FAQs

.

1. What is business continuity?

The Business Continuity Institute defines business continuity as follows:

“The strategic and technical capability of an organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.” 

It further defines Business Continuity Management as:

“A holistic management process that identifies potential threats to an organisation and impacts to business operations that those threats – if realised – might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”

www.thebci.org/glossary.pdf

There is a tendency to see business continuity as a ‘dark art’ but in fact you probably already do it without even realising it most of the time. In very simple terms, we cannot plan for every single possible incident, so we identify the possible consequences (e.g. you cannot access teaching rooms for whatever reason) and make sure there is a plan to deal with that eventuality.  

The idea is to try and make sure that the disruption caused by an incident is kept to a minimum and everyone knows what they need to do, or who they need to contact. This can be anything from having someone hold a spare key to the office to having a plan for re-routing staff and students should your building become uninhabitable for any reason, or knowing what to do during a School wide emergency.    

The overall aim is to make sure that the School's critical business activities can be maintained or recovered quickly. 

There is sometimes confusion between incident management or disaster recovery and business continuity. The main distinction is that the first two deal with a specific event that can't always be planned for (e.g. activists have taken over your teaching room and barricaded themselves in), whilst business continuity deals with the consequences of an event (e.g. you have a plan for the provision of an alternative teaching room), and so it takes a much broader approach. 

For a brief introduction to business continuity at the School, you can click on the SLIDE  (PDF) that features in the LSE Induction for new staff. 

2. Why should we care about business continuity?

What would you do if your department lost all its exam scripts? Of if there was a School wide power cut, or a flood from the toilets upstairs, that shut down your teaching rooms or your offices? How about if staff couldn’t get in due to severe weather conditions or a large scale failure of the tube system? What would you do if the School email went down for a few days, or if Moodle went down and students didn’t know whether they had successfully submitted their dissertations in time? What if your laptop, with the only copy of some highly sensitive data or research on it, was stolen or lost? Who would you need to speak to and how would you contact them? Who else would be affected? How would you let them know? 

Business continuity planning means everyone knows what to do - or who to contact - if there is a problem that affects your department or division, your colleagues and the students. 

A good plan safeguards you, your department, your colleagues, the School and in some instances, just as importantly, our reputations. It means that you have something in place to make sure that the critical work you need to deliver for the School and for your area is not irretrievably disrupted. 

In addition, Business continuity is a responsibility that is devolved to heads of departments and divisions from the Director. This means they have accountability for business continuity within their areas.

Auditors and insurers are increasingly seeking assurances that organisations such as the School have adequate plans and policies in place. Furthermore, other organisations are now expecting certain standards to be complied with before they will work with them (as indeed the School does when it works with contractors) and more and more grant providers are expecting researchers to be able to produce a range of their organisation’s business continuity and disaster recovery plans.  

And finally, in the unfortunate event that School or a part of the School became the subject of litigation relating to an incident, it might need to be able to prove that it had adequate, documented and tested plans in place. 

3. About business continuity at the LSE

Business continuity management at the School is concerned with:

  • Anticipating and preventing avoidable interruptions to the work of the School and planning for recovery from the impact of a major incident, such as the loss of a building, a flu pandemic or a terrorist attack;
  • The initial management of any major incident under the Major Incident Initial Recovery Plan (MIIRP) (PDF).
  • The MIIRP sets out the framework for the actions to be taken at School level in response to the early stages of a major incident affecting the Houghton St campus or a student residence. The objective of the plan is to help ensure the safety and wellbeing of people and security of property in the immediate aftermath of the incident.
  • Copies of the Plan have been sent to all members of the School's Emergency Management Teams.
  • The Major Incident Initial Response Plan deals with the preliminary stage of the School's response to a major incident and paves the way into the Major Incident Business Recovery Plan, the objective of which is to ensure the timely and prioritised resumption of key activities disrupted by the incident. The Business Recovery Plan is being finalised and will be circulated and placed on the Business Continuity webpage as soon as possible.
  • A number of other business continuity plans are also being finalised and will be made available as soon as possible. Any queries about business continuity plans should be sent to Veronique Mizgailo.

Achieving these objectives is a matter of partnership between the School and its administrative services and academic units. The Director of the Risk and Compliance Unit is responsible for developing that partnership.

The main outputs from the partnership are guidance where appropriate from the School and local business continuity plans to ensure that normal business is possible and that disruption is avoided, or - should it occur - that its impact is mitigated so that it does not put the achievement of the School’s priorities at risk.

4. What does the School require from local departments and divisions? 

The absolute bare minimum that the School requires is that every department and division has a plan, that the plan is regularly exercised (at least annually) and that the plan is regularly updated  if there are any changes within the department or division, or if the exercise shows that there are areas for improvement (see FAQ 7).  

Alongside this, the School asks that each Business Continuity Rep completes a short annual report at the beginning of the year, that will be submitted to the Business Continuity Executive Working Group. This group meets annually and some reps may be expected to attend (see FAQ 13). A half day conference is also held in the Autumn, and all business continuity reps are invited to attend. The conference is an opportunity to meet other reps across the School, swop best/good practice and take up some training.   

Every three years reps will be asked to complete a Business Impact Analysis (BIA). The BIA is a comprehensive survey of critical and non critical systems and resources across the School by department and division. It looks at optimal recovery times for these systems and resources and is used to identify weaknesses and areas of criticality across the organisation. The information gathered is used to inform both central and local business continuity planning and disaster recovery strategies. (For a diagram of the full cycle of activities see the Documents section of this webpage: 'Business Continuity Compliance Cycle at the LSE').

Business continuity is a responsibility that is devolved to Heads of Departments and Divisions from the Director. This means they are accountable for business continuity within their areas. Heads of Divisions and Departments may choose to devolve that responsibility to a nominated person within their area. 

The Service Divisions have their own, often very detailed, recovery plans as they deal with very specific parts of the School’s administration. The Academic Departments and units have followed suit. Those that do not have business continuity plans in place are encouraged to look at their business critical activities, their ‘pinch’ points both in terms of activities and staff expertise, and have some contingency arrangements in place. 

5. If I don't do anything what could happen?

  1. You will be unprepared if something happens that stops you being able to undertake the School’s or your department/division’s business. 
  2. It will take you much longer to sort everything out if no one knows what’s happening, who should do what and when, and who to contact. 
  3. You may not be able to recover your department’s business critical activities in a timely manner. 
  4. Your own reputation amongst your colleagues might suffer if you look as though you have no control over what has happened. 
  5. Your department/division’s and the School’s reputation could suffer damage.
  6. Business continuity is a responsibility that is devolved to Heads of Departments and Divisions from the Director. This means they are accountable for business continuity within their areas. If they have chosen to nominate you for that responsibility, you are part of that accountability chain.
  7. You may be asked to explain to your line manager and Head of Department/Division what went wrong and why you weren’t prepared.
  8. Depending on the seriousness of the incident and its impact, they in turn may be called upon to explain to the School Secretary or the Director what went wrong and why they weren’t prepared. In the case of past serious IT outages for example, explanations were asked for at Council level. 
  9. You may know what to do, but in your absence, your colleagues might not. It is good practice to ensure that the information is readily accessible to them. 
  10. In the (hopefully unlikely) case of litigation or an inquiry into an incident you may be called upon to provide documentary evidence that the decisions made at the time were based upon a reasonable combination of available information and adequate, documented and tested plans/processes.  

6. How do I start thinking about a business continuity plan?

It is impossible to plan for every situation or scenario, and business continuity is about planning how you would respond to the consequences of an incident that affects the School’s business, not necessarily identifying the incident itself, in a way that allows your area to resume business activities critical to the School as quickly as possible. To do this you need an understanding of what is critical to your area and how you would recover it if necessary. 

Things to consider:

  • What critical activities do you undertake for the School? E.g. payroll, exams, teaching etc.
  • What times of year are critical for you?
  • Do you need to share specialist knowledge more widely in your area?
  • Are there areas where you are particularly vulnerable?
  • Who do you need to contact in an emergency?
  • How would you contact people in an emergency?

Have you considered what you would do in some common scenarios? For instance, do you know what to do if:

  • You cannot access your offices or teaching space for any reason;
  • Staff/students cannot travel into the School;
  • You cannot access your IT dependent systems;
  • There is a threat to your area’s reputation;
  • What happens if there is an incident at your most business critical time of the year;
  • What happens if you have insufficient staff to undertake business critical activities, or you are short staffed at a business critical time of year?
  • You lose business critical or confidential data, e.g. staff records, exam scripts, contracts, loan agreements etc?

Templates for a variety of business continuity plans can be found in the Documents section. See also the diagram ' Business Continuity Planning: things to consider' to help start you thinking about the areas you might want need to cover.

7. How are business continuity plans exercised?

It’s no good having plans in place if they are not tested - you can’t know if they’ll work or not. 

Testing will take the form of regular desktop exercises, although there is nothing stopping you doing an in-house exercise if you want to. The Business Continuity Manager will arrange to come along to the department or division with a scenario, which is designed to test the plans you have in place and see how your department or division might deal with a particular situation.  

The idea is not to catch people out, but to find out where the gaps in current plans might be. Following a test the Business Continuity Manager will work with the person who has responsibility for business continuity locally to improve the plan if needed.

However, having said that, local management do have accountability for business continuity. Divisions and Departments are expected to have a business continuity arrangement of some kind in place and the lines of accountability travel all the way up to the senior management of the School.  

8. What does being a divisional or departmental business continuity rep involve?

As a rep, you are the person nominated by your Head of Department or Division to ensure that the School’s business continuity requirements are met. You will be expected to ensure that there is a plan and that the plan is maintained and updated.  

Depending on the existing level of business continuity planning within your area and what your department/division wants to achieve, you may need to engage in varying levels of initial work to set this up. More information on local management can be found in these FAQs and there are some useful templates in the Documents section of this page. You will also find links to further reading in the Resources section of this page. 

You may also be expected to attend the Business Continuity Executive Working Group (BCEWG) if you represent a Service Division or are one of the three Academic Department Reps nominated at the AUMF to represent Departmental and Research Institute Managers. More information on this body can be found in FAQ 13  in this section.

Support and help is available and more information is contained in the FAQ dealing with training. You can always contact Veronique Mizgailo if you are not sure where to start or want to talk to someone about the role. 

9. What training and support is available?

Hopefully this website will provide a first source of reference and information for those undertaking business continuity within the School. If you need to know more or can’t find something, then contact Veronique Mizgailo

Unfortunately there is no formal training programme for business continuity. Training sessions will be mostly ad hoc, but an annual ‘mini conference’ will be held to which all business continuity representatives will be invited. Over the course of half a day, broadly speaking, we will have a training session, discuss best practice, exchange experiences and stage a scenario as a training exercise. We will obviously try to address any needs that the representatives might have.

There is also a wealth of knowledge amongst your peers, and it may be that you can ask for a mentor from amongst them to help guide you. Conversely if you would like to volunteer to be a mentor and pass on your knowledge and experience please do let Veronique know.

In the meantime, if you have a question, want to discuss an issue, or need some advice or help please contact Veronique. Veronique will be happy to come and meet you on a one to one basis and offer any assistance, or run a scenario for group training purposes too. 

We do have an external provider and if there is sufficient demand we may ask them to provide directed training also. 

10. What is required locally of service divisions and academic departments?

The School takes business continuity and risk very seriously and all divisions and departments are expected to have some kind of business continuity arrangements in place. This responsibility will also have been delegated to your Head of Department / Division by the Director. If you have even a basic risk register set up too, then so much the better as it will help inform your business continuity plans. 

The business continuity arrangements will be tested on an annual basis and there is more information on this in this FAQ section. 

Service Divisions

On a local level, it is expected that all service divisions have plans in place and that business continuity reps are nominated in each division to maintain them and take responsibility for them. Although not compulsory, it is good practice to maintain at least a basic risk register.

Academic Departments

Formerly academic units were given a basic, generic plan, issued by the School. However, almost all academic units have now put in place their own, more detailed plans and each unit should have a nominated business continuity rep to maintain these plans and take responsibility for them.   

If you wish to draw up your own more detailed plan, you can find templates in the Documents section and contact Veronique Mizgailo if you need further help or guidance. In addition each area that completed the 2013 Business Impact Analysis will have received an individual business continuity plan template based on their responses, to use or not as they wish. 

Lines of accountability and governance are in place to ensure that the School's requirements are met and FAQ 11 deals with this subject in more detail. 

11. What are the lines of accountability and governance within the School? 

Organisational chart showing lines of delegation, governance and compliance within the School (PDF).

The oversight of accountability and governance for business continuity is undertaken by the Business Continuity Management Board, which is chaired by the Chief Operating Officer. The Chief Operating Officer is accountable to the Director, and the Director is accountable to the School Council.  

On a local level, business continuity is a responsibility that is devolved to Heads of Departments and Divisions from the Director. This means they are accountable for business continuity within their areas. They, in turn, may choose to nominate a person in their area to ensure their delegated obligations to business continuity are fulfilled. In addition, the nominee may then ask someone else to undertake the delegated obligations. For instance a Head of Department may ask the Departmental Manager to undertake Business Continuity within their Department. The Departmental Manager may then choose to delegate this function to another member of staff. Responsibility for Business Continuity however, remains with the head of the department or division. 

Local areas are responsible for ensuring that they have their own plans in place, and outside of any guidance issued, or assistance provided, centrally by the School for business continuity and specific events, they are expected to manage their business continuity plans and events locally. A diagram of the School's business continuity cycle can be found in the Documents section of this webpage, under 'Business Continuity Compliance Cycle at the LSE'.

12. Who's who in business continuity at the LSE? 

Who's who in Business Continuity at the LSE:  

  • Veronique Mizgailo - Business Continuity Manager and member of the Business Continuity Management Board
  • Members of the Resilience and Business Continuity Management Board:
    • Chief Operating Officer - Chair
    • Deputy Chief Operating Officer
    • Director of Estates.
    • Director of Facilities Management
    • Director of Data and Technology Services
    • Director of Human Resources Division
    • Director of Communications Division
    • Head of Student Services
    • Business Continuity Manager

13. What is the Reslience and Business Continuity Management Board? 


This Board is tasked with overall responsibility for ensuring the School has adequate business continuity arrangements in place and providing assurance. 

It is chaired by the School's Chief Operating Officer.  The actions required by the Board are translated into applicable practice and implemented by Veronique Mizgailo, the Business Continuity Manager. 

Other members of the School may be called into the Board’s meetings to discuss specific matters or give presentations on their business continuity arrangements. 

The Board is answerable to the Director, and through the Director, to Council. 

The proceedings of the Board and its terms of reference can be requested from Veronique Mizgailo.

 

14. Risk and risk registers

This FAQ includes the headings:

  • Do I need a risk register to draw up a business continuity  plan?
  • What is a risk?
  • How is level of risk determined?
  • How do I draw up a risk register?

Most organisations have at least one risk register, whether it is an overarching strategic risk register, or whether it deals with more tangible risks like floods or mechanical breakdown. Although not obligatory, departments and divisions are encouraged to draw up some kind of operational risk register which can then be fed into their business continuity planning.  The School's Strategic Risk Register is held in the Directorate. 

The following is a very simplistic outline of the subject of risk and risk registers. It’s not intended to be a guide to dealing with what is potentially a large and complex subject, but an introduction to some of the basic precepts. If you feel you need more information than can be provided here, then please look at the Resources section where you will find more information on Risk, or contact Veronique Mizgailo, as a starting point.

Do I need a risk register to draw up a Business Continuity Plan?

Not necessarily - it depends on what your unit does. For instance, in areas that deal with IT or infrastructure it would make sense to have a risk register and have your recovery programme and business continuity planning linked to it in some way. If you are a small research unit that does not undertake field trips or teaching and is not wholly reliant on a single grant for example, it may not be that useful to you.

A risk register grades likelihood and impact of risks to help you look at ways to mitigate or prepare for specific threats to your business (e.g. how to lessen the risk of the Thames flooding as it will result in the School closing). 

Good business continuity planning gives you a way to deal with the consequences of an event or incident (e.g. how to respond if the School has to close for any reason). Having said that, business continuity planning can be informed by risk registers, and forward planning might be undertaken around certain, specific risks. For example, the School has a pandemic plan. It's not necessarily a high likelihood, but a pandemic would have a high impact on the School's critical business activities. 

Also, where you have a very high likelihood with potentially a high impact, you may want to have some kind of business continuity mechanism around it. The School’s severe weather plan is an example of this.

In addition, it's always a good idea to consider what risks your department or division might struggle with. For example do you have specific staff expertise and knowledge that is not documented or processes that are known to one person only? If that person left without an adequate handover, leaving no documentation of important activities, or if there was a staff shortage at a critical time, what would you do? A risk register will help you identify these kinds of problems.

What is risk?

PRINCE2 defines risk as follows:

“An uncertain event or set of events that, should it occur, will have an effect on the  achievement of objectives. A risk is measured by a combination of the probability of a perceived threat or opportunity occurring, and the magnitude of its impact on objectives.”

 

 

How is level of risk determined?

Once you have identified a risk, for example, “if my car breaks down I can’t get to work”, you need to then look at:

  1. The likelihood of the risk occurring: is my car likely to break down?
  2. The severity of the impact if the risk occurs: how bad will it be if I can’t get to work?
  3. Can I do anything about the risk? In other words:
    • Can I mitigate the risk? (get my car serviced and arrange with my boss to set up home working access for myself)
    • Can I avoid the risk? (buy a new car or retire)
    • Can I accept the risk? (I can’t afford either of the previous steps, but my boss is pretty laid back, there’s a direct bus, and I can work from home in the worst case scenario so it’s not a big deal if my car does break down.)
    • Can I transfer the risk (I’ll contract the responsibility for my journey to the local cab firm and they can drive me to work.)
    • Is the risk an opportunity? (I’ll start my own business from home and never need to drive in rush hour again.)

The level of risk is usually determined by considering the criteria in points 1-2, i.e. by considering likelihood and impact then looking at the mitigating factors set out in point 3. Bear in mind though that categorising risks is not always as straightforward as it might first appear. It is also worth considering whether some risks provide you with an opportunity rather than a problem.

For example, if you drive an unreliable old banger (likelihood) but your boss doesn’t mind if you work from home (severity of impact and ability to mitigate or accept the risk) then the risk could be moderate (amber).

If on the other hand, you get your car serviced (likelihood and mitigation of risk), but your boss will sack you if you’re late (severity of impact) you may want to upgrade the risk to high (red).

If you buy a new car (likelihood and avoidance of risk) and your boss is happy for you to work from home (severity of impact) then your risk rating is probably low (green).

There are many ways of categorising risks and you will find a plethora of scoring methods on the internet. The above example is just one way of doing it, based loosely on the PRINCE2 methodology.

How do I draw up a risk register?

Your risk register can be drawn up using specialist software, or you can put together something more simple and straightforward in Word or Excel.

One of the simplest ways of drawing up a risk register may be to use a ‘traffic light’ system, i.e. accord a risk a red, amber or green status (as has been done in the example above) according to how serious you think it is. 

There are lots of examples on the internet, or, if you want a template and you're not sure where to start contact Veronique Mizgailo.

15. Glossary of business continuity terms

A link to a dictionary of terminology, taken from the BCI website, can be found on the Resources page. 

16. Where can I find templates?

Templates can be found on the Documents page.

17. Where can I find the MIIRP (Major Incident Initial Response Plan?

A copy of the MIIRP can be found in the Major Incident Initial Response Plan (MIIRP) page.

18. I'm submitting a grant, what documents might I need?

The most commonly requested documents can be found in the Documents section of this page under "Grants". Usually you will be asked for the MIIRP, the IT Recovery Statement and the Alternative Accommodation Plan. If you cannot find what you are looking for please contact Veronique Mizgailo

For further reading and external links, go to the Resources section of this page. A range of internal documents can also be found in the Documents section of this page.