1. move to top

    Title

    Business Continuity Planning

    1. move to top

      Policy

      Business continuity management is ensuring the continuity or uninterrupted provision of critical operations and services. Business continuity management is an ongoing process with several different but complementary elements, including disaster recovery, business recovery, business resumption, contingency planning, and crisis management.

      It is the policy of University of Texas at Arlington (UT Arlington) to maintain the capability to continue the primary missions of research, teaching, and public service despite potentially disruptive events. In order to achieve this capability, the UT Arlington Office of Emergency Management & Business Continuity (OEMBC) directs a comprehensive disaster management program that incorporates elements of safety, security, emergency management, disaster preparedness, mutual aid agreements, administrative, recovery, and communication for all university entities.

      1. Rationale

        Business continuity plans play a vital role in the all-hazards disaster preparedness approach for UT Arlington. It is through business continuity management and planning, that UT Arlington mission critical entities develop the necessary understanding of their core business processes and interdependencies required for effective prevention of and response to operational disruptions.

      2. Scope

        This policy applies to mission critical departments, offices, centers, services, etc., as defined by the Executive Policy Group, which includes:

        • president,
        • provost / vice president for Academic Affairs,
        • vice president for Administration and Campus Operations,
        • vice president for Business Affairs and Controller,
        • vice president for Communications, and
        • vice president for Human Resources,

        and located in UT Arlington owned properties, jointly owned facilities, and UT Arlington-leased spaces that are under the control of UT Arlington operations and staff. This policy applies to mission critical UT Arlington entities under contractual obligation with affiliated institutions or in any location where a UT Arlington entity has a contractual obligation to fulfill.

      3. Forms and Tools/Online Processes
        1. To assist UT Arlington units with completing a business impact analysis and a business continuity plan, the OEMBC utilizes the UTA Ready program. All users will be able to access their continuity plans through the UT Arlington network.

        2. Access to the UTA Ready system requires the user to request authorization from the OEMBC. The employees' Net ID and password will be used to log into the UTA Ready system.

          The web address is: https://us.ready.kuali.org/uta

      4. Website Address For This Policy

        http://www.uta.edu/policy/hop/adm/5/306

      5. Responsibilities
        1. Business continuity management responsibilities apply to all units which are mission critical to the campus, organizational units, and departments.

          1. All University mission critical units are required to have a completed plan that includes procedures for operational continuity to ensure UT Arlington is able to provide critical services.

          2. Administrative units include both centralized as well as distributed organizations, departments, and divisions that support the research, academic, and public service functions of UT Arlington.

          3. Academic units include all colleges, schools, departments, research programs, programs and centers that serve the primary mission of UT Arlington through its teaching/instruction, research, and public service activities.

          4. All mission critical units should ensure that they have an updated Business Continuity Plan, have reviewed their plan with their employees, and have conducted an exercise each year. These critical elements may be subjected to periodic reviews by Internal Audit, other agencies or entities to ensure compliance.

            The following are the mission critical units mentioned above:

            • Academic Colleges & Schools
            • Administration and Campus Operations
            • Admissions, Records, & Registration
            • Center for Distance Education
            • Counseling Services
            • Division for Enterprise Development
            • Environmental Health & Safety
            • Financial Aid, Scholarships and Veteran’s Affairs
            • Fort Worth Center-Santa Fe Station
            • Student Health Services
            • Human Resources
            • Library
            • Mav Express-Campus Card Operations
            • Nanofab Center
            • Office of Business Affairs / Business Services

              • Asset Management & Central Receiving
              • Bursar Services
              • Desktop Support / Accounting / Student Financials / Accounts Payable / Procurement / Collections / Grants & Contracts / Web Publications
              • Mail Service
              • Office of Budgets and Financial Planning
              • Payroll Services
              • Tuition & Fees
            • Office of Facilities Management
            • Office of Information Technology
            • Police

              • Administration

                • Payroll & Budgeting / Crime Prevention / Property & Evidence / Accreditation/Records / Training / Hiring & Selection
              • Communication
              • Emergency Management
              • Key Control
              • Parking
              • Security Operations
              • Transportation
            • Provost Office
            • Research Administration
            • Student Affairs
            • UT Arlington Research Institute
            • Testing Services
            • University Advising Center
            • University College Programs
            • University Communications
            • University Housing
        2. Office of Emergency Management & Business Continuity
          1. The OEMBC provides expertise and oversight for the development and maintenance of the UT Arlington business continuity program and creates a back-up centralized location for documentation of all business continuity plans, training, and exercises. All UT Arlington business continuity plans will be created, stored, and updated utilizing the UTA Ready system. The Office of Information Technology is the only department that will be the exception to the rule. They will not be a part of the UTA Ready system, but will have a plan stored in another location. Their plan will be integrated into the UTA Ready process as they are a critical function to all departments. The primary location of plans and documentation should be in the respective units. Business continuity management training, orientation, and support is available to UT Arlington units at least annually.

          2. OEMBC has the primary responsibility of coordinating the identification of risks and to assist in determining what impact these risks have to overall business operations. The OEMBC is to develop and maintain an overarching business continuity plan based on these identified risks and documents recovery strategies and procedures that are reviewed, approved, and updated on an annual basis. The determination of risk, strategies, and procedures will be based on identifying critical functions necessary to continuing University service delivery.

          3. The Office of Information Technology and the OEMBC will ensure that the business impact analysis coordinates with the business continuity tool with regards to terminology of functional delays (i.e., critical, essential, delayed, and suspended).

          4. The OEMBC is responsible for the development of the overarching business continuity plan which contains the following elements:

            • Authority
            • Purpose and Scope
            • Risk Assessment
            • Business Impact Analysis
            • Explanation of Terms
            • Situation and Assumptions
            • Concept of Operations
            • Organization and Assignment of Responsibilities
            • Direction and Control
            • Readiness Levels
            • Administration and Support
            • Plan Development and Maintenance
            • Support Documentation
        3. Procedures
          1. It is required that each vice president/provost, dean, director, department chair, or supervisor assume responsibility for the operational continuity in their respective units. Procedures of the development of a BCP include but are not limited to:

            1. Identify and prioritize critical business processes.

            2. Regular assessment of the potential impact of various types of events/disasters.

            3. Define departmental responsibilities and emergency arrangements.

            4. Document all procedures and responsibilities.

            5. Communicate business continuity and recovery plans to all necessary individuals.

            6. Participate in an annual business continuity exercise of their continuity and recovery plans.

            7. Identify gaps, best practices and updates within their plan after an exercise and share findings with OEMBC for implementation into the After Action Report (ARR). Findings reported in the AAR should have a timeline for correction/implementation and identification of who is responsible for the corrective action.

            8. Direct an annual review of business continuity and recovery plans to ensure they are complete and up-to-date.

          2. OEMBC assists and consults with departments on campus to ensure that department business continuity plans are completed. OEMBC provides guidance, direction, and support as part of a cooperative effort for planning.

          3. All planning will rely on the input from the staff and faculty of each department to ensure a proper level of consideration is given to all aspects of those units critical operations. The actual plan will be written by a member of the department as designated by the unit leader.

      1. move to top

        Definitions

        Business Continuity Planning: The advance planning and preparations which are necessary: to identify the impact of potential losses; to formulate and implement viable recovery strategies; to develop recovery plan(s) which ensure continuity of organizational services in the event of an emergency or disaster; to administer a comprehensive training, testing, and maintenance program.

        Business Continuity Program: An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity services through personnel training, plan testing and maintenance.

        Business Impact Analysis: A management level analysis, which identifies the impacts of losing company resources. The Business Impact Analysis (BIA) measures the effect of resource loss and escalating losses over time, in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning.

        Business Recovery Plan: A collection of procedures and information which is developed, compiled, and maintained in readiness for use in the event of an emergency or disaster.

        Business Resumption: The process of planning for and/or implementing the restarting of defined business processes and operations following a disaster. This process commonly addresses the most critical business functions within BIA specified timeframes.

        Crisis Management: The overall coordination of an organization's response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organizations' profitability, reputation, and ability to operate.

        Disaster Recovery Planning: The management approved document that defines the resources, actions, tasks, and data required to manage the technology recovery effort. Usually refers to the technology recovery effort.

        Exercise: An exercise is a focused practice activity that places the participants in a simulated situation requiring them to function in the capacity that would be expected of them in a real event. Its purpose is to promote preparedness by testing policies and plans and training personnel. Exercise types include: orientations, drills, tabletops, functional, and full-scale.

        OEMBC: Office of Emergency Management & Business Continuity is responsible for maintaining and updating plans and policies, training, facilitating exercises, and evaluating completed elements.

        UTA Ready: Web application to collect and preserve data for business continuity planning.

        1. move to top

          Relevant Federal and State Statutes

          1. 1 Texas Administrative Code §202.70

            The Code establishes the Security Standards Policy and states that it is the policy of the State of Texas that Information Resources residing in the various agencies of state government are strategic and vital assets belonging to the people of Texas. Assets of U. T. System must be available and protected commensurate with their value and must be administered in conformance with federal and state law and U. T. System Regents' Rules and Regulations. Information resources shall be available when needed. Continuity of information resources supporting critical governmental services shall be ensured in the event of a disaster or business disruption.

          2. 1 Texas Administrative Code §202.74

            Business Continuity Planning, part of the Security Standards for Institutions of Higher Education issued by the Department of Information Resources (DIR), covers all business functions of an institution of higher education and it is a business management responsibility. Institutions of higher education shall maintain written Business Continuity Plans so that the effects of a disaster will be minimized, and the institution of higher education will be able to either maintain or quickly resume mission-critical functions. The institution of higher education head or his or her designated representative(s) shall approve the Plan. The Plan shall be distributed to key personnel and a copy stored offsite. Elements of the department/unit plan should include the following:

            • Departmental Information
            • Critical Functions
            • Information Technology
            • Faculty Preparedness if applicable
            • Key Resources
            • Action Items
            • List of Key Documents if applicable
          1. move to top

            Relevant UT System Policies, Procedures, and Forms

             

            1. move to top

              Who Should Know

              University departments, offices, and deans of schools should know about business continuity planning as they prepare for administrative and academic continuity.

              1. move to top

                UT Arlington Office(s) Responsible for Policy

                Office of Emergency Management

                1. move to top

                  Dates Approved or Amended

                  February 6th, 2013

                  1. move to top

                    Contact Information

                    All questions concerning the UT Arlington Business Continuity Policy should be directed to the Office of Emergency Management, emergency management coordinator.