Institutions are becoming increasingly aware of the need for business continuity planning. If the more traditional approach to risk management asked focused questions—e.g., How do we protect our auto fleet? How do we mitigate the risk of a proposed study abroad program? How much insurance do we need to cover that building?—then, business continuity asks a more global question: In the event of a major catastrophe, how do we keep the institution going?
- Federal Emergency Management Agency (FEMA) Ready Campus (www.ready.gov/campus) states, “In times of disasters, colleges and universities serve as key emergency management partners to federal, state, local, tribal, territory, and private sector organizations. Natural, technological, and health hazards can all affect daily campus operations. Institutions are encouraged to regularly review, update, and exercise their emergency plans.”
- The Department of Homeland Security (DHS) Ready Campus (www.ready.gov/campus) provides steps and resources for emergency planning, communication plans, business continuity plans, campus fire safety, cyber and mobility safety, pandemic planning, and other campus risks. The site also provides resources in support of the Community Emergency Response Team (CERT) to educate faculty, staff, and students about disaster preparedness.
Business continuity planning is not only about the development of “a plan,” but also the establishment of a culture and set of practices that prepare people across the enterprise to respond to major disruptions. While this may sound like a massive undertaking (and it is), the effort becomes more manageable if broken into its primary steps:
1. Secure senior leadership commitment.
2. Involve key constituencies in the community, including local first responders.
3. Identify and assess risks.
4. Develop the continuity plan.
5. Test the plan.
6. Analyze lessons learned from tests and drills and modify the plan based on lessons learned.
In going through these steps, managers need to recognize that disasters can vary in their impact. An earthquake may be of short duration and destroy much of the infrastructure, but recovery might begin almost immediately.
A pandemic, on the other hand, could leave all buildings and infrastructure intact, but it could last for weeks or months. For this reason, it is important to consider both specific and nonspecific risks so that the institution maintains flexibility in its planning.
Secure Senior Leadership Commitment
The most important resource to mobilize at the outset is the institution’s senior leadership. Because a business continuity plan is an enterprisewide and high-stakes activity, the president/chancellor and the governing board must endorse and support the effort. Without senior-level support, it will be difficult to get others to commit the time and attention needed to develop, implement, and test the plan. The top of the organization should issue a formal charge that frames the importance and scope of the planning authority.
Involve Key Constituencies
The plan should be developed through broad-based participation. Most institutions have some sort of planning entity in place, and this should be leveraged to the extent possible. While each college and university has its own structure and organizational quirks, the risk manager may want to consider including representation from:
- The president’s office.
- Institutional research.
- Public affairs and communications, including a rapid response capability.
- Public safety.
- Information technology.
- Physical plant.
- Academic affairs.
- Student affairs/counseling.
In addition, the planning group should incorporate appropriate representation when needed from state and local governments, emergency management agencies, infrastructure providers (e.g., utilities, housing, transportation, telecommunications), and nonprofit organizations such as the Red Cross.
Because of the need for the involvement of multiple constituencies, it is critical that thought be given to governance. Who will constitute the core planning group? Who will be brought in for consultation on a periodic basis? What subgroups should be formed to deal with specific issues?
In the absence of tight management of the process, the planning can easily become unwieldy. FEMA has developed ICS100.HE: Introduction to the Incident Command System for Higher Education. This course is designed to introduce campus responders to the Incident Command System and National Incident Management System. This knowledge will ensure that necessary members of the campus community can communicate with outside municipalities to respond effectively and efficiently to an emergency or crisis on campus.
Identify and Assess Risks
There are a number of methodologies to identify and inventory assets and to assess hazards, and each risk manager will need to develop an approach that works best for his or her institution. Methods that have proven effective include the following:
A mapping exercise of the campus can provide the platform for identifying structures and infrastructure, and the hazards that might accompany them. The map should show:
- All structures, including residence halls, classrooms, computer facilities, dining and food storage areas, health services, and the like.
- Essential services, such as fire, police, shelters, medical facilities, and any other services that could be drawn on in an emergency.
- Locations of hazardous materials, including labs and storage areas.
- Critical infrastructure, such as power lines, water and sewer lines, communications facilities, and roads.
- Important off-campus sites, such as student housing, fire stations, and health care facilities.
When an emergency occurs, the risk manager should not have to start asking for locations of students, health services, or gas lines. All of that information should be at his or her disposal within a geographical information system (GIS).
An asset inventory enables the prioritization of risks. Once the physical components and infrastructure have been identified, it is important to identify the risks and their implications to each asset. Part of this exercise consists of the more “traditional” risk assessment of:
- Discovering where there are exposures to flooding, earthquakes, and the like.
- Estimating possible losses.
- Determining mitigation techniques.
- For business continuity planning, the asset inventory should also provide insights into those assets that will be critical to maintain the institution in the event of an emergency:
- Which buildings (or portions of buildings) need to have power?
- Which buildings house critical functions?
- Which parts of campus will need to be accessible?
Prioritizing the saliency of buildings and infrastructure will allow institutions to address key facilities and functions first.
The business impact analysis identifies the likely implications of a risk to the institution’s business processes. Within higher education, of course, those processes are more than just the traditional business functions and include educating students, housing and feeding residents, caring for lab animals, maintaining telecommunications, and many more.
Each unit, therefore, needs to go through the exercise to determine the impact of a disaster on them. Among the questions they need to ask are:
- What is the maximum allowable downtime?
- What are the costs associated with downtime?
- What should be the objectives for achieving recovery?
Not all processes and areas are equally vital, and the plan will need to prioritize processes based on strategic goals and safety. Advancement gift processing could reasonably stay down for days or weeks, while dining services on a residential campus need to be up and running almost immediately. Meeting payroll dates is critical for all institutions.
Develop the Continuity/Recovery Plan
Once the critical threats are identified and prioritized, the business continuity team can begin to determine who must do what to keep the institution going in an emergency. A master response plan should document priority actions, contact information, and the availability of resources. That plan should be widely distributed across the institution. Each department should then develop its own specific plan of action, based on this master plan.
Because no one wants to carry a thick binder around during a disaster, targeted checklists are an important method for ensuring that all important actions are taken. Working with departments to develop the checklists can be an especially effective mechanism for ensuring that they take the planning exercise seriously. The Occupational Safety and Environmental Health unit at the University of Michigan, for example, created a pandemic business continuity plan that includes checklists for all of the major units, including housing, finance, dining services, international studies, security, and others.
Specific individuals need to be appointed as coordinators during a crisis, and they need to be given specific roles, such as incident reporter, liaison with the community fire department, media coordinator, and the like. Each critical role should have backup. There should be a clear chain of command.
Test the Plan and Make Adjustments From Lessons Learned
The most thoughtful business continuity plans are useless unless they are capable of being implemented when needed. Flexibility in the plan allows the institution the resiliency to respond to whatever catastrophic event occurs. An institution won’t be able to guess exactly what the emergency event is—fire, downed aircraft or drone, active shooter, flood, cyberattack, etc. The plan should be broad enough and flexible enough to support a response, no matter what calamity strikes. This requires the risk manager, before an emergency occurs, to ensure that people across the institution are aware of the plan, knowledgeable about their roles, and confident that they can do their part. This ability to orchestrate the needed response implies that the risk manager has:
- Secured approval of the plan from senior leadership.
- Developed a communications plan (with an emphasis of using social media to communicate) targeted to a range of stakeholders: key coordinators, local officials, heads of functional units, faculty, and students.
- Secured access to the human and financial resources required to implement the plan.
- Monitored and updated the plan on a regular basis.
- Provided regular testing of the plan, using different scenarios to enforce flexibility and resiliency.
Put appropriate documentation on the website and send out periodic reminders that it is there, especially during high-risk times of the year like tornado, hurricane, or fire season. Some aspects of the plan may be confidential and should be shared on a need-to-know basis only, including the location of the command center in the event of unrest or terrorist acts.
Meet with government emergency response agencies and community leaders so that there is a clear understanding about mutual expectations.
Making sure that the plan can be implemented when needed involves more than just sending out the binder. Key individuals should be trained on their roles. Two methods have proven to be especially effective:
Tabletop exercises bring together members of the business response and continuity team to discuss what they would do in the event of a specific disaster. Under the guidance of a facilitator, a specific scenario is outlined that details the disaster, the damage, and other circumstances. The more realistic the scenario, the more specific participants need to be in their response. In addition to team building, the exercise allows people to test their own actions and responses.
A campuswide drill can test the plan under simulated circumstances. The simulated exercises seen on the TV news (complete with bandaged, ketchup-drenched victims) are a way of sensitizing the campus to the importance of the plan, making sure that key individuals are comfortable with their roles, and checking for vulnerabilities in the plan itself.
JANICE M. ABRAHAM is president and chief executive officer, United Educators, Bethesda, Md.