CAUBO Annual Meeting, Winnipeg, Manitoba, June 16, 2008. Concurrent Session: Business Continuity and IT Disaster Recovery: Ensuring an Integrated Approach
Overview of Presenters: Gerry Miller, University of Manitoba; Philip Stack, Associate Vice President, Risk Management Services, University of Alberta
Presentation Outline: Part 1: Overview of Integrated Emergency Management; Part 2: IT Disaster Recovery
“An emergency will occur at some point in the history of the university. Never assume it only happens to someone else.” (1999 Harrell, G. North Carolina Hurricane) “The Whole Place is Underwater!”: Teaching, research completely halted by rising floodwaters. Another Campus Shooting: University mourns. President under fire for lack of preparation. Radiation Leak Stuns Administrators: University authorities didn’t even know the dangers, says prof
Unexpected, Unscheduled, Unplanned, Unprecedented, Definitely Unpleasant. “It’s not a matter of whether a disaster or emergency scenario will confront a campus but when. I have confronted numerous emergency situations requiring rapid decisions, such as several campus evacuations and extended closures that threatened the institution’s academic program. Dealing with the long-term trauma people faced was a humbling and daunting experience. “Our decision to create comprehensive plans and to continually monitor and update these plans has proved to be one of the best uses of our time and resources.” John Cavanaugh, President, University of West Florida. An Emergency at the University/College
Why Worry about Emergency Management? 1/2 Society’s Tolerance - more informed, wiser society not willing to accept uncertainty as in the past. Institutional Accountability – to the Community, the Board, Government, to Us. New legislation closes gaps for corporate immunity e.g. the directing mind. Legal Risk - an act or lack of an act could land the University in court and someone potentially with a record. The trend to hold the University responsible for failing to take reasonable steps to prevent a crisis. Or, for failing to be adequately prepared to manage a crisis situation. Making emergency preparedness a priority may require building crisis management into job descriptions, personnel evaluations and audits. - Poland (1994)
Why Worry About Emergency Management? 2/2 Reputation - Potential damage to the University’s reputation, and, just as important, damage to your own reputation. Fragile - The systems may be overloaded and the infrastructure easily broken. Large interdependencies can result in disastrous failures e.g. power outage in eastern Canada and USA, failure of the IT system, failure of communications. Educational institutions - are not exempt from regulations e.g. WH&S/OH&S and the need to provide a safe environment. They may be different in inherent risks and operational risks – but they are still accountable. “The key to risk management is delivering risk information, in a timely and succinct fashion, while assuring that key decision makers have the time, the tools, and the incentive to act upon it…it follows that the biggest single responsibility of the risk management function is intelligent communication”. Kloman, Felix. (Risk Management Reports, 2001)
What are we trying to achieve? 1. Integrated Emergency Management Program 2. Involvement of Faculties, Departments and Planning 3. Business Continuity including Pandemic readiness 4. Enhancing Emergency Preparedness and Management components
Preparedness, Response, Recovery, Prevention-Mitigation. The Goal: Increase readiness; Building capacity and reliability; University wide approach; Systems, adaptable and flexible; Emergency management principles; Strengthen practices and decision making; Protect the core businesses
Level 1 Initial Emergency Response Faculty/Department Action Disaster/ Major Emergency/ Outage Level 2 or 3 EOC Activation CMT Activation Faculty/Department Unit Action Plan Assessment Recovery Restoration Resumption Continuity Internal and External Stakeholders Normal Operations Prevention Plans Preparedness Training When The Wheels Come Off! IEMP
University of Alberta Crisis Communications Plan University of Alberta Emergency Master Plan Faculty/Department Action Plan Department/Unit Action Plan University’s Integrated Emergency Management Program Health Authorities Emergency Response Departments Government Agencies Layered Planning and Interoperability
Administration and Maintenance Risk, Prevention, Preparedness Action Plans: Response, Recovery, Res. Roles, Responsibilities, Checklists Incident Command System and SOPs Incident Command System Appendix Post Incident Measures Resources and Forms Emergency Contacts - In/Ex Activation and Notification, Operation U of A Integrated Emergency Management Program General, Introduction, Policy, Overview Loss of Critical vendor Loss of IT, Communications Loss of Utilities Loss of People Capacity Loss of Equipment/Vehicles Loss of Facility/ Office/Workspace Business Continuity - Action Plans Emergency Master Plan & Faculty/Department Action Plans. Contingency Plans, Alternative Measures, Mitigation and Protection Crisis Communication Plan and Teams Supporting: Preparedness, Response, Recovery and Resumption - University wide Business Continuity Planning
Business Continuity to Action Plans. Phased Development: 1. Analysis 2. Alternate Measures, Solutions and Strategies 3. Implementation (Faculty/Department: Emergency Operations Plan/Action Plan) 4. Maintenance. How do you get there?
Business Impact Analysis: Critical business services; Work flows; Maximum acceptable downtime; Vital records and documents; Priorities for recovery and resumption; Interdependencies. Planning For A Catastrophe Is Positive Thinking. Not Thinking Is A Disaster! Caring, Protecting, Responsible
Scenario Planning: Loss of access; Loss of utility; Loss of facility; Loss of people; Loss of IT and/or Telecommunications; Loss of critical vendor. How to Recover Lost Business Services and Functions. Caring, Protecting, Responsible
University and Risks: Risk of fire, flood, tornado: Water, structural damage. Risk of crime, disorder, terrorism: Theft, bomb threat, work place violence, civil disturbance, hostage, shooter, fraud. Public Health Emergency: avian pandemic, meningitis. Risk to utilities: High temperatures, High or low humidity. Risk to environment: Mold and mildew, pests, asbestos. Risk of hazards on roads. Human error. IT risks. Financial Risks. Regulatory Risks. Reputation Risk. You are in the Risk Management Business!
Potential Consequences: Health, safety and security; Injuries or loss of life; Animal care; Specimens, data, vital records; Legal; Regulatory; Financial; Infrastructure; Reputation; Loss of students; Loss of Faculty and Staff; Loss of collections; Loss of valuable documents; Morale. Risk Does Not Respect Boundaries!
Risk Analysis Tool. Risk: What can go wrong? How likely is it? What are the consequences? Source: Natural, Technical, Man-Made. Caring, Protecting, Responsible
Response Staff U of A PHR Strategy Crisis Communications Plan U of A Integrated Emergency Management Program U of A Emergency Master Plan Faculties Research Administration Facilities and Operations Essential Services Animal care Labs Teaching IT and Records Campus Security EH&S Power Human Resources Water Planning Residence Services Communications Heat Staff Sponsors Finance Payroll Redeployment Grounds Buildings Operations Communications Perishables IT Analysis and Action Plans
Integrated Emergency Management Program - Model: Leadership and Commitment; Risk Management Culture; Functions, Services, Systems and Processes; Ready, Resilient and Robust University
Incident Command System – The Building Blocks: Command, Command Staff, General Staff, Doers, Thinkers, Getters, Payers, First Responders
Sample Emergency Operations Centre EOC Director University President University Emergency Policy Group: VPs and General Counsel Finance & Administration Section Chief Operations Section Chief Liaison Officer Faculty and Deans Liaison Officer: Internal/External Public Information Officer Registrar Public Safety HR Facilities Management Student/Residents Services Financial Services Risk Mgnt & Insurance Contracts EOC Coordinator Planning and Intelligence Section Chief Documentation Unit leader Situation Status Demobilization Logistics Section Chief Facilities Management IT & Telecomm Supply Management Capital Projects Resource Tracking Deputy EOC Director Financial Services
Emergencies prompt a change in management style: From Consultative to Command and Control. “You’ve got to take stock of the damage and how you’ll recover from it. You’ve also got to take stock of your human resources, who’s available and what’s their work capacity. Remember that damage isn’t just physical. Take stock of outside resources. Who can help? The big thing: Take control. As president, as a CIO, you’re in the best position to look out for your own institution. Don’t rely upon FEMA (Emergency Management Alberta, Public Safety Canada). Don’t rely upon the government. Don’t rely upon the state (province). Take control of the situation.” John Lawson, VP Information Technology and CIO, Tulane. Management Style During an Emergency at a University
In Summary: Leadership commitment; Integrated approach; Build a risk culture; Train and exercise
Here’s why we need to be ready for emergencies...