VCU branded angle-motif letterhead

Business Continuity Management

  • Responsible Office: Office of Emergency Preparedness, VCU Police Department, Division of Administration
  • Current Approved Version: 01/13/2020
  • Policy Type: Administrative

Policy Statement and Purpose

The purpose of the Business Continuity Management policy is to provide a framework through which the VCU Police Department, Office of Emergency Preparedness can develop, maintain, and exercise continuity plans in alignment with the business continuity management system standard, ISO 22301:2012, and the Commonwealth of Virginia Executive Order No. 41 (2019) Continuing Preparedness Initiatives In State Government and Affirmation of the Commonwealth of Virginia Emergency Operations Plan. This policy ensures an enterprise-wide business continuity planning process is established that considers every critical aspect of its business processes in creating a plan for how it will respond to disruptions.

Noncompliance with this policy may result in disciplinary action up to and including termination. VCU supports an environment free from retaliation. Retaliation against any employee who brings forth a good faith concern, asks a clarifying question, or participates in an investigation is prohibited.

Who Should Know This Policy

All employees (including faculty) are responsible for knowing this policy and familiarizing themselves with its contents and provisions.

Definitions

Business Continuity (BC)

BC is the framework for building resilience and continued operations with little or no interruption, irrespective of the adverse circumstances or events. It involves planning and preparation to ensure that an organization can continue to operate in case of a disaster or major disruption, and is able to recover to an operational state within a reasonably short period.

Business Continuity Plan (BCP)

BCP is a document which provides guidance and steps for recovery in a specified period of time for a specified function or process. It is written in enough detail so that those required will be able to execute the plan with minimal delay. It is a collection of resources, actions, procedures, and information that is developed, tested, and held in readiness for use in the event of a major disruption of operations.

Business Continuity Planning

Business continuity planning is the process of developing prior arrangements and procedures that enable VCU to respond to an interrupting event in such a manner that critical business functions can continue within planned levels of disruption. The end result of this activity is an effective business continuity plan (BCP).

Business Impact Analysis (BIA)

BIA is a detailed assessment of the possible consequences of a disruption of an essential function and collects information needed to develop recovery strategies to help quickly resume operations.

Comprehensive Emergency Management Plan (CEMP)

A CEMP is a comprehensive emergency response plan developed to ensure appropriate response to and recovery from natural and man-made hazards. A CEMP is different from a business continuity plan. A CEMP provides guidance on what to do immediately before or during an emergency. A business continuity plan helps to minimize the impact on VCU’s business processes regardless of the incident and assists with a return to normal operations as soon as possible after the emergency.

Continuity of Operations Plan (COOP)

A COOP is a planning term previously used to indicate business continuity planning. A COOP is very similar to a BCP in that they are both created to help the organization recover from a disaster, however business continuity planning is used more by businesses or corporations and continuity of operations is used more by federal, state, and local governments.

Critical Functions

Critical functions are those that are necessary to life, health, safety and security of the campus community. These functions must continue at a normal or increased level during an incident. The life, health, safety and security functions will never close and will always require people on campus.

Disaster Recovery (DR) / Disaster Recovery Plans 

DR plans usually refers to specialized planning for computer and IT systems including plans for restoring critical IT services and equipment. This is a specialized sub-group of business continuity planning.

Emergency Operations Plan (EOP) 

For the purpose of this policy, the term EOP also refers to the university's Comprehensive Emergency Management Plan (CEMP)

Mission Essential Functions (MEFs)

MEFs are services, programs, or activities that are necessary to the on-going business of the university and would directly affect the creation, dissemination and preservation of knowledge if they were to be suspended for an extended period of time. Departmental essential functions are the primary services, programs, or activities that a department preforms. They are the core activities of a department. Stopping them for an extended period of time would directly affect the success of the department.

Recovery Time Objective (RTO)

RTO is the maximum length of time that a specific business function or resource can be unavailable before causing significant disruption of operations. Also referred to as maximum allowable downtime.

Risk Assessment (RA)

A risk assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs.

State of Readiness

A position of preparedness, and ready to act quickly and efficiently.

VEOCI

A software solution implemented by the VCU Police Department, and VCU Department of Safety and Risk Management as a tool for crisis management, emergency response, and business continuity planning. 

Contacts

The VCU Police Department, Office of Emergency Preparedness officially interprets this policy. VCU Police Department, Office of Emergency Preparedness is responsible for obtaining approval for any revisions as required by the policy Creating and Maintaining Policies and Procedures through the appropriate governance structures. Please direct policy questions to VCU Police Department, Office of Emergency Preparedness, director of emergency preparedness.

Policy Specifics and Procedures

BCP Lifecycle

This policy provides a standard process for the development, testing and maintenance of initial response, business continuity and business recovery plans at VCU. This policy incorporates all aspects of the business continuity plan (BCP) lifecycle as follows: 

1. Risk Assessment. During the risk assessment step, each university department will identify, assess and rank various hazards based on the probability of occurrence and the level of disruption that will be caused to the department's operation, and consider how each hazard may affect property, business, and people working in the department and any clients they may serve, as well as the university at large. Hazards will be reviewed by the Director of Emergency Preparedness who will provided context though definitions, recent events, and various threat scenarios. This will result in a range of outcomes that may require significant business impact analysis (BIA) and recovery strategies to be developed and supported with resources. University departments will conduct an analysis of the risk assessment information to develop a prioritized list of the mission essential functions (MEFs), with the most critical at the top.

2. Understanding the Organization: Business Impact Analysis (BIA). The BIA refers to the process of determining, assessing and evaluating the potential effects of an interruption or stoppage of critical operations, functions and processes of the business due to an accident, emergency, or disaster. It is a systematic method of predicting the possible and probable consequences of these disruptions, usually with a worst-case scenario perspective. The BIA is considered to be at the center of disaster recovery planning, particularly for the minimization of risks in case operational interruptions or disruptions resulting from disasters and similar incidents.

a. Each department is to determine the MEFs and essential resources of the department. Essential functions are those services, programs, or activities that are necessary to on-going business and would directly affect the success of the department if they were to stop for an extended period of time. MEFs will serve as a guide for how to restart operations following a disaster or major disruption. In general, there should be four to six essential functions, more if it is a highly complex department or unit.

b. Each department is responsible for the administration of university MEFs and are expected to be as thorough as possible in outlining requirements and identifying interdependencies for each function. Consider how the function may need to be altered or modified in the event of a significant disruption from any of the top hazards described in the risk assessment.

c. Each department is to conduct a BIA for each MEF to assess and document potential impacts and negative consequences of a disaster or major disruption on the function. A BIA is completed for each mission essential function to help assess and document potential impacts and negative consequences of a disaster or major disruption on the function. Completing a BIA also helps establish recovery priorities, and recovery time objectives (RTOs) by looking at dependencies, peak periods, harmful consequences, and financial risks.

d. Each department is to consider the human and technology resources required to maintain optimal level of operations.

e. Each department is to establish and finalize the RTOs, or the length of time needed to recover the process or function and bring the business operations back to normal, or as close to it as possible.

3. Determining the BCP Recovery Strategies: 

Recovery strategies are alternate means to restore business operations to a minimum acceptable level following a business disruption and are prioritized by the RTO developed during the business impact analysis. Recovery strategies require resources including people, facilities, equipment, materials and information technology. An analysis of the resources required to execute recovery strategies must be conducted by each department to identify gaps. Each department must:

a. Perform an identification of risk, and develop risk treatment strategies across business areas. Determine internal causes of interdependencies can include line of business dependencies, telecommunication/IT links, and/or shared resources.

b. Document strategies and procedures to maintain, resume, and recover critical business functions and processes.

c. Describe the immediate steps to be taken during an event in order to minimize the damage from a disruption, as well as the action necessary to recover.

4. Develop and Implement the BCP: 

VEOCI, a crisis management and software solution will be used to, develop university business continuity plans, and keep the plans up to date, ensuring the readiness of mission essential functions across the university. Once the planning (BIA and risk assessment) and meetings are complete, each Business Continuity Plan (BCP) will be entered into VEOCI by the responsible department designee. Contact the VCU director of emergency preparedness for access to VEOCI. Training is available. Each department must:  

a. Describe the types of events that would lead up to the formal declaration of a disruption and the process for invoking the BCP.

b. Determine the format of the BCP, i.e. executive summary, objectives and scope, summary of findings, recovery activities.

5. Exercising, Maintaining and Reviewing:

Once the BCP is finalized, training and testing will be conducted by the director of emergency preparedness to ensure all department staff are familiar with it. A continuity planning committee consisting of personnel who would be involved during, and after a disaster or major disruption will be formed by the director of emergency preparedness. The BCP will be adjusted by each department as needed following training and/or actual events.

a. Timely Review and Maintenance: Reviewing all BCPs and related documentation will occur on an annual basis and is the responsibility of each department plan owner. The purpose of reviewing is to ensure the plan remains current and up to date, and to maintain a state of readiness. The maintenance schedule will be overseen by the VCU director of emergency preparedness.

b. Training and Exercises: Annual testing will be coordinated by the director of emergency preparedness for all departments. Testing methods vary from minimum preparation (no notice drills) and resources to the most complex (full scale). Each has its own characteristics, objectives, and benefits. The type of testing employed should be determined by its experience with business continuity planning, size, complexity, and nature of its business. Examples of testing methods in order of increasing complexity include tabletop exercises, functional exercises and full scale exercises.

Forms

There are no forms associated with this policy and procedures.

Related Documents

1. Societal security -- Business continuity management systems -- Requirements, ISO 22301:2012: https://www.iso.org/standard/50038.html

2. The Commonwealth of Virginia Executive Order No. 41 (2011) Continuing Preparedness Initiatives In State Government and Affirmation of the Commonwealth of Virginia Emergency Operations Plan: http://digitool1.lva.lib.va.us:8881/exlibris/dtl/d3_1/apache_media/L2V4bGlicmlzL2R0bC9kM18xL2FwYWNoZV9tZWRpYS83MTcyNTk=.pdf

3. The VCU Continuity of Operations Plan (COOP) April 2019. Available from the VCU Division of Emergency Preparedness upon request.

4. The VCU Crisis Emergency Management Plan (CEMP) October 2018. Available from the VCU Division of Emergency Preparedness upon request.

Revision History

This policy supersedes the following archived policies

Approval/Revision DateTitle
None - new policy  

FAQ

There are no FAQ associated with this policy and procedures.