Transcription
Business Continuity StrategyJanuary 2020
Business Continuity Strategy1) IntroductionThe University of Lincoln recognises the need to improve the resiliency of the University against known andperceivable threats, risks and disruptions both planned and unplanned.The purpose of the University’s business continuity strategy is to;a) Define the University’s approach and commitment to Business Continuity.b) Ensure that the operational risks directly associated with the University’s critical activities can beidentified.c) Outline the framework by which the University will recover key business priorities and functions followinga disruption or major incident.d) Clarify roles and responsibilities in relation to Business Continuity planning and management.e) Clearly define the business continuity process and how it is embedded and monitored regularly across theinstitution.2) Scopea) The University of Lincoln will implement business continuity planning to limit the damage of any foreseenor unforeseen business interruptions, returning the University back to business as usual, effectively andefficiently, whilst ensuring the safety and welfare of staff, the protection of property and premises andthe reputation of the University.b) Business continuity plan owners will be identified and a business continuity plan will be produced by eachSchool and Professional Service department with assistance from the Planning and Business Intelligenceteam.c) School plans will be overseen at local College level by the College Leadership Team and Director ofOperations as appropriate.d) Business Continuity plans will be produced and documented in the standard format using the SharePointonline Portal system administered by Planning.3) Objectivesa) Identify critical business activities and functions for each area.b) Assess the impacts over time of not performing these activities and functionsc) Identify and set prioritised timeframes for resuming these activities and functions at a specified minimumacceptable level, taking into account the time within which the impacts of not resuming them wouldbecome unacceptabled) Take into account operational systems (including ICT systems), people, premises, stakeholders (thirdparties) in identifying recovery each School/Department’s requirements and resources, as well as legal,reputational and other requirements.January 20202 Page
Business Continuity Strategye) Provide strategic information for the incident management team to manage recovery resources from aninstitutional point of view by way of over-arching plans or summary information from individual businesscontinuity plans where appropriate.f) Review plans annually (or as a result of a major departmental/structural change or where new activitiesare identified to be at particular risk) by the plan owner with the assistance of Planning using the onlinesystemg) Business Continuity Plans will be completed for all Colleges and Professional Service Departments at theBrayford, Riseholme and Holbeach campuses.h) Diagram 1 below illustrates the processes undertaken to establish a BC programme for critical and noncritical activities.Identifythe RisksReviewannuallyThe am 1 Process map for business continuity planningJanuary 20203 Page
Business Continuity Strategy4) Implementationa) The Director of Planning and Corporate Strategy is responsible for ensuring the implementation and dayto day management of the University’s Business continuity process. The Director of Planning andCorporate Strategy on an annual basis will; consider the resources allocated to business continuity by reviewing the needs of maintaining andimproving the BC processtake into account the installation of resiliency measures aligned to perceived riskconsider the strategic needs of the Universityb) The Director of Planning and Corporate Strategy is required to ensure that BC plans are in place across thewhole of the University of Lincoln.c) The Director of Planning and Corporate Strategy is responsible for ensuring all plans are backed up inappropriate formats.5) Budget Activitiesa) Where significant expenditure is required to mitigate significant risks and to ensure the resiliency of theUniversity, a business case will be put forward by the BC plan owner, with the assistance of the Directorof Planning and Corporate Strategy. Where appropriate this will be escalated to the SLT / resourced inaccordance with the perceived risk and availability of resources.b) All expenditure relating to a “live” incident will be allocated against a dedicated budget cost code, so thatexpenditure can be analysed and form part of an evaluation report. The Finance department areresponsible for notifying the IMT of the dedicated budget code and for maintaining and reporting financialinformation utilised during real incidents.6) Business Continuity Roles and Responsibilitiesa) Business Continuity Review ManagerResponsible for oversight of the Business continuity programme across the institution.The BC Review Manager has full authority for the implementation of the BC programme and the allocation ofresources in relation to BC activity.i)To ensure that business continuity resources are allocated effectively and in accordance with theneeds of the incident and the Incident Management Team (IMT) to minimise impacts and promoterecovery.ii) The current post holder is the Director of Planning and Corporate Strategy.b) Business Continuity & Risk Leadi)To provide advice on all BC and risk related matters.ii)To ensure that there is a clearly defined BC process in place across the institution.January 20204 Page
Business Continuity Strategyiii) To ensure that resiliency strategies through the business continuity plans are in place across theUniversity in accordance with the needs of the Director of Planning and Corporate Strategy and theIMT and to monitor and report on all business continuity activities.iv) To work with BC Plan owners (and in particular, ICT with regards to the IT Disaster Recovery plan) andto liaise, where appropriate, in managing expectations and implementing appropriate solutions.v) To ensure plan owners fulfil their responsibilities.vi) To work with all plan owners and their teams to ensure plans are tested regularly and embeddedlocally.vii) The current post holder is the Senior Business Intelligence Officer (BC & Risk).c) BC Plan Ownersi)Responsible for the maintenance and review of all BC documentation relating to their area ofresponsibility.ii) Responsible for the embedment of business continuity within their teams, and to ensure the plan isshared and is accessible to relevant areas of their teams.iii) Responsible for integrating resilience measures within their area of responsibility and with peers,through day to day activities.iv) To appoint deputy responsible persons to ensure that business continuity planning is up to date anda team leader is available during any invocation requirements.7) Business Continuity Invocation Processa) Plan owners must request permission from the IMT before they invoke their plan to ensure that acoordinated and managed response to incidents is achieved.b) Plan owners must provide Information to the IMT regarding: Incident impactRequest to invoke and resources requiredEstimated Return To Operation timeRisk recovery assessmentConfirmation of contact details to be utilised between IMT and BC Plan owner for the duration ofthe recovery.c) Resource Requirements –These are to be detailed in the business continuity plan and should include (but not be limited to) People Systems (information and data, ICT requirements, equipment, consumables) Premises (buildings, work environment and associated facilities) Equipment and consumables Stakeholders (partners, suppliers, reciprocal arrangements)d) Plan owners must contact the IMT through either: January 2020The Incident Manager or Security Team ext 6062 / 01522 8860625 Page
Business Continuity Strategy Email to imt@lincoln.ac.ukThe methodology communicated by the IMT8) Incident Management Teama) The IMT will be made up of standing members with co-opted members brought in to deal with specificincidents. The Incident Manager may invoke a partial IMT team to convene to make initial decisions whichmay lead to the establishment of the full IMT should it be deemed necessary (see separate IMT policy fordetails)9) BC Solutionsa) The BC & Risk Lead will work with key individuals in relation to BC to identify and implement solutionsthat are readily available, cost effective and meet the needs and expectations of the critical activity owner,the staff, the students, the SLT and the wider community. Where additional resources are required, alloptions will be presented in a business case. The Director of Planning and Corporate Strategy will decideon the most appropriate solution or escalation of the business case, in accordance with the University’sexisting formal processes.b) Solutions and outstanding risk mitigation actions will be managed through the BC process and escalatedwhere necessary to the High Level Risk Register.10)Critical CriteriaAn activity, service or product will be deemed critical dependant on the impact it has to the whole organisationor to a significant number of academic programmes and support directorates.11) Embedment of the Strategya) Exercising BC PlansBC Plans will be exercised utilising, Walk Through, Desktop and periodically simulated exercises whereappropriate, managed by the Director of Planning and Corporate Strategy.b) Training of BC PersonnelAll staff involved with the development of Business Continuity plans will receive training to enable them toimplement business continuity actions in accordance with this Strategy, managed by the Director of Planningand Corporate Strategy.c) Review of StrategyThe Director of Planning and Corporate Strategy is responsible for the implementation and maintenance ofthis strategy. This strategy will be reviewed annually and when significant changes occur, the policy will bepresented to the SLT for approval.January 20206 Page
implement business continuity actions in accordance with this Strategy, managed by the Director of Planning and Corporate Strategy. c) Review of Strategy . The Director of Planning and Corporate Strategy is responsible for the implementation and maintenance of this strategy. This strategy will be reviewed annually and when significant changes .
