Guide to Business Continuity and Recovery Planning on Campus
Guide to Business Continuity and Recovery Planning on Campus Table of Contents Guide to Business Continuity and Recovery Planning on Campus 2 Introduction 4 Critical Functions 8 Communications 12 Technology & Utilities 18 Academics & Research 24 Continuity & Recovery 30 Employee Preparedness 34 Conclusion Treasury & Risk Management Services Campus Box 1100 104 Airport Drive, Suite 2700 Chapel Hill, NC 27599-1100 P 919.962.6681 F 919.962.0636 E-mail: [email protected] April 2009 http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 1 Introduction Welcome to UNC Chapel Hill’s “Guide to Business Continuity and Recovery Planning on Campus.” As you pursue academic and research excellence on campus, we are pleased that you are taking time to ensure your department is prepared to respond to various types of operational interruptions. This Guide will help you plan not only for major disasters (e.g. total loss of a building) but also lesser interruptions to service (e.g. the computers are down). It puts planning in perspective and makes it more likely that crisis response will run smoothly. The goals of business continuity and recovery are: To ensure that maximum possible service levels are maintained during a crisis, and To ensure that departments recover from interruptions as quickly as possible. Business continuity plans must be reasonable, practical and achievable. We are not planning for every possibility that could cause an interruption; instead we are planning for the effects of any interruption. For example, your building may be unavailable for many reasons (fire, flood, wind damage, etc.), but the effect is still the same: you cannot work in that location. Generally speaking, however, we need four things to do our jobs on campus: employees/staff, utilities, telecommunications, and a facility in which to work. Some offices also need specialized equipment. The template that follows will address each of these needs and guide you through your planning process. 2 The University of North Carolina at Chapel Hill The time to repair the roof is when the sun is Before you go further into this Guide, it would be helpful to consider what risks your department might face. Is your building prone to flooding due to heavy rains? Are there chemicals or other substances in your building that might make it more likely to experience a fire? Is there a chance that enrollment in your department’s program could significantly decrease or could the department experience a loss of faculty? Would your co-workers or staff be affected by ice or snow storms? You could let your imagination run wild with potential risks! Some of them are more probable than others – perhaps they have happened before or perhaps you are aware of imminent problems. What are the most likely risks your department faces? Consider these risks as you complete the Guide. Your department may be able to plan for that risk now by finding strategies to reduce the risk or reduce its effects. It is important to review these risks annually to gauge your continuity and recovery progress. As more mitigation strategies are implemented, the risks will diminish or change, as will their potential effects, and your department will be better prepared for interruptions. Set a date to review risks and the plan each year (such as the first of the new calendar year or when daylight savings time begins). We suggest that you discuss identified risks and their potential effects with your leadership and your co-workers or staff. The following template is meant to be completed as a collaborative effort, so sharing ideas and discussing options is a great way to start. A PDF version of this Guide is available on the University’s Risk Management Services web page (http://finance.unc.edu/treasury--risk-management/ risk-management/welcome.html). Update as needed, print and include it, along with any other pertinent information, in the folder at the back of this booklet. shining. – John F. Kennedy, 35th US president (1917 – 1963) How to Use the Guide The following pages consist primarily of inquiries for you to consider and room for you to record your responses. Most pages include a sidebar as well in which you will find information that better defines the section or offers additional tips and tricks. Completion of the Guide will provide your department with a basic continuity and recovery plan. We encourage you and your team to discuss your own continuity and recovery preparedness, then include any extra information you believe would be valuable at the back of the Guide. If you have any questions about the Guide, or if you need additional assistance in your continuity and recovery planning, please contact Risk Management Services at 962-7360 or at [email protected]. Good luck and good planning!! http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 3 Critical Functions What does your department receive funding or payment to do? What are the priority operations for your department? Some departments may define critical functions as those whose loss would cause adverse effects on their students, patients or clients. Some might determine this based on loss of income or loss of important research. Briefly identify your department’s critical functions below. (We will explore in more detail in the following pages.) Identify who should be contacted if this function is in jeopardy. #1 Critical Function During a crisis or disaster, a department should strive to maintain as high a level of operations as possible. By identifying your critical Primary Contact RTO Secondary Contact Name Phone Number Alternate Number functions, you can better determine #2 Critical Function which staff, materials, procedures and RTO equipment are absolutely necessary to keep your department functioning. Primary Contact Also, consider how long before you would need to resume operations Name to prevent significant loss of service, Phone Number revenue, or materials. Would this be Alternate Number Secondary Contact days or hours? This is your Recovery Time Objective (RTO). You can put #3 Critical Function RTO your critical functions in order based upon their RTOs. Primary Contact Name Phone Number Alternate Number 4 The University of North Carolina at Chapel Hill Secondary Contact #1 Critical Function (Please explain this function in more detail, including any mitigating factors in place.) If you can’t specify what you intend to achieve or produce, how can you What would be the effect of loss of staff (due to public health concerns, furloughs, adverse weather, etc.) on this function? What is your continuity strategy for this risk? produce it? – Mel Gosling, Founder of Merrycon, Business Continuity Consultancy What would be the effect of loss of utilities (i.e. water, electricity) on this function? What is your continuity strategy for this risk? Mitigate: What would be the effect of loss of telecommunications (i.e. phones, computers, internet access) on this function? What is your continuity strategy for this risk? • To conserve, protect, record • To limit the adverse effects of natural or technological hazard • To moderate in force or intensity What would happen if there was an entire loss of facility (due to fire, tornado, gas release, etc.)? What is your continuity strategy for this risk? • To make less severe What steps can you take now to mitigate impact on your operations? http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 5 Notes: #2 Critical Function (Please explain this function in more detail, including any mitigating factors in place.) What would be the effect of loss of staff (due to public health concerns, furloughs, adverse weather, etc.) on this function? What is your continuity strategy for this risk? What would be the effect of loss of utilities (i.e. water, electricity) on this function? What is your continuity strategy for this risk? What would be the effect of loss of telecommunications (i.e. phones, computers, internet access) on this function? What is your continuity strategy for this risk? What would happen if there was an entire loss of facility (due to fire, tornado, gas release, etc.)? What is your continuity strategy for this risk? 6 The University of North Carolina at Chapel Hill #3 Critical Function (Please explain this function in more detail, including any mitigating factors in place.) I never saw a wreck never have been wrecked and nor was I ever in any predicament that threatened to end What would be the effect of loss of staff (due to public health concerns, furloughs, adverse weather, etc.) on this function? What is your continuity strategy for this risk? in disaster. – Captain Edward Smith in 1907 (Captain of the Titanic, which sank in 1912) What would be the effect of loss of utilities (i.e. water, electricity) on this function? What is your continuity strategy for this risk? What would be the effect of loss of telecommunications (i.e. phones, computers, internet access) on this function? What is your continuity strategy for this risk? What would happen if there was an entire loss of facility (due to fire, tornado, gas release, etc.)? What is your continuity strategy for this risk? http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 7 Communications Communication is the most frequent point of failure in every disaster event. Poor communication is usually at the top of customer and staff complaints. It is important, therefore, for you to carefully consider the items below and implement a schedule for testing your communication plan for an unexpected event. A communication plan should include the following areas: Audience. Who should receive the communication? Responsibility. Who is responsible for the communication? Medium. In what way will your message be delivered? Content. What information will your message include? Who, what, where, when, why and how? Timing/Frequency. How often will information be presented or updated? Make a list of your department’s most important customers and all students/staff/ faculty. Proactively plan to communicate regularly with them before, during and after an incident. Share with them your crisis communication plan. Just because quiet the river is does not mean the The first priority in a disaster or significant interruption is to communicate with your department’s leadership to let them know what has happened and to receive guidance as necessary. The next priority is to communicate with your staff/faculty. Campus leadership also needs to be notified so they can assist with alerting the public if necessary. Departmental Leadership crocodiles have left. – Malay proverb Name Head of Operations First Successor Second Successor Third Successor 8 The University of North Carolina at Chapel Hill Phone Number Alternate Number Call Tree Notes: Below is an example of a call tree. This can be easily created in an Excel file. A sample is also available from the University’s Risk Management Services home page. You can modify the sample call tree to fit your department’s particular needs. Call tree drills should be conducted at least every six months or whenever there is significant staff turnover. If you are conducting a drill, you must say, “This is a test of the [department name] call tree.” This will discourage unnecessary panic. The call tree is activated when the head of operations contacts the directors. The directors then contact the first member of their staff (Staff 1), who contacts the next staff member (Staff 2), etc. The last staff member calls back to the director to assure that all employees have been contacted. The directors, in turn, report back to the head of operations. An absence of call backs indicates that the call tree failed and needs to be conducted again, perhaps with the directors Head of calling each staff member personally. Operations Director A Director B Director C Staff 1 Staff 1 Staff 1 Staff 2 Staff 2 Staff 2 Staff 3 Staff 3 Staff 3 Staff 4 Staff 4 Staff 4 Director A Director B Director C Head of Operations It is important to train staff on how the call tree works so they will know what to expect and what is expected of them. Three significant tips: Write down the message so you can be confident that you are relaying the appropriate information. If the caller reaches an answering machine, leave a message and then call the next person on the call tree to keep it going. If no one answers, call the next person on the call tree. Make a note of the person who didn’t answer and try again later. http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 9 Responsibilities Determine ahead of time whose responsibility it is to communicate with different audiences: Who will communicate with campus leadership? Who will communicate with the Department of Public Safety, Facilities Services, Energy Services or the Department of Environment Health and Safety? Who will communicate with Risk Management Services? Who will communicate with faculty/staff? Who will communicate with students? Who will communicate with the public? If the phone systems fail, use e-mail or mobile phones to contact all students/faculty/staff, vendors, patients, and customers. Inform them that they may contact your department through e-mail or by contacting a designated mobile phone number. Medium Effective crisis communication relies on “push,” where the information is pushed, or disseminated, to the audience via phone, e-mail, radios, etc. You might supplement that with the “pull” method, in which information is made available, but your audience has to find it. A Web site is a good example of the“pull”method of communication. If you intend to use the department’s Web site for providing updates, be sure to inform your audiences of that plan and give them the appropriate URL address before and during the event. Before a crisis, as your department shares information about continuity and recovery planning, you may use newsletters, intranets, staff meetings, and other communication tools. The purpose is to make sure that information is fully shared and understood, so using a variety of communication mediums is appropriate. 10 The University of North Carolina at Chapel Hill In the event of a crisis, what are some of the mediums you are prepared to use to communicate with your audiences? Phone Lines Cellular Phones Pagers Blackberry and other PDAs E-mail Call Tree External e-mail (i.e. AOL, gmail) Departmental Web site University Web site (AlertCarolina.unc.edu) Instant Messenger Services Fax Lines Direct Connect (e.g. Nextel) Other external Web presence Content and Timing Keep initial crisis messages simple, reporting only what is known without speculation. Remember to be clear and concise, but compassionate, i.e. express appreciation for the inconvenience or the concern the audience is experiencing. Explain that you will provide more information as it becomes available. Direct them to the department’s Web site for updates if appropriate. Follow through by scheduling times to continue communicating and provide the additional information as promised. If the situation has not changed, communicate that fact. Failure to communicate effectively and frequently may escalate anxieties and contribute to further problems. Additional Notes http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 11 Technology & Utilities In this exciting age of technological advances, it is difficult to imagine how we could possibly work without our computers and Internet access. Computer and system crashes can seriously jeopardize our productivity. What if software and data are not accessible or are corrupted? What if equipment (hardware) has malfunctioned or is destroyed? How would the department function if the mainframe, network and/or Internet access were not available? What critical interdependencies exist between internal systems, applications and business processes? (What other departments depend on the work your department produces?) Although we are rarely in a position to prevent such events, we can, at a minimum, create plans and strategies to mitigate the potential impact. For example, maintain a list of vital records and ensure that electronic copies are maintained on more than one computer and/or on more than one system (i.e. copies on the director’s home computer, in another department or on separate disk or flash drive). These documents can be retrieved and recreated quickly if needed. For a moment, nothing happened. Then, after a second or so, nothing In the event of a network problem in which you cannot access your software, files or e-mails, contact the specialized IT support within your department or School to establish the nature and duration of the problem. This will help you decide whether or not to retrieve your vital records from their backup location and what actions can be continued. List the contact information below: School/Department IT Support: continued to happen. – Douglas Adams, author (1952-2001) 12 The University of North Carolina at Chapel Hill Make copies and a list of important documents and store them somewhere other than your office to ensure they are retrievable in the event of system of computer crash. (Some examples include continuity plans, insurance policies, financial account information, laboratory/research notes, gradebooks, etc.) Document Name (and file name) Backup Location 1 2 3 4 5 6 Consider your options, and then record your plan below for ensuring back up of your department’s electronic information. Include key contact names and numbers to ensure that the information remains available to your department even if there is staff turnover. The University’s Information Technology Services (ITS) offers assistance with comprehensive data back up. They can offer guidance about available solutions that may backup your entire department’s computers or even just one. Recovery would be available even if hard drives are corrupted or computers are stolen. Consult with your department’s information technology experts or contact ITS at 962-HELP, or review information about the program at http://help.unc.edu/5662. http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 13 Familiarize yourself with assistance offered by Information Technology Services (ITS). The department offers computer repair and loaner services through the Computer Repair Center. You may review this service at http://help.unc.edu/5966 or by contacting the ITS Help Desk at 962-HELP. Maintain an inventory of your hardware and software to assist you in rapid recovery in the event of a disaster. Also, consider insuring your computer hardware. Contact Risk Management Services at [email protected] or 962-7360 for assistance. Computer Hardware Inventory Hardware (CPU, Monitor, Printer) 14 Hardware Size, RAM & CPU Capacity The University of North Carolina at Chapel Hill Model Serial Number Notes: Computer Software Inventory Program (unique to your department) Vendor Contact Information License Number http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 15 Loss of Utilities In an office setting, when power is out, the safest strategy is usually to promptly exit the building. It may be wise to provide flashlights to your staff for just such an event. The Emergency Coordinator for your building or section should guide your evacuation efforts. If you do not have an Emergency Coordinator for your building or department, contact an EHS Fire Safety Professional at 962-5708 or 962-5728. Online training is available for new and continuing Emergency Coordinators. Who is your Emergency Coordinator? Name Phone Number Loss of utilities may significantly affect campus research laboratories. Laboratory directors are encouraged to consult with the Department of Environment, Health and Safety (962-5507) to develop effective and safe plans for emergency shutdown and/or potential continuity strategies. In addition, departments that host laboratory animals have special heating, cooling and air quality needs. They, too, are encouraged to consult with the Department of Environment, Health and Safety for best practices in the event of a utility outage. To find out the extent and likely duration of a utility service outage, contact Energy Services at 962-8394. If there is a water outage or sewer backup, contact Energy Services at 962-3456. (After hours emergencies should be reported at 962-1167.) The University maintains an emergency freezer service through Facility Services. In the event of a failure in a laboratory freezer, contact Facility Services (HVAC) at 962-3456. In the evenings this number will automatically transfer the caller to the Department of Public Safety. Many investigators choose to have their freezers connected to the Freezer Alarm system on campus. If the freezer fails for whatever reason, an alarm sounds in the Department of Public Safety, whose staff then contacts the person identified as responsible for the freezer. If your department is interested in this option, contact Facility Services to discuss your need, costs, expectations and responsibilities (962-3456). Alternatively, to prevent loss and to assure research continuity, a department can contract with an external bio-repository to house their freezers or portions of their work in progress. More information about this service is available through the UNC Lineberger Comprehensive Cancer Center. Contact the Tissue Culture Facility Director at 966-4324. Notes regarding follow up (include emergency contact numbers for the biorepository, if used): 16 The University of North Carolina at Chapel Hill Some offices and buildings have “red outlets,” which are emergency power outlets connected to a backup power system. If you need help understanding this service, or if you want to be considered for installation of red outlets, contact the Help Desk at Facility Services (962-3456). They will connect you with Fire & Life Safety personnel, who can advise you in this effort. If you have, or think you need, a generator, discuss with your department or School’s facility director or contact Facility Services at 201-2782. If you have a generator, determine where your department is on the campus priority list, learn more about what to expect in the event of large scale crisis, and determine what equipment would be powered by the generator. If you have one or more generators, and either should fail, be prepared to tell Facility Services personnel exactly what type of replacement generator you would need. You can discuss this with your department or School’s facility director or contact Facility Services for guidance in determining this information. Model Load Adapter Fuel per hour Additional Notes http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 17 Academics & Research Academic Continuity Academic continuity is vitally important because it focuses on the core business of higher education: providing students with the opportunity to learn. In the event of a disaster on campus, or other significant interruption, it may be necessary to provide alternative means of instruction. The checklists below provide faculty with ideas to improve their own preparedness for online, hybrid, or face-toface course formats. Prior to starting class: Record and backup student names, e-mail addresses, and phone contact information. Record e-mail and phone number of your director or other appropriate point of contact for your primary program or department. Prepare a backup working copy of your gradebook to ensure continuity of grading and reporting to students and administrators if your primary online gradebook is not available for an extended period of time. Back up critical teaching materials, including lectures, assignments, instructions, quizzes, discussion topics, the syllabus, schedule, and other artifacts. You may be able to provide these materials to your students via the Internet in the event of a significant classroom interruption. (You may not be able to save some materials such as reserved readings, library resources, etc.) Next week there can’t be any crisis. My schedule is already Consider creating an external Web presence in preparation for a disaster or significant interruption to campus Internet capabilities. Once Class Has Begun: full. – Henry Kissinger, former US Secretary of State (1923 - ) 18 The University of North Carolina at Chapel Hill Send a test e-mail message to the students in your class. This test message will help you identify any possible problems with spam filters or firewalls that may block receipt of your e-mails. If this should occur, ask the students to add you to their approved recipient list. Create a group distribution list based on your students’ e-mail contact information. Send students a welcome e-mail blast with your contact information and ask them to save the e-mail. Maintain a copy for your own records. This practice will ensure that both you and your students have each other’s current e-mail address. Let students know that it is critical for them to provide you with current e-mail and contact information throughout the semester. Remind students regularly about the importance of keeping backup electronic copies of their assignments. Download students’ assignments when they are submitted so that you will always have ready access to them in the event of a system failure. Download and maintain copies of online discussions if possible. Stay informed about other technologies you may need to use temporarily to continue teaching and learning activities if your classroom were to remain inaccessible for an extended period of time. Let students know of your plans for continuing instruction and communication in the event of disaster or significant interruption. You may want to have the students test their ability to access any external Web sites you have created in preparation for such events. Course Continuity During an Interruption: Use the distribution list you created at the beginning of the semester to send an e-mail to students reminding them of when and how they may contact you. Let them know of any changes to your syllabus. Continue timely sharing of lectures and supporting materials by using your backup copies, and sharing via e-mail or your department’s Web page (if available). Post comments, materials and assignments on your external Web site if necessary. Consider excusing students from the requirement to interact, either online or through class participation, and ask them instead to submit individual contributions (especially if Web access is limited). If you adjust the requirements for interaction during the classroom interruption, prepare a synopsis of student submissions, add substantive comments, and send this information to all students via e-mail. If you supplement assignment information with Web postings, send that additional information to students via e-mail also and retain a copy. Consider setting up and learning how to use a telephone conference call or using an instant messaging/chat program. Use your backup gradebook if necessary. Communicate individual grading and feedback information to each student via e-mail and retain a copy. Consider posting classroom communications and lecture materials or conducting student discussions on Internet blogs or a wiki during a classroom or system interruption. Ensure that viewing and writing access is restricted to members of the class. In a wiki, you may be able to create individual student pages with restricted page-level access so that each student has a private space for communicating with you and/or submitting an assignment. Encourage students to communicate with each other as support for class teams if appropriate. Backup or print all e-mail and/or Web submissions and comments from students during the interruption. http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 19 Notes: Explore Additional Technologies Below is a list of optional technologies and tools you may want to investigate and/ or use if your class is interrupted. These tools are suggested only as alternatives and are not required for normal course activity. You may want to consult with your department’s Internet technology (IT) specialist and/or consider taking trainings offered by the University’s Information Technology Services (ITS). Centre for Learning & Performance Technologies Top 25 Teaching Resources 2008 Firefox delicious Google Reader gMail (Google Mail) Skype Google Calendar Google Docs iGoogle Slideshare flickr Voicethread Wordpress Web browser plus social bookmarking an RSS reader Webmail IM and voice call tool online calendar online office suite personal start page tool presentation sharing image hosting and sharing tool slideshow with audio blogging tool Audacity an audio/podcasting tool YouTube video hosting and sharing Jing screen capture/screencasting PBwiki wiki tool PollDaddy polling tool Nvu Web authoring (site) tool Yugma Web meeting tool Ustream live broadcasting tool Ning private, customized networking Freemind brainstorming tool eXe course/training creation tool Moodle course management system twitter micro-blogging tool See http://www.c4lpt.co.uk/25Tools/index.html If you have any doubt about how to handle the situations and responsibilities outlined in this section, seek the advice of your director. Consult with him/her to ensure that your plans for continuity do not constitute a substantial change in course requirements as described in the syllabus. Discuss your ideas with other faculty. 20 The University of North Carolina at Chapel Hill Research Continuity Name of Principal Investigators for laboratories addressed in this plan (if applicable): Project Location Chance favors the prepared Principal Investigator Office Phone / Pager E-mail – Louis Pasteur, chemist & microbiologist (1822 – 1895) Home / Cell Phones mind. Project Location Principal Investigator Office Phone / Pager E-mail Home / Cell Phones Project Location Principal Investigator Office Phone / Pager E-mail Home / Cell Phones Additional Notes http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 21 Clearly list all special equipment safety precautions in case personnel not familiar with the equipment must access the area. Include cell phone of knowledgeable personnel. Maintain detailed information regarding feeding/care of laboratory animals in case usual caregivers are unavailable and persons unfamiliar with your research must provide care. Label most valuable animal cages. Make any special notes below, but keep detailed information close to animal cages. Duplicate stocks, samples, or subsets that are temperature sensitive and crucial to the research mission. Store duplicates at a remote site in case of power or freezer loss at primary site. Location of remote site (on- or off-campus): Maintain off-site copies of essential vendor contact information, contact information for funding organizations/program officers, backup records of time and effort reporting, and the lab map and inventory list. Consider supplemental insurance for specific pieces of equipment that are critical to operations. Contact Risk Management Services to discuss options at [email protected] or 962-7360. Organize research materials for easy access/retrieval in case of emergencies. Label (using weather resistant labels) the most important materials. Designate an emergency rack whose contents will be taken first in the event of an evacuation. Ensure that temperature or time-sensitive equipment is equipped with failure alarms. Contact Facilities Services at 962-3456 for information about the University research alarm system. Ensure that freezers, refrigerators, incubators, etc. are on an emergency power supply. Be aware of the emergency generator power source for your area, including how long that power source can be relied upon. Ensure that research notes, letters, documents, spreadsheets, etc. are backed up to the network drive every day. Information (data or documents) that is stored on laptops should be routinely uploaded to the network drive. Consider storing copies of critical documentation and findings at an alternative location. Consider what portion of research efforts could be continued from home or other site, i.e. data analysis, summarizing findings, etc. Provide each clinical trial group with remote contact information in case University or Hospital telecommunications fail. 22 The University of North Carolina at Chapel Hill Peer-to-Peer Support Provide the name, location and contact information of a campus or local peer who might be willing and able to assist in your research continuity if an emergency occurs. This person may be able to provide storage space or key supplies in a crisis. Peer Name Institution Contact Information Peer Name Institution Contact Information Peer Name Institution Contact Information Additional Notes http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 23 Continuity & Recovery Scenario: It is the middle of the night when you get a call informing you that one or more of your department’s workspaces has been completed incapacitated. Let’s imagine there has been a major fire, hazardous gas release or similar event, which makes entry into the building impossible. Essentially, you have just lost your office, classroom or lab! This occurs, of course, at the worst possible time—a deadline is looming, classes are just starting (or ending), or at some other time that is critical to your department. What do you do? Where else could you work? What resources would you need? How would you recover? Continuity and recovery are not the same. Continuity planning prepares you to maintain your critical functions during a crisis. The academic plans your faculty have made are examples of continuity planning. Recovery planning helps you rebuild all of your typical functions in a more permanent location. Continuity and recovery do not begin after disaster strikes. They begin right now, with you and your co-workers completing this Guide. Your communications plan, the academic and research continuity efforts, computer backup and other mitigation strategies are the very first steps in continuity and recovery. The information you have collected in the previous sections will prepare you for a quick and effective continuity response and, finally, recovery. For small interruptions, such as emergency repairs or utility loss, refer to the phone numbers provided in the back of this Guide. Unfortunately, a large scale disaster may occasionally strike a campus, causing serious damage to one or more buildings. Sometimes University resources can be stretched thin, so your prior planning is essential to help your department recover quickly as well as to maintain the critical functions you previously identified. In a large scale disaster, perhaps when your department’s building is unavailable, continuity usually occurs in a different location. Let’s look at some of the issues and challenges your department might face at this critical time. Continuity – Relocating Consider the critical functions you described earlier in the first section of this Guide. If your department has an extremely short Recovery Time Objective, you may need a “hot site” where you can immediately move critical operations. A hot site would be equipped with everything your department needs to continue or resume operations, i.e. work stations and computers with duplicate software programs, vital records, supplies, special equipment, etc. A formal agreement would be in place with this space provider. 24 The University of North Carolina at Chapel Hill If you have a hot site, please complete the following: Location Main Contact Information Which of your critical functions could be completed from this site? Key supplies/equipment available What specialized equipment, forms or supplies would need to be acquired? Another option is to develop mutual aid agreements with other departments on campus that offer similar services or use similar equipment as your staff. You can store duplicates of vital records, backup supplies and other key materials you might need in their offices, and perhaps plan to use a conference room as your continuity site. Conversely, your department would offer the same help to the other department. These agreements do not need to be excessively formal, but there does need to be some documentation to denote the location, main contact persons, and what space and supplies would be available. Risk Management Services can help you facilitate these agreements. Location Main Contact Information http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 25 Which of your critical functions could be completed from this site? Key supplies/equipment available What specialized equipment, forms or supplies would need to be acquired? In the event of wide-scale destruction on campus, we strongly encourage you to have plans for off-campus relocation or, at least, some ready options. For example, a theater group may be able to use the stage at the Carrboro Arts Center or even a local high school. A research laboratory might make use of available space at North Carolina Central University or North Carolina State University. Office space may be available in hotel conference rooms. Employees might work from home. What are some options for your department? Contact these other locations now to discuss what availability you might be able to expect in the event of a crisis. 26 The University of North Carolina at Chapel Hill Remember to use your department’s communication plan to inform your many audiences of the new location and, if applicable, your limited services. What equipment would be needed at a continuity site to communicate with employees, students, vendors and customers? Is Web access available? A large-scale disaster on campus could disrupt or delay numerous campus services. In particular, Material and Disbursement Services (M&DS) recognizes that it may not be able to process all the purchasing and check request needs of the campus when its own functions may have been affected. Your department is encouraged to maintain contact information for its own specialized vendors, including persons or companies providing repair services to specialized equipment. In the event of a disaster on campus, you may need to contact them directly. Product Vendor Contact Information Material and Disbursement Services offers an Emergency Purchasing Card, which could be used in a large disaster. This would allow your department to purchase needed supplies without having to secure a check or purchase order from MD&S during a crisis. Your department would need to document its purchases carefully, of course, but, at least, the Emergency Purchasing Card would allow a quicker response to your department’s crisis situation. Contact the P-Card Officer for more information at 962-2255. http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 27 Recovery Once the University has determined that the crisis has passed, you may be asked to relocate your offices again, hopefully to a permanent location. To fully reestablish your department’s office or other work area, you will need a Recovery Inventory. The Recovery Inventory is created by assessing what equipment and supplies you currently have, and would potentially need to replace, to run at full operations. This could be computers and desks, file cabinets, specialized equipment, copy paper, etc. Equipment/Supply Number Possible Source If you have a more extensive list than can be accommodated above, simply include it in the folder at the back of this Guide. Ensure that your supervisor and select staff members have copies as well. Once the work area has been recovered, it is time to recover your department’s critical data. Work with your department’s information technology (IT) specialist or the University’s Information Technology Services (ITS) to retrieve data that has been backed up to the network drives or to the recovery company (Iron Mountain). Also, retrieve and reproduce any critical documents that may have been lost. Academics, laboratories and administrative offices may have very different tasks for recovering. List the tasks your department will need to complete to fully recover. 28 The University of North Carolina at Chapel Hill Additional Notes At the onset of an emergency, everyone’s IQ goes immediately to ‘0’. – Winston Scott, NASA Astronaut (1950 - ) Your staff and co-workers may be aversely affected by the same crisis that affects the campus. Please take time to assure their well-being before returning to full operations. http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 29 Employee Preparedness There is no more important resource on campus than human resources. After a disaster, computer backups and new facilities are useless without staff. For this reason, it is important to communicate with your employees, to identify your essential staff, and to help your employees better prepare themselves for emergencies. Before an incident or interruption occurs, share your department’s continuity and recovery plans with your staff and co-workers. They may offer additional ideas or options that could enhance planning. After an incident on campus, one of your priorities will be to communicate with your staff as soon as possible. You will want to update them on the effects of the incident and the current status of your department. You may also need to give them alternative work plans or information regarding relocation. In the Communications section of this Guide, you created a call tree. This should be updated at least every six months or whenever there has been significant change in staff. Test the call tree after each update. tendency The of an event to occur varies inversely with one’s preparation for it. After a serious storm or other event off campus, co-workers often worry about each other. Designate a phone number in your department where employees can leave an “I’m okay” or similar personal update message. This could be an administrator’s number or another designated number. Employee Update Number: In addition, ensure that your faculty and staff are aware of “Alert Carolina,” the University’s safety awareness program (www.alertcarolina.unc.edu). Encourage them to register their cell phones with the text messaging service to receive updates in case of imminent danger on campus. – David Searles, author (from Continuity Central) 30 The University of North Carolina at Chapel Hill Consider the minimum number of employees necessary for maintaining your department’s critical functions. In preparation for a pandemic or other communicable disease, please identify these essential staff members to your department’s HR Facilitator and to the Department of Environment, Health and Safety. Determine what cross-training may be needed to ensure backup for critical functions/roles if key personnel are unavailable. In the event that your facility is unavailable, some employees may be able to work from home. In the event of a sudden crisis, it would not be necessary to receive prior approval from the Office of Human Resources for staff to work from home, but it would be wise to develop some general good practices, such as providing daily updates of work completed, tracking hours worked, etc. This will be especially helpful when tracking Time and Effort reporting. Briefly describe your department’s work-at-home plan. Providing for your staff and co-workers’ well-being is recognized as one of the best ways to ensure effective recovery. If individuals and families are prepared, your department is better positioned in an emergency situation. Following a disaster, basic services such as electricity, gas, water, sewage treatment, and telephones may be out of service for days, a week, or longer. A key element of personal preparedness is the creation of a disaster supplies kit. At work: A work kit should be in one container and ready to “grab and go” in case it is necessary to evacuate the workplace. Keep some food (i.e. energy bars) and water in the kit, as well as first aid supplies, one day’s worth of essential medicines, a flashlight and whatever else you deem appropriate. You may want to have comfortable walking shoes at your workplace in case an evacuation requires walking long distances. In the car: In case you are stranded, keep a kit of emergency supplies in your car. This kit should contain food, water, first aid supplies, flares, jumper cables, and seasonal supplies. At home: A disaster supply kit should contain essential food, water, and supplies for family members (and pets) for at least three days. Keep the kit in a designated place and have it ready in case you have to leave your home quickly. Make sure all family members know where the kit is kept. Additionally, maintain supplies sufficient for up to two weeks in case your family needs to shelter in place (i.e. stay at home for an extensive period). More information about home planning is provided in the following pages. Encourage your staff and their families to get an emergency supply kit, make a family emergency plan, and be informed about different risks and appropriate responses. Go to www.ready.gov for more information. http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 31 Notes: Family Disaster Supply Kits Families and individuals should maintain at least two disaster kits as referenced above. The first, a “Go” kit, is for an incident in which it is necessary to flee the home, i.e. a gas release in the area, severe storm damage, fire, etc. Keep the entire kit in plastic storage containers or fill a book bag for each family member to carry. The second disaster kit is a “Shelter in Place” kit, which is larger and allows for an extended stay in the home, probably without utilities. Store this somewhere in or near the home. “Go” Kit (for 72 hours away from home) Water —at least one gallon daily per person for three days Food — at least enough for three days (non-perishable packaged or canned food/juices, snack foods, etc.) Manual can opener, cooking utensils/fuel, paper plates, plastic utensils Blankets/Pillows Seasonal clothing, rain gear, sturdy shoes First aid kit, medicines and prescription drugs Toiletries and hygiene items (toilet paper, tooth brush/paste, wipes, etc.) Special items for infants, sick or elderly (diapers, foods, medicines, etc.) Toys, books, games for children Flashlights with extra batteries Small tool kit Copies of essential family information (insurance policies, birth certificates, banking information, etc.) Cash — in case banks or ATMs are not operating Cell phone charger Pet care items —identification, food/water, carrier, leash Keep fuel tanks at least half-full at all times in family cars. Determine evacuation routes. Choose several destinations in different directions and at different distances. Be sure that all family members are aware of these plans. Designate an out-of-town contact to help facilitate communication between family members who are separated. 32 The University of North Carolina at Chapel Hill “Shelter in Place” Kit (for 7-10 days in the home) Water — At least one gallon per person/per day. Food —Stockpile non-perishable packaged or canned foods, bottled water and juices, snack foods, etc. Use a permanent marker to clearly mark expiration dates. Heat source —Consult with your local fire department for safest options. Manual can opener Cooking utensils/fuel, paper plates, plastic utensils First aid kit, medicines and prescription drugs —at least enough for 7-10 days Toiletries and hygiene items (toilet paper, tooth brush/paste, etc.) The only thing harder than planning for an emergency is explaining why you didn’t. – Anonymous Special items for infants, sick or elderly (diapers, foods, medicines, etc.) Toys, books, games for children Flashlights with extra batteries. Be especially careful if using candles for lighting. Fire extinguisher Tool kit, including wrench for turning off gas or water Dust masks, plastic sheeting and duct tape to help filter contaminated outside air Copies of essential family information (insurance policies, birth certificates, banking information, etc.) Pet care items —food/water, toys Battery-powered or hand crank radio and a NOAA weather radio with tone alert, and extra batteries for both Keep a document updated with all family member’s names, social security numbers, dates of birth and important medical information. Discuss evacuation and shelter-in-place plans with schools, work places and other locations you frequent. Schools, daycare providers, work places and apartment buildings should all have site-specific emergency plans that you and your family need to know about. http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 33 Conclusion After Action Reports It is important to document steps taken during any recovery, no matter the size or extent of the disruption. Use this information to evaluate your department’s response. Prepare a summary to share with leadership, co-workers and staff, including what worked well, what needed improvement, which phone numbers were out of date, etc., and conduct meetings with staff to discuss ways to improve your department’s response. Retain a copy of your notes on the recovery and your summary to review after the next incident occurs. This will help you document your department’s progress in becoming more prepared for continuity and recovery. Exercises and Tests Test your department’s continuity and recovery plan by conducting a tabletop exercise, i.e. a scenario-led discussion of planned responses, or a “live” exercise, in which essential personnel actually move to the designated recovery site and operate critical functions from there. You may also test portions of your plan by performing a call tree drill or by retrieving your backup computer files (ask your IT support person, or the University’s Information Technology Services, to help you). Please list your plan for tests and exercises. A good plan today is better than a perfect plan tomorrow. – George Patton, WWII Army General (1885 – 1945) 34 The University of North Carolina at Chapel Hill Distribution of Plan Maintain a current list of persons receiving copies of your department’s plan. These should include directors, supervisors, essential personnel, etc. Changes in the plan may significantly affect continuity and recovery actions, so it is imperative that all on the distribution list receive updated copies. Name Position Phone E-mail Plan Maintenance and Update Activity Tasks Frequency Plan update Review entire plan for accuracy. Discuss plan with leadership, co-workers and staff. Annually Plan update Incorporate lessons learned and changes in policy or planned activities. Discuss changes with leadership, co-workers and staff. After incidents Plan update Incorporate lessons learned and changes in policy or planned activities. After tests or exercises Distribution Distribute copies to appropriate persons. After updates http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 35 Record of Changes Version Number Date Brief Description of Changes Copies Distributed Approved by: Director’s Signature Version Number Date Date Brief Description of Changes Copies Distributed Approved by: Director’s Signature Version Number Date Date Brief Description of Changes Copies Distributed Approved by: Director’s Signature Version Number Date Date Brief Description of Changes Copies Distributed Approved by: Director’s Signature Version Number Date Date Brief Description of Changes Copies Distributed Approved by: Director’s Signature Version Number Date Date Brief Description of Changes Copies Distributed Approved by: Director’s Signature Version Number Date Date Brief Description of Changes Copies Distributed Approved by: Director’s Signature Version Number Date Date Brief Description of Changes Copies Distributed Approved by: 36 Director’s Signature The University of North Carolina at Chapel Hill Date Definitions Alternate Location A location, other than the normal facility, used to process data and/or conduct essential functions in the event of a disaster. Business Impact Analysis The process of determining the potential consequences of a disruption or degradation of critical and/or business functions. Cold Site An alternate site that is reserved for emergency use, but which requires the installation of equipment before it can support operations. Continuity of Operations Planning (COOP) The effort to assure that the capability exists to continue essential functions across a wide range of potential emergencies. Critical Functions Activities, processes or functions that could not be interrupted or unavailable without significantly jeopardizing the operation of an organization. Delegations of Authority Pre-delegated authorities for making policy determinations and decisions in crisis conditions, at alternate locations, etc., as appropriate. Essential Personnel Personnel designated by their division as critical to the continuity and/or resumption of essential functions and services. Facility A location or work space containing the equipment, supplies, and voice and data communication lines to conduct transactions required to conduct functions and business under normal conditions. Hot Site A fully-equipped facility, which includes stand-by computer equipment, environmental systems, communications capabilities and other equipment necessary to fully support a department’s immediate work and data processing requirements in the event of a disruption or a disaster. Recovery Time Objective (RTO) The period of time in which systems, applications or functions must be recovered after an outage to prevent significant impact on business or service responsibilities. Risk An ongoing or impending concern that has a significant probability of adversely affecting operations and business continuity. Risk Management The discipline that ensures that an organization does not assume an unacceptable level of risk. Shelter in Place The process of staying where you are and taking shelter, rather than trying to evacuate. Vital Records, Systems and Equipment Records, files, documents or databases, which, if damaged or destroyed, would cause considerable inconvenience and/ or require replacement or re-creation at considerable expense. For legal, regulatory or operational reasons these records cannot be irretrievably lost or damaged without materially impairing the organization’s ability to conduct business. Vulnerability The susceptibility of a department to a hazard. The degree of vulnerability to a hazard depends upon its risk and consequences. Warm Site An alternate work site which is only partially equipped. http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 37 Important Contact Numbers Access Control Bio-repository UNC Lineberger Comprehensive Cancer Center, Tissue Culture Facility Director 201-7748 966-4324 Computer back-up 962-HELP Computer Repair Center (and loaner service) 962-HELP Emergencies (police dispatch) 911 / 962-6565 Non-emergency assistance 962-8100 Emergency Coordinator Program 962-5728 Environment, Health and Safety (Department of ) 962-5507 Freezer Alarms 962-3456 Freezer Failure 962-3456 Generators 201-2782 Heating and cooling problems 962-3456 Human Resources (Office of ) 843-2300 HVAC Systems 962-3456 ITS Teaching & Learning 445-9474 Insurance 962-7360 Lab Safety 843-5331 P-Card Officer 962-2255 Public Safety (Department of ) After hours assistance 962-3951 962-8100 Red Outlets 962-3456 Risk Management Services 962-7360 Sewer backup 962-3456 Utility Service Outage After hours emergencies 962-8394 962-1167 Water Outage 962-3456 For any emergency assistance, call the UNC Department of Public Safety at 911. For a concern about a student, call the Dean of Students Office, 966-4042. For a concern about a co-worker, call the Employee Assistance Program, 929-2362. 38 The University of North Carolina at Chapel Hill Additional Notes There’s no need to fear the wind if your haystacks are tied down. – Irish Proverb http://finance.unc.edu/treasury--risk-management/risk-management/welcome.html 39 Additional Notes worry Don’t about the world ending today. It’s already tomorrow in Australia. – Charles Schultz, cartoonist (1922-2000) 40 The University of North Carolina at Chapel Hill Treasury & Risk Management Services Campus Box 1100 104 Airport Drive, Suite 2700 Chapel Hill, NC 27599-1100 P 919.962.6681 F 919.962.0636 E-mail: [email protected]
![Continuity of Operations Plan Template for Federal Departments and Agencies [Department/Agency Name]](http://cdn1.abcdocz.com/store/data/000168993_1-702738e0b9e279a2950b0fe40dc45561-250x500.png)
© Copyright 2024