Business Continuity Management Policy

Purpose

The purpose of this policy is to affirm the University's commitment to business continuity management.

Through the adoption of business continuity best practices the University of Otago will achieve its objective to restore its critical administrative, academic, and research activities as soon as possible following a major disruptive event.

This Business Continuity Management Policy forms part of the Business Continuity Management Framework at the University of Otago, which is aligned to the Business Continuity Management Systems standard ISO22301:2019.

Organisational scope

This policy applies to all staff and to all activities of the University.

The University is not responsible for developing business continuity management policy for its controlled entities. The Boards of controlled entities will be responsible for establishing their own business continuity management framework and processes.

Definitions

Business Continuity

The capability of the University to continue the delivery of services at acceptable timeframes at predefined capacity during a disruption.

Business Continuity Management

The process that identifies potential threats to the University and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, and brand activities.

Business Continuity Plan

Documented procedures that guide the University to respond, recover, resume, and restore to a pre-defined level of operation following disruption.

Business Impact Analysis

The process of analysing activities and the effect that a business disruption might have upon the University.

Controlled Entity

An organisation that is related to the University through partial or full control/ownership.

Content

1. General

1. The University is committed to carrying out its activities with the highest regard for the health and safety of its staff, students, and the public, and to protecting its assets and reputation.
2. The University of Otago will therefore:
   1. Establish Business Continuity Plans to ensure business continuity for its key administrative, academic and research activities.
   2. Annually review and update the plans, including the periodic maintenance of the Business Impact Analyses upon which they are based. The process to be followed to complete a Business Impact Analysis and its related Business Continuity Plan is detailed in the Business Continuity Framework.
   3. Review the plans following any major operational or structural changes.
   4. Undertake regular plan validation exercises for staff training and evaluation purposes.
   5. Require management to develop, maintain and devolve business continuity planning within their areas of responsibility.
   6. Encourage the active participation of staff in business continuity matters and ensure that key personnel are able to perform competently during a major disruptive event.
3. These initiatives will be coordinated with activities detailed in the University's:
   1. Emergency Management Plan, which provides for a first response to a critical disruption.
   2. Information Technology Services Disaster Recovery Plan, which focuses on the resumption of critical information technology systems and data.

2. Responsibility for Business Continuity Management

1. The University Council has overall responsibility for business continuity and in exercising this function delegates:
   1. Responsibility for oversight of business continuity management activities to its Audit and Risk Committee, and
   2. Responsibility for the implementation of the Business Continuity Management Framework to the Vice-Chancellor.
2. The Audit and Risk Committee will:
   1. Provide oversight to business continuity management activities across the University and its controlled entities, and
   2. Report at least quarterly to the Council on the performance of business continuity activities (this may form part of a broader report on the work of the Committee).
3. The Vice-Chancellor delegates responsibility for ensuring that business continuity management practices are established and maintained in accordance with this policy to the Chief Operating Officer.
4. The Chief Operating Officer has:
   1. Delegated authority to ensure that business continuity management practices are established and maintained and that support and guidance is provided to the University community, and
   2. Responsibility for the operational management of business continuity management practices University-wide.
5. Senior Managers (DVCs, PVCs, Deans, Head of Departments, Directors):
   1. Senior Managers are business continuity plan owners, and will use all reasonable endeavours to ensure that their essential services/functions, for which they have responsibility, are able to continue through, or resume soon after a major disruptive event, and that arrangements are in place to achieve this. This requires the proactive devolution of business continuity planning within their areas of responsibility to function owners, to ensure the development, resourcing, maintenance, testing and review of business continuity plans takes place on schedule. Senior Managers are expected to encourage the active participation of staff in business continuity issues, and must ensure that key personnel are able to perform competently during a major disruptive event.
6. The Head of Risk, Assurance and Compliance is responsible for:
   1. Promoting and facilitating the implementation of business continuity practices,
   2. The ongoing development of the Business Continuity Management Framework, and
   3. Providing guidance and assistance to senior management and staff in fulfilling the responsibilities defined in this policy.
7. All other management and supervisory staff should familiarise themselves with their relevant business continuity plans and support processes that will help management a significant disruption to University operations and services.

Related policies, procedures and forms

• Business Continuity Management Framework
• Emergency Management Policy
• Emergency Management Plan
• Risk Management Policy
• Risk Management Framework

Contact for further information

If you have any queries regarding the content of this policy or need further clarification, please contact:

Mark Cartwright
Head of Risk, Assurance and Compliance
Email mark.cartwright@otago.ac.nz