University Continuity Management Framework Policy
Classification number | LCG 1142 |
---|---|
Framework category | Legal, Compliance and Governance |
Approving authority | Board of Governors |
Policy owner | University Secretary |
Approval date | February 28, 2019 |
Review date | March 2022 |
Last updated | Editorial Amendments, February 18, 2020 |
Purpose
- The purpose of this Policy is to establish University-wide standards, which govern the development, implementation, and continual improvement of a Continuity Management Framework, promoting the University’s ability to withstand disruptive Occurrences, and maintain resilience and sustainability across the institution.
Definitions
-
For the purposes of this Policy the following definitions apply:
“Activity” or “Activities” means one or more tasks undertaken by, or for the University that produces or supports the delivery of one or more services.
“Business Impact Assessment” means the process of analyzing Activities and the effect that a Disruption might have on them.
“Continuity” means the capability of the University to continue delivery of services at acceptable predefined levels following a Disruption.
“Continuity Lead” means the assigned organizational unit representative.
“Continuity Plan” means a documented process that guides the University to respond, recover, resume, and restore to a predefined level of operation following a Disruption.
“Critical Function” means the critical operational and/or support functions that could not be interrupted or unavailable for more than a mandated or predetermined timeframe without significantly jeopardizing the University. Vital functions without which the University will either not survive, or will lose the capability to effectively achieve its objectives.
“Disaster” means a significant event involving widespread, long-term impacts and exceeds the capacity of the institution to recover operations without the assistance of external aid.
“Disaster Recovery” means the strategies and plans for recovering and restoring the organization’s technological infrastructure and capabilities after a serious interruption.
“Disruption” means an Occurrence that interrupts normal business, functions, operations, or processes, whether anticipated or unanticipated.
“Emergency Management Response Team" or “EMRT” means members that are responsible for the coordination and management of emergencies affecting Durham College and the University.
“Emergency” means an impending event, however caused, that constitutes a danger of major proportions and could result in serious harm to persons, substantial damage to property, or affects the core business and/or credibility of the institution.
“Minimum University Continuity Objective” means the minimum level of service that is acceptable to the University to achieve its business objectives during disruption.
“Occurrence” means an event that might be, or lead to, an Emergency or Disaster. An Occurrence can be described as either a Disruption (Continuity response) or incident (Emergency response).
“Prioritized Activities” means the Activities to which priority must be given following an Occurrence in order to mitigate impacts.
“University Continuity Management” means a holistic management process that identifies potential threats to the University and the impact to the operations that those threats, if realized, might cause, and which provides a framework for building resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and Activities.
“University Member” means any individual who is:
- Employed by the University;
- Registered as a student, in accordance with the academic regulations of the University;
- Holding an appointment with the University, including paid, unpaid and/or honorific appointments; and/or
- Otherwise subject to University policies by virtue of the requirements of a specific policy (e.g. Booking and Use of University Space) and/or the terms of an agreement or contract.
Scope and authority
-
This Policy applies to all University Members and extends to all Activities.
-
This Policy applies to all facilities the University owns, leases, or operates in at any capacity.
-
This Policy applies to all Administrative, Research, and Academic levels of the University.
-
The EMRT will provide strategic support for all response and Continuity Activities. Units will implement their Continuity and/or Emergency response plans and will report on Activities and resource requirements to the EMRT at regular intervals as defined by the operational period of the Emergency.
- The University Secretary, or successor thereof, is the Policy Owner and is responsible for overseeing the implementation, administration and interpretation of this Policy.
Policy
- Continuity is the key discipline that sits at the core of assembling and improving the resilience of the University. Continuity Management holistically identifies the University’s priorities and prepares solutions to address disruptive Occurrences.
-
Continuity Framework
- This Policy supports the design and implementation of Continuity Plans to protect and continue the operations of the institution, and support the strategic objectives in the event of any disruption to the University.
- The framework includes the identification of risks and threats, the creation of response structures and plans to address Disruption and Disaster, and promotes validation and continuous improvement. The framework is flexible to changes in the internal and external operating environment and delivers measurable value to the University.
-
General
- A framework methodology will be developed by the Office of Campus Safety in collaboration with Risk Management, to standardize the base information in a Continuity Plan, develop absolute and relative requirements for planning, and provide guidance for the units in creating Continuity Plans and strategies.
- Each unit will be responsible for the development and maintenance of a Continuity Plan that follows the University Continuity Management framework and methodology.
- Each unit will assign a Continuity Lead to act as the primary contact for the Continuity Plan throughout the development, implementation, and maintenance of the plan for their department.
- Emergency contact lists will be established by each unit and shared with the Office of Campus Safety, and maintained as part of the Continuity Plan. The Emergency contact lists will be updated annually.
- Continuity Plans will be reviewed and updated on an annual basis and will be submitted to the Office of Campus Safety.
- The Continuity Planning will include a Disaster Recovery Plan that addresses maintaining business processes and services in the event of a Disaster and the eventual restoration of normal operations.
-
Elements of University Continuity Management
- The University Continuity Management program will be established, based on the following elements:
- Raising awareness of Continuity through training and communication, embedding Continuity into the Activities of the University.
- Establishing a procedure to conduct a Business Impact Assessment to determine the Continuity requirements across the institution, identifying objectives, functions, and constraints of its operating environment.
- Identifying and recommending appropriate solutions to determine how Continuity will be achieved in the event of an Occurrence.
- Identifying and documenting the priorities, procedures, responsibilities, and resources that will support the University when managing an Occurrence. This should achieve Continuity of the Prioritized Activities and ensure recovery of disrupted Activities to a predefined level of service (the Minimum University Continuity Objective) within the planned time frames. This includes the development of a response structure that defines roles, authority, and skills required to manage an Occurrence.
- Exploring the Continuity solutions and response structure to ensure they reflect the size, and complexity of the University and its operation, and are accurate, effective, and complete.
- Administering ongoing maintenance and review to continuously improve the overall level of organizational resilience.
- The University Continuity Management program will be established, based on the following elements:
-
Roles and Responsibilities
- Senior Leadership Team
- Provide leadership, commitment, and resources as part of governance.
- Emergency Management Program Committee
- Ensure the University Continuity Management adequately reflects the University Continuity capability;
- Oversee, advise, and manage the University Continuity Management program, making recommendations, and reporting to SLT.
- Office of Campus Safety
- Develop and deliver an effective Continuity program, which includes the development of tools and resources, and facilitation and coordination of plans throughout the University;
- Support units in the development of their Continuity Plans; and support for continual improvement;
- Develop appropriate templates for the University to detail its arrangements, ensuring consistency in the program with flexibility to recognize dependencies and differences across units;
- Identify and recommend strategies that collectively support Continuity across the institution;
- Conduct annual audit and provide effective storage of all University Continuity Plans.
- Continuity Leads
- Attend relevant training and awareness sessions to develop knowledge and understanding of Continuity Management;
- Work with Office of Campus Safety to complete and maintain Business Impact Assessment to identify Critical Functions, needs, resources, and tools to continue operation of the unit during and after a Disruption;
- Work in collaboration with other Continuity Leads to identify dependencies and develop collective strategies;
- Develop, implement, and maintain Continuity Plans on behalf of the unit;
- Ensure the Continuity Plan adequately reflects the unit’s Continuity capability;
- Communicate the implications of unit changes that may impact the Continuity program;
- Conduct and participate in exercises, training of other staff and faculty at the University within their unit on all aspects of the Continuity Plan;
- Complete an annual review and update of the Continuity Plan;
- Initiate a response for the unit during an incident;
- Participate in training sessions, learning or Activity relevant to a Disruption post Occurrence.
- Risk Management
- Assist in the identification of Critical Functions for the intuition;
- Provide commitment and support in collaboration with Office of Campus Safety to Continuity management across departments;
- Provide institutional risk registers for the purposes of support in defining and describing risk at the University from an institutional perspective;
- Support in identifying potential Continuity management strategies;
- Consult on the composition of the Continuity management plans.
- All University Members
- Acknowledge roles and responsibilities during an occurrence to ensure effectiveness by understanding the Continuity program;
- Respond appropriately as outlined in the Continuity Plan.
- Information Technology Services
- Assist in the identification and strategy of Critical Functions that rely heavily on IT infrastructure or applications;
- Engage in the assessment of impacts as they relate to the availability of utilities or technology and in the development of plans that identify dependencies on IT resources;
- Develop, maintain, and test the Disaster Recovery Plan.
- Senior Leadership Team
Monitoring and review
-
This Policy will be reviewed as necessary and at least every three years. The Emergency Management Program Committee is responsible to monitor and review this Policy.
Relevant legislation
-
This section intentionally left blank.
Related policies, procedures & documents
-
ISO 22300:2012 Societal security – Terminology
ISO 22301:2012 – Societal security – Business Continuity Management systems – Requirements
Emergency Preparedness
Risk Management Policy
Good Practice Guidelines, 2018 Edition
Business Impact Assessment Procedures
Disaster Recovery Planning Procedures