Assessing your business continuity plan: 4 essential elements
- Review your plan to ensure effectiveness and alignment with institutional priorities.
- For a comprehensive review, include stakeholders across your institution.
- A wealth of resources exists to help you get started.
This year’s sudden pivot to remote work and learning has applied extreme stress testing to higher education’s business continuity plans (BCPs). In the wake of last spring’s unprecedented disruption, and with fall planning still in flux, it’s a perfect time to re-evaluate those plans to see if they were effective, sufficient, and aligned with your institution’s top priorities.
Let’s look at the key steps involved in conducting a business continuity plan (BCP) review.
1. Gather your team and establish an order of work
To conduct a comprehensive review and learn where the gaps are in your plan, you’ll need input from stakeholders across your institution. Ensure the steering committee includes representatives from the cabinet, IT, finance, faculty, student affairs (including residence life), academic affairs, facilities, continuing education, and other functional areas.
Ideally, the committee should meet quarterly, and more frequently during crisis mode. Whether led by the CIO’s office or a risk or security team, this diverse but focused committee—along with any business unit task forces that sit below it—should follow the same framework:
- Articulate roles, responsibilities, and tasks for BC steering committee members
- Interview internal SMEs and stakeholders for your business impact analysis (BIA) to learn about critical systems and acceptable downtimes
- Decide how to share assessment results and with whom
2. Establish the purpose and scope of your review
First things first: determine what your assessment will address. That means answering questions such as: Will your review include both your BCP and your disaster recovery (DR) plan? Which processes and procedures will be evaluated? Key focus areas might include:
- Remote work and collaboration. Were your employees able to access the systems and information they needed? Were they able to communicate effectively with each other, with students, and with other internal and external stakeholders?
- Student learning and self-service. Did your students have access to online learning tools and technology? What about academic advising, degree planning tools, and health and wellness resources?
- Systems availability. How did your infrastructure withstand the sudden shift? Were key IT functions available? Did you experience any cybersecurity issues or implement any temporary solutions that may have introduced risk?
3. Make a list of institutional objectives and priorities
Did your plan correctly identify top institutional priorities through your business impact analyses, and did it lay out sufficient procedures to protect them? What other priorities should be included, accounting for core capabilities that change depending on the time of year (e.g., aid processing, graduation, and registration)? Consider the following:
- Continuity of communication platforms like email and videoconferencing
- Remote learning availability, access, and quality
- Financial transactions, including payroll, payment processing, and financial aid distribution
4. Evaluate the performance of your critical services, disaster recovery procedures, communications, and vendors
What were your most critical functions, and were they restored within established maximum allowable downtimes (MADs)? Did those recovery windows prove realistic and appropriate for your institution? Key questions include:
- Which capabilities withstood the sudden shift to remote work and learning, and which didn’t?
- What previously unknown needs arose among students, staff, faculty, and leadership?
- Where were the gaps in internal and external communications?
- Were the most essential personnel, facilities, systems, and other assets correctly identified?
- Who could benefit from additional training?
- How did your critical support vendors perform, and do you understand their recovery capabilities and service levels?
- Do your existing plans include any redundant or conflicting systems or siloes?
- What is your plan for testing your updated BCP and DR plans?
- Have you updated and distributed your call trees, crisis protocols, and contact info for critical vendors?
- Do you have a plan for continuous program monitoring and review (occurring at least annually)?
Good news: a wealth of resources exists to help you get started. EDUCAUSE, ISO, and NIST are key sources, and the ISO 22301 framework provides a valuable roadmap to the process. Visit their sites for additional assessments, checklists, and best practices to guide you.