Business Continuity is how business will operate when normal operating procedures are not possible and how to resume operations as quickly as possible after an emergency event. Emergency Operations (aka Emergency Response) are about the safety and security of individuals during an emergency event.
A BCP is like homeowner’s insurance. It is wise to have it, but the hope is that you will never have to use it. While we don’t like to think about it, the possibility of a major system outage, a data center demolished by a tornado, or a building fire that destroys everything in it is always upon us. A BCP helps to maintain core critical functions after an emergency or catastrophe, and is designed to bring operations back to as close to normal as possible after an event.
There are many ways to begin, and the staff in the Emergency Programs Office will guide you through the process. Many individuals find that actually getting into the OHIO Ready system and adding whatever limited information initially comes to mind is a great way to get started. OHIO Ready is very intuitive, and if you just fill in the blanks to the best of your ability and then PRINT the complete document, you will get a sense of what type of information the plan is asking for and you will also see "holes" where information is missing. At that point, you can go back into OHIO Ready and add the missing pieces of information as well as develop your responses. Interview sheets are available to assist if you are a person who likes to work details out on paper before they are entered electronically. These interview sheets can be duplicated and shared with others in your unit who may be able to help you identify critical functions and information needed for your plan.
There is a sample plan available for your review on the OHIO Ready web page: https://www.ohio.edu/riskandsafety/continuity/index.cfm
This sample plan demonstrates what a completed plan will look like and may provide some ideas that may help you. If there is another unit on campus that you feel has similar duties/responsibilities, ask if you can view portions of their plan. It may be possible to share a completed plan with you.
This is a great question. The plan is best developed using a team approach. Obviously everyone on the team needs to provide input as well as understand the need for a Business Continuity Plan. The OHIO Ready system provides interview sheets that can be utilized to solicit co-worker input and support. One possibility would be to make copies of the above mentioned interview sheets for those who are going to be involved and ask them to "fill in the blanks" and return to you OR you could complete as much of the interview sheet as possible and then share your comments with others and ask them to help you with those areas where you need additional input.
Your supervisor should be involved from the beginning of the process. You should keep them involved along the way by sharing portions of the plan, seeking their input and direction. Once your plan is completed to the best of your ability, you should share the full plan with your supervisor and ask for assistance with final edits. Your supervisor will ultimately need to sign off on the plan so you want them to agree with what you have developed.
A good BCP is one that will provide the leadership of your department (and substitute leadership if need be) a clear sense of what functions need to be “brought back online” (re-established) quickly and efficiently after an incident or disaster, and also provides options and resources to help guide the process. A BCP will never be perfect because incidents will vary, but it should provide enough information that the person(s) responsible for restoration of services does not have to start from scratch.
The answer to both questions is yes! OHIO Ready is hosted off site and as long as you have access to an internet connection you can access your plan.
To change your password, log into the system and look at the upper right hand side of the page where the silhouette is shown. Click “account settings” and simply change your password.
Depending on your user credentials, you may be able to add additional users yourself. If you are not able to add users, please ask the Business Continuity Office to help. To add a new user, first search for the person by typing their last name in the “select a user” field. If the person is already in the OHIO Ready system, their name will show up and you can “add user to this plan”. If this method does not work, then most likely the person has never been invited to join OHIO Ready as a user. In that instance, select the blue “plus” sign and enter the person’s first & last name and email address. Click on the box “send an email invitation” and then click “create user”. NOTE: once the person accepts the invitation and sets up their user account, it may take 24-48 hours for the administrator to approve the addition.
At this point, there is no University policy that requires your department to complete a BCP; however, BCPs will be required as part of the Internal Audit review process and your office might be marked with a deficiency if a plan is not in place.
OHIO Ready allows for only one unit head to be documented. For instances where there is more than one unit head, use the department description field to identify how the department is structured and list names of other unit heads in that location.
This is a tough question but most units add a total “body count” to the “other” category.
Because the university is so large and complex, it is best if individual units develop their own department specific evacuation and assembly point plans. https://www.ohio.edu/riskandsafety/docs/emergency/Campus_Emergency_Guide.pdf#page=26 When creating a plan for your unit, here are some general points to consider:
At this time, this field is optional; however, future uses might be related to reimbursement of expenses that are directly related to an emergency situation.
Only your department can answer this question. There is no set number of critical functions required. Some units may have three, others may have ten. It really depends upon your individual unit and what duties you feel must be "functional" or accessible during/immediately following an emergency to bring your office back to a somewhat "normal" state of activity. Try to group like items into one critical function if possible (for instance, you might have a broad critical function called “accounting functions” or “records management” into which you can provide a description of a wide range of duties). Remember, the more critical functions that you list, the more there are to maintain. Sometimes it just makes sense to group similar activities together and other times they are distinctly different and you may want to detail the plans separately. This is a unit specific decision.
Any document that you might want to have as part of the plan can be uploaded to the BCP. This might include emergency contact list/call tree; vendor information; paper “work around” documents (if network is unavailable); forms; etc. DO NOT upload manuals, or large documents. Either save them to OneDrive, or other cloud based storage for efficient offsite access, or “point” to them within the document fields so that a third party will know where they can be found.
Think of water flowing down a river. Whatever happens upriver, affects those downriver. Your critical functions (projects, duties) depend on something or someone else. Upstream dependencies are processes, decisions, etc. that your office is reliant on happening before you can do a critical function. Your critical function may be waiting on deliverables from another office before it can continue. For example - the Ohio Information Network must be functional before you can access information from a shared drive. They (OIT) would then be an “upstream” dependency to any work requiring Ohio technology services. Another example is that you may be waiting on a list of students from the Registrar so you know who to contact for advising sessions. The Registrar’s Office is an upstream dependency in this instance.
Downstream dependencies are processes, decisions, duties or other units who depend on your processes. A downstream dependency for the Admissions Office would be Housing and Residence Life because Housing is dependent on students being admitted to the institution before a housing agreement/contract can be completed. In other words, your critical function must occur before another can begin. Another example would be grant funding. An office waiting for funds might be dependent on the approval and submission of a grant by the Office of Research and Sponsored Programs. Therefore the office is a "downstream" dependent of the actions of the higher level grant approval process.
There are some instances when identified staff could be permitted to perform work from home or another off site location. Please review Ohio Policies: 40.053 and 40.063. Depending upon job duties, working from home may require VPN access. For more information about VPN please contact the Office of Information Technology (740) 593-1222. Also, see “Information Technology Section” of this document for information about VPN and cloud based applications.
An action item is similar to a "to do" list. If you identify a shortfall in your plan and you need some time to work it out or you don't want an idea to get too far off the radar, you can add it to your action item list. An example might be if your office does not have an emergency contact list. You will want to complete one but may not have the time to do it right now. You can add it to your action item list and then adjust the flow (not yet started, in process, completed) as you work through the process. Your action items may also include a financial component (e.g., a need to build money into your budget) and your plan will then serve as a documented need that you can share with the budget unit manager.
Please choose from the list provided by Ohio University Office of Information Technology, all applications that you routinely use in your daily business functions. NOTE: This list was created by OIT. If you feel that an application is missing or should be on the list, please DO NOT ADD IT, instead, send an email to firstname.lastname@example.org and request that the application be reviewed for potential addition to the list.
If your office uses an application that is specific to your type of work and is not supported by Ohio University OIT unit, (cloud based, pay a monthly/yearly fee for usage), then it is a departmental application. If your office uses an application that is shared by a group of offices and nobody knows who “owns” it, please contact email@example.com for further instruction.
Answering these questions is difficult for some units. Please consult with your internal (departmental) technical support staff for answers to these questions as a starting point. If you do not have an internal technical support contact, perhaps you could contact either an individual that your department works with in OIT related to specific applications or whoever you call if you are having problems with the application. Vendors may also be helpful.
The university supports OneDrive as an alternative storage site for work related materials that are not HIPAA or FERPA compliant (see note). OneDrive provides a great way to retrieve materials from any location via an internet connection. Please contact the Office of Information Technology via footprints for more information https://www.ohio.edu/oit/help/index.cfm
The information security office recommends no plain text passwords be stored locally. To store passwords in the cloud, it is recommended to store the passwords in an encrypted file such as a KeePass file or a password protected document. The key or password to open the file should be stored in a separate location.
VPN stands for “Virtual Private Network”. This allows users to access the OIT network system just like the user would if they were on campus. To inquire about obtaining VPN access, contact the OIT service desk (740) 593-1222 and a service ticket will be created.
Each department must decide the answer to this question. Normally, classes that are broad based (needed for many majors), and those that are specifically needed to graduate would be considered high priority to continue following an emergency.
Special teaching issues are those non-traditional classroom instructional methods such as: clinicals, lab practicums, student teaching, community/field based activity, etc. These special situations may warrant a bit more planning and coordination if those site locations were lost in the event, and may not be as easily continued in an alternative mode.
LMS stands for learning management system. Blackboard serves as an LMS at OHIO.
Think of it this way, if you needed a replacement instructor quickly, could you get your hands on a syllabus for that particular class?
Most individuals have coworker and vendor phone numbers readily available in their cell phones, so that they can contact them quickly if needed. However, what if another person (upper administration/temporary replacement staff/3rd party contractor) needs this information during an emergency and you/your staff are not available?
If you have a main telephone line that is normally answered during business hours by a staff person, what happens if that person is out of the office during the emergency? What is the plan for retrieving voice mail messages that are left on that line? If this same staff member normally takes care of changing the main line voice recording, what is the plan to record an “emergency” greeting that redirects callers to another office or provides them instructions on how to obtain the information they are requesting if that staff member is not available?
During an emergency, it is often necessary to put temporary instructions on a web page to direct/redirect individuals to needed service locations, call centers, distribution/pick up points, etc.
There are some applications/systems that provide only one password per institution/department. Often this password is kept very secure and only shared by a very limited number of staff. If the individuals who hold this password are not available, how will business continuity continue? See OIT section for ways to secure this password.
Leadership succession might be better worded as “designated back-up” for critical positions.
It depends on what you will be working on from home and where it is stored. See Information Technology FAQ.
In this area, please list teams/groups/committees that the department normally works with for business purposes and who could help advise/guide the restoration of your primary business duties should the normal staff not be available.
If a department needed to find temporary assistance in order to restart their office responsibilities, what skills would be needed? Keep in mind that sometimes there are staff within the institution that can be temporarily reassigned and sometimes it might be necessary to hire from an outside agency. I like to think of this page as a “tear out” sheet that you could quickly remove from your plan and hand it to whoever is going to seek out temporary staffing.
The goal of this particular set of questions is to inform institutional/departmental leadership of offices/units that MAY have staff who would be temporarily reassigned to another unit during a crisis. I am hoping that this section is better developed in future application revisions.
Outside of your immediate office, who do you work with on a regular basis? Most offices regularly interact with other offices within the institution for collaborative efforts, troubleshoot, or plan coordinated business activities. List these individuals and make a comment as to why this person would be resourced/or what expertise they provide in relationship to your business practice.
Who are the EXTERNAL partners who have a vested interest in your department/office’s success or who you might need to resource during an emergency? Another way of thinking about it is who you might need to call on a Saturday afternoon, should an emergency occur in your area. This list would include vendors, donors, service providers, granting agency contact, state agencies, contacts from other institutions, local health care agencies, etc.
The best way to decide the answer to this question is to ask what vital records or databases (either paper or electronic format) are essential to continuing operations during and after an emergency. Would you need prompt access to these documents in order to take immediate action or to make contingency plans? If so, I would attach the document to the plan because office space may not be accessible or the campus network may not be available for a period of time. Examples include: an emergency contact list, a list of vendors that you would need to call to deliver emergency supplies or stakeholders who might need to be notified. Do not attach large, lengthy documents. Instead, simply identify what and where this information is stored so that it can be accessed later. Consider OneDrive or another cloud based storage as an alternative/back up location for large documents (see IT section).
This particular question is directed to those units (research, facilities management, etc.) who have specific utility needs that fall outside the standard electric, water, heating and cooling.
Once the plan is as thorough and complete as you can make it at the time, AND AFTER unit leadership/ supervisor has reviewed it and provided comment and/or edits, it is ready for sign off. The sign off is a simple process but will require that the person with that authority have a user account.
Yes. The BCP is a living document and should be updated and expanded as opportunity arises. For instance, if there is a crisis or emergency at another institution and you think to yourself, "What would we do if that happened here?", it might be a good time to make an edit to your BCP and document what your plan of recovery would be in a similar situation. There is also a yearly review period where you will be asked to look at your BCP and make appropriate edits.
Once the plan is completed, it should be SHARED with others in your department. We recommend printing off a copy for the office, and also one for each key staff member. Ask them to take their copy home in the event that it is needed during non-business hours. You may want to email them a PDF of the document as well. The idea is that everyone has an easily accessible copy so that it can be utilized if needed.
Once per year all plans should be reviewed and updated. There may be new staff who need to be added, or processes that have changed. Also, the plan should be updated anytime that there is an incident that prompts discussion or thoughts on how a process should be conducted if an emergency should occur.
Testing, training and exercises are designed to familiarize staff members with their roles and responsibilities during a disruptive event and also ensure that systems and equipment are maintained in a constant state of readiness. Managers can be creative when it comes to BCP readiness exercises and create practice scenarios such as power outages, server failure, tornado damage, etc. After identifying a scenario, discuss it during a department meeting and talk through how each critical function would be affected and allow employees to react to the situation. Testing the BCP will validate the documented plans, policies, procedures and systems; identify deficiencies in the BCP and allow for subsequent correction. The Office of Emergency Programs https://www.ohio.edu/riskandsafety/emergencyprograms/ is available to facilitate table top exercises or can provide you with examples. Often it is helpful to partner with other offices when scheduling a drill. Evaluate your unit's performance and then make edits/corrections or changes to the BCP as necessary.