ODS Continuity Services
We provide implementation and management services for continuity services program (Business Continuity, Disaster Recovery and Crisis Management) for the Office of Digital Solutions which underpins continuous delivery of most critical activities of the University.
WHAT IS BUSINESS CONTINUITY MANAGEMENT?
Business Continuity Management (BCM), one of the main responsibilities of ODS Continuity Service is a holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause. BCM helps with the preparedness and mitigation of business continuity-related risk, that includes protecting the processes (what we do) and resources (what we’ve got) that deliver the University’s core mission (teaching & research) that underpins the student experience (learning and outcomes). BCM helps the University’s sustenance capability to continue delivering the products or services at acceptable predefined levels following a disruptive incident.
BCM lifecycle encapsulates the stages of activity that an organisation moves through and repeats with the overall aim of improving organisational resilience.
The three main components BCM are:
- Business Continuity
- Disaster Recovery
- Crisis Management
The ODS BCM Program is targeted to address the recovery of ODS delivered services so that critical operations and services are recovered in a timeframe that meets customer obligations, business necessities, industry practices, and regulatory requirements.
ODS’s BCM journey started in 2005 with the establishment of Disaster Recovery plans for Business Critical, High Priority and Medium Priority systems and applications. Since then, ODS has been incrementally building and updating DR plans for new emerging and existing systems respectively. Regular DR tests are being performed to validate these plans.
In 2015, ODS matured its BCM program to include Business Continuity and Crisis Management. This journey will be detailed in the sections below.
Disaster recovery (DR) focuses on the IT or technology systems supporting critical business functions. DC Plans (DCP) involves a set of policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. These plans include but are not limited to the recovery of relevant IT infrastructure, computer systems, network and communication elements, critical applications, human resources, physical assets, logistics, depended vendors, and cloud sourced critical system components.
Over the years, ODS has deployed multi-site disaster recovery strategies to cater for losing a single Data Centre; a single or multiple applications; loss of access to critical applications for a long period of time and failing over to an externally hosted Environment (Polaris) for Disruption Management. Besides staff familiarisation and awareness building, these recovery strategies has assisted in developing and maturing critical system data replication to a secondary Data Centre and improving and testing critical system Disaster Recovery plans regularly.
To support effective BCM, ODS has recently established an externally hosted environment to enable communication and access to limited critical services during the extreme event of simultaneous failure of both Gold Coast and Nathan data centres.
This external environment will provide authentication services to:
- Access to Learning@Griffith (Blackboard)
- Access to staff and student email (Gmail and Google drives)
- Access to the Service Desk tool
- Single Sign On services that facilitate access to cloud hosted systems.
Crisis Management (CM): encompasses processes to manage a wide range of crises like health and safety incidents; business disruptions; reputational damage etc. CM includes various plans like Crisis Management Plan (CMP), Crisis Communication Plan and Emergency Response Plans. Depending on the type of crisis, the response strategy may include invoking the Business Continuity (BC) or Disaster Recovery (DR) plans.
CMP is the governance structure to manage a major disruption and is critical in CM. It comprises of defining, designing, implementing and maintaining adaptable, scalable advance arrangements that can help respond to and manage a crisis. ODS has developed its ICT CMP that has been endorsed by ODS and University Senior Executives. ODS’s CMP describes the roles and responsibilities of the ODS Crisis Management Team (CMT) in addition to various crisis management processes.
ODS’s CMT (listed below) has conducted multiple workshops emulating major crisis scenarios and responded and managed the situation by invoking the CMP.
View the list of the roles and responsibilities of CMT members and they can be contacted to report any crisis at any time.
ODS CMT will operate in conjunction with the University CMT and escalate relevant issues to the University CMT/Emergency Management Team to seek directions and provide situational reports (Sitreps).
Below is the six step process followed by the ODS CMT
- Crisis management trigger (what, when)
- Convene CMT (key people come together)
- Assess situation (seek and make sense of information)
- Identify what needs to be done (immediate, future) and agree on the Incident Action Plan (objectives, strategy)
- Coordinate and monitor response (delegate tasks)
- Review (defuse, debrief, improve)
A good, clear and targeted communication is very essential in a crisis situation. ODS Crisis Communication Plan describes the best practices and effective communication templates that can potentially be used for is fast and effective communication during a crisis. Proper communication will not only ascertain proper and consistent information reaches the stakeholders it will also help in building an ongoing relationship with key stakeholders. Management of social media channels in a crisis is another significant factor due to its popularity and wide usage and must be carefully handled.
Business continuity (BC): involves identifying potential threats and impacts to the day to day operations of critical processes and creating a plan aiming to keep all essential aspects of the process functioning despite significant disruptive events.
In 2013 Griffith University established a Business Continuity unit and defined an initial list of critical processes (listed below)
- Admissions (domestic and international)
- Timetabling (classes and exams)
- Teaching, learning and assessment
- Checking graduation eligibility
- Research and research grant applications
In order to align ODS’s BCM program to University’s critical processes, ODS conducted a thorough detailed mapping of the above University critical processes and ODS’s specific critical processes to ODS systems and services to identify potential ODS’s processes to build Business Continuity plans. This process is detailed below;
To date, ODS has identified 42 critical business processes. Business continuity plans for 35 processes are in place and 7 are under development. These plans are stored in the continuity repository and are regularly updated.
Validation of these plans is a major component of any BCM program and annual/regular testing of plans is a mandatory component of the ISO 22301 standard. In order to meet this requirement, ODS has scheduled its first table top BCP Validation exercise in February 2018. Here, the BCP will be tested in detail by simulating a real life scenario.
Why BCM? What are the benefits of practising BCM?
By supporting and practising BCM, ODS’s strategy is aligned with
- ISO 22301: Societal Security – BCM system requirements
- Griffith IT Plan 2013 – 2017 operational goal 10 – Resilience – mapped to University strategic priority # 4 – be a sustainable university
- Resilience strategy S10.6 – Develop and implement an IT BCM framework incorporating BC Planning and ITDR planning embedded in University BCM
- Compliance with the University BCP framework
- BCM is like an “insurance policy”, which will better prepare ODS in a disruption...
Besides abiding to the above Corporate strategies, by implementing a BCM Program, ODS can mitigate Operational impacts; Reputational impacts; Academic mission impacts; Loss of income / loss of students and Regulatory impacts etc.
It has been identified that an IT disruption of 19.7 minutes can make an organisation lose $1,046,454 and 118.8 minutes of disruption can cause a loss of $4,255,468. Proactive costs outweigh the reactive costs.
Familiarisation with recovery plans and processes is definitely beneficial during times of extreme stress and pressure.