180 likes | 396 Views
Business Continuity Planning: Moving BEYOND Disaster Recovery Planning. Cheryl Barkby and Ed Gregory Information Services-Business Continuity and Security DePaul University. Today’s Agenda. Who We Are History of DRP/BCP efforts Crisis Management Committee: Definition Responsibilities
E N D
Business Continuity Planning:Moving BEYOND Disaster Recovery Planning Cheryl Barkby and Ed Gregory Information Services-Business Continuity and Security DePaul University
Today’s Agenda • Who We Are • History of DRP/BCP efforts • Crisis Management Committee: • Definition • Responsibilities • Team Members • Recommendations
DePaul University: Who we are • Founded in 1898 • Largest Catholic university in the U.S. • 8th largest private university in the U.S. • Over 23,000 students • Over 4,000 faculty and staff • Total of six campuses: two within the city of Chicago, four in the surrounding suburbs
Disaster Recovery vs. Business Continuity • DISASTER RECOVERY PLANNING (DRP): The technological aspect of business continuity planning. The advance planning and preparations that are necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster. • BUSINESS CONTINUITY PLANNING (BCP): Process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change. • Source: www.drii.org
Brief History of DRP/BCP efforts • After September 11, 2001 the university performed an external audit of disaster recovery plans for key areas. • We began updating university-wide disaster recovery plans including the development of a comprehensive university plan and things were moving along. • But then…
History (Cont.) • In 2003, Office of Compliance was formed and began analyzing risk. • In January 2004, we held a table-top exercise involved key areas throughout the university. • The results of the exercise were presented to the executives and identified a need for overall coordination during a crisis event. • In March of 2004, the Office of Compliance began creating monitoring plans to mitigate risk. • Later in 2004, we presented to executive vice presidents and the executive compliance committee a proposal to create a Crisis Management Committee to further work on our university-wide plan, including performing a Business Impact Analysis (BIA).
What is DePaul’s Crisis Management (CM) Committee? • The crisis management committee’s primary responsibility is to direct and manage the university through a crisis level event. • Provides the overall coordination and communication during the event.
CM Responsible for: • Determining what happened • Determining the event’s affect on the university • Deciding what steps to take to continue the business of the university • Determining how to communicate information to employees, executives, vendors, students, and if need be, to the general public • Overseeing the execution of plans, and utilization of teams and resources to address the situation • Monitoring and reporting progress during the event • The team would serve as the leadership or steering committee for the university-wide Business Continuity Program (BCP)
Emergency Response Vs. Crisis Management • Emergency Response: First response to events/ensuring employee and student safety; for example: “Get employees to safety and put out the fire” • Crisis Management: Manage university through event, oversee recovery, restoration processes; for example: “Based on where we are in the school year, keep the university running, and recover the affected function(s)”
Who should be on the committee? • The committee shouldn’t be too big or too small • Too big: too many voices, too much discussion, too many diverse opinions • Too small: won’t have all aspects of the university covered • The CM committee is not executive-level employees gathered around the board room table • Top executives should be part of the process of decision making, but not on the committee • While they may have the authority to act, they may not have the knowledge of what to do or how to respond
Who should be on the committee (Cont.)? • Use care in picking the committee and alternates: • Look at university structure and normal operations to determine what areas should be represented • Pick leaders for the areas where coverage is needed • Through advice from the primary member, select an alternate that has a similar position to the primary, not just a subordinate of the primary • Remember: many key players within the university can serve on the committee as support, including media relations, legal, and other functions that may be needed for a portion of the crisis, but don’t need to play a leadership role in managing the crisis
DePaul’s Committee • Includes representatives from: • Media Relations • Facility Operations/Public Safety* • Human Resources • Academic Resource Center (Registrar’s Office) • School of Education* • School for New Learning *Located at other campus • Information Services • Enrollment Management • Student Affairs • General Counsel • Treasurer’s Office • College of Commerce • College of Liberal Arts & Sciences*
Perspectives on Managing a Crisis • What makes crisis management work effectively? • Knowledgeable people • About their role in crisis management • About how the university works • About business and operational processes that must be executed to resume, recover, and restore operations to normalcy • Clearly defined CM and BCP process • Strong effective CM leadership that is cool under fire • Not all crises are disasters, and not all disasters are crises • Important to clearly define within the crisis management structure what it will respond to, and how it will respond
Final Recommendations • The goal of the committee is to help the university to respond quickly and reduce confusion during a disruption and create the overall plan. • Use care in building a crisis management structure and make sure committee is authorized to act • Be very clear about what is to be addressed by the crisis management team, and what is not • Conduct crisis management exercises often to keep them ready to act • Perform Business Impact Analysis (BIA) • Executive Support is key • Network with other universities about their experiences • Obtain certification • Make use of consultants/experts if necessary
Vendor and Website Information • Vendors: • Strohl Systems, www.strohlsystems.com • Contact: Matt Ott, 1-800-634-2016 • Iron Mountain, www.ironmountain.com • Useful Websites: • Disaster Recovery International Institute: www.drii.org • Disaster Recovery Journal: www.drj.com • Contingency Planning Management: www.contingencyplanning.com • Continuity Insights: www.continuityinsights.com
Contact Information • Ed Gregory • Business Continuity Lead, Information Services • 312-362-5374 • egregory@depaul.edu • Cheryl Barkby • DR/BC Analyst, Information Services • 312-362-6419 • cbarkby@depaul.edu • Questions?