Your BCP in 5 Steps

A Business Continuity Plan can be as long or as short as a department, unit or division requires – there is no one size fits all, and not everything listed in the 5 steps will be relevant to your area; the key is to ensure that the BCP is easily accessed, easily updated and easily adopted should the need arise. The overarching goal of the BCP planning process is to assist each unit to recover to a fully operational level within 30 days of a major interruption, with interim timelines based on function criticality. Key to your BCP is knowing how your services intersect with and depend on those covered by the institutional BCPs noted under Tab One; consider these intersections as you think of your own, local BCPs.

Planning Assumptions:

Assume that either a severe staffing loss or damaged facility could severely impact technology resources on campus, and that information technology resources will be unavailable at the onset of an emergency.

The following should also be taken into consideration as you plan:

  • Emergencies and crises may occur at any time of the day or night, weekday, weekend, or holiday, with little or no warning;
  • Emergency response and associated recovery efforts will be influenced by the changing patterns of services, facility use and present campus population through the normal cycles of the academic calendar;
  • Crises may be community-wide, so it is necessary to plan for and carry out crisis response and short-term recovery operations in conjunction with other campus and local resources.

Guidance: (not everything listed in this step will be relevant to your area)

Planning assumption: during an emergency, your unit may experience a disruption in your operations due to:

  • High staff absenteeism
  • Unavailability of supplies and materials
  • Interruptions to services like power, transportation and communications.

Objective of the business continuity planning process

To determine how your unit will maintain essential services/functions in the event of an emergency.

Determine acceptable levels of service during the recovery period, and what processes need to be maintained or restored first to keep the business running. This means that your unit may be forced to modify, reduce, or even eliminate specific services/functions to cope with the impacts of the emergency. These impacts may be felt across the organization or localized to specific business units. As you begin discussions, you may find that you have existing resources that you can use to extract information about essential services in your organization (e.g., pandemic plans,  etc.).

Functions/Operations are broken down in to three tiers/timelines:

Tier I – Critical Functions: Must be operational within 72 hours and are normally overseen/provided institutionally 

  • Also known as essential services in emergency situations. Defined as those services or activities usually provided by the institution as part of shared services BCPs including those required to provide food and shelter to students in residence; protection of the health and safety of humans through EHS, the Hazardous Materials Group, etc; full and complete care of animals in research capacities; and all services of security, safety and regulatory personnel. Critical Business Functions have been defined as payroll continuity and systems continuity (AMS, VPN, UT Alerts, etc). Critical services shall include those providing continuous access to buildings and grounds, communications, and indirect support such as building operations, preservation of infrastructure, utility systems, material procurement and certain contract and legal activities. (Examples: campus safety, hazardous material clean-up, physical plant operations, at-risk research).
  • Ask yourself which, if any, of your unit/departmental/divisional service(s), when not delivered, create(s) an impact on the health and safety of individuals. For example, does your division manage vivaria, have critical research labs, services on which staff rely during crises (counselling, student safety, etc)? Use the Essential Services Ranking template to assist. Otherwise, move to Tier 2, below.

Tier II – Intermediate Functions: Must be operational within 1 week (7 days)

Those functions and services that are secondary to the University’s critical functions that can withstand a short-term disruption of more than 72 hours, but need to be resumed in a timely manner (1 week) to avoid a long term impact to the operation (examples: classroom instruction, student counselling, general, less time-sensitive research).

Tier III – Deferrable Functions: Must be operational within 30 days

Those functions and services that can be paused or deferred during an incident and can resume when conditions permit (examples: routine building maintenance, training, donor solicitation, grant solicitation

Guidance: (not everything listed in this step will be relevant to your area)

As part of your business continuity planning process, you'll need to identify the number of staff and the types of skills required to perform and maintain your identified essential services/functions.

Use the Essential Services Criticality Factor template to help you capture the information necessary to develop your plan.

Try to identify any special requirements necessary to perform the essential services/functions (for example, signing authority level; requisite training or licensing; access to equipment).

You may also wish to prepare a list of special tasks and skills required in emergency situations and assign them to appropriate employees, e.g. crisis management team, employee support, IT backup, defining security perimeters etc.

Additional sites with useful information:

Guidance: (not everything listed in this step will be relevant to your area)

Identify essential employees and other critical inputs (sub-contractors, services, logistics, alternate locations, etc.) required to maintain business operations by location and function during the event.

This could take the form of a simple phone/email list (to be updated regularly by a team members assigned this task) which would include the contact information and usual location (building/office location, or WFH).

Also determine whether your team can perform the tasks required to maintain business and operational continuity from an alternate or remote location (ie another location on campus or a remote location such as a home office) or are there campus locations which are required to achieve this? For example, if yours is an essential service, but a fire or flood render your regular location inoperable, where could you relocate to? Could you make advance arrangements on a different campus or at another location on your campus just in case an issue arises?

Next

  • Communicate your plan to those identified as essential employees and vendors or partners.
  • Determine who needs to be contacted with critical information.
    • Build distribution lists and maintain for accuracy.
    • Assign an individual to this task as a standing responsibility.
  • Develop a contact plan to reach employees: wireless, home, etc.
  • Ensure employees know where to receive information and updates about whether they can return to work, or if they are to report to a different location
  • Ensure mission-critical employees know their role in the plan and have access from remote locations (i.e., home broadband, phone, VPN for security).
  • Make sure the plan can be executed by alternate employees who are not necessarily the “expert” in cases where those employees cannot be reached.
  • Determine the need for a designated recovery site for your people to resume work. Plan for communications, data connectivity, desktops and workspace at that site.
  • If you require support from vendor partners, ensure they also have a documented plan that complements your needs. Review periodically to keep the plan current.

Guidance: (not everything listed in this step will be relevant to your area)

As was confirmed during the COVID pandemic, IT infrastructure is essential to enabling operational and business continuity. It is vital that your unit assesses its data and technology needs in the event of a failure in operations and work with institutional IT offices to ensure that infrastructure is in place and available to you.

Data and technology readiness checklist:

  • Determine the status of your existing disaster recovery plan. Do you have one and is it maintained? Have you tested the plan?
  • Determine the vulnerability of your unit’s technology infrastructure to disasters, including floods, fires, etc. Could you access your data during/following a fire in your office, for example?
  • Determine the need for off-site data storage and backup
  • Develop a technology plan that includes hardware, software, facilities and possibly service vendors if institutional ITS is unable to support a particular local function.
  • Determine the effectiveness of your data backup and recovery policies and procedures.
    • Are the procedures fully documented and an appropriate staff member responsible for the maintenance of that documentation?
    • Perform a data recovery test. Was the test successful?

Guidance: (not everything listed in this step will be relevant to your area)

Identify critical inputs (e.g. raw materials, suppliers, sub-contractor services/ products, and logistics) required to maintain business operations by location and function during an emergency. Examples might include: cell phones and chargers; PPE supplies; generators, etc.

Suppliers and sub-contractors

Use the Contact Info for Critical Suppliers (DOC) to list essential information on your key suppliers.

Partners and support providers

This is for important partners who do not fall into the earlier categories, but whom you would need to contact in the event of an emergency:

  • Partners (internal and external) who are neither vendors nor customers. These could include internal business units who rely on your unit/department for information and internal business units that would support your recovery. Examples could include insurance, campus safety, facilities, communications and legal .

Use the Contact Info for Critical Partners (DOC) to list essential information about these other partners.