Professional Documents
Culture Documents
02 05 2008BusinessContinuityWorkbook
02 05 2008BusinessContinuityWorkbook
CONTINUITYPLANNINGAND
MAJORHEALTHEMERGENCY
PLANNING
Page1of59UniversityofAlbertaEPBCWorkbook02-05-2008
TableofContents
1. Introduction
1.1 MessagefromtheProvost
1.2 IntegratedEmergencyManagementProgram
1.3 OverviewofEmergencyPreparednessandBusinessContinuity
1.4 MajorHealthEmergencyPlanning(PandemicInfluenza)
2. Phase1ofWorkbook-ConductAnalysisofYourServicesandFunctions
2.1 FacultyorDepartmentInformation
2.2 DevelopProjectTeam
2.3 ConductaBusinessImpactAnalysis
2.3.1 IdentifyMajorServicesandFunctions
2.3.2 IdentifytheCriticalServicesandFunctionsFromYourList
3. Phase2ofWorkbookDevelopSolutionsandStrategiesForResumptionofYour
CriticalServicesandFunctions.IdentifyHazards,RisksandVulnerabilities
3.1Strategizesolutionstoserviceoutages
o SelectRecoveryandResumptionStrategies
o DetermineRecoveryTimeObjectivesforselectedRecoveryStrategies
o DevelopActionPlansforImplementingStrategies
3.2 DetermineRisksandVulnerabilities
3.2.1Mitigation/CounterMeasuresandVulnerabilityIdentification
3.3ContactListsforPersonnel
Internal
Allfaculty/departmentstaff
Listessentialpersonnelasapplicable
External
KeyPartners
KeyVendors
KeyCustomers
3.4 Listminimumresourcesneededtorecoverandresumecriticalservicesandfunctions
o Equipment
o Facilities
o Vehicles
o SpecialNeeds
4. AppendicesinWorkbook
4.1AppendixASlideofUpstreamandDownstreamInterdependencies
4.2AppendixBMaximumAcceptableDowntimeofaService
4.3AppendixCPublicHealthResponseStrategyDocument
4.4AppendixDVitalRecords,InformationTechnologyandTelecommunications
EndofWorkbook
Page2of59UniversityofAlbertaEPBCWorkbook02-05-2008
NextPhaseofDevelopmentandWorkbookTemplateforUnitActionPlan
(Tobedeveloped)
5. Phase3Implementation
a. CompletetheFaculty/DepartmentActionPlan/EmergencyOperationsPlanTemplate
b. ConductTrainingforFaculty/Department
c. EvaluatetheFaculty/DepartmentActionPlan
d. ImplementtheFaculty/DepartmentActionplan
6. Phase4Maintenance
a. DevelopMaintenanceProgramfortheFaculty/DepartmentActionPlan
b. DevelopChangeManagementProcess
c. Completeprogramaudits
Acknowledgements:
Wewouldliketoacknowledgethatmaterialfromthefollowinginstitutions(seelistbelow)havebeen
referencedduringthedevelopmentofsomeofourEmergencyPreparednessandBusinessContinuity
Planningdocuments.
List:UniversityofCalifornia,Berkeley,UniversityofCaliforniaDavis,ArizonaState,UniversityofColorado,
UniversityofMichigan,UniversityofNorthCarolinaandtheCommonwealthofAustralia,BusinessContinuity
Management.
Page3of59UniversityofAlbertaEPBCWorkbook02-05-2008
SAMPLEONLY
1.1MessagefromthePresident/Provost
PurposeandScopeforaFaculty/DepartmentEmergencyPreparednessandBusinessContinuityPlan
TofulfillourDaretoDiscovermandateandtosupporttheCornerstonesbuildingandsustainingourfuture,theUniversityofAlberta
needstobeasresilientaspossiblewhendisastersormajorbusinessinterruptionsstrike.Arobustemergencymanagement
programisrequiredwhenunplannedeventsnegativelyimpactourcorebusinessesandtheabilitytodelivercriticalservices.In
addition,theUniversityhasanobligationtothestudents,staff,faculty,thecommunityandtheProvincialAuditorGeneraltodevelop
andimplementemergencypreparednessandbusinesscontinuityplans.TothatendtheUniversityhasimplementedanemergency
preparednessandbusinesscontinuitypolicy,developedasteeringcommitteeandiscommittedtodevelopinganIntegrated
EmergencyManagementProgram(IEMP).TheIEMPwillbecomprisedofplans,standards,training,exercises,performancecriteria
andachangemanagementprocessfortheprogram.ThegoalistohaveaprogramthatpositionstheUniversitytobeasreadyas
possibletorespond,recoverandresumeourcriticalserviceswhenimpactedbyadisasterormajorbusinessinterruption.That
meansallDepartments,FacultiesandUnitsmusthaveanemergencypreparednessandbusinesscontinuityplanthatwillbea
componentoftheoverallUniversityprogram.Inanefforttohelpyouandyourteamdevelopaplanwehavededicatedsome
resourcestoassistinthedevelopmentandimplementationofyourplan.
Thepurposeofpreparing,implementingandmaintainingaFaculty/DepartmentEmergencyPreparednessandBusinessContinuity
(EPBC)Planistoensurereasonableandpracticaldeliveryofourcorebusinessesintheeventofadisasterorinterruption/outageof
acriticalserviceorfunction.Disastersandmajoroutagescanarisefromseveralsources;naturaldisasters,human-madebusiness
interruptions,technologicalfailuresandfinancialcollapses.AcomprehensiveProgramattheUniversityincludeselementssuchas.
Preparedness,prevention,contingencymeasures,response,assessment,recoveryandresumption.Associatedwiththekey
programelementsistheneedfordocumentcontrol,changemanagementprocedures,communication,trainingandexercises.
Theintentoftheplanistoprovidetheframeworkforthepre-emergencyanalysisandstrategiesandtheorganizationalstructure
completewithrolesandresponsibilitiestoexecutetheplan.Detailswithintheplanwilldescribetherecoveryandresumption
elementsoftheFacultyorDepartment.RecoveryplanningfocusesonthesetofactionsaDepartmentmusttaketorestore
services/functionsandreturntoasnearasnormaloperationsintheshortestperiodoftime.Theprocessfordevelopingtheplan
usesasystematicmeansofanalyzingthecriticalservicesandfunction,determiningthedowntimebeforeourcorebusinessesare
impactedandhighlightingthecommonelements,interdependenciesandsinglepointsiffailurethatcouldoccurduringadisasteror
majoroutage.Ratherthanhavingafocusonthedisastereventitselfe.g.amajorstructurefire,theprocessseeksout
commonalitiessuchas:lossoffacilities,lossofaccesstofacilities,lossofpersonnel,lossofinformationandlossofequipment.
ThekeycomponentofaFacultyorDepartmentplanisthedevelopmentofalternativemeasuresorcontingencyplansdesignedto
maintaintheDepartmentsservicesandfunctionswhendisasterstrikesorweexperienceamajoroutage.Yourplanwillprovide
detailswithrespecttoactionstobetakenbytheFacultyorDepartmentsuchas,activationoftheplanandidentificationofkey
personnelandresources(internalandexternaltotheUniversity)inorderforthedepartmenttoresumeserviceswithinadefined
periodoftime.Yourplanwillbedesignedtoprovidetimelyefficientandcontrolledresponse,recoveryandrestorationofcritical
servicesandoperations.
TheUniversityEmergencyMasterPlanwillformthebasedocumentforthedevelopmentoftheFacultyandDepartmentEPBC
plans.Consistencyinformat,structureandexecutionoftheplansisrequiredtosupporttheintegratedmodelofmanagingtherisks
toourcorebusinesseswhenamajoremergencyimpactstheUniversityortheregion.Itistheintenttohavethetemplatesandplans
webbased,userfriendly,currentandreadilyaccessible.AWorkbookhasbeencreatedtoassistinthedevelopmentand
implementationofyourplan.ThetargetistohaveallUniversityplanscompletedandinplaceonorbeforeDecember,2007.
Dated: Signed:
___________________________________________ _____________________________________________
Page4of59UniversityofAlbertaEPBCWorkbook02-05-2008
1.2IntegratedEmergencyManagementProgram
TofulfillourDaretoDiscoverandDaretoDelivermandatesandtosupporttheCornerstonesforbuildingand
sustainingourfuture,theUniversityofAlbertaisdevelopingaprogramthatwillensuretheUniversityisas
robustandresilientaspossiblewhendisastersormajorbusinessinterruptionsstrike.Acomprehensive
managementprogramisrequiredwhenunplannedeventsnegativelyimpacttheUniversitysabilitytodeliver
criticalservicesandchallengeustomaintainorderduringchaoticandturbulenttimes.TheUniversityhasan
obligationtothestudents,staff,faculty,andthecommunitytodevelopanIntegratedEmergencyManagement
Program(IEMP).
The Integrated Emergency Management Program is a dynamic, proactive, system based, team driven
approach to understanding, managing and communicating during a major emergency or business
outage/interruption.Itisaboutmakingcriticaldecisionsthatwillcontributetothecontinuityofcriticalservices
supporting the core businesses and the overall goals and objectives of the University. The program is a
substantial contributor to the Universitys enterprise wide risk management strategy. Through a scenario
planning process, the analysis and identification of risk exposures and vulnerabilities and pre-emergency
planningactivities,theUniversitywillbebetterpositionedtoimplementpreventativemeasures.
TothatendtheprogramwillbuildcapacityintotheUniversitytoimplementpreventionmeasureswhileatthe
sametimeareabletomanagethroughandrecoverfromanemergency.Theprogramwillimproveteamwork,
enhancetrustandbuildpartnershiprelationsinternallyandwithimportantexternalorganizations.Theresults
willincreasetheUniversitycommunitysconfidenceinemergencymanagementandwillprovideaboosttothe
Universitys integrity and reputation
1.3EmergencyPreparednessandBusinessContinuity
The University has implemented an Emergency Preparedness and Business Continuity Procedure enabled
through a Risk Management Policy, developed a steering committee and is committed to developing an
Integrated Emergency Management Program. The desired state includes all faculties and departments
conductingemergencypreparednessandbusinesscontinuityplanningandthedevelopmenttheirrespective
Unit Action Plan. The Unit Action Plans will be components of the overall university integrated emergency
management program. To that end the University has dedicated resources to assist in the development and
implementationoffacultyordepartmentactionplans.
Thecurrentfocusinthedevelopmentoftheintegratedplanforemergencypreparednessandmanagementis
onbusinesscontinuityplanningwithinthefacultiesanddepartments.Withconcentrationonelementssuch
as,identificationofcriticalservices,interdependencies,maximumacceptabledowntimes,recoverytime
objectivesandvulnerabilities,aphasedapproachtothedevelopmentofafacultyordepartmentunitaction
planhasbeenimplemented.Themethodologiesappliedtoconductthebusinesscontinuityplanninginclude
thedevelopmentofauniversityworkbook,awarenesspresentations,developmentofworkteamsandthe
deliveryofworkshopswithinthefacultiesanddepartments.Ratherthanhavingafocusonthedisasterevent
itselfsuchasamajorstructurefire,theprocessseeksoutcommonalitiesthatincludelossoffacilities,lossof
accesstofacilities,lossofpersonnel,lossofinformationtechnology,lossofequipmentandlossofakey
vendor.
KeyprinciplesofEPBCplansandoutcomesoftheplanningprocessinclude:
Theoutcomeoftheanalysisandplanningprocessesmustproduceplansthatarerealistic,practical,
achievableandreasonablefortheUniversitytouphold.
TheidentificationandassessmentofrisksacrosstheUniversitywillproduceatotalriskindexthatwillprovide
thebasisfordevelopingcostbenefitanalysisandbusinesscasesforeliminating,reducingormitigating
therisks.
Page5of59UniversityofAlbertaEPBCWorkbook02-05-2008
Emergencypreparedness,response,recoveryandresumptionareallcomponentsofbusinesscontinuityat
theuniversity.
Plansarebuiltfromthebottomupinthedepartmentsandfacultieswithcommitmenttotheplanningand
desiredfuturestatecomingfromtheUniversityExecutivesandDeans.
Eachdepartmentorfacultywilldesignateapositionhavingtheresponsibilitytodevelop,implementand
maintaintherespectiveunitactionplan.
1.4MajorHealthEmergencyPlanning(PandemicPlanning)
AppendixCoftheworkbookprovidesaplanningformtoanalyzeandpreparefortheimpactsofamajor
healthemergencysuchasanavianinfluenzapandemic.
Page6of59UniversityofAlbertaEPBCWorkbook02-05-2008
2.PHASEIANALYSIS
2.1BusinessContinuityPlanDevelopment
Faculty:___________________
Department::_______________
HISTORYOFTHISPLAN
Name Date
Originalsubmission
-ReviewedbyDeanofFaculty
orVPofDepartment
Mostrecentupdate
BusinessContinuityPlan
Communicatedtostaff
DepartmentInformation
NameofFaculty,Department(orSubUnitwithinaFacultyorDepartment)
NumberofStaff(headcount,approximationisOK)
o Full-time:
o Part-time:
o Student-Staff(ifthereisorwillbeinvolvementinemergencymanagement):
Location(s)ofOffices,Facilities(notebuildingsonly):
WhatistheprimarymissionofthisFacultyorDepartment?
Theprimarycontactforthisplanis:______________________________________________.
Thealternatecontactforthisplanis:_____________________________________________.
Page7of59UniversityofAlbertaEPBCWorkbook02-05-2008
2.2BusinessContinuityPlanningTeam
Identifythepeoplethatwillputthisplantogether.
KeyUniversity
Personnel:
TeamMember
(Alternate
Leader)
TeamMember
TeamMember
TeamMember
TeamMember
TeamMember
TeamMember
TeamMember
TeamMember
Page8of59UniversityofAlbertaEPBCWorkbook02-05-2008
BusinessContinuityPlanning
2.3BusinessImpactAnalysisModel1
1. IdentificationofFunctionsandCriticalServices.
2.IdentificationofInterdependencies
Faculty/
Department
Business
Objectivesand
Successfactors
Identified
MajorService/
Function
CriticalService/
Function#1
IdentifyFaculty/Department
MajorServicesandFunctionsOnLeft Side
PrioritizetheListonRight Side.Listinterdependencies.
CriticalServiceorFunction
Aserviceorfunctioncriticaltotheconductoflearning,discovery
andthesafetyandsecurityofpeople.
Itslossoroutagewouldcauseanextremeinterruption
tothebusiness,havesignificantfinancialimplications
andorthreatenthehealthorsafetyofaperson.Restorationof the
serviceorfunctionbecomesapriorityafteradisaster
ormajoroutage
Prioritize
MajorService/
Function
MajorService/
Function
MajorService/
Function
CriticalService/
Function#2
CriticalService/
Function#3
CriticalService/
Function#4
Learning
Citizenship Discovery
Safety&
Security
UofABusinessContinuityForm0002
ID
Faculty/
Department
Business
Objectivesand
Successfactors
Identified
MajorService/
Function
CriticalService/
Function#1
IdentifyFaculty/Department
MajorServicesandFunctionsOnLeft Side
PrioritizetheListonRight Side.Listinterdependencies.
CriticalServiceorFunction
Aserviceorfunctioncriticaltotheconductoflearning,discovery
andthesafetyandsecurityofpeople.
Itslossoroutagewouldcauseanextremeinterruption
tothebusiness,havesignificantfinancialimplications
andorthreatenthehealthorsafetyofaperson.Restorationof the
serviceorfunctionbecomesapriorityafteradisaster
ormajoroutage
Prioritize
MajorService/
Function
MajorService/
Function
MajorService/
Function
CriticalService/
Function#2
CriticalService/
Function#3
CriticalService/
Function#4
Learning
Citizenship Discovery
Safety&
Security
UofABusinessContinuityForm0002
ID
Step1IdentifyyourFacultyorDepartmentsmajorfunctions/services.
Step2Determineyourcriticalservicesfromthelistdeveloped.
Step3Prioritize(rank)yourcriticalservices.
Step4Listkeyinterdependenciesbetweenfaculties,departments,unitsandmajorsuppliers
Page9of59UniversityofAlbertaEPBCWorkbook02-05-2008
2.3.1IDENTIFYINGYOURMAJORSERVICES
IDENTIFYYOURSERVICES:
Thefirstcolumnontheleftbelowasksyoutolistyourdepartmentsmajorservices/functions.Thesecondcolumnasksyou
whichofthesearecriticalandtoranktheminpriorityagainstsupportfortheUniversityscorebusinesses.Thethirdcolumnis
tonotethekeydependencyyourfaculty/departmentmayhaveonanotherdepartmentinordertodeliveryourcriticalservice.
Focusoncriticalservicesandfunctionsonly.
YOURUNITSMAJOR
SERVICES/FUNCTION
Prioritize/Rank
asCritical
Service/Function
IdentifyanyInterdependenciesonother
Faculty/Departments/Units/MajorSupplier
Guidanceonlistingyour
services/functions
Guidanceonjudgingwhetheraservice/functioniscritical
Identifyservicesandfunctions,not
processes.
Examplesofservices/functions:
o Teaching
o Payingemployees
o Studentadmissions
o Laboratoryresearchand
discovery
o CommunicationsControl
Centre,monitoringand
dispatching
o Providingmealsfor
residentsofuniversity
housing.
o Securitychecksandpatrols
Rememberitistheoutcomeofyour
criticalservices/functionsweare
identifying.E.g.providemealsto
studentsinresidence.
DefinitionofcriticalWecallaservice/functioncriticalifitis
essentialtosupportinglearning,discovery,citizenshipandasafe
andsecureenvironment.Morespecifically,acritical
service/functionisonethatmustbere-started,withinatimeperiod
definedastherecoverytimeobjectivepost-outage,inorderto
enablelearning,discovery,citizenship,safetyandsecurityto
continue.
Interdependencies.Insomecases,yourdeliveryofservicesmay
bedependentonthoseprovidedbyadifferentfacultyor
department.Notethedepartmentandtheservicethatimpactsyour
criticalservice.
RemainFocusedandThinkBigPicture.Prioritizeyourcritical
servicesandfunctionsremainingfocusedonmaintainingthe
Universityscorebusinessesduringanoutageordisaster.
Analyzinganddevelopingpre-plansintheeventofadisasteror
majoroutagewillassistusduringthechaoticfirststageofamajor
unplannedevent;guideusthroughrecoveryandresumptionofour
corebusinesses.
Ifthereisareasonthatyourservice/functionmustberecovered
immediatelye.g.regulatoryrequirement,includethatinthecritical
prioritization.
Page10of59UniversityofAlbertaEPBCWorkbook02-05-2008
BusinessContinuityPlanning
BusinessImpactAnalysisModel2
Determining:MaximumAcceptableDowntime
&Restarting(RTO)YourCriticalService
DeterminingCriticalTimes
IdentifyingPreventionMeasures,Redundancy,RecoveryandContractualArrangements
Determiningamaximumacceptabledowntime(MAD)foryourcriticalservicewhenanoutageoccursis
importantindefiningthenegativeconsequencesthatimpacttheuniversity.Howlongcantheservicebeout
beforeharmfulconsequencesoccur?
YourDepartment:
Impactedbya
MajorOutageor
Emergency
Event
Faculty
Department
Service/Function
Faculty
Department
Service/Function
Faculty
Department
Service/Function
Faculty
Department
Service/Function
#1Faculty
Department
Service/Function
#4Faculty
Department
Service/Function
#3Faculty
Department
Service/Function
#2Faculty
Department
Service/Function
Prevention
Controlsinplace
ContingencyPlans
Inplace
Redundancy
Measuresin
place
ExternalSupplier
Involved
Contractual
Agreements
Inplace
UofABusinessContinuityForm0005
Prevention
Controlsinplace
Redundancy
Measures
Response
System
Recovery
Measures
Priority
Service
MaximumAcceptable
DowntimeBeforeImpact
OnLearning,Discovery,
Citizenship
and
SafetyandSecurity
0-8
hours
9-24
hours
25-72
hours
4-14
days
15-30
days
0hours 30+
days
Prevention
Preparedness
Redundancy
Contingencies
Jan. Feb. Mar. May June July April Aug. Sept. Oct. Nov. Dec.
Upstream/
Inputs
Downstream/
Outputs
Learning
Citizenship Discovery
Safety&
Security
Event Occurs
YourDepartment:
Impactedbya
MajorOutageor
Emergency
Event
Faculty
Department
Service/Function
Faculty
Department
Service/Function
Faculty
Department
Service/Function
Faculty
Department
Service/Function
#1Faculty
Department
Service/Function
#4Faculty
Department
Service/Function
#3Faculty
Department
Service/Function
#2Faculty
Department
Service/Function
Prevention
Controlsinplace
ContingencyPlans
Inplace
Redundancy
Measuresin
place
ExternalSupplier
Involved
Contractual
Agreements
Inplace
UofABusinessContinuityForm0005
Prevention
Controlsinplace
Redundancy
Measures
Response
System
Recovery
Measures
Priority
Service
MaximumAcceptable
DowntimeBeforeImpact
OnLearning,Discovery,
Citizenship
and
SafetyandSecurity
0-8
hours
9-24
hours
25-72
hours
4-14
days
15-30
days
0hours 30+
days
Prevention
Preparedness
Redundancy
Contingencies
Jan. Feb. Mar. May June July April Aug. Sept. Oct. Nov. Dec.
Upstream/
Inputs
Downstream/
Outputs
Learning
Citizenship Discovery
Safety&
Security
Event Occurs
Page11of59UniversityofAlbertaEPBCWorkbook02-05-2008
2.3.2MADMAXIMUMACCEPTABLEDOWNTIMEofaSERVICE
Determining:MaximumAcceptableDowntime
&restartingYourCriticalService(seeAppendixBforguidance)
o Inthetablebelow,listyourcriticalservicesyouidentifiedandprioritizedalready.Listthemin
priorityorderstartingwiththemostimportant.Thencheckoffthetimeareathatservicecanbe
downbeforenegativeconsequencesoccur.
o TherecoverytimeobjectiveshouldbeashortertimeperiodthantheMAD.Identifythattime.
WhatistheMADbeforenegativeconsequences
occur?
RecoveryTime
Objective(RTO)
TimelineRange
CriticalServicesas
rankedfromPage8
0-8
hours
9-24
hours
25-72
hours
4-14
days
15-30
days
30+
days
Whenyourservice
willbeupand
runningagain
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Page12of59UniversityofAlbertaEPBCWorkbook02-05-2008
3.BUSINESSCONTINUITYPHASE2
3.1SOLUTIONS,STRATEGIESANDRISKANALYSIS
BusinessContinuityPlanning
CriticalService#1:
MAD:
KeyUniversityPersonnel:
Office
Phone
Cell
Phone
Home
Phone
E-mail
PrimaryContact:
AlternateContact#1:
AlternateContact#2:
ContractPersonnel(ifimportantto
theprovisionoftheservice):
Descriptionofthiscriticalservice
Responsiblestaff(keycontactresponsiblefortheprovisionofthisservice)
Upstreamdependencies:(Whatotherunitsorsystems,outsideyourcontrol,havetobeoperationalbeforeyoucan
performthiscriticalfunction?)(seeappendixAattheendofthispackagefortwographstoaidyouinmakingthese
decisions)
Downstreamdependencies:(Whatunitsorsystemswillbeaffectedbyfailureofthiscriticalfunction?)
PeakPeriods
Page13of59UniversityofAlbertaEPBCWorkbook02-05-2008
1.Howwouldyoucarryoutthiscriticalserviceifyourusualspace/facility/officewasnotavailable?
I.e.youmayconsiderscenariossuchas:yourofficewasnotaccessible,yourbuildingwasnot
accessibleoryourbuildingwasdestroyed.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
2.Howwouldyoucarryoutthiscriticalserviceiftheusualequipmentorvehicleswerenotavailable?
I.e. desk top computers, laptops, diagnostic equipment, specialized tools, delivery vehicles etc.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
3.Howwouldyoucarryoutthiscriticalserviceifsomestaffwerenotavailable?
Alternatemeasures/contingencyplans:
1.BrainstormherebutreferenceandcompleteAppendixCforstructuredanalysisprocess.
4.Howwouldyoucarryoutthiscriticalserviceifcomputernetworks(Universitynetworksuchas
providethroughAICTorinternaldepartmentnetwork)andtelecommunicationswerenotavailable?
NOTE:RespectiveITandTelecommunicationsstaffreferenceAppendixDtoanalyzeyourservicestodevelop
yourcontingencyandrecoverymeasures.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
5.Howwouldyoucarryoutthiscriticalserviceifanoutageofutilitiesoccurred?
(Note:Utilities(F&O)isresponsibleforpower,waterandnaturalgastothebuildingfootprint.)
Alternatemeasures/contingencyplans:
Naturalgas
Water
Electricity
Heat/Steam
Cooling
Page14of59UniversityofAlbertaEPBCWorkbook02-05-2008
6.Howwouldyoucarryoutthiscriticalserviceiftherewasalossofacriticalvendor?
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
7.OtherCriticalSinglePointsofFailureorShowStoppersnotcapturedabove?
8.AdditionalRisksGeneratedbyImplementingAlternateMeasures/ContingencyPlans
I.e.areyouaddinganewhazardtotheworkenvironmentthroughtheimplementationofyour
alternate/contingencymeasure?
1.
2.
3.
4.
5.
6.
7.
9.PolicyExceptionsneededforImplementingAlternateMeasures/ContingencyPlans
1.
2.
3.
4.
5.
CriticalService#2
MAD:
KeyUniversityPersonnel:
Office
Phone
Cell
Phone
Home
Phone
E-mail
PrimaryContact:
AlternateContact#1:
AlternateContact#2:
ContractPersonnel(ifimportantto
theprovisionoftheservice):
Descriptionofthiscriticalservice
Page15of59UniversityofAlbertaEPBCWorkbook02-05-2008
Responsiblestaff(keycontactresponsiblefortheprovisionofthisservice)
Upstreamdependencies:(Whatotherunitsorsystems,outsideyourcontrol,havetobeoperationalbeforeyoucan
performthiscriticalfunction?)(seeappendixAattheendofthispackagefortwographstoaidyouinmakingthese
decisions)
Downstreamdependencies:(Whatunitsorsystemswillbeaffectedbyfailureofthiscriticalfunction?)
PeakPeriods
1.Howwouldyoucarryoutthiscriticalserviceifyourusualspace/facility/officewasnotavailable?
I.e.youmayconsiderscenariossuchas:yourofficewasnotaccessible,yourbuildingwasnot
accessibleoryourbuildingwasdestroyed.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
2.Howwouldyoucarryoutthiscriticalserviceiftheusualequipmentorvehicleswerenotavailable?
I.e. desk top computers, laptops, diagnostic equipment, specialized tools, delivery vehicles etc.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
Page16of59UniversityofAlbertaEPBCWorkbook02-05-2008
3.Howwouldyoucarryoutthiscriticalserviceifsomestaffwerenotavailable?
Alternatemeasures/contingencyplans:
1.BrainstormherebutreferenceandcompleteAppendixCforstructuredanalysisprocess.
4.Howwouldyoucarryoutthiscriticalserviceifcomputernetworks(Universitynetworksuchas
providethroughAICTorinternaldepartmentnetwork)andtelecommunicationswerenotavailable?
NOTE:RespectiveITandTelecommunicationsstaffreferenceAppendixDtoanalyzeyourservicestodevelop
yourcontingencyandrecoverymeasures.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
5.Howwouldyoucarryoutthiscriticalserviceifanoutageofutilitiesoccurred?
(Note:Utilities(F&O)isresponsibleforpower,waterandnaturalgastothebuildingfootprint.)
Alternatemeasures/contingencyplans:
Naturalgas
Water
Electricity
Heat/Steam
Cooling
6.Howwouldyoucarryoutthiscriticalserviceiftherewasalossofacriticalvendor?
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
7.OtherCriticalSinglePointsofFailureorShowStoppersnotcapturedabove?
8.AdditionalRisksGeneratedbyImplementingAlternateMeasures/ContingencyPlans
I.e.areyouaddinganewhazardtotheworkenvironmentthroughtheimplementationofyour
alternate/contingencymeasure?
1.
2.
3.
4.
5.
6.
7.
Page17of59UniversityofAlbertaEPBCWorkbook02-05-2008
9.PolicyExceptionsneededforImplementingAlternateMeasures/ContingencyPlans
1.
2.
3.
4.
5.
CriticalService#3
MAD:
KeyUniversityPersonnel:
Office
Phone
Cell
Phone
Home
Phone
E-mail
PrimaryContact:
AlternateContact#1:
AlternateContact#2:
ContractPersonnel(ifimportantto
theprovisionoftheservice):
Descriptionofthiscriticalservice
Responsiblestaff(keycontactresponsiblefortheprovisionofthisservice)
Upstreamdependencies:(Whatotherunitsorsystems,outsideyourcontrol,havetobeoperationalbeforeyoucan
performthiscriticalfunction?)(seeappendixAattheendofthispackagefortwographstoaidyouinmakingthese
decisions)
Downstreamdependencies:(Whatunitsorsystemswillbeaffectedbyfailureofthiscriticalfunction?)
PeakPeriods
Page18of59UniversityofAlbertaEPBCWorkbook02-05-2008
1.Howwouldyoucarryoutthiscriticalserviceifyourusualspace/facility/officewasnotavailable?
I.e.youmayconsiderscenariossuchas:yourofficewasnotaccessible,yourbuildingwasnot
accessibleoryourbuildingwasdestroyed.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
2.Howwouldyoucarryoutthiscriticalserviceiftheusualequipmentorvehicleswerenotavailable?
I.e. desk top computers, laptops, diagnostic equipment, specialized tools, delivery vehicles etc.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
3.Howwouldyoucarryoutthiscriticalserviceifsomestaffwerenotavailable?
Alternatemeasures/contingencyplans:
1.BrainstormherebutreferenceandcompleteAppendixCforstructuredanalysisprocess.
4.Howwouldyoucarryoutthiscriticalserviceifcomputernetworks(Universitynetworksuchas
providethroughAICTorinternaldepartmentnetwork)andtelecommunicationswerenotavailable?
NOTE:RespectiveITandTelecommunicationsstaffreferenceAppendixDtoanalyzeyourservicestodevelop
yourcontingencyandrecoverymeasures.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
5.Howwouldyoucarryoutthiscriticalserviceifanoutageofutilitiesoccurred?
(Note:Utilities(F&O)isresponsibleforpower,waterandnaturalgastothebuildingfootprint.)
Alternatemeasures/contingencyplans:
Naturalgas
Water
Electricity
Heat/Steam
Cooling
Page19of59UniversityofAlbertaEPBCWorkbook02-05-2008
6.Howwouldyoucarryoutthiscriticalserviceiftherewasalossofacriticalvendor?
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
7.OtherCriticalSinglePointsofFailureorShowStoppersnotcapturedabove?
8.AdditionalRisksGeneratedbyImplementingAlternateMeasures/ContingencyPlans
I.e.areyouaddinganewhazardtotheworkenvironmentthroughtheimplementationofyour
alternate/contingencymeasure?
1.
2.
3.
4.
5.
6.
7.
9.PolicyExceptionsneededforImplementingAlternateMeasures/ContingencyPlans
1.
2.
3.
4.
5.
CriticalService#4
MAD:
KeyUniversityPersonnel:
Office
Phone
Cell
Phone
Home
Phone
E-mail
PrimaryContact:
AlternateContact#1:
AlternateContact#2:
ContractPersonnel(ifimportantto
theprovisionoftheservice):
Descriptionofthiscriticalservice
Page20of59UniversityofAlbertaEPBCWorkbook02-05-2008
Responsiblestaff(keycontactresponsiblefortheprovisionofthisservice)
Upstreamdependencies:(Whatotherunitsorsystems,outsideyourcontrol,havetobeoperationalbeforeyoucan
performthiscriticalfunction?)(seeappendixAattheendofthispackagefortwographstoaidyouinmakingthese
decisions)
Downstreamdependencies:(Whatunitsorsystemswillbeaffectedbyfailureofthiscriticalfunction?)
PeakPeriods
1.Howwouldyoucarryoutthiscriticalserviceifyourusualspace/facility/officewasnotavailable?
I.e.youmayconsiderscenariossuchas:yourofficewasnotaccessible,yourbuildingwasnot
accessibleoryourbuildingwasdestroyed.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
2.Howwouldyoucarryoutthiscriticalserviceiftheusualequipmentorvehicleswerenotavailable?
I.e. desk top computers, laptops, diagnostic equipment, specialized tools, delivery vehicles etc.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
Page21of59UniversityofAlbertaEPBCWorkbook02-05-2008
3.Howwouldyoucarryoutthiscriticalserviceifsomestaffwerenotavailable?
Alternatemeasures/contingencyplans:
1.BrainstormherebutreferenceandcompleteAppendixCforstructuredanalysisprocess.
4.Howwouldyoucarryoutthiscriticalserviceifcomputernetworks(Universitynetworksuchas
providethroughAICTorinternaldepartmentnetwork)andtelecommunicationswerenotavailable?
NOTE:RespectiveITandTelecommunicationsstaffreferenceAppendixDtoanalyzeyourservicestodevelop
yourcontingencyandrecoverymeasures.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
5.Howwouldyoucarryoutthiscriticalserviceifanoutageofutilitiesoccurred?
(Note:Utilities(F&O)isresponsibleforpower,waterandnaturalgastothebuildingfootprint.)
Alternatemeasures/contingencyplans:
Naturalgas
Water
Electricity
Heat/Steam
Cooling
6.Howwouldyoucarryoutthiscriticalserviceiftherewasalossofacriticalvendor?
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
7.OtherCriticalSinglePointsofFailureorShowStoppersnotcapturedabove?
8.AdditionalRisksGeneratedbyImplementingAlternateMeasures/ContingencyPlans
I.e.areyouaddinganewhazardtotheworkenvironmentthroughtheimplementationofyour
alternate/contingencymeasure?
1.
2.
3.
4.
5.
6.
7.
Page22of59UniversityofAlbertaEPBCWorkbook02-05-2008
9.PolicyExceptionsneededforImplementingAlternateMeasures/ContingencyPlans
1.
2.
3.
4.
5.
CriticalService#5
MAD:
KeyUniversityPersonnel:
Office
Phone
Cell
Phone
Home
Phone
E-mail
PrimaryContact:
AlternateContact#1:
AlternateContact#2:
ContractPersonnel(ifimportantto
theprovisionoftheservice):
Descriptionofthiscriticalservice
Responsiblestaff(keycontactresponsiblefortheprovisionofthisservice)
Upstreamdependencies:(Whatotherunitsorsystems,outsideyourcontrol,havetobeoperationalbeforeyoucan
performthiscriticalfunction?)(seeappendixAattheendofthispackagefortwographstoaidyouinmakingthese
decisions)
Downstreamdependencies:(Whatunitsorsystemswillbeaffectedbyfailureofthiscriticalfunction?)
PeakPeriods
Page23of59UniversityofAlbertaEPBCWorkbook02-05-2008
1.Howwouldyoucarryoutthiscriticalserviceifyourusualspace/facility/officewasnotavailable?
I.e.youmayconsiderscenariossuchas:yourofficewasnotaccessible,yourbuildingwasnot
accessibleoryourbuildingwasdestroyed.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
2.Howwouldyoucarryoutthiscriticalserviceiftheusualequipmentorvehicleswerenotavailable?
I.e. desk top computers, laptops, diagnostic equipment, specialized tools, delivery vehicles etc.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
3.Howwouldyoucarryoutthiscriticalserviceifsomestaffwerenotavailable?
Alternatemeasures/contingencyplans:
1.BrainstormherebutreferenceandcompleteAppendixCforstructuredanalysisprocess.
4.Howwouldyoucarryoutthiscriticalserviceifcomputernetworks(Universitynetworksuchas
providethroughAICTorinternaldepartmentnetwork)andtelecommunicationswerenotavailable?
NOTE:RespectiveITandTelecommunicationsstaffreferenceAppendixDtoanalyzeyourservicestodevelop
yourcontingencyandrecoverymeasures.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
5.Howwouldyoucarryoutthiscriticalserviceifanoutageofutilitiesoccurred?
(Note:Utilities(F&O)isresponsibleforpower,waterandnaturalgastothebuildingfootprint.)
Alternatemeasures/contingencyplans:
Naturalgas
Water
Electricity
Heat/Steam
Cooling
Page24of59UniversityofAlbertaEPBCWorkbook02-05-2008
6.Howwouldyoucarryoutthiscriticalserviceiftherewasalossofacriticalvendor?
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
7.OtherCriticalSinglePointsofFailureorShowStoppersnotcapturedabove?
8.AdditionalRisksGeneratedbyImplementingAlternateMeasures/ContingencyPlans
I.e.areyouaddinganewhazardtotheworkenvironmentthroughtheimplementationofyour
alternate/contingencymeasure?
1.
2.
3.
4.
5.
6.
7.
9.PolicyExceptionsneededforImplementingAlternateMeasures/ContingencyPlans
1.
2.
3.
4.
5.
CriticalService#6
MAD:
KeyUniversityPersonnel:
Office
Phone
Cell
Phone
Home
Phone
E-mail
PrimaryContact:
AlternateContact#1:
AlternateContact#2:
ContractPersonnel(ifimportantto
theprovisionoftheservice):
Descriptionofthiscriticalservice
Page25of59UniversityofAlbertaEPBCWorkbook02-05-2008
Responsiblestaff(keycontactresponsiblefortheprovisionofthisservice)
Upstreamdependencies:(Whatotherunitsorsystems,outsideyourcontrol,havetobeoperationalbeforeyoucan
performthiscriticalfunction?)(seeappendixAattheendofthispackagefortwographstoaidyouinmakingthese
decisions)
Downstreamdependencies:(Whatunitsorsystemswillbeaffectedbyfailureofthiscriticalfunction?)
PeakPeriods
1.Howwouldyoucarryoutthiscriticalserviceifyourusualspace/facility/officewasnotavailable?
I.e.youmayconsiderscenariossuchas:yourofficewasnotaccessible,yourbuildingwasnot
accessibleoryourbuildingwasdestroyed.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
2.Howwouldyoucarryoutthiscriticalserviceiftheusualequipmentorvehicleswerenotavailable?
I.e. desk top computers, laptops, diagnostic equipment, specialized tools, delivery vehicles etc.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
3.Howwouldyoucarryoutthiscriticalserviceifsomestaffwerenotavailable?
Alternatemeasures/contingencyplans:
1.BrainstormherebutreferenceandcompleteAppendixCforstructuredanalysisprocess.
Page26of59UniversityofAlbertaEPBCWorkbook02-05-2008
4.Howwouldyoucarryoutthiscriticalserviceifcomputernetworks(Universitynetworksuchas
providethroughAICTorinternaldepartmentnetwork)andtelecommunicationswerenotavailable?
NOTE:RespectiveITandTelecommunicationsstaffreferenceAppendixDtoanalyzeyourservicestodevelop
yourcontingencyandrecoverymeasures.
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
5.Howwouldyoucarryoutthiscriticalserviceifanoutageofutilitiesoccurred?
(Note:Utilities(F&O)isresponsibleforpower,waterandnaturalgastothebuildingfootprint.)
Alternatemeasures/contingencyplans:
Naturalgas
Water
Electricity
Heat/Steam
Cooling
6.Howwouldyoucarryoutthiscriticalserviceiftherewasalossofacriticalvendor?
Alternatemeasures/contingencyplans:
1.
2.
3.
4.
5.
6.
7.
8.
7.OtherCriticalSinglePointsofFailureorShowStoppersnotcapturedabove?
8.AdditionalRisksGeneratedbyImplementingAlternateMeasures/ContingencyPlans
I.e.areyouaddinganewhazardtotheworkenvironmentthroughtheimplementationofyour
alternate/contingencymeasure?
1.
2.
3.
4.
5.
6.
7.
9.PolicyExceptionsneededforImplementingAlternateMeasures/ContingencyPlans
1.
2.
3.
4.
5.
Page27of59UniversityofAlbertaEPBCWorkbook02-05-2008
3.2IdentifyingHazards,RankingRisksandDeterminingVulnerabilities
HazardIdentification,RiskAssessment,VulnerabilitiesandEmergencyManagement
Introduction
Bestpracticeindicatesthattobeasreadyasreasonablypracticaltomanagepotentialemergencies,anorganization
mustidentify,analyzeandassessthepotentialhazardsandrisksitfaces.Riskassessmentisrecognizedasacritical
componentofanemergencymanagementprogram.Theoutcomesofariskassessmentareusedasthebasisfor
decisionmakingrelatedtotheriskappetiteoftheorganizationandthemeasurestakentodealwithresidualriski.e.the
riskthatcannotbeeliminatedandisinherenttooperatingthebusiness.
Theriskanalysisandassessmentprocessproducestheriskprofilefortheorganization.Theriskprofilewillassistthe
organizationindevelopmentrisktreatmentandemergencymanagementprograms.Theoutcomesoftheplansare
designedtoeliminate,reduce,mitigate,control,transfertheriskandhaveplansinplacetodealwithemergency
conditions.
Diagram1:ARiskManagementProcess
Assess &Rank
Risks
I dent if yRi sks
Develo pR isk
Manag ement St rat eg y
Al locat eRe sour ces
andI mp le ment
Meas ure Resu lt s
What Risks Do We Face?
What is the Relative
Importance of the Risks
we Face Which Can or
Should we Try to
Manage?
How Will we
Manage These
Risks? What
Tools and
Strategies?
The Process of
Implementing the Risk
Management Tools we
Have C hosen to Use
Measuring Results and
Recalibrating to Reflect
Experience
Ris k Manage ment and
E me rgenc y Servic es
Fra mework for Planning
Service Level St rat egies
Theriskassessmentprocessproducestheriskprofilefortheorganization.Theriskprofilewillassisttheorganizationin
developmenttherisktreatmentplans.Theoutcomesoftheplansaredesignedtoeliminate,reduce,mitigate,controlor
transfertherisk.
Page28of59UniversityofAlbertaEPBCWorkbook02-05-2008
Purpose
Thepurposeofidentifyinghazards,analyzingandassessingriskwithintheintegratedemergencymanagement
programistoassistindevelopinghazardspecificemergencymanagementplansthatwillbeincludedintheEmergency
OperationsPlan(EOP)sectionofthefacultyordepartmentprogram.ExamplesofplansthatwillbeincludedintheEOP
include:evacuationplans,bombthreatplans,chemicalspill/releaseplansandamedicalresponseplan.
ThehazardidentificationandriskassessmentprocessalignstheUniversitysIntegratedEmergencyManagement
Program(IEMP)withStandardsintheemergencymanagementindustry.Thisprocess
meetstheintentofChapter5,Section5.3RiskAssessmentoftheNationalFire
ProtectionAssociation1600:StandardonDisaster/EmergencyManagementand
BusinessContinuityPrograms.
EmbeddedintheIEMPistheconceptofanallhazardsapproachtoemergency
management.Theallhazardsapproachincludesfeaturessuchas:coordinatedemergencymanagementsystems,
collaborationwithexternalresponseagenciesandpartners,consistentcommandandcontrolstructuresandcommon
languageregardlessofthetypeofemergency.Theallhazardsapproachwillproduceemergencymanagementplans
thataddressthehazardsandpotentialemergenciesthatmaybeexpectedbutatthesametimeremainflexibletoadapt
totheunknown.
Riskcanbetheresultof
surprises,of
badplanning,noplanningor
simplynoaction.
RiskandEmergencyManagementTerminologyforIdentificationandAssessmentProcess
Tobestapproachtheprocessofhazardidentification,riskanalysisandassessmentasetofcommontermsand
definitionsisarequirement.
WhatisRiskAssessment
Riskassessmentistheprocessofevaluatingriskandapplyingriskestimatestodecideonmanagementstrategiesand
actions.
Hazard
Acondition,material,workprocessorsituationwiththepotentialforcausinganundesirableconsequencesuchasharm
topeople,animalsandtheenvironment.Thehazardhasthepotentialtocauseloss.
Example:Gasolineisahazardifmishandledandofsufficientquantityandignitionoccurscancauseinjuryanddamage
topeople,propertyandtheenvironment.
Hazardscanbegroupedunderbroadbasedtermsthatassistwithriskassessmentforaparticularinstitutionora
segmentoftheinstitution.Forexample:
NaturalHazardscaninclude:Tornado,Drought,Flood,IceStorm,Earthquake
Technicalhazardscaninclude:Utilityfailuresuchaslossofelectricity,Telecommunicationsfailure,ITfailure,
Structuralfailure/collapse,firealarmsystemfailure,hazardousmaterialspill/release
HumanRelatedHazardscaninclude:Arson,Robbery,Violentacts,Medicalemergency/PublicHealth
Emergency,Sabotage,ActsofTerrorism
Financialhazardscaninclude:Lossofrevenue,Lossofgovernmentfunding,Substantialfinesorlegalaction
HazardousIncident
Anundesiredandunplannedeventthatresultsininjuriestopeople,damagetoproperty,harmtotheenvironmentand
aninterruptiontothedeliveryofcriticalservices.
Example:Thesuddenfailureofapropanestoragetankresultinginareleaseofpropanetotheenvironmentand/oran
ignitionofthepropane.
Page29of59UniversityofAlbertaEPBCWorkbook02-05-2008
Risk
Ameasureoftheprobabilityandseverityofadverseeffectsoftheundesiredorunplannedevent.Thechanceof
somethinghappeningthatwillhaveanimpactupontheinstitutionsservicesandobjectives.Asrelatedtoemergency
managementriskisusedtodescribethelikelypotentialofharmfulconsequencesandnegativeimpactsresultingfroma
hazardinoraroundtheUniversityandtheinteractionwithpeople,structures,theenvironmentandservices.
Example:Thechance(probability)ofbeingkilled(severity)inanautomobileaccident.
Probability
Ameasureofhowlikelyitisthataneventwilloccurduringsome
periodoftimeorotherdefinedparameter.
UniversityandRisks
Riskoffire
Riskofdeathandinjuries
Riskofcrimeanddisorder
Riskofterrorism
Risktowatersupplies
Risktohazardouswastedisposal
Riskofvehicleaccidents
Riskofhazardsonroads,streets,in
parks
Risktocriticalinfrastructure
Risktoreputation
Riskofmarketfailure
Riskofpolitics
Example:Thechancesofwinningalotteryaredescribedasa
probabilitye.g.1inamillionchancesofwinningthebigprize.
Severity
Severityisameasureofhowserioustheadverseeffectsor
consequencesoftheeventare.Howbadcanitbe?
Example:
Anaccidentcanproducetwocommonlyreferredtodegreesof
severity:afatalityoraninjury.
Consequence
Themainoutcome(s)oftheeventassociatedwiththehazard
Example:Thesuddenfailureofapropanetankcausesareleaseof
propanetotheatmospherethatignitesinanexplosionthatinjures
peopleandcausespropertydamage.
Acceptingadefinedlevelofrisk
meansthatyourorganization
hasimplemented
policiesandproceduresfor
assessing,evaluating,monitoring
andreportingrisk.
Italsomeansthatyourorganization
canreactrapidly
todynamicchangeinrisk,
recognizeunacceptablelevels
andrespondtoreducetheexposure.
AdverseEffects
Thepotentialforrisktoproduceanemergencyconditioncanproducea
varietyofadverseeffectssuchas:
Healthandsafetyimpactsonpeopleand/oranimals
Propertydamage
Environmentalharm
Economicloss
Damagetoreputation
Businessinterruptions
RiskAnalysis
Theestimationoftheriskmeasuresdescribingthechanceofanundesiredeventoccurringandtheseverityofits
consequences.
RiskMitigation
Thereductionofriskthroughmeasuresthatreducetheprobabilityandseverityofapotentialundesiredevent.The
measurestakentoprepareforresidualriskrelatedtooperationsofthebusiness.
Example:Fireevacuationplans.
Page30of59UniversityofAlbertaEPBCWorkbook02-05-2008
RiskManagement
Thepolicies,proceduresandpracticesappliedtoanalyze,assessandcontrolrisk.
RiskControl
Theminimizationofriskexposurethroughtheimplementationofriskmitigationmeasuresordelegationofliability.
Emergency
Aneventorconditionthatisrealorimminentwhichthreatensorimperilsthehealth,safetyandsecurityofpeople,can
causedamagetobuildingsandstructures,canharmtheenvironment,disruptcriticaloressentialservicesatthe
Universityandnegativelyimpacttheinstitutionsreputation.
EmergencyManagement
Theactivationofresponseteams,theexecutionofprotocols,implementationofcontingencymeasures,applicationofa
commandandcontrolsystemandrecoveryactionstomanageriskstotheUniversity.
Event
Acondition,situationorincidentthatoccursonorneartheUniversityduringaperiodoftimethatresultsinsomeformof
responsebytheUniversity
Diagram2:RiskExposures,RiskFactors,RiskManagement
Publ ic
Sector
IRM
Systems
Processes
Procedures
Risk
Tol erance
Risk
Profi l e
Governance
and
Pol icies
Labour
Contracts
IT Systems
Failures
Performance
Construction
Asset
Integrity
Legal/Liability
Natural
Disaster
Consumer
Environment
Risk Exposures
Risk Factors and
Risk Management
Elements
Critical
Infrastructure
Business
Interruption
Political
Regulations
Transport-
ation
Water
Sewer
Personnel
Loss
Public
Safety
Social
Services
Housing
Page31of59UniversityofAlbertaEPBCWorkbook02-05-2008
ProcessforIdentificationandRiskAssessment
IdentifyingandassessingriskisakeyelementoftheemergencymanagementprogramfortheUniversity.Throughthe
identificationandassessmentprocess,areasofvulnerabilitythatcouldleadtopotentiallossestopeople,property,the
environmentornegativeimpactsontheoperationoftheleisurecenterwillbehighlighted.Preventionmeasures,
mitigationactionsandcontingencyplanswillbeidentifiedinthesectionincludingtherisktreatmentplans.
ThegoalisthedevelopmentofariskprofilefortheUniversityusingasimplefive-stepprocessforidentificationand
assessmentofrisks.Anoutcomeoftheassessmentistherankingoftherisksidentifiedi.e.prioritizationoftherisks
suchthatmitigationmeasurescanbedevelopedandimplemented.Thefive-stepprocessthatfollowsincludes
examplesrelatedtoeachstepthatactasatrainingcomponentoftheprogramforhazardidentificationandrisk
assessment.
3.2DeterminingRisksandVulnerabilities
HazardIdentification,RiskAssessmentandVulnerabilityAnalysisSteps
Afivestepprocesstoanalyzeandranktheriskstoyourfaculty/department/unitisprovided.Examplesrelatedtoeach
stepintheriskanalysisprocessareincluded.
Step1
Column1inthefollowingtableliststhepotentialnatural,humanmade,technicalandfinancialhazardsthatcouldresult
inmajoremergencies,disastersorbusinessinterruptionsthatcouldnegativelyimpacttheUniversity.
Thistableismeanttobeflexibleandadaptabletoyourdepartment/facultyorunit.Ifyouwanttoaddotherspecificrisks
pleasejustaddtothelistinthepertinentsector.Ifyouarefillingthisoutelectronicallyitisrecommendedthatyouprint
pages35-38tohelpyoufilloutthetable,itwillsimplifytheprocessgreatlywhendoingso.
Column1
MajorEmergency,Disaster
Sector
Column2
Probability
Column3
Severity
Column4
Risklevel
Column5
Ranking
Natural
WildFire
Flood
ColdWave
IceStorm
SevereStormRain/Snow
Tornado
Earthquake
Lightning
HeatWave/Drought
Page32of59UniversityofAlbertaEPBCWorkbook02-05-2008
Technical
UtilitiesFailure
i.e.water,naturalgas,power,
steam,wasteremoval
Telecommunications
SystemFailure
ITInfrastructure
Disruption
i.e.virus,lossofnetwork,loss
ofequipment
Criticalequipmentfailure
ITSecurityBreach/Theft
Flooding(Internal)
StructureFire/Explosion
StructuralCollapse
HazardousMaterial
Release/Spill
AircraftCrashonUniversity
Newrisknotlistedin
template:
(pleaseaddhere)
Newrisknotlistedin
template:
(pleaseaddhere)
HumanRelated
Sabotage
i.e.deliberateacttodisrupta
system,aprogram,an
applicationorotherwork
process,
Arson(criminalactivity)
LabourInterruption
i.e.workstoppage,deliberate
slowdown,strike
Riot/Civil/SportsEvent
Disruption
PublicHealthEvent
i.e.flupandemic,outbreakof
norovirus,meningitis
WorkplaceViolence
(internalsource)
ViolentAct
(fromexternalsource)
Page33of59UniversityofAlbertaEPBCWorkbook02-05-2008
LossofSenior
Management
TransportationEvent(e.g.
busaccident,heavy
equipmentvehicleaccident,
pipelinebreachother)
Theftofassetse.g.robbery,
fraud,stolenpropertyother,
ActofIndustrialespionage
Terrorism
BombThreat
SuspiciousPackage
(receivedattheuniversity)
ActiveShooteroncampus
Animal/Crop
Vandalism/Disruption/
Release/Contamination
HostageTakingEvent
BioterrorismEvent
Protester/ActivistAction
Involvingviolence
Financial
LossofGovernment
Funding
LossofResearchFunding
LossofStudentRevenue
LossofAsset
LegalAction/Fines
InstitutionalReputation
BadMediaPress
Communityoutrage
Studentoutrage
Page34of59UniversityofAlbertaEPBCWorkbook02-05-2008
Step2-WorkingThroughColumn2
UsetheProbabilityMatrixbelowtodeterminetheprobabilityofoccurrenceforeachofthepotentialhazardsandrisks
identifiedincolumn1thatcouldimpacttheUniversity.Onemethodofassessmentinvolvesthereferencingofany
historicalrecordsofeventsthathaveoccurredattheUniversityorintheregionhavingthepotentialtoimpactthefacility.
Rememberthisisyoursubjectivequalitativesenseregardingriskassessment.
ProbabilityMatrix
Probability
DescriptiveWord
Definition
Frequent
Likelytooccurrepeatedly
Probable
Likelytooccurseveraltimes
Occasional
Likelytooccursometime
Remote
Notlikelytooccur
Improbable
Probabilityofoccurrenceisextremelyremote
Asyouexaminethepotentialemergencythatcouldoccurassesstheprobabilityoftheeventoccurringandinsertthe
descriptivewordinofyourworkingtable.
Example:TablewithColumn2Completed
BasedontheProbabilityMatrixColumn2hasbeencompletedinthetablebelow.
Column1
Major
Emergency,
Disaster
Sector
Column2
Probability
Column3
Severity
Column4
Risklevel
Column5
Ranking
Natural
Fire Probable
Tornado Occasional
Technical
Burstwaterpipe Occasional
Manmade
Riot Remote
Financial
Legalaction/fines Improbable
Page35of59UniversityofAlbertaEPBCWorkbook02-05-2008
Step3WorkingThroughColumn3
UsetheSeverityMatrixbelowtoidentifytheprobableconsequencesofeachhazardthatcouldresultinanemergency
eventthatcouldimpactyouroperations.Selectthemostaccurateseveritylevel(catastrophic,critical,marginalor
negligible)andrecordinColumn3.
SeverityMatrix
SEVERITY
LEVEL
Human
Impact
Impacton
Animals/Res
earch
Specimens
Property
Damage
Environment
al
Impact
Reputation
Damage
Financial
Impact
Non
Compliance
(with
legislation,
policy,
procedure)
C
A
T
A
S
T
R
O
P
H
I
C
Fatalitiesinvolved.
Verylargenumberof
peopleaffected.
Multipleserious
injuries.Lossof
somekeystafffor
morethan1week.
Extensiveloss
ofanimals.
Longterm
researchlost.
Specimensnot
recoverable.
Extensive
damageto
structuresand
infrastructures
.Widespread
displacement
ofpeople
(>500)
Seriouslong
termimpacton
environmentwith
somepermanent
damage
Serious
damageto
University
reputation.
Extensive
adverse
commentson
campus.
Media
relentlessin
damaging
reports.
Serious
impacton
University
economics.
Financial
lossin
excessof
$10million
Extensivelegal
actionagainst
theUniversity
involving,
criminaland
civillitigation.
Government
inquirycalled.
Senior
executives
impacted.
C
R
I
T
I
C
A
L
Potentialfatalities.
Significantnumber
ofpeopleaffected.
Multipleinjuries.
Temporarylossof
somekeystafffor
morethan1day.
Significant
impacton
animalhealth
andwelfare
andresearch
projects.Some
specimensat
riskofloss.
Significant
damageto
structures
and/or
infrastructure.
Somepeople
displaced
(<500)
Significant
impacton
environmentwith
mediumtolong
termeffects
Significant
adverse
commentson
campus.
Significant
interestfrom
external
media.Press
comments
negativeand
harmfulto
University
reputation
Significant
impacton
University
economics.
Financial
loss
between$1
$10million
Limitedlegal
actionagainst
theUniversity
relatedto
breachof
contractual
obligationsor
applicableacts
and
regulations.
M
A
R
G
I
N
A
L
Nofatalities.Small
numberofpeople
affected.Small
numberofminor
injuries.Somekey
staffunavailablefor
afewhours
Limitedimpact
onanimal
healthand
welfareand
research
specimens.
Some
disruptionto
animaland
specimen
researchbutno
significant
losses
Damageis
confinedtoa
specific
location.
Infrastructure
notimpacted.
Localized
displacement
(<100)
Limitedimpact
onenvironment
withsomeshort
termandlong
termeffects
Someadverse
commentson
campus.
Limited
interestfrom
external
media
Limited
impacton
University
economics.
Financial
loss
between
$100k-$1
million
Internal
investigation
relatetonon
compliance
withUniversity
policiesand
procedures.
N
E
G
L
I
G
I
B
L
E
Insignificantinjuries
orimpactonhuman
health
Insignificant
impacton
animalhealth
andspecimens
Insignificant
impacton
structuresor
infrastructure
Insignificant
impactonthe
environment
Internalto
Facultyor
Department
only
Insignificant
impacton
University
economics.
Financial
lossof
<$100k
Internal
investigationat
facultyor
department
levelapplicable
tonon
compliance
withpolicies
and
procedures.
Page36of59UniversityofAlbertaEPBCWorkbook02-05-2008
Example:TableColumn3Completed
BasedontheSeverityMatrixColumn3hasbeencompletedinthetablebelow.
Column1
Major
Emergency,
DisasterSector
Column2
Probability
Column3
Severity
Column4
Risklevel
Column5
Ranking
Natural
Fire Probable Catastrophic
Technical
Burstwaterpipe Occasional Critical
Manmade
Riot Remote Marginal
Financial
Legalaction/fines Improbable Negligible
Step4WorkingThroughColumn4
TheRiskMatrixbelowhighlightstheareasfordetermininglow,mediumandhighriskwithrespecttothehazards,risk
andpotentialeventsthatyouanalyzedthusfar.PlaceeacheventthatyouanalyzedinColumn1aboveinthe
appropriatecellinthematrixbasedoncrossreferencingtheprobabilityandseverityassessmentsyoudetermined
aboveinColumns2and3.
RiskAssessmentMatrix
RiskLevels
Probability
Severity
Frequent Probable Occasional Remote Improbable
Catastrophic
Critical
Marginal
Negligible
HighRisk
MediumRisk LowRisk
Page37of59UniversityofAlbertaEPBCWorkbook02-05-2008
Example:TableColumn4Completed
BasedontheRiskMatrixandtheinformationfromColumns2&3,findthecorrectrisklevelforeachevent.
RiskLevels
Probability
Severity
Frequent Probable Occasional Remote Improbable
Catastrophic
Fire
Tornado
Critical
Burst
WaterPipe
Marginal
Riot
Negligible
Legal
action/fines
Step5WorkingThroughColumn5andRankingtheRisks
Nowprioritizeeacheventaccordingtotherisklevel.Thegreatestpriorityshouldbegiventotheriskeventswiththe
highestlevel.
ExampleTable
(Thisiswhatafinishedassessmentshouldlooklike)
Column1
Major
Emergency,
DisasterSector
Column2
Probability
Column3
Severity
Column4
Risklevel
Column5
Ranking
Natural
Tornado Occasional Catastrophic
Medium 2
Fire Probable Catastrophic
High 1
Technical
Burstwaterpipe Occasional Marginal
Medium 3
Manmade
Riot Remote Marginal
Low 4
Financial
Legalaction/fines Improbable Negligible
Low 5
Page38of59UniversityofAlbertaEPBCWorkbook02-05-2008
3.2.1NextStep:Mitigation/CounterMeasures/AlternatemeasuresandVulnerability
IdentificationforRiskTreatmentandActionPlan
1.Takethetoprisksthatyouidentifiedinthepreviousprocessandlisttheminthischartfromhighesttolowestranked.
2.Analyzeeachoneofthoserisksbasedonthesetofquestionsinthecolumnsbelow.
3.Determinevulnerabilityifany
4.Determineactionplantomitigateoreliminatetherisk
KeyRisks
identifiedand
rankedinthis
column.
I.e.Startwith
thenumber1
riskidentified.
Trytolista
minimumof
5-10
Doyouhavealternate
measure/
mitigation/contingency
planinplacealready
tomanagetherisk
IfYes?BrieflyIdentify
IfNo?Identify
vulnerabilityinnext
column
Vulnerability
Identified.
Providesome
details.
i.e.Computer
serversmaybe
damageddueto
water
(leak/spill/breach
ofpipe),
evacuationplan
needed
Whatcanbe
donetoday
atlittleorno
costto
reducethe
risk?
Needalongertermaction
PLANtomitigateor
eliminatetherisk.(Include
projectedcostswhereyoucan
forimplementation).
1.
2
3.
4.
5.
6.
7.
8.
9.
Page39of59UniversityofAlbertaEPBCWorkbook02-05-2008
ThefollowingthreesectionsaredesignedtocapturecriticalinformationneededandrelatedtolistsofKey
Personnel/Vendors/Contractors.
3.3ContactListsforPersonnel
Section1asksyoutolistthekeydepartment/faculty/unitpersonnelyouwouldneedtohaveaccesstointhe
eventofamajoroutageoremergencyimpactingyourservices.Thelistbeginswithyour
faculty/department/unitthenextendstootheruniversityfaculties/departments/unitsonmaincampusfollowed
bykeycontactsatotheruniversitycampuslocations.
Section2initiatesthelistofexternalresourcesrequiredinsupportofaresponse,recoveryandresumptionof
department/facultycriticalservicesandfunctions.Keyvendors,suppliersandcontractorsshouldbeidentified.
Section3providesthemeanstolistthemajorresourcesyouwillneedtoapplyyourcontingencymeasures
andalternatemeansofcontinuingtodeliveryourcriticalservices.
Theinformationonthelistswillformasectioninyourfaculty/department/unitactionplanthatwillbeaccessed
intheeventofamajoroutageoremergencyimpactingtheUniversity.Ensuringthatyourlistsareascomplete
aspossible,havingthemaccessibletokeystaffandmaintainingtheminascurrentformaspossiblewillbe
keystoatimely,efficientandeffectiveresponseandrecovery.
Section1University/InstitutionPersonnel
1.KeyDepartment/Faculty
Personnel(Name)
Position Work
Phone
Cell
Phone
Home
Phone
E-mail
2.KeyDepartment/Staffin
OtherUofA
Departments/Faculty
Page40of59UniversityofAlbertaEPBCWorkbook02-05-2008
3.KeyDepartment/Staffat
otherUniversity/College
Campuses
Section2ExternalContactstotheUofA
Page41of59UniversityofAlbertaEPBCWorkbook02-05-2008
3.4Resources:Equipment,Facility/Workspace,VehiclesandSpecializedNeeds
Listtheminimumresourcesneededtosupportyouralternativemeasuresforthecriticalservicesrecordedin
yourplan.Pleaselistmajoritemsonly.Atthistimedonotlistconsumablessuchaspaper,inksetc.Estimate
yourneeds.
Resource
Item/Unit
Amount
Required.
Numberof
individual
items
neededto
enableyou
togetyour
servicesup
andrunning
again
Instockand
onsite?
Theneeded
materialsand
equipment
areavailable
oncampus.
Locationof
Delivery.
Whereonor
offcampus
wouldyou
requirethe
materialsand
equipmentto
besetup?
TimeConstraints
forRecoverye.g.
Musthavethe
computerssetup
within4hours
Requiredfromoff
site
Contact/Vendor?
Ifyes,listthe
vendorsname.
Thecontact
informationshouldbe
listedontheprevious
pageinthe
ExternalContacts
section.
Sample:
2 YesorNo
answer
TBD 24hourMADTime Grand&Toy
Workstations
(includes
desktop,
computer,
network
connection,
table,chair)
Tobe
determinedat
timeof
emergency
basedonwhich
ofyouralternate
locationsare
available
Laptop
computerand
charger.
Telephone
(hardwired)
Cellphone
Printer
Fax
Page42of59UniversityofAlbertaEPBCWorkbook02-05-2008
Resource
Item/Unit
Amount
Required.
Numberof
individual
items
neededto
enableyou
togetyour
servicesup
andrunning
again
Instockand
onsite?
Theneeded
materialsand
equipment
areavailable
oncampus.
Locationof
Delivery.
Whereonor
offcampus
wouldyou
requirethe
materialsand
equipmentto
besetup?
TimeConstraints
forRecoverye.g.
Musthavethe
computerssetup
within4hours
Requiredfromoff
site
Contact/Vendor?
Ifyes,listthe
vendorsname.
Thecontact
informationshouldbe
listedontheprevious
pageintheExternal
Contactssection.
Copier
Tobe
determinedat
timeof
emergency
basedonwhich
ofyouralternate
locationsare
available.
Scanner
Other
Equipment,
Vehicles,
Specialized
Needs(List)
Server
Buildings/Struct
ure
Page43of59UniversityofAlbertaEPBCWorkbook02-05-2008
AppendixA
SimpleSlideofUpstreamandDownstreamInterdependencies
Critical
Service
<entercritical
servicehere>
Faculty
Department
/Unit
Department
Department/
SupplierandSe ice rv
<typehere>
UpstreamInputsandDependencies
Department/
SupplierandService
<Typehere>
Department/
SupplierandService
<Typehere>
Department/
SupplierandService
<Typehere>
Department/
SupplierandService
<Typehere>
Department/
Supplierand
Service
<Typehere>
Department/
SupplierandService
<Typehere>
Department/
SupplierandService
<Typehere>
Department/
Supplierand
Service
<Typehere>
Faculties
Students
Downstream
Sponsors
Page44of59UniversityofAlbertaEPBCWorkbook02-05-2008
Page45of59UniversityofAlbertaEPBCWorkbook02-05-2008
APPENDIXBOptionalWork
(ReferencetoolonlyifdifficulttodetermineMAD)
MADMAXIMUMACCEPTABLEDOWNTIMEofaSERVICE
Determining:MaximumAcceptableDowntime
&RestartingYourCriticalService
o Ifyouarehavingdifficultydecidinghowlongyourcriticalservicecanbedownforlookatthe
tablebelow,checkofftheareasthatareimpactedbyanoutageofyourserviceovertime.
o TherecoverytimeobjectiveshouldbeashortertimeperiodthantheMAD.
WhatistheMADbeforenegativeconsequences
occur?
RecoveryTime
Objective(RTO)
Potentialnegative
consequences
0-8
hours
9-24
hours
25-72
hours
4-14
days
15-30
days
30+
days
Disruptionof
learning/teaching
Disruptionof
discovery/research
Healthandsafetyof
facultyandstaff
Healthandsafetyof
students,contractors,
visitors
Lossoffaculty
Lossofstaff
Lossofstudents
Paymentdeadlinesnot
met
Lossofrevenue
Legalramifications
Regulatorynon
compliance
DamagetoUniversity
reputation
Substantialimpacton
externalrelationship
Impactonother
Universitydepartments
Page46of59UniversityofAlbertaEPBCWorkbook02-05-2008
AppendixCBusinessContinuityWorkbook
MAJORHEALTHEMERGENCYBUSINESSCONTINUITY
PLANNING
ThisisasubsetplanthatcomplimentsouroverallBusinessContinuityPlanningworkbook.Thereisahighprobabilitythatmaterialfrom
thefirstpartoftheworkbookcanbecutandpastedintothissubworkbookorsameasphraseinsertedintotheblanksinsomecases.
Thissubsetplanfocusesonstaffandasksyoutodetermineessentialservices.Thelastsectionofthissubsetasksyoutothinkabout
thecoordinationofInternationalBusinessasitrelatestoourresponsibilities.
1.DepartmentInformation
NameofFaculty,Department(orSubUnitwithinaDepartment)
PrimaryContactforthisplan:
Alternatecontactforthisplan:
2.CapacityandBusinessImpactAnalysis
Thismatrixisdesignedtocapturehowyourfaculty/departmentwillcontinuetoprovidecriticalservicesandfunctionswiththe
threatofdiminishinghumanresourcecapacityasthepandemicinfluenzaimpactstheUniversity.Bycompletingthematrixa
facultyordepartmentwillbeinapositiontohighlightthe:
alternativemethodsormeasuresthatcanbeimplementedtocontinuedeliveringcriticalservices;
theotherdepartmentsthatyoudependoninordertodeliveryourcriticalservices;
anyarrangementyouhavemadewiththeotheruniversitydepartments;
contractualarrangementyouhavedeveloped;inventoryrequirementsyouseetomaintainservices;
equipmentyouwillneed,fromwhomandwhen.
Thisprocessshouldassistfacultiesanddepartmentsindeterminingessentialpersonnelrequiredtoaccomplishthecritical
servicesandfunctions.Throughtheanalysisyoumayberequiredtoexamineworkflowprocessesespeciallywhenhighlighting
dependencies.
Page47of59UniversityofAlbertaEPBCWorkbook02-05-2008
Listyourcritical
servicesand
functions
necessaryduring
thefollowing
capacityrange
scenariosbased
ontheimpacton
people.
Listthepersonnel
thatperformthe
criticalservice.
(Primaryand
designated
alternates).This
maybethesameas
intheworkbook
Basedonthe
diminishing%of
staffandcapacity
aretherealternate
methodsor
measuresyoucan
implementforthe
continueddeliveryof
thecriticalservice?
Whatotherfacultiesor
departmentsare
criticaltoyouto
continuetodeliverthis
criticalservice?
Haveyoumadeany
arrangementswiththe
identifiedfacultiesor
departments?
Arethere contractual
arrangementsforthe
deliveryofthe
criticalservicethat
youneedtoidentify
andconsiderwhen
capacityis
diminishing?
Whatare the
essentialinventory
requirements,
equipmentneedsor
otherresources
necessarytodeliver
thiscriticalservice?
Youmusthave
thesekeysupport
itemstoperformthe
service
Anyadditional
information
pertinenttothe
deliveryofthe
criticalservice
thatyoushould
record
Scenario1You
areoperatingat
75%-100%
capacity
CriticalService1
CriticalService2
CriticalService3
CriticalService4
CriticalService5
CriticalService6
Page48of59UniversityofAlbertaEPBCWorkbook02-05-2008
Scenario2You
areoperatingat
50-74%capacity
Listthepersonnel
thatperformthe
criticalservice.
(Primaryand
designated
alternates).This
maybethesameas
intheworkbook
Basedonthe
diminishing%of
staffandcapacity
aretherealternate
methodsor
measuresyoucan
implementforthe
continueddeliveryof
thecriticalservice?
Whatotherfacultiesor
departmentsare
criticaltoyouto
continuetodeliverthis
criticalservice?
Haveyoumadeany
arrangementswiththe
identifiedfacultiesor
departments?
Arethere contractual
arrangementsforthe
deliveryofthe
criticalservicethat
youneedtoidentify
andconsiderwhen
capacityis
diminishing?
Whatare the
essentialinventory
requirements,
equipmentneedsor
otherresources
necessarytodeliver
thiscriticalservice?
Youmusthave
thesekeysupport
itemstoperformthe
service
Anyadditional
information
pertinenttothe
deliveryofthe
criticalservice
thatyoushould
record
CriticalService1
CriticalService2
CriticalService3
CriticalService4
CriticalService5
CriticalService6
Page49of59UniversityofAlbertaEPBCWorkbook02-05-2008
Scenario3You
areoperatingat
25-49%capacity
Listthepersonnel
thatperformthe
criticalservice.
(Primaryand
designated
alternates).This
maybethesameas
intheworkbook
Basedonthe
diminishing%of
staffandcapacity
aretherealternate
methodsor
measuresyoucan
implementforthe
continueddeliveryof
thecriticalservice?
Whatotherfacultiesor
departmentsare
criticaltoyouto
continuetodeliverthis
criticalservice?
Haveyoumadeany
arrangementswiththe
identifiedfacultiesor
departments?
Arethere contractual
arrangementsforthe
deliveryofthe
criticalservicethat
youneedtoidentify
andconsiderwhen
capacityis
diminishing?
Whatare the
essentialinventory
requirements,
equipmentneedsor
otherresources
necessarytodeliver
thiscriticalservice?
Youmusthave
thesekeysupport
itemstoperformthe
service
Anyadditional
information
pertinenttothe
deliveryofthe
criticalservice
thatyoushould
record
CriticalService1
CriticalService2
CriticalService3
CriticalService4
CriticalService5
CriticalService6
Page50of59UniversityofAlbertaEPBCWorkbook02-05-2008
Scenario4
Fromyour
originallist
itemizethe
criticalservices
thatcouldbe
deferredforatwo
weekperiod
withoutsevere
negative
consequences
CriticalService
CriticalService
CriticalService
CriticalService
CriticalService
Scenario6
Worstcase
scenarioimpact
andthe
Universityis
declaredclosed.
Essential
servicesmustbe
accomplished
e.g.Heating
plant,security,
safety,carefor
animals.
Identifyanyofyour
criticalservicesthat
aredeemedtobean
essentialservice
thatmustbe
providedintheevent
theUniversitycloses
duetoahealth
emergency
Numberof
personnelrequired
todeliverthe
identifiedessential
services
EssentialService
1
EssentialService
2
EssentialService
3
1.Organizationalchainof
commandforfacultyor
department
Name
Positioni.e. Faculty
orDepartment
Leaderintheevent
ofamajorhealth
emergencyfollow
byahierarchical
chainofcommand
Work
Phone
Cell
Phone
Home
Phone
E-mail Text
Messaging
Capability?
Yes/No
Computer
connectivity
athomeor
other
location?
Ability To
Workfrom
Home
2.PandemicPlanning
Workgroup
Names
3.Communicationscontactfor Positioni.e.Faculty Work Cell Home E-mail Text Computer Ability To
Page52of59UniversityofAlbertaEPBCWorkbook02-05-2008
thefaculty,departmentor
portfolio
Name
orDepartment
Leaderintheevent
ofamajorhealth
emergencyfollow
byahierarchical
chainofcommand
Phone Phone Phone Messaging
Capability?
Yes/No
connectivity
athomeor
other
location?
Workfrom
Home
Primary:
Alternate:
4.Faculty/Department
EmergencyContactList.The
staffthatwillgetnotifiedand
calledoutintheeventofan
emergency.
Page53of59UniversityofAlbertaEPBCWorkbook02-05-2008
4.QuestionSetstoPromptPlanningandDevelopment
AdditionalFaculty/DepartmentInformationImportantForEmergencyPreparednessandBusinessContinuity
QuestionSet4.1:
ListofPersonnel,ContactingYourPersonnel,PersonnelonCall
Doyoumaintainan
updatedlistof
faculty/department
personnelincludingwork
phone,cellphone,
email,officeetc.?Yesor
No
Ifyes,whereisthelist
kept?E.g.officedeskor
officedeskwithcopyoff
site
Doyouhaveaposition
designatedtoensure
updatestothepersonnel
listsarecompleted?
Doesyour
faculty/departmenthave
amethodforrapidly
contactingallpersonnel
onyourlisttoprovide
criticalinformation?E.g.
Pageoutsystem,
automaticdialer
Whatisyourmethodof
communicatingwith:
Faculty
Staff
Students
Inter-faculty
Inter-department
Intheeventofan
emergency?
Doyouhavean
emergencyoncall
methodcompletedwith
designatedpositionsin
theeventofan
emergencyeventinyour
faculty/department?
QuestionSet4.2:
RecordingAbsences,CriticalInventoryList,ListofvendorsandSuppliers,ListofKeyPartners
orSponsors,ListofKeyGovernmentContacts
Doyourecordemployee
(and/orstudentas
applicable)absenceson
adailybasis?
Whoretainstheabsence
recordsinyour
faculty/department?
Doyouhaveareadily
availableandaccurate
listofcriticalinventory
andsuppliesonhand?
Doyouhavereadily
availableanaccuratelist
ofvendorsandsuppliers
ofcriticalresourcesin
theeventofadisasteror
majoroutageof
services?
WhoareyourKey
PartnersorSponsors
thatyouwouldneedto
callintheeventofa
majoremergency?
WhoaretheKey
GovernmentContacts
youwouldneedtocall?
Page54of59UniversityofAlbertaEPBCWorkbook02-05-2008
QuestionSet4.3:
BusinessRelatedtoInternationalActivitiesandFaculty,StaffandStudentsAcrossUofA
Doyoumaintainan
updatedlistofallfaculty,
stafforstudents
travelingorworking
abroadonprograms
managedbyyour
Faculty?
Whoretainsand
maintainsthelistanddo
youhaveameansof
quicklyaccessingthe
list?
Note:CheckwithUofA
EAPcentrallymanaged
program
Doyouchecktravel
advisoriespriorto
faculty,stafforstudents
leavingforinternational
travel?
Doyoumonitorthe
traveladvisorieswhile
youhavepeople
abroad?
Or,doyourelyona
Universitycentralized
functionformanaging
traveladvisories?
Doyouhaveany
employees/students
workingabroadon
programsmanagedor
directedbyyourunitor
Faculty?
Ifyeshowdoyou
maintaincontactwith
them?Howwouldyou
getanemergency
messagetothem?
Doyouhaveany
employees/studentswho
travelinternationally?
Ifyeshowdoyou
maintaincontactwith
them?Howwouldyou
getanemergency
messagetothem?
WhoareyourKey
Partners,Sponsorsor
Universitiesthatyou
wouldneedtocallin
theeventofamajor
emergency?
Doyouhaveacurrent
list?
WhoaretheKey
Governmentcontactsyou
wouldneedtocall?
Doyoucollect,fromthe
faculty,stafforstudenta
listoffamilycontacts
whentheyaretraveling
onUniversitysponsored
businessorworking
abroad?
Ifnot,istheinformation
capturedthroughsome
otherdepartment?
Whoretainsthislistand
doyouhaveameansof
quicklyaccessingthe
information?
Doyouhaveclear
policiesdevelopedfor
authorizingand
monitoringfaculty,staff
orstudentswhenthey
areabroad?
Doyoudevelop
contingencyplansinthe
eventthatyouhadto
evacuateorrecallyour
faculty,stafforstudent
fromtheinvolved
internationalcountry?
Doyouhaveplansin
placefordealingwith
internationalguests,
facultyorstudents
whomaybeworking
withinyourfacultyat
theUofA?
Doyouensurethe
internationalguest
(facultymemberor
student)isregistered
withintheUofA
employeerecords
system?
DoyoucontacttheUofA,
RiskManagementOfficeto
verifyinsurancecoverage
ordoyoucontactother
insuranceagencieswhen
Faculty,stafforstudents
travelorworkaboard?
Priortotraveloccurringis
insurancecoverage
verifiedandcommunicated
tothefaculty,staffor
studentstraveling/working
abroad?
Page55of59UniversityofAlbertaEPBCWorkbook02-05-2008
5.ContingencyPlan,CounterMeasures,InformationandDocumentationActionItems
Note:Thisformisavailableforcapturingactionitemsbasedontheoutcomesofthescenariosandquestionsnotedabove.Thismatrix
addressesthevulnerabilitiesorareasneedingdevelopmentasaresultofyouranalysis.
Item
Number
Task Task
Assigned
to:
Contact
Name:
Contact
Phone
Number:
DescriptionofActionItem Contract
Required?
ItemCompleted?Ifnot
pleaseprovideupdate
Page56of59UniversityofAlbertaEPBCWorkbook02-05-2008
AppendixDBusinessContinuityPlanningWorkbook
VitalRecords,InformationTechnologyandTelecommunications
PurposeandGoal
TheUniversityishighlydependantoninformationtechnologyandtelecommunicationstoprovidethecriticalservicesthatsupportthecore
businessesoflearning,discovery,citizenshipandhealthsafetyandsecurity.
ThepurposeofthistemplateistoprovideguidancefortheITstaffinafacultyordepartmentinanalyzingandassessingtheircurrent
statewithrespecttobusinesscontinuityanddisasterresponseandrecovery.
UsingthequestionpromptsinthetemplatetheITstaffcanfillintheblanksandusetheoutcomesasmaterialtodeveloptheirportionofa
businesscontinuityplan.
ThegoalisfortheITstafftohaveadocumentedbusinesscontinuityplanthatformspartoftheoverallplanforthefacultyordepartment.
WithinthatplanwillbecomponentsrelatedtoITandtelecommunicationsdisasterresponse,recoverymeasuresandevidenceof
protectionandretentionofvitalrecordsthroughtheinformationtechnologysystem
DepartmentInformation
NameofFaculty,Department(orSubUnitwithinaDepartment)
PrimaryContactforthisplan:
Alternatecontactforthisplan:
Scope
ThisisanappendixinthebusinesscontinuityworkbookfortheUniversity.Thetable/templateprovidedintheappendixisdesignedtoassist
thefacultiesanddepartmentsincompletingtheanalysisandsolutionsphasesoftheworkbook.Thetemplateappliestotherelativevital
records,ITandtelecommunicationssystem,applicationsandcomponentsthatareownedandadministeredwithinthefacultyordepartment.
Thetemplatemaynotbeallinclusivethereforerespectivefacultiesanddepartmentsshouldaddtothematerialwhereappropriate.
Responsibility
Theadministratorsofthevitalrecords,ITsystemsandapplicationsandthetelecommunicationssystemforthefacultyordepartmentare
responsibleforcompletingtheportionofthebusinesscontinuityplanrelatedtotheitemizedsubjectsandfieldsinthetable.
Page57of59UniversityofAlbertaEPBCWorkbook02-05-2008
GeneralGuidelinesforPlanDevelopment
1.IdentificationofVitalRecordsandDocumentsthatmustbebackedupand/orpreservedwithinyourFaculty,DepartmentorUnit.
Nameofvitalrecordor
document
Mediumfor
retention;
papercopy,
disk,tape
Locationof
recordor
document
Backupofrecords
ordocuments
requiredand
completed
Locationof
backup
recordsor
documents
Access
measures
tothe
recordor
document
Primary
contactfor
recordor
document
Alternatecontact
forrecordor
document
2.IdentifyBackupofApplicationsandMeasureswithinyourFacultyorDepartment
NameofSystemor
Database
Backup
Frequency
Backup
Media
Automaticor
manualbackup
process
Storage
location
Describe
recovery
measurein
place
PrimaryIT
contact
andphone
number
AlternateIT
contactand
number
Page58of59UniversityofAlbertaEPBCWorkbook02-05-2008
3.IdentifyBackupofServersownedandwithinyourFacultyorDepartment.(IfserversareprimarilyhousedwithinAICTplease
noteinthissectionandobtainbackupandrecoveryplanoutlinefromAICTrepresentative).
Identificationofserverand
location
Describethe
typeof
server;e.g.
database,
web
Backup
Frequency
BackupMedia Automaticor
manual
backup
process
Storage
location
Describe
recovery
measurein
place
Primaryand
alternateIT
contactsand
phonenumber
4.IdentifyBackupofWorkstationswithinyourFacultyorDepartment.(IfworkstationsareprimarilymaintainedbyAICTplease
noteinthissectionandobtainbackupandrecoveryplanoutlinefromAICTrepresentative).
Filesfromworkstationsare
backeduponfacultyor
departmentserver.
Filesfrom
workstations
arebackedup
onfacultyor
department
serverand
throughAICT
Backup
frequency
Automaticbackupor
Manualbackupby
user
100%of
workstation
filesare
backedup
througha
facultyor
departments
process
Individual
usersare
backingup
filesontheir
workstation
versus
facultyor
departments
process
Describe
recovery
measuresin
placefor
workstations
Primaryand
alternateIT
contactsand
phonenumber
5.Telecommunications
Riskhavebeenidentifiedwithrespecttothelossofnormaltelecommunicationswiththefacultyordepartmentandalternate
measuresfortelecommunicationsneedshavebeenidentifiedanddocumentedinyourplan.
Risks
Alternatemeasures
Primarycontactforalternatemeasuresplan
Page59of59UniversityofAlbertaEPBCWorkbook02-05-2008
6.SystemSoftwareandDocumentation
Verifythatsystemsoftware,applicationssoftwareandrelated
documentationrelativetoyourfaculty,departmentorunithas
beenproperlyretained.Itmustbeaccessibleintheeventof
relocationorrebuildneed.
Verifythatequipmentneeds,technicalconnectionsandaccesstomaterialshavebeen
documentedintheeventthatyourfacultyordepartmentmustrelocatetoanalternate
workspace
7.DocumentedRecoveryPlan,TestingandExercises
Verifythatyourfacultyor
departmenthasacurrent
documentedITand
telecommunicationsrecovery
plan.Prioritizationof
applicationsandsystemsis
identifiedintheplan.
Verifythat
maximum
acceptable
downtimesand
recoverypoint
objectiveshave
beenestablishedfor
thesystemsand
applicationswithin
thefacultyor
department
Verifythattheplanis
testedonaregular
frequency.
Documentlastdate
oftesting
Identifywhat
componentswithin
theITsystemhave
beenidentifiedas
toohighariskto
test.Identifythe
contingency
measuresinthe
eventofafailure
Identifyexercisesthat
simulateafailureofa
componentoftheIT
and/or
telecommunications
systemrelativeto
yourfacultyor
departments
PrimaryITcontactand
numberIdentifyITrecovery
team