. The assignment involved a review of available documentation and structured discussions with representatives across the organisation. The University was benchmarked against the requirements of ISO 22301:2012 for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a business continuity management system. The findings of the review were disseminated and presented to the Executive and included a project plan and an indicative timeline for its implementation.
2 WHY DO WE NEED BUSINESS CONTINUITY MANAGEMENT?
Business Continuity Management (BCM) is a process that enables the University to proactively identify and minimise the impact of risks that could affect its objectives, operations and infrastructure.
BCM provides the capability for the University to ensure continuity of teaching and research, together with support for its students, staff, departments and faculties following any disruptive incident. Whilst the University does not have a statutory duty to undertake BCM, it is a business imperative; also the University has legal and moral responsibilities for staff, students and visitors and recognises the importance of this process in ensuring it can continue its critical activities after a disruption and to protect its reputation as a leading university in the UK.
I. Minor incidents: are interruptions or disruptions that can be sufficiently disruptive to require the implementation of business continuity arrangements. They can be addressed by departmental business continuity plans. They are smaller scale events, affecting one or a small number of departments, e.g. a localised computer virus, denial of access to a building, a minor power cut for a short period etc. However, sometimes minor incidents can become major incidents.
II. Major incidents: require the implementation of the University’s Major Incident Plan, providing they meet the plan’s criteria of causing serious harm to staff, students, the University community or property. This is a plan focused on more serious/larger scale events e.g. a national emergency, widespread media coverage of an incident, a power cut affecting the campus etc. Using the power cut example, the Major Incident Team (MIT) would focus on the urgent priorities i.e. the welfare of people and the safety / security of buildings. In addition, a business continuity response would be required in terms of how the University would continue its important functions. Separate
BUSINESS CONTINUITY MANAGEMENT POLICY
3. AIMS AND OBJECTIVES
The BCM policy is focused on protecting and recovering the critical activities of the University. A critical activity is one that would impact on the reputation of the University or have a serious impact on its financial position or customers of the University if it was not performed or resumed within an appropriate defined period. This is likely to include some activities in the following areas: teaching (including assessment), research, services provided to students and Professional Services such as IT, HR and Estates.
In the first instance business continuity plans will be developed which address the highest risk areas. Thereafter plans will be rolled out across all parts of the University and include activities that take place within Faculties, Departments, Schools, Institutes and Centres across the Hull and Scarborough Campuses. It will also include all areas of Professional Services.
The University works with a number of partner institutions to deliver its services and a risk‐based approach will be adopted in terms of the University’s expectations of these organisations having business continuity plans.
The Business Continuity Management policy has the following key objectives:
To raise the profile of BCM within the University of Hull. This will include ensuring that staff are aware of the plans, their roles in them and receive appropriate training
To embed Business Continuity into the culture of the University so it becomes an integral part of decision making
To ensure that critical activities across the University are identified and that suitable business continuity arrangements are in place or developed for them
To establish appropriate structures to plan for and respond to incidents
To ensure that BCM arrangements are ongoing and subject to regular reviews, audits and exercises
To develop and review business continuity processes for continuous improvement, in accordance with best practice.
4. MANAGING BUSINESS CONTINUITY
It is expected that over time all departments within the University will go through the Business Continuity management process. This will involve identifying critical business activities, the arrangements in place to continue to provide these activities in the event of a disruption, and resource requirements. Individual Departments/Schools/Centres will be expected to nominate appropriate people (Business Continuity Coordinators) to co‐ordinate the development of their Department/School/Centre’s Business Continuity arrangements. The Business Continuity Manager will provide support as required. Departmental business continuity plans will be reviewed by the Business Continuity Coordinators at least annually, and will also be updated when there are significant changes to personnel, premises, suppliers etc.
5. ROLES AND RESPONSIBILITIES
University Business Continuity Lead (UBCL)
The University Registrar and Secretary has been assigned as the lead for Business Continuity Management across the University.
This involves:
Assisting with raising the profile of Business Continuity at a strategic level
Chairing the Business Continuity Steering Group
Confirming to the Executive and Council annually that the University’s business interruption risks are being appropriately and effectively managed. This will include a progress report on the development of Business Continuity Plans and the outcome of exercises to test the plans.
University Business Continuity Manager
The University Business Continuity Manager is responsible for overseeing the Business Continuity activities on behalf of the University.
This involves:
Raising the profile of Business Continuity across the University as an ongoing responsibility and ensuring that information is available to staff (with the aim of embedding BCM into the activities of the University)
Providing advice and assistance throughout the BCM process
Developing appropriate guidelines and templates for Faculties and Departments to detail their business continuity arrangements
Assisting in the development of overarching plans and providing advice to BC Coordinators in the completion of their Department's Business Impact Analysis (BIA) and development of their Department business continuity plans
Ensuring that the University’s arrangements are regularly reviewed and tested
Providing or commissioning training for appropriate staff and leading on the development of University exercises to review arrangements that have been put in place
Business Continuity Steering Group
As the senior decision making group, the Business Continuity Steering Group is responsible for:
Ensuring there is a consistent approach to Business Continuity across the University
Supporting and endorsing the BCM awareness raising regarding Business Continuity with the aim of embedding it into the culture of the University
Monitoring the roll out of BCM across the organisation
Reviewing the BCM policy to ensure it remains fit for purpose
Business Continuity Champions (Faculty/ Professional Services Department level)
The Business Continuity Champion (each Faculty has one and some of the departments in Professional Services) will be nominated by the Deans and relevant members of the Executive. The role of Business Continuity Champions is to:
Complete Faculty Business Continuity plans
Attend corporately run exercises and participate/lead in the running of exercises for the Faculty as appropriate
Business Continuity Co‐ordinators (Department level)
The Department Business Continuity Coordinator is nominated by the Head of Department to develop and maintain Business Continuity planning for the department. This will include:
Attending relevant training and awareness sessions to develop knowledge and understanding of Business Continuity Management
Completing the required documentation, with assistance from other members of the department
Ensuring that Business Continuity plans remain fit for purpose and up to date
Attending and participating in workshops and other events as required to develop the Business Impact Assessment and Business Continuity Plan and review and test the plan.
Attending University run exercises and participating/leading in the running of exercises for the department as appropriate
Staff
It is important that everyone at the University is aware of BCM. Staff should be aware of any arrangements in their department’s plan that may affect them including how they will be contacted /notified of an incident, what their role is during an incident, what they should do if they are not able to access their usual place of work, etc.
7. BUSINESS CONTINUITY STANDARD TERMINOLOGY AND DEFINITIONS
| Term | Abbreviation | Definition |
|---|---|---|
| Business continuity plan | BCP | Documented procedures that guide organisations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. NOTE Typically this covers resources, services and activities required to ensure the continuity of critical business functions. |
| Business Continuity Management | BC | A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. |
| Business Impact Assessment | BIA | Process of analysing critical activities so that their timely recovery can be achieved. The BIA includes identifying an owner for the critical activity, key resources required to deliver the activity (e.g. personnel, premises, ICT), plans to recover unavailable resources and the maximum tolerable outage, |
| Critical Activities | | Activities that would impact on the reputation of the University or have a serious impact on its financial position or stakeholders of the University if it was not performed or resumed within an appropriate defined period |
| Exercise / test | | A process of testing business continuity plans with a view to improving department, faculty and/or University business continuity plans |
| Implementation | | The technical practice within the BCM lifecycle that executes the agreed strategies and tactics through the process of developing the BCP. |
| Invocation | | Act of declaring that an organisation's business continuity arrangements need to be put into effect in order to continue delivery of key products and services. This will usually be declared by the Head of Department. |
| Major Incidents | | An incident will be classed as a Major Incident if the Emergency Services declare it as such or if the Head of Department, the Security Manager or the H&S Team consider the scale, duration (Maximum Tolerable Period of Disruption) and/or impact of the incident will or is affecting a strategic building/area/process and/or the core business function and/or the reputation of the University is under threat. |
| Major Incident Team | MIT | The Major Incident Team is a small team of Senior Managers who have the authority to make swift and major decisions in the event of a major incident. The MIT is chaired by the Registrar and Secretary and is supported by a core team of Service Heads and the Dean(s) of the affected Faculty as appropriate. |
| Minor incidents | | Interruptions or disruptions that can be sufficiently disruptive to require the implementation of business continuity arrangements. They can be addressed by department business continuity plans. They are small scale events, affecting one or a small number of departments. |
| Maximum tolerable period of disruption | MTPD | Duration after which the University is irrevocably threatened if product and service delivery cannot be resumed. |
| Recovery Point Objective | RPO | The maximum amount of data that may be lost when a service is restored after an incident. Recovery Point Objective is expressed as a length of time. For example a Recovery Point Objective of one day may be supported by daily backups where up to 24 hours of data may be lost. |