A Guide to Continuity Planning Basics
A Guide to Continuity Planning Basics
Continuity Planning
Continuity planning is the process of proactively thinking through how an institution prepares to respond to, and recover from, an adverse event. It also includes mitigating or removing risks before they occur.
Before documenting a continuity plan it is important to identify the critical functions and develop strategies for continuing to perform the functions during and following the event. Knowing the function criticalities and the recovery strategies is the starting point for creating a continuity plan.
For a continuity plan to be considered viable it should be exercised, and regularly updated as information in the plan changes.
I. Analyzing the Criticality of Functions and Applications
A critical function is an activity a department performs regularly, that must be resumed within a set period of time and at a predetermined level after a disruption.
If a critical function cannot resume to the determined minimal level the institutional community is at risk for negative impacts. Impact examples include loss of life or property, injuries, reputation or financial damage, or lack of control/direction over the institution’s mission of instruction, research, and other essential services.
Determining a Function or Application’s Criticality
The criticality of a function (or an application that supports the function) is determined by the impact to the institution if the function cannot be performed. The importance of the application criticality is that if it supports a critical function, but is unavailable due to a network outage, data center issue, or something else, the critical function is at risk.
Conducting a business impact analysis (BIA) will assist in identifying a function and/or application criticality, and focuses on two exposure types, quantitative and qualitative, both of which should be considered. Some examples are listed here
1. Quantitative - financial impacts
- Net Income Loss: unable to collect payments (i.e., tuition, residential room and board), generate billing statements, provide revenue generating services (i.e., book store, food services).
- Opportunity Loss: loss of market share; unable to register students; unable to change price structures, penalties associated with missed SLAs.
- Interruption Loss: penalties, fines, grievances, lawsuits; delayed tax and/or benefit filings. Cost of overtime or additional staffing. Reimbursement of room and board for residential students that must leave campus at the institution’s request.
2. Qualitative - non-financial impacts
- Customer Service: inability to answer and respond to internal and external telephone calls.
- Institutional Image and Reputation: negative impact on parent, student, or community confidence in the institution
- Operational Performance: a potential for increased opportunity of administrative processing errors.
To avoid an extensive and time-consuming BIA project, a simplified analysis can be conducted by objectively assigning a criticality based on one’s knowledge of the function and its assumed impact to the institution. However, this methodology must go through levels of approval beginning at the department level, then to the division level, and finally to an executive committee. The executive committee should approve a function’s criticality by analyzing a collective list of all institutional functions and determining where the functions fit within the institution’s mission and vision. Likewise, the supporting applications should be analyzed and in the same way.
Once the function and application criticalities have been vetted, a recovery hierarchy, or order of recovery can be determined. This hierarchy will also provide valuable information as to where resource requirements of staff, equipment, applications, etc., should be addressed.
II. Develop the Recovery Strategies
A recovery strategy is the methodology for recovering a function if key people, normal work location, critical resources, or supporting applications are not available. These are sometimes called workarounds. Prior to developing the continuity plan consider what you would do if any of these are missing. Some strategies include:
Essential Employees
- Cross-train essential staff members
- Transfer workload to another department with similar functions
- Borrow staff from less critical departments, or enlist student volunteers
- Consider temporary hiring, or engage contractors
Normal Work Location
- Move to another building on campus
- Relocate to home offices or some other remote location
Critical Applications
- Manual process
- Defer if possible
Understanding and testing the recovery strategies during an exercise will ensure they are sustainable when needed during a live event.
III. Building the Continuity Plan
A continuity plan is generally written at the department level and includes key contact information, the department’s functions that must be recovered quickly, and key resources needed for the functions to continue. A very important component of a continuity plan are strategies for recovery in the event any people, resources, applications, or normal work locations are not available. Considerations for instruction or research recovery should also be included, when it applies.
By its very nature, a continuity plan is written before an adverse event occurs, but if one doesn’t exist, documenting the critical elements of a plan as a department is working through an event will capture the information so that the department is better prepared for the next event, when it occurs.
At a minimum, the continuity plan should include the following information:
1. Three Levels of Key Contacts
a. Department Contacts - contact information for all department staff. Be sure to capture alternate phone and email information in case the event displaces employees from their normal work location.
b. Institutional Contacts - contacts who are outside of your department but still within your institution, with whom you may need to communicate during the event. Some examples include:
- Human resources
- Procurement
- Information Technology
- VP for your department
- The President or Provost
c. External Contacts - external vendors, grantors, partners, etc., with whom you may need to communicate to provide updates, place special orders, redirect deliveries, etc. Be sure to document contact names, and contact information, along with an explanation of the relationship. It is important to consider alternate vendors in the event your primary vendor experiences an incident as well.
2. Recovery Team
The recovery team consists of key staff members that will be responsible for carrying out the recovery effort for a department. A basic department recovery team includes a team leader, an alternate team leader, and team members. It is not unusual to have more than one team documented in a continuity plan if a person in the department is a member of another team, i.e., the incident management team.
3. Critical Functions
Critical functions are those tasks a department completes day-to-day to contribute to the institution’s ‘products and services”, i.e., instruction, research, athletics, residential, food service, etc. Generally, we capture only the functions that are essential and must be resumed within two to three weeks of the initial adverse event. Some information to consider when capturing the critical functions is:
- Level of criticality - as discussed in section I, the criticality identifies the importance of the function to the overall mission of the institution.
- Downstream and upstream dependent departments - downstream dependencies are the departments that would be seriously impacted if your department could not perform a critical function, and upstream dependencies are the departments whose reduced functioning would seriously impact your own department’s ability to perform a critical function.
4. Recovery Strategies
As discussed in section II, the strategies outline what the department will do if any of the following are not available during the recovery effort and normal operations are not an option.
- Essential Employees
- Normal Work Location
- Critical Applications
- Key Resources
5. Equipment and supplies
- Basic equipment needed to perform the critical functions (i.e., office chair, computer, vpn, printer, etc.) Estimate the number needed; don't agonize.
- Specialized Equipment or supplies vital to a critical function (i.e., lab equipment, art materials, musical instruments, etc.)
6. Transportation requirements
- Police cars
- Van for handicapped students
- Bus to transfer students to an alternate campus
7. Specific skills
- Licenses
- Certifications
- Degrees
Continuity plans for higher ed institutions must consider the components specific to instruction and research. Plans for these departments must still include the information outlined above, but more information is needed to capture the unique elements of these.
1. Instruction
a. Essential Courses
- Must continue for minimal impact on graduation
- Requires specialized support or logistics
b. Courses that must continue on campus
- Labs
- Art and music
- Clinical
- Athletics
c. Strategies
- Alternatives for delivering courses if the campus is closed
- Equipment, supplies, etc., the faculty needs to be successful
2. Research
- Critical research functions
- Projects that must be maintained or continued
- Methods for handling hazardous waste
- Care and feeding of research subjects
- Process to notify grantors or partners to provide project updates
Having continuity plans that include the items above, and an accurate understanding of what the critical functions are within an institution, is the starting point of a mature continuity planning program. However, just having the plans in place does not ensure a department is ready to manage through a recovery effort easily. Once completed a continuity plan should be exercised and maintained to ensure the team members have a clear understanding of what to do during an event, and that the plans do not contain any gaps.
IV. Exercising and Maintaining the Plan
Once a continuity plan has been documented it should be exercised. Exercising the plan through (at least) a tabletop exercise will help to educate the department staff on recovery activities, as well as each team member’s role and responsibilities during an adverse event. Live events are, of course, the best exercise and should be considered an excellent learning opportunity.
Whether a live event or an exercise, plans should always be updated with what was discovered, and any gaps can provide a roadmap for improvement.
A Guide to Continuity Planning Basics
A Guide to Continuity Planning Basics
Continuity Planning
Continuity planning is the process of proactively thinking through how an institution prepares to respond to, and recover from, an adverse event. It also includes mitigating or removing risks before they occur.
Before documenting a continuity plan it is important to identify the critical functions and develop strategies for continuing to perform the functions during and following the event. Knowing the function criticalities and the recovery strategies is the starting point for creating a continuity plan.
For a continuity plan to be considered viable it should be exercised, and regularly updated as information in the plan changes.
I. Analyzing the Criticality of Functions and Applications
A critical function is an activity a department performs regularly, that must be resumed within a set period of time and at a predetermined level after a disruption.
If a critical function cannot resume to the determined minimal level the institutional community is at risk for negative impacts. Impact examples include loss of life or property, injuries, reputation or financial damage, or lack of control/direction over the institution’s mission of instruction, research, and other essential services.
Determining a Function or Application’s Criticality
The criticality of a function (or an application that supports the function) is determined by the impact to the institution if the function cannot be performed. The importance of the application criticality is that if it supports a critical function, but is unavailable due to a network outage, data center issue, or something else, the critical function is at risk.
Conducting a business impact analysis (BIA) will assist in identifying a function and/or application criticality, and focuses on two exposure types, quantitative and qualitative, both of which should be considered. Some examples are listed here
1. Quantitative - financial impacts
- Net Income Loss: unable to collect payments (i.e., tuition, residential room and board), generate billing statements, provide revenue generating services (i.e., book store, food services).
- Opportunity Loss: loss of market share; unable to register students; unable to change price structures, penalties associated with missed SLAs.
- Interruption Loss: penalties, fines, grievances, lawsuits; delayed tax and/or benefit filings. Cost of overtime or additional staffing. Reimbursement of room and board for residential students that must leave campus at the institution’s request.
2. Qualitative - non-financial impacts
- Customer Service: inability to answer and respond to internal and external telephone calls.
- Institutional Image and Reputation: negative impact on parent, student, or community confidence in the institution
- Operational Performance: a potential for increased opportunity of administrative processing errors.
To avoid an extensive and time-consuming BIA project, a simplified analysis can be conducted by objectively assigning a criticality based on one’s knowledge of the function and its assumed impact to the institution. However, this methodology must go through levels of approval beginning at the department level, then to the division level, and finally to an executive committee. The executive committee should approve a function’s criticality by analyzing a collective list of all institutional functions and determining where the functions fit within the institution’s mission and vision. Likewise, the supporting applications should be analyzed and in the same way.
Once the function and application criticalities have been vetted, a recovery hierarchy, or order of recovery can be determined. This hierarchy will also provide valuable information as to where resource requirements of staff, equipment, applications, etc., should be addressed.
II. Develop the Recovery Strategies
A recovery strategy is the methodology for recovering a function if key people, normal work location, critical resources, or supporting applications are not available. These are sometimes called workarounds. Prior to developing the continuity plan consider what you would do if any of these are missing. Some strategies include:
Essential Employees
- Cross-train essential staff members
- Transfer workload to another department with similar functions
- Borrow staff from less critical departments, or enlist student volunteers
- Consider temporary hiring, or engage contractors
Normal Work Location
- Move to another building on campus
- Relocate to home offices or some other remote location
Critical Applications
- Manual process
- Defer if possible
Understanding and testing the recovery strategies during an exercise will ensure they are sustainable when needed during a live event.
III. Building the Continuity Plan
A continuity plan is generally written at the department level and includes key contact information, the department’s functions that must be recovered quickly, and key resources needed for the functions to continue. A very important component of a continuity plan are strategies for recovery in the event any people, resources, applications, or normal work locations are not available. Considerations for instruction or research recovery should also be included, when it applies.
By its very nature, a continuity plan is written before an adverse event occurs, but if one doesn’t exist, documenting the critical elements of a plan as a department is working through an event will capture the information so that the department is better prepared for the next event, when it occurs.
At a minimum, the continuity plan should include the following information:
1. Three Levels of Key Contacts
a. Department Contacts - contact information for all department staff. Be sure to capture alternate phone and email information in case the event displaces employees from their normal work location.
b. Institutional Contacts - contacts who are outside of your department but still within your institution, with whom you may need to communicate during the event. Some examples include:
- Human resources
- Procurement
- Information Technology
- VP for your department
- The President or Provost
c. External Contacts - external vendors, grantors, partners, etc., with whom you may need to communicate to provide updates, place special orders, redirect deliveries, etc. Be sure to document contact names, and contact information, along with an explanation of the relationship. It is important to consider alternate vendors in the event your primary vendor experiences an incident as well.
2. Recovery Team
The recovery team consists of key staff members that will be responsible for carrying out the recovery effort for a department. A basic department recovery team includes a team leader, an alternate team leader, and team members. It is not unusual to have more than one team documented in a continuity plan if a person in the department is a member of another team, i.e., the incident management team.
3. Critical Functions
Critical functions are those tasks a department completes day-to-day to contribute to the institution’s ‘products and services”, i.e., instruction, research, athletics, residential, food service, etc. Generally, we capture only the functions that are essential and must be resumed within two to three weeks of the initial adverse event. Some information to consider when capturing the critical functions is:
- Level of criticality - as discussed in section I, the criticality identifies the importance of the function to the overall mission of the institution.
- Downstream and upstream dependent departments - downstream dependencies are the departments that would be seriously impacted if your department could not perform a critical function, and upstream dependencies are the departments whose reduced functioning would seriously impact your own department’s ability to perform a critical function.
4. Recovery Strategies
As discussed in section II, the strategies outline what the department will do if any of the following are not available during the recovery effort and normal operations are not an option.
- Essential Employees
- Normal Work Location
- Critical Applications
- Key Resources
5. Equipment and supplies
- Basic equipment needed to perform the critical functions (i.e., office chair, computer, vpn, printer, etc.) Estimate the number needed; don't agonize.
- Specialized Equipment or supplies vital to a critical function (i.e., lab equipment, art materials, musical instruments, etc.)
6. Transportation requirements
- Police cars
- Van for handicapped students
- Bus to transfer students to an alternate campus
7. Specific skills
- Licenses
- Certifications
- Degrees
Continuity plans for higher ed institutions must consider the components specific to instruction and research. Plans for these departments must still include the information outlined above, but more information is needed to capture the unique elements of these.
1. Instruction
a. Essential Courses
- Must continue for minimal impact on graduation
- Requires specialized support or logistics
b. Courses that must continue on campus
- Labs
- Art and music
- Clinical
- Athletics
c. Strategies
- Alternatives for delivering courses if the campus is closed
- Equipment, supplies, etc., the faculty needs to be successful
2. Research
- Critical research functions
- Projects that must be maintained or continued
- Methods for handling hazardous waste
- Care and feeding of research subjects
- Process to notify grantors or partners to provide project updates
Having continuity plans that include the items above, and an accurate understanding of what the critical functions are within an institution, is the starting point of a mature continuity planning program. However, just having the plans in place does not ensure a department is ready to manage through a recovery effort easily. Once completed a continuity plan should be exercised and maintained to ensure the team members have a clear understanding of what to do during an event, and that the plans do not contain any gaps.
IV. Exercising and Maintaining the Plan
Once a continuity plan has been documented it should be exercised. Exercising the plan through (at least) a tabletop exercise will help to educate the department staff on recovery activities, as well as each team member’s role and responsibilities during an adverse event. Live events are, of course, the best exercise and should be considered an excellent learning opportunity.
Whether a live event or an exercise, plans should always be updated with what was discovered, and any gaps can provide a roadmap for improvement.
A Guide to Continuity Planning Basics
A Guide to Continuity Planning Basics
A Guide to Continuity Planning Basics
Continuity Planning
Continuity planning is the process of proactively thinking through how an institution prepares to respond to, and recover from, an adverse event. It also includes mitigating or removing risks before they occur.
Before documenting a continuity plan it is important to identify the critical functions and develop strategies for continuing to perform the functions during and following the event. Knowing the function criticalities and the recovery strategies is the starting point for creating a continuity plan.
For a continuity plan to be considered viable it should be exercised, and regularly updated as information in the plan changes.
I. Analyzing the Criticality of Functions and Applications
A critical function is an activity a department performs regularly, that must be resumed within a set period of time and at a predetermined level after a disruption.
If a critical function cannot resume to the determined minimal level the institutional community is at risk for negative impacts. Impact examples include loss of life or property, injuries, reputation or financial damage, or lack of control/direction over the institution’s mission of instruction, research, and other essential services.
Determining a Function or Application’s Criticality
The criticality of a function (or an application that supports the function) is determined by the impact to the institution if the function cannot be performed. The importance of the application criticality is that if it supports a critical function, but is unavailable due to a network outage, data center issue, or something else, the critical function is at risk.
Conducting a business impact analysis (BIA) will assist in identifying a function and/or application criticality, and focuses on two exposure types, quantitative and qualitative, both of which should be considered. Some examples are listed here
1. Quantitative - financial impacts
- Net Income Loss: unable to collect payments (i.e., tuition, residential room and board), generate billing statements, provide revenue generating services (i.e., book store, food services).
- Opportunity Loss: loss of market share; unable to register students; unable to change price structures, penalties associated with missed SLAs.
- Interruption Loss: penalties, fines, grievances, lawsuits; delayed tax and/or benefit filings. Cost of overtime or additional staffing. Reimbursement of room and board for residential students that must leave campus at the institution’s request.
2. Qualitative - non-financial impacts
- Customer Service: inability to answer and respond to internal and external telephone calls.
- Institutional Image and Reputation: negative impact on parent, student, or community confidence in the institution
- Operational Performance: a potential for increased opportunity of administrative processing errors.
To avoid an extensive and time-consuming BIA project, a simplified analysis can be conducted by objectively assigning a criticality based on one’s knowledge of the function and its assumed impact to the institution. However, this methodology must go through levels of approval beginning at the department level, then to the division level, and finally to an executive committee. The executive committee should approve a function’s criticality by analyzing a collective list of all institutional functions and determining where the functions fit within the institution’s mission and vision. Likewise, the supporting applications should be analyzed and in the same way.
Once the function and application criticalities have been vetted, a recovery hierarchy, or order of recovery can be determined. This hierarchy will also provide valuable information as to where resource requirements of staff, equipment, applications, etc., should be addressed.
II. Develop the Recovery Strategies
A recovery strategy is the methodology for recovering a function if key people, normal work location, critical resources, or supporting applications are not available. These are sometimes called workarounds. Prior to developing the continuity plan consider what you would do if any of these are missing. Some strategies include:
Essential Employees
- Cross-train essential staff members
- Transfer workload to another department with similar functions
- Borrow staff from less critical departments, or enlist student volunteers
- Consider temporary hiring, or engage contractors
Normal Work Location
- Move to another building on campus
- Relocate to home offices or some other remote location
Critical Applications
- Manual process
- Defer if possible
Understanding and testing the recovery strategies during an exercise will ensure they are sustainable when needed during a live event.
III. Building the Continuity Plan
A continuity plan is generally written at the department level and includes key contact information, the department’s functions that must be recovered quickly, and key resources needed for the functions to continue. A very important component of a continuity plan are strategies for recovery in the event any people, resources, applications, or normal work locations are not available. Considerations for instruction or research recovery should also be included, when it applies.
By its very nature, a continuity plan is written before an adverse event occurs, but if one doesn’t exist, documenting the critical elements of a plan as a department is working through an event will capture the information so that the department is better prepared for the next event, when it occurs.
At a minimum, the continuity plan should include the following information:
1. Three Levels of Key Contacts
a. Department Contacts - contact information for all department staff. Be sure to capture alternate phone and email information in case the event displaces employees from their normal work location.
b. Institutional Contacts - contacts who are outside of your department but still within your institution, with whom you may need to communicate during the event. Some examples include:
- Human resources
- Procurement
- Information Technology
- VP for your department
- The President or Provost
c. External Contacts - external vendors, grantors, partners, etc., with whom you may need to communicate to provide updates, place special orders, redirect deliveries, etc. Be sure to document contact names, and contact information, along with an explanation of the relationship. It is important to consider alternate vendors in the event your primary vendor experiences an incident as well.
2. Recovery Team
The recovery team consists of key staff members that will be responsible for carrying out the recovery effort for a department. A basic department recovery team includes a team leader, an alternate team leader, and team members. It is not unusual to have more than one team documented in a continuity plan if a person in the department is a member of another team, i.e., the incident management team.
3. Critical Functions
Critical functions are those tasks a department completes day-to-day to contribute to the institution’s ‘products and services”, i.e., instruction, research, athletics, residential, food service, etc. Generally, we capture only the functions that are essential and must be resumed within two to three weeks of the initial adverse event. Some information to consider when capturing the critical functions is:
- Level of criticality - as discussed in section I, the criticality identifies the importance of the function to the overall mission of the institution.
- Downstream and upstream dependent departments - downstream dependencies are the departments that would be seriously impacted if your department could not perform a critical function, and upstream dependencies are the departments whose reduced functioning would seriously impact your own department’s ability to perform a critical function.
4. Recovery Strategies
As discussed in section II, the strategies outline what the department will do if any of the following are not available during the recovery effort and normal operations are not an option.
- Essential Employees
- Normal Work Location
- Critical Applications
- Key Resources
5. Equipment and supplies
- Basic equipment needed to perform the critical functions (i.e., office chair, computer, vpn, printer, etc.) Estimate the number needed; don't agonize.
- Specialized Equipment or supplies vital to a critical function (i.e., lab equipment, art materials, musical instruments, etc.)
6. Transportation requirements
- Police cars
- Van for handicapped students
- Bus to transfer students to an alternate campus
7. Specific skills
- Licenses
- Certifications
- Degrees
Continuity plans for higher ed institutions must consider the components specific to instruction and research. Plans for these departments must still include the information outlined above, but more information is needed to capture the unique elements of these.
1. Instruction
a. Essential Courses
- Must continue for minimal impact on graduation
- Requires specialized support or logistics
b. Courses that must continue on campus
- Labs
- Art and music
- Clinical
- Athletics
c. Strategies
- Alternatives for delivering courses if the campus is closed
- Equipment, supplies, etc., the faculty needs to be successful
2. Research
- Critical research functions
- Projects that must be maintained or continued
- Methods for handling hazardous waste
- Care and feeding of research subjects
- Process to notify grantors or partners to provide project updates
Having continuity plans that include the items above, and an accurate understanding of what the critical functions are within an institution, is the starting point of a mature continuity planning program. However, just having the plans in place does not ensure a department is ready to manage through a recovery effort easily. Once completed a continuity plan should be exercised and maintained to ensure the team members have a clear understanding of what to do during an event, and that the plans do not contain any gaps.
IV. Exercising and Maintaining the Plan
Once a continuity plan has been documented it should be exercised. Exercising the plan through (at least) a tabletop exercise will help to educate the department staff on recovery activities, as well as each team member’s role and responsibilities during an adverse event. Live events are, of course, the best exercise and should be considered an excellent learning opportunity.
Whether a live event or an exercise, plans should always be updated with what was discovered, and any gaps can provide a roadmap for improvement.
A Guide to Continuity Planning Basics
A Guide to Continuity Planning Basics
Continuity Planning
Continuity planning is the process of proactively thinking through how an institution prepares to respond to, and recover from, an adverse event. It also includes mitigating or removing risks before they occur.
Before documenting a continuity plan it is important to identify the critical functions and develop strategies for continuing to perform the functions during and following the event. Knowing the function criticalities and the recovery strategies is the starting point for creating a continuity plan.
For a continuity plan to be considered viable it should be exercised, and regularly updated as information in the plan changes.
I. Analyzing the Criticality of Functions and Applications
A critical function is an activity a department performs regularly, that must be resumed within a set period of time and at a predetermined level after a disruption.
If a critical function cannot resume to the determined minimal level the institutional community is at risk for negative impacts. Impact examples include loss of life or property, injuries, reputation or financial damage, or lack of control/direction over the institution’s mission of instruction, research, and other essential services.
Determining a Function or Application’s Criticality
The criticality of a function (or an application that supports the function) is determined by the impact to the institution if the function cannot be performed. The importance of the application criticality is that if it supports a critical function, but is unavailable due to a network outage, data center issue, or something else, the critical function is at risk.
Conducting a business impact analysis (BIA) will assist in identifying a function and/or application criticality, and focuses on two exposure types, quantitative and qualitative, both of which should be considered. Some examples are listed here
1. Quantitative - financial impacts
- Net Income Loss: unable to collect payments (i.e., tuition, residential room and board), generate billing statements, provide revenue generating services (i.e., book store, food services).
- Opportunity Loss: loss of market share; unable to register students; unable to change price structures, penalties associated with missed SLAs.
- Interruption Loss: penalties, fines, grievances, lawsuits; delayed tax and/or benefit filings. Cost of overtime or additional staffing. Reimbursement of room and board for residential students that must leave campus at the institution’s request.
2. Qualitative - non-financial impacts
- Customer Service: inability to answer and respond to internal and external telephone calls.
- Institutional Image and Reputation: negative impact on parent, student, or community confidence in the institution
- Operational Performance: a potential for increased opportunity of administrative processing errors.
To avoid an extensive and time-consuming BIA project, a simplified analysis can be conducted by objectively assigning a criticality based on one’s knowledge of the function and its assumed impact to the institution. However, this methodology must go through levels of approval beginning at the department level, then to the division level, and finally to an executive committee. The executive committee should approve a function’s criticality by analyzing a collective list of all institutional functions and determining where the functions fit within the institution’s mission and vision. Likewise, the supporting applications should be analyzed and in the same way.
Once the function and application criticalities have been vetted, a recovery hierarchy, or order of recovery can be determined. This hierarchy will also provide valuable information as to where resource requirements of staff, equipment, applications, etc., should be addressed.
II. Develop the Recovery Strategies
A recovery strategy is the methodology for recovering a function if key people, normal work location, critical resources, or supporting applications are not available. These are sometimes called workarounds. Prior to developing the continuity plan consider what you would do if any of these are missing. Some strategies include:
Essential Employees
- Cross-train essential staff members
- Transfer workload to another department with similar functions
- Borrow staff from less critical departments, or enlist student volunteers
- Consider temporary hiring, or engage contractors
Normal Work Location
- Move to another building on campus
- Relocate to home offices or some other remote location
Critical Applications
- Manual process
- Defer if possible
Understanding and testing the recovery strategies during an exercise will ensure they are sustainable when needed during a live event.
III. Building the Continuity Plan
A continuity plan is generally written at the department level and includes key contact information, the department’s functions that must be recovered quickly, and key resources needed for the functions to continue. A very important component of a continuity plan are strategies for recovery in the event any people, resources, applications, or normal work locations are not available. Considerations for instruction or research recovery should also be included, when it applies.
By its very nature, a continuity plan is written before an adverse event occurs, but if one doesn’t exist, documenting the critical elements of a plan as a department is working through an event will capture the information so that the department is better prepared for the next event, when it occurs.
At a minimum, the continuity plan should include the following information:
1. Three Levels of Key Contacts
a. Department Contacts - contact information for all department staff. Be sure to capture alternate phone and email information in case the event displaces employees from their normal work location.
b. Institutional Contacts - contacts who are outside of your department but still within your institution, with whom you may need to communicate during the event. Some examples include:
- Human resources
- Procurement
- Information Technology
- VP for your department
- The President or Provost
c. External Contacts - external vendors, grantors, partners, etc., with whom you may need to communicate to provide updates, place special orders, redirect deliveries, etc. Be sure to document contact names, and contact information, along with an explanation of the relationship. It is important to consider alternate vendors in the event your primary vendor experiences an incident as well.
2. Recovery Team
The recovery team consists of key staff members that will be responsible for carrying out the recovery effort for a department. A basic department recovery team includes a team leader, an alternate team leader, and team members. It is not unusual to have more than one team documented in a continuity plan if a person in the department is a member of another team, i.e., the incident management team.
3. Critical Functions
Critical functions are those tasks a department completes day-to-day to contribute to the institution’s ‘products and services”, i.e., instruction, research, athletics, residential, food service, etc. Generally, we capture only the functions that are essential and must be resumed within two to three weeks of the initial adverse event. Some information to consider when capturing the critical functions is:
- Level of criticality - as discussed in section I, the criticality identifies the importance of the function to the overall mission of the institution.
- Downstream and upstream dependent departments - downstream dependencies are the departments that would be seriously impacted if your department could not perform a critical function, and upstream dependencies are the departments whose reduced functioning would seriously impact your own department’s ability to perform a critical function.
4. Recovery Strategies
As discussed in section II, the strategies outline what the department will do if any of the following are not available during the recovery effort and normal operations are not an option.
- Essential Employees
- Normal Work Location
- Critical Applications
- Key Resources
5. Equipment and supplies
- Basic equipment needed to perform the critical functions (i.e., office chair, computer, vpn, printer, etc.) Estimate the number needed; don't agonize.
- Specialized Equipment or supplies vital to a critical function (i.e., lab equipment, art materials, musical instruments, etc.)
6. Transportation requirements
- Police cars
- Van for handicapped students
- Bus to transfer students to an alternate campus
7. Specific skills
- Licenses
- Certifications
- Degrees
Continuity plans for higher ed institutions must consider the components specific to instruction and research. Plans for these departments must still include the information outlined above, but more information is needed to capture the unique elements of these.
1. Instruction
a. Essential Courses
- Must continue for minimal impact on graduation
- Requires specialized support or logistics
b. Courses that must continue on campus
- Labs
- Art and music
- Clinical
- Athletics
c. Strategies
- Alternatives for delivering courses if the campus is closed
- Equipment, supplies, etc., the faculty needs to be successful
2. Research
- Critical research functions
- Projects that must be maintained or continued
- Methods for handling hazardous waste
- Care and feeding of research subjects
- Process to notify grantors or partners to provide project updates
Having continuity plans that include the items above, and an accurate understanding of what the critical functions are within an institution, is the starting point of a mature continuity planning program. However, just having the plans in place does not ensure a department is ready to manage through a recovery effort easily. Once completed a continuity plan should be exercised and maintained to ensure the team members have a clear understanding of what to do during an event, and that the plans do not contain any gaps.
IV. Exercising and Maintaining the Plan
Once a continuity plan has been documented it should be exercised. Exercising the plan through (at least) a tabletop exercise will help to educate the department staff on recovery activities, as well as each team member’s role and responsibilities during an adverse event. Live events are, of course, the best exercise and should be considered an excellent learning opportunity.
Whether a live event or an exercise, plans should always be updated with what was discovered, and any gaps can provide a roadmap for improvement.
A Guide to Continuity Planning Basics
A Guide to Continuity Planning Basics
Continuity Planning
Continuity planning is the process of proactively thinking through how an institution prepares to respond to, and recover from, an adverse event. It also includes mitigating or removing risks before they occur.
Before documenting a continuity plan it is important to identify the critical functions and develop strategies for continuing to perform the functions during and following the event. Knowing the function criticalities and the recovery strategies is the starting point for creating a continuity plan.
For a continuity plan to be considered viable it should be exercised, and regularly updated as information in the plan changes.
I. Analyzing the Criticality of Functions and Applications
A critical function is an activity a department performs regularly, that must be resumed within a set period of time and at a predetermined level after a disruption.
If a critical function cannot resume to the determined minimal level the institutional community is at risk for negative impacts. Impact examples include loss of life or property, injuries, reputation or financial damage, or lack of control/direction over the institution’s mission of instruction, research, and other essential services.
Determining a Function or Application’s Criticality
The criticality of a function (or an application that supports the function) is determined by the impact to the institution if the function cannot be performed. The importance of the application criticality is that if it supports a critical function, but is unavailable due to a network outage, data center issue, or something else, the critical function is at risk.
Conducting a business impact analysis (BIA) will assist in identifying a function and/or application criticality, and focuses on two exposure types, quantitative and qualitative, both of which should be considered. Some examples are listed here
1. Quantitative - financial impacts
- Net Income Loss: unable to collect payments (i.e., tuition, residential room and board), generate billing statements, provide revenue generating services (i.e., book store, food services).
- Opportunity Loss: loss of market share; unable to register students; unable to change price structures, penalties associated with missed SLAs.
- Interruption Loss: penalties, fines, grievances, lawsuits; delayed tax and/or benefit filings. Cost of overtime or additional staffing. Reimbursement of room and board for residential students that must leave campus at the institution’s request.
2. Qualitative - non-financial impacts
- Customer Service: inability to answer and respond to internal and external telephone calls.
- Institutional Image and Reputation: negative impact on parent, student, or community confidence in the institution
- Operational Performance: a potential for increased opportunity of administrative processing errors.
To avoid an extensive and time-consuming BIA project, a simplified analysis can be conducted by objectively assigning a criticality based on one’s knowledge of the function and its assumed impact to the institution. However, this methodology must go through levels of approval beginning at the department level, then to the division level, and finally to an executive committee. The executive committee should approve a function’s criticality by analyzing a collective list of all institutional functions and determining where the functions fit within the institution’s mission and vision. Likewise, the supporting applications should be analyzed and in the same way.
Once the function and application criticalities have been vetted, a recovery hierarchy, or order of recovery can be determined. This hierarchy will also provide valuable information as to where resource requirements of staff, equipment, applications, etc., should be addressed.
II. Develop the Recovery Strategies
A recovery strategy is the methodology for recovering a function if key people, normal work location, critical resources, or supporting applications are not available. These are sometimes called workarounds. Prior to developing the continuity plan consider what you would do if any of these are missing. Some strategies include:
Essential Employees
- Cross-train essential staff members
- Transfer workload to another department with similar functions
- Borrow staff from less critical departments, or enlist student volunteers
- Consider temporary hiring, or engage contractors
Normal Work Location
- Move to another building on campus
- Relocate to home offices or some other remote location
Critical Applications
- Manual process
- Defer if possible
Understanding and testing the recovery strategies during an exercise will ensure they are sustainable when needed during a live event.
III. Building the Continuity Plan
A continuity plan is generally written at the department level and includes key contact information, the department’s functions that must be recovered quickly, and key resources needed for the functions to continue. A very important component of a continuity plan are strategies for recovery in the event any people, resources, applications, or normal work locations are not available. Considerations for instruction or research recovery should also be included, when it applies.
By its very nature, a continuity plan is written before an adverse event occurs, but if one doesn’t exist, documenting the critical elements of a plan as a department is working through an event will capture the information so that the department is better prepared for the next event, when it occurs.
At a minimum, the continuity plan should include the following information:
1. Three Levels of Key Contacts
a. Department Contacts - contact information for all department staff. Be sure to capture alternate phone and email information in case the event displaces employees from their normal work location.
b. Institutional Contacts - contacts who are outside of your department but still within your institution, with whom you may need to communicate during the event. Some examples include:
- Human resources
- Procurement
- Information Technology
- VP for your department
- The President or Provost
c. External Contacts - external vendors, grantors, partners, etc., with whom you may need to communicate to provide updates, place special orders, redirect deliveries, etc. Be sure to document contact names, and contact information, along with an explanation of the relationship. It is important to consider alternate vendors in the event your primary vendor experiences an incident as well.
2. Recovery Team
The recovery team consists of key staff members that will be responsible for carrying out the recovery effort for a department. A basic department recovery team includes a team leader, an alternate team leader, and team members. It is not unusual to have more than one team documented in a continuity plan if a person in the department is a member of another team, i.e., the incident management team.
3. Critical Functions
Critical functions are those tasks a department completes day-to-day to contribute to the institution’s ‘products and services”, i.e., instruction, research, athletics, residential, food service, etc. Generally, we capture only the functions that are essential and must be resumed within two to three weeks of the initial adverse event. Some information to consider when capturing the critical functions is:
- Level of criticality - as discussed in section I, the criticality identifies the importance of the function to the overall mission of the institution.
- Downstream and upstream dependent departments - downstream dependencies are the departments that would be seriously impacted if your department could not perform a critical function, and upstream dependencies are the departments whose reduced functioning would seriously impact your own department’s ability to perform a critical function.
4. Recovery Strategies
As discussed in section II, the strategies outline what the department will do if any of the following are not available during the recovery effort and normal operations are not an option.
- Essential Employees
- Normal Work Location
- Critical Applications
- Key Resources
5. Equipment and supplies
- Basic equipment needed to perform the critical functions (i.e., office chair, computer, vpn, printer, etc.) Estimate the number needed; don't agonize.
- Specialized Equipment or supplies vital to a critical function (i.e., lab equipment, art materials, musical instruments, etc.)
6. Transportation requirements
- Police cars
- Van for handicapped students
- Bus to transfer students to an alternate campus
7. Specific skills
- Licenses
- Certifications
- Degrees
Continuity plans for higher ed institutions must consider the components specific to instruction and research. Plans for these departments must still include the information outlined above, but more information is needed to capture the unique elements of these.
1. Instruction
a. Essential Courses
- Must continue for minimal impact on graduation
- Requires specialized support or logistics
b. Courses that must continue on campus
- Labs
- Art and music
- Clinical
- Athletics
c. Strategies
- Alternatives for delivering courses if the campus is closed
- Equipment, supplies, etc., the faculty needs to be successful
2. Research
- Critical research functions
- Projects that must be maintained or continued
- Methods for handling hazardous waste
- Care and feeding of research subjects
- Process to notify grantors or partners to provide project updates
Having continuity plans that include the items above, and an accurate understanding of what the critical functions are within an institution, is the starting point of a mature continuity planning program. However, just having the plans in place does not ensure a department is ready to manage through a recovery effort easily. Once completed a continuity plan should be exercised and maintained to ensure the team members have a clear understanding of what to do during an event, and that the plans do not contain any gaps.
IV. Exercising and Maintaining the Plan
Once a continuity plan has been documented it should be exercised. Exercising the plan through (at least) a tabletop exercise will help to educate the department staff on recovery activities, as well as each team member’s role and responsibilities during an adverse event. Live events are, of course, the best exercise and should be considered an excellent learning opportunity.
Whether a live event or an exercise, plans should always be updated with what was discovered, and any gaps can provide a roadmap for improvement.