Business Continuity Planning – Not Just for IT Anymore
By Terry Calhoun
Actually, IT has a major role to play in institution-wide business and learning continuity for two reasons: (a) of all departments on campus, the IT department already stands the best chance of having its own business continuity plan that works, and (b) when you talk or think about institution-wide business and learning continuity, you don’t get very far before you realize that IT has a central role to play. Basically, if your IT d'esn’t work, you don’t have any business or learning continuity except for in the smallest and most specialized of situations.
My boss, Jolene L. Knapp, CAE, executive director of the Society for College and University Planning (SCUP) was privileged to be invited and attend the EDUCAUSE Business Continuity Summit in August. EDUCAUSE has posted “A Report on the Business Continuity Summit” on its Web site for anyone to read. I recommend it.
Until fairly recently you might find on many campuses some sort of “crisis communications plan,” or “disaster recovery plan,” or “emergency management plan.” Typically those have been the purview of health and safety officials, campus police, or public relations – with connections primarily to telephone folks and physical facilities managers. But you won’t find many “business continuity plans” (BCP); I know, I have looked, and looked, and looked.
When my staff or I do find such a plan, it is almost invariably one that pertains to the IT infrastructure. Why? My best guess is that techies think naturally in systems theory, tend to cover their bases, and have a fairly easily defined realm of authority. Another reason might be that in order to have a good business continuity plan, you must have good IT and you must work closely with IT staff. Nowadays that’s kind of like the minimum required to get going.
So, at the summit, Ron Janofsky, an ECAR fellow, reported on a recent survey of CIOs. One of its major findings was that there is a paucity of good business continuity planning going on in higher education. Another is that there is widespread pessimism “about business and academic units’ ability to carry out essential operations in the absence of IT systems and services.” There followed a case study presentation about George Washington University and a panel discussion with several distinguished panelists, including the executive director of Microsoft’s homeland security department and SCUP member Wendell Brase of the University of California, Irvine.
You really should read the brief (4 pages) report. Just the paragraph-long “Discussion Summary” points are quite valuable. I’ll try to reduce each one to a bullet point:
- BCP should integrate every operation on campus in a way that business continuity thinking is a normal part of all processes.
- BCP should be “owned” by top campus leadership, should be tied to the strategic plan and the institutional mission, and should not be seen as an “IT issue.” It should be noted that many changes resulting from good BCP are positive in all ways, not just in institutional sustainability.
- A comprehensive risk analysis and assessment is the place to start.
- Plans are not as important as the planning process, and plans must constantly be tested and improved.
- Virtual learning is most easily protected, especially with partnerships among several institutions for server backups and the like. Even classroom learning could have Internet-based backup plans.
- BCP costs should be built in to every budget from the beginning of the budgeting process and those costs reviewed regularly.
- Safety of people is first, followed by good communications. IT departments at institutions that have been affected by disasters often find that IT gets back to work long before “core business and institutional mission” d'es.
EDUCAUSE will be finding a number of ways to share what was learned at the summit in the next year, so stay tuned. Already there’s been a webcast with David Schwartz of GWU, Going Beyond Recovery to Continuity: Lessons Learned, which you can view as an archived event in the Educause Live archives.
And if you happen to be a provost at a four-year school or the president of a two-year college, stay tuned for an electronic survey headed your way from SCUP in the next month. I’m the staff liaison for a SCUP project that will reproduce on a larger scale the 2004 survey of institutional Crisis Planning and Management (CPM) on campuses. A brief report on that earlier survey was published in the January-February 2006 issue of Change magazine: “How Prepared are America’s Colleges and Universities for Major Crises?”
CPM is kind of the center of the Web for campus preparedness for any crisis. For one thing, it addresses not only physical or biological disasters, but any kind of urgent situation that can damage property, people, or the institution’s reputation. For another, it is the place where all of the other plans can be linked together, whether Crisis Communications Plans, Disaster Recovery Plans, Emergency Management Plans, or others. Think of it as the overall strategic plan for crises of all sorts, which itself links to the strategic vision and mission of the institutions; which certainly includes Business Continuity Planning!
All of this will take money, which almost no institution has on hand. No one’s sure where the money will come from. We’re all getting more interested, of course, as we learn of crises everywhere: chancellors committing suicide, sports team sex parties, hurricanes, earthquakes, terrorist attacks, bird flu, etc.
Will the federal government straighten out its priorities and lend some financial support? More likely, once they pay attention, boards and presidents will learn that institutions which face a crisis and have in place a Crisis Management Plan that is well-executed, will be able to translate into significant dollars what was saved by spending the money that paid for those planning processes.
