FAQs

The Business Continuity Institute defines business continuity as follows:

“The strategic and technical capability of an organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.”

It further defines Business Continuity Management as:

“A holistic management process that identifies potential threats to an organisation and impacts to business operations that those threats – if realised – might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”

There is a tendency to see business continuity as a ‘dark art’ but in fact you probably already do it without even realising it most of the time. In very simple terms, we cannot plan for every single possible incident, so we identify the possible consequences and make sure there is a plan to deal with that eventuality.

The idea is to try and make sure that the disruption caused by an incident is kept to a minimum and everyone knows what they need to do, or who they need to contact. This can be anything from having someone hold a spare key to the office to having a plan for re-routing staff and students should your building become uninhabitable for any reason, or knowing what to do during a School wide emergency.

The overall aim is to make sure that the School's critical business activities can be maintained or recovered quickly.

There is sometimes confusion between incident management or disaster recovery and business continuity. The main distinction is that the first two deal with a specific event that can't always be planned for (e.g. activists have taken over your teaching room and barricaded themselves in), whilst business continuity deals with the consequences of an event (e.g. you have a plan for the provision of an alternative teaching room or other arrangements), and so it takes a much broader approach. Disaster recovery tends to refer to an incident affecting IT systems and DTS have various plans in place should there be a major IT-related incident.

What would you do if your department lost all its exam scripts? Of if there was a School wide power cut, or a flood from the toilets upstairs, that shut down your teaching rooms or your offices? How about if staff couldn’t get in due to severe weather conditions or a large scale failure of the tube system? What would you do if the School email went down for a few days, or if Moodle went down and students didn’t know whether they had successfully submitted their dissertations in time? What if your laptop, with the only copy of some highly sensitive data or research on it, was stolen or lost? Who would you need to speak to and how would you contact them? Who else would be affected? How would you let them know?

Business continuity planning means everyone knows what to do - or who to contact - if there is a problem that affects your department or division, your colleagues and our students.

A good plan safeguards you, your department, your colleagues, the School and in some instances, just as importantly, our reputation. It means that you have something in place to make sure that the critical work you need to deliver for the School and for your area is not irretrievably disrupted.

In addition, business continuity is a responsibility that is devolved to heads of departments and divisions from the Director. This means they have accountability for business continuity within their areas.

Auditors and insurers are increasingly seeking assurances that organisations such as the School have adequate plans and policies in place. Furthermore, other organisations are now expecting certain standards to be complied with before they will work with them (as indeed the School does when it works with contractors) and more and more grant providers are expecting researchers to be able to produce a range of their organisation’s business continuity and disaster recovery plans.

And finally, in the unfortunate event that School or a part of the School became the subject of litigation relating to an incident, it might need to be able to prove that it had adequate, documented and tested plans in place.

Business continuity management at the School is concerned with:

• Anticipating and preventing avoidable interruptions to the work of the School and planning for recovery from the impact of a major incident, such as the loss of a building, a pandemic or a terrorist attack.
• The initial management of any major incident is undertaken through initiating the School’s Major Incident Initial Recovery Plan (MIIRP).
  
• The MIIRP sets out the framework for the actions to be taken at School level in response to the early stages of a major incident affecting the Houghton St campus or a student residence. The primary objective of the plan is to help ensure the safety and wellbeing of people and security of property in the immediate aftermath of the incident. The MIIRP outlines three levels of response – Gold, Silver and Bronze, which mirrors the command structure and language of the Emergency Services to make it easier for us to deal with them.
• As part of initiating the MIIRP, local Business Continuity Plans may be invoked depending on the nature and severity of the incident.

Achieving these objectives is a matter of partnership between the School and its administrative services and academic units. The main outputs from the partnership are guidance where appropriate from the School and local Business Continuity Plans to ensure that normal business is possible and that disruption is avoided, or - should it occur - that its impact is mitigated so that it does not put the achievement of the School’s priorities at risk.

The School does not have a full-time Business Continuity Manager. Chris Lintern (c.lintern@lse.ac.uk) fulfils this role on a part-time basis and can be contacted for any assistance with business continuity activities.

The minimum that the School requires is that every department and division has a plan, that the plan is regularly exercised and that the plan is regularly updated if there are any changes within the department or division. Plans should be reviewed on at least an annual basis.

Plans are normally based on a Business Impact Analysis (BIA). The BIA is a comprehensive survey of critical and non-critical systems and resources across the School by department and division. It looks at optimal recovery times for these systems and resources and is used to identify weaknesses and areas of criticality across the organisation. The information gathered is used to inform both central and local business continuity planning and IT disaster recovery strategies.

Business continuity is a responsibility that is devolved to Heads of Departments and Divisions from the Director. This means they are accountable for business continuity within their areas. Heads of Divisions and Departments may choose to devolve that responsibility to a nominated person within their area.

If your area does not have a plan:
1. You will be unprepared if something happens that stops you being able to undertake the School’s or your department/division’s business.
2. It will take you much longer to sort everything out if no one knows what’s happening, who should do what and when, and who to contact.
3. You may not be able to recover your department’s business critical activities in a timely manner.
4. Your department/division’s and the School’s reputation could suffer damage.
5. Business continuity is a responsibility that is devolved to Heads of Departments and Divisions from the Director. This means they are accountable for business continuity within their areas. If they have chosen to nominate you for that responsibility, you are part of that accountability chain.
6. You may be asked to explain to your line manager and Head of Department/Division what went wrong and why you weren’t prepared.
7. Depending on the seriousness of the incident and its impact, they in turn may be called upon to explain to the School Secretary or the Director what went wrong and why they weren’t prepared.
8. You may know what to do, but in your absence, your colleagues might not. It is good practice to ensure that the information is readily accessible to them.
9. In the (hopefully unlikely) case of litigation or an inquiry into an incident you may be called upon to provide documentary evidence that the decisions made at the time were based upon a reasonable combination of available information and adequate, documented and tested plans/processes.

It is impossible to plan for every situation or scenario, and business continuity is about planning how you would respond to the consequences of an incident that affects the School’s business, not necessarily identifying the incident itself, in a way that allows your area to resume business activities critical to the School as quickly as possible. To do this you need an understanding of what is critical to your area and how you would recover it if necessary.

Things to consider:

• What critical activities do you undertake for the School? E.g. payroll, exams, teaching etc.
• What times of year are critical for you?
• Do you need to share specialist knowledge more widely in your area?
• Are there areas where you are particularly vulnerable?
• Who do you need to contact in an emergency?
• How would you contact people in an emergency?

Have you considered what you would do in some common scenarios? For instance, do you know what to do if:

• You cannot access your offices or teaching space for any reason;
• Staff/students cannot travel into the School;
• You cannot access your IT dependent systems;
• There is a threat to your area’s reputation;
• What happens if there is an incident at your most business critical time of the year;
• What happens if you have insufficient staff to undertake business critical activities, or you are short staffed at a business critical time of year?
• You lose business critical or confidential data, e.g. staff records, exam scripts, contracts, loan agreements etc?

These considerations are covered as part of undertaking a BIA for your area, which is usually the basis for the Business Continuity Plan.

It’s no good having plans in place if they are not exercised - you can’t know if they’ll work or not. Exercising your plans is an opportunity to understand roles and responsibilities within your area of the School and to update the plan accordingly afterwards as a result of any lessons learned.

You can run these yourselves or Chris Lintern can lead the team through a pre-prepared scenario (which wouldn’t take more than a couple of hours).

For any training and support relating to business continuity planning, please contact Chris Lintern. Chris can assist with undertaking BIA reviews, creating Business Continuity Plans, facilitating scenario exercises or anything else relating to business continuity. And if you need any templates or further information Chris will be able to provide these.

The School takes business continuity and risk very seriously and all divisions and departments are expected to have some kind of business continuity arrangements in place. This responsibility will also have been delegated to your Head of Department / Division by the Director. If you have even a basic risk register set up too (as well as completing a Business Impact Analysis), then so much the better as it will help inform your Business Continuity Plans.

The oversight of accountability and governance for business continuity is undertaken by the Business Continuity Management Board, which is chaired by the Deputy Chief Operating Officer.

On a local level, business continuity is a responsibility that is devolved to Heads of Departments and Divisions from the Director. This means they are accountable for business continuity within their areas. They, in turn, may choose to nominate a person in their area to ensure their delegated obligations to business continuity are fulfilled. In addition, the nominee may then ask someone else to undertake the delegated obligations. For instance a Head of Department may ask the Departmental Manager to undertake business continuity within their Department. The Departmental Manager may then choose to delegate this function to another member of staff. Responsibility for business continuity however, remains with the head of the department or division.

Local areas are responsible for ensuring that they have their own plans in place, and outside of any guidance issued, or assistance provided, centrally by the School for business continuity and specific events, they are expected to manage their business continuity plans and events locally.

• Chris Lintern – responsible for business continuity planning on a part-time basis across the School.
• Mel Boucher – Head of Health and Safety (business continuity sits within Health and Safety from a reporting line perspective).

Members of the Resilience and Business Continuity Management Board:

• Deputy Chief Operating Officer - Chair
• Director of Estates
• Director of Facilities Management
• Director of Data and Technology Services
• Director of Human Resources Division
• Director of Communications Division
• Head of Student Services
• Head of Health and Safety

This Board is tasked with overall responsibility for ensuring the School has adequate business continuity arrangements in place and providing assurance.

It is chaired by the School's Deputy Chief Operating Officer.
Other members of the School may be called into the Board’s meetings to discuss specific matters or give presentations on their business continuity arrangements.

The Board is answerable to the Director, and through the Director, to Council.

The proceedings of the Board and its terms of reference can be requested from Chris Lintern.

Get in touch with Chris Lintern (c.lintern@lse.ac.uk) and he can provide you with any templates or further information.

A copy of the MIIRP can be found here: What to do in an emergency.

Contact Chris Lintern who will be able to assist. Typically you may be asked for a copy of the School’s Business Continuity Policy or a copy of your departmental plan by organisations seeking assurance that the School has the relevant plans and governance in place.