BUSINESS CONTINUITY MANAGEMENT POLICY

Purpose and Context

This policy defines the broad framework for the implementation of the University’s Business
Continuity Management System to minimise the impact of business disruption to critical activities
and functions. Full compliance with this policy will ensure procedures exist for recording,
assessing and managing business continuity risk; identifying and prioritising critical activities;
responding to business disruptions or incidents, regardless of cause; and maintaining essential
services (or restoring services to a minimum acceptable level).

CONTENTS
Section Contents PAGE

1. Introduction 1
2. Purpose and Scope 2
3. Definitions and Abbreviations 2
4. Roles and Responsibilities 3
5. Threats and Triggers 3
6. Business Continuity Management process 4
7. Business Impact Analysis (BIA) 5
8. Business Continuity Plans 5
9. Training and Exercising 5
Appendix 1 Critical Functions identified by the Strategic Business Impact Assessment 6-9
Appendix 2 BCMG Terms of Reference and Membership list 10
Appendix 3 University Hazard and Threat Matrix 11

Appendix 4 Business Continuity Planning & Emergency procedure framework and 12

arrangements
Policy Sign-off and Ownership details 13
Business Continuity Management Policy

1. Introduction

Increasingly, there is a requirement for organisations to have in place formal systems which
prepare them for disruptive events and which set out the arrangements designed to minimise the
effects of such events.

Business Continuity Management (BCM) improves the University’s resilience by identifying in

advance potential threats and planning for the possible impacts of sudden disruptions to key
services and critical functions. It provides confidence to funding bodies, stakeholders and the
University community as well as safeguarding the reputation of our University.

The diagram below identifies the BCM lifecycle, and the key steps required to successfully
develop Business Continuity plans and integrate BCM into the organisational culture of the
University.

BCM Lifecycle; BS 25999

In addition, there is an overarching University Major Incident Plan describing the central
arrangements for responding to major disruptive events, managing the effects on the University’s
business and the circumstances in which the Schools and Services local business continuity
plans should be invoked.

Strategic oversight of the BCM programme resides with the Deputy Vice Chancellor supported
by a Business Continuity Management Group.

1
2. Purpose and Scope

This policy provides the strategic framework for the implementation of BCM across the
University. It follows the recognised best practice and business continuity lifecycle model
depicted on the previous page.

All Schools and Services play a key part in maintaining the delivery of critical functions. The
requirement to plan applies to all functions identified as critical in the strategic business impact
assessment.

Business Continuity Plans (BCP’s) contain the recovery arrangements which will enable the
University to perform its critical functions and provide a minimum level of service in the event of
an emergency or disruption.

BCP’s will focus on School and Service areas and will not be incident or interruption specific. In
addition there are ‘events’ rather than functions e.g. open days and graduation ceremonies that
are critical to the continued success of the University. These will be included as critical activities.

BCP’s complement the University’s Major Incident Plan and the Campus Incident Response
Plan.

3. Definitions and Abbreviations

Business Continuity (BC): The concept that critical functions or activities carried out by
the University remain deliverable in the event of a business disruption.
Business Disruption: Any event that has the potential to disrupt the day-to-day activities of the
University. It is commonly recognised that the main causes are; loss of staff, loss of
buildings/accommodation, loss of IT services, loss of utilities and failures of suppliers,
contractors or partners.
Critical Function: Activities, services or events that are vital to the successful delivery of the
University’s Business and Strategy Map, the loss of or interruption of which could cause
significant financial, legal and reputational damage to the University or affect the health, safety
and welfare of staff, students and others. Critical Functions have been agreed by the BCMG and
are listed in Appendix 1. These must be resumed as soon as possible.

Business Impact Analysis (BIA): This is a process that allows functions to be analysed so that
their criticality can be determined, the impact of their loss understood and the arrangements
required to minimise the effect of the disruption and reinstate identified critical
functions/activities.

Business Continuity Plan (BCP): An agreed plan that ensures Schools and Services can
continue to deliver their critical functions/activities to an acceptable pre-defined level following a
disruption.

Business Continuity Management Group (BCMG): A cross-University group which aims to

co- ordinate business continuity and emergency planning efforts across the University.

Major Incident Plan (MIP): This plan sets out the arrangements for a co-ordinated action by the
University in response to major incident on campus.

Campus Incident Response Plan (CIRP): Plan containing procedures for dealing with the
response to and management of minor incidents on campus.

2
4. Roles and Responsibilities

Role Responsibility

Deputy Vice Chancellor • University Emergency Management Team Co-ordinator

• Owner of the University’s Major incident plan and business
continuity framework (appendix 4)
Business Continuity • To oversee programme and policy work development
Management Group • See Appendix 2 for terms of reference

Deans of Schools, and • Internal drivers and supporters of BCM who will lead on the
Directors and Heads of completion of the BCM process in their respective areas and
Service the further embedding of business continuity across the
University
University Staff • Contribute to the business continuity planning process
• Share information on how their functions are delivered
• Have awareness of BC plans and procedures once developed
• Work in accordance with any BC plans and procedures should
they be activated following a business interruption
Director of Estates and • Responsibility for identifying and sourcing alternative
Facilities accommodation for teaching and office space, if required
(See Appendix 1 for more details to add)
• Security
• The estate and facilities

Director of Marketing & • Responsibility for maintaining an Incident Communications

Communications Response Plan, for effective communication with staff,
students and other stakeholders
Director of Computing • Responsibility for the provision and maintenance of data,
and Library Services telecommunications and IT systems and networks, and for
ensuring a robust and suitable response to data and/or
telecoms failures.
Director of Student • Responsibility for arranging the provision of essential student
Services services during and following an emergency.

Director of Finance • Responsibility for managing emergency expenditure and

liaison with the University Insurers

5. Threats and Triggers

There is a hazard matrix at Appendix 3 which identifies the key hazards which could cause a
disruption but the main triggers for plan activation will be one or more of the following:

Partial or total loss of one or more of the following:

1. Staff and/or students

2. Buildings, facilities or equipment
3. Utilities or other critical services e.g. water or electrical suppliers
4. Communications or computer systems e.g. data, network, servers, telecommunications
5. Business critical suppliers, contractors or partners
3
6. Business Continuity Management Process

The following process will be used to embed business continuity across the University. The
process follows the Business continuity lifecycle depicted on page 2 and will be the approach
used for implementation in the University

Gaining
support
Review/ Identify
challenge/ critical
test functions

BCM
Agreement
Reporting
to BCMG Process of critical
functions

Signing
of BC Populate
Plans BIA

Develop
BC Plans

The process involves 8 key stages

Stage 1 - Gaining support: The DVC chairs the BCMG who collectively agree the business
continuity management process, the identified critical activities and the work programme.

Stage 2 - Identify Critical Functions: The BCMG carries out an initial scoping exercise to
identify critical functions that form the prioritised work plan.

Stage 3 - Agreement of Critical Functions: The views of the ‘Lead owners ‘of critical functions
identified in the scoping exercise are sought and reported to the BCMG.

Stage 4 - Populating the BIA: Where critical functions have been agreed, meetings will take
place with the ‘Lead owners’ to populate the risk and BIA template. This will be reviewed by the
BCMG to endorse recovery time objectives and ensure adequate arrangements are in place.

Stage 5 - Developing BCP’s: After populating the BIA, BC Plans or disaster recovery plans will
be developed if needed for each critical function

4
Stage 6 - Signing off BCP’s: Where BCP’s have been developed these will be signed off by the
Dean or Director to which they relate. Deans and Directors will be expected to highlight any
issues to the BCMG that have wider business continuity implications for the University.

Stage 7 - Reporting to the BCMG: Following sign off by Deans/Directors a summary of

completed plans along with any issues that need to be brought to the attention of the BCMG will
be reported to the BCMG.

Stage 8 - Review, Challenge, Test: In order for a BCP to remain current it should be exercised
on a regular basis. Reports on the outcomes of exercise should be submitted to the BCMG.

7. Business Impact Analysis (BIA) Before plans can be drafted an activity analysis must be
made to gather information on critical activities. The University has carried out a strategic BIA
which identifies critical functions and events. These are listed in Appendix 1.

The BIA process considers the following:

• All functions that are undertaken, where these are carried out and what is involved.
• How long the University could manage without the function.
• Whether there are any time sensitivities e.g. critical time periods when the function is
more important and must be reinstated quicker than others.
• The impact of losing the function.
• The type of interruptions that threaten the delivery of the function (e.g. loss of staff,
buildings, IT, utilities and third party suppliers).
• The actions already in place to mitigate against any disruption and additional
actions that may need to be put in place to further mitigate or reduce the
consequences of a disruption.
• The resources (e.g. staff, accommodation, IT) required to reinstate the function.
• Dependents and dependencies.
• Single points of failure.

Critical functions and events identified in the strategic BIA are reviewed by the BCMG to ensure
arrangements are in place to mitigate against the consequences of a disruption and to decide if a
specific BC plan is required. The owners of critical activities and events identified in the BIA will
be expected to take the lead in the event of a disruption.

8. Business Continuity Plans

A BCP is an agreed plan to ensure that Schools and Services can deliver their critical functions
in the event of a business interruption. The plans should be flexible enough so they can be
adapted for use in any situation. BCP’s are the responsibility of the School or Service and it is up
to the Dean or Director together with the Lead Owner to ensure they are up to date, the plans
have been shared with those who have a role and responsibility within it.

9. Training and Exercising

In order to embed business continuity into the University and to ensure plans remain fit for
purpose training and exercising events will take place as well as regular failover testing of key IT
systems and processes.
5
Appendix 1 List of critical activities identified by the Strategic Business Impact Assessment
Activity Owner Activity Description Potential Consequences
Major Regulatory Loss of Safety and Student
financial breach reputation welfare dissatisfaction
loss issue

VCO Statutory incident reporting Reporting of specified incidents within statutory √ √ √

reporting time scales (Reporting of Injuries, Diseases
and Dangerous Occurrences Regulations)

Computing and IT and information Management of the IT service provision across the √ √ √ √
Library systems including university
services Telecoms
Library access and use Management of Library access, use of services such as √ √ √
of systems printing, online books, journals and resources, books,
laptops

Estates and Facilities Security Physical security of the estate, staff and students √ √ √ √
Incident response to Action to respond and recover from incidents √ √ √ √ √
campus emergency, affecting the University Estate
utility or estate
infrastructure failure

Financial Services Procurement Procurement of goods, services and work √ √

Student Records Processing of enrolment, payment of fees etc. √ √ √ √ √

Human Resources Payroll Processing and payment of staff √

Marketing and Open days including post Campus activities to recruit students √ √ √
Communications grad open days, applicant
visits and study fairs
Clearing Process to place students as part of the UCAS √ √ √
processing system following publication of A level
results
Public relations Release of agreed information to the media √ √
including social media and ensuring a website
presence
Student Recruitment Processing of student applications √ √ √ √

Registry Examinations Working with schools (and PINS) to schedule √ √

examinations in suitable locations at suitable times
Graduation ceremonies Organisation of award ceremonies √ √
Course Assessment Boards Confirmation and publication of student results √ √
Research Innovation & Research Services Funding claims/financial reports to funders √ √
Knowledge Exchange
Directorate, Innovation and KE Staffing – customer relations, staff record keeping, √ √
storing committee papers/legal documents,
invoicing/orders, potential loss or delay in generating
revenue
Enterprise IT, telecoms and specialist equipment √ √
Research and Innovation Pure system records all Research activity √ √
Culture

Planning and Statutory data returns Submission of mandatory returns to sector √ √

Information agencies/bodies
Services Timetabling Establishing and maintaining the timetabling system, √
working in partnership with schools and services to
ensure al activities are suitably accommodated

Student Services Learning specialist needs Learning Support to disabled students to fully engage in √ √
teaching, learning and research
Student Comms Access key information via students.hud.ac.uk, e.g. √ √
timetables, emails, Brightspace access etc
Wellbeing Support Mental health support to vulnerable students √ √

International Office International Admissions, Processing of international student applications, Tier 4 √ √ √ √

Immigration and Compliance Visa
checks

Combined School Timetabling Loss of access to Scientia, MyDay, MS authenticator √

BIA’s impacting on scheduling of student activities and
locations for teaching and learning
Student guidance and support Loss of access to data sets, Safeguarding Policy, exam √ √ √ √
papers., Use of Teams/email/telephone/social media, text
messaging service and/or Brightspace announcements
impacting on arrangements for teaching, Learning,
Welfare and Wellbeing advice and help
Placements Loss of key data sets and placement information, current √ √
existing bespoke placement solutions (replacements),
access to H&S, DBS and occupational health checks
impacting on periods of work experience which is an
integrated and assessed part of a student's degree

Home student recruitment Loss of IT access to software and systems and √ √ √

activities buildings/labs, impacting recruitment of home students
are British/Irish citizens meeting residency criteria
Course Assessment Boards Loss of access to key network drives, ASIS (inc. SSRS √ √
reports), Unifunctions or Brightspace, communication with
 external examiners, related reporting requirements (inc.
PSRB’s, Ofsted, NHS etc. Confirmation and publication of
student results, impacting the meeting at which all credit,
progression and awarding decisions are made in relation
to student academic profiles
Attendance Monitoring Loss of access to key network drives, Wisdom, √ √
Attendance Monitoring and swipe card readers, impacts
on Home Office monitoring of attendance, impacting the
monitoring of requirements on students to attend
timetables sessions and for the University to facilitate this
Admissions and Clearing Loss of access to key network drives, including √ √ √ √
SharePoint and/or Teams sites with relevant
documentation. Impacts on the UCAS cycle but with
specific pinch points around January (UCAS deadline)
and August (Main Clearing activity), impacting clearing,
which matches applicants to university places that are yet
to be filled and admissions, as the process through which
students enter higher education at the university
Graduate School-PGR Loss of access to key network drives, PGR Brightspace √ √ √
provision dummy module, PGR Handbook and Graduate School
website, for postgraduate researchers undertaking
research degrees

Graduate School Research No access to networks/data and key software and √ √ √ √

systems, MSOffice, Brightspace, ASIS, Agresso,
Skillsforge. Access to equipment/facilities and impact on
business and PGR labs. Impacts potentially on
communication, service delivery and PGR provision. Loss
of ASIS, Skillsforge, Apollo and access to key UCAS
contacts are potential issues. See Graduate School BIA
for related activity specific to the School.

Applied Sciences Teaching, Learning and No access to Brightspace, Wisdom and other key √ √ √ √ √
Research systems required for assessment and examinations,
including any online examination software
packages. Failure to be able to deliver specialist teaching
and research activity which relies on both specialist and
general systems/software. Damage to sensitive
equipment that requires either a constant power, water or
gas supply, potential damage to sensitive research
equipment including chemical or other hazards. Loss of
staff with subject specialist knowledge. Inability to deliver
specialist teaching/assessment/research if facilities or
materials unavailable. See School BIA for related activity
specific to the School.

Arts and Teaching, Learning and No access to Brightspace, Wisdom and other key √ √ √ √ √
Humanities Research systems required for assessment and examinations,
including any online examination software
 packages. Failure to be able to deliver specialist teaching
and research activity which relies on both specialist and
general systems/software and staff. See School BIA for
related activity specific to the School.

Huddersfield Business Teaching, Learning and No access to network drives, key software and systems √ √ √ √ √
School Research (MSOffice, Sharepoint, Brightspace, Wisdom, ASIS,
Refinitiv, SAP, Refinitiv, Global Capabilities, Qualitrics).
Inability to deliver teaching, research and placement
support. Unable to access the Trading Room or other
specialist research facilities. Impacts on research
projects, funding, research opportunities, REF/league
tables, student retention, etc. Inability to submit research
bids, papers, claims, reports, etc by advertised deadlines.
See School BIA for related activity specific to the School.

Computing and Teaching, Learning and Access to networks/data and key software and systems √ √ √ √ √
Engineering Research (e.g., MSOffice, Brightspace, SharePoint ASIS. Impacts
on meeting Course reaccreditations. Impact on research
equipment/facilities.
See School BIA for related activity specific to the School.

Education and Teaching, Learning and No access to networks/data and key software and √ √ √ √ √
professional Research systems, MSOffice, Brightspace, Wisdom and other key
Development systems required for assessment and examinations,
including any online examination software packages.
Inability to deliver exams, teaching, research and
placement support. See School BIA for related activity
specific to the School.

Human and Health Teaching, Learning and No access to Brightspace, Wisdom and other key systems √ √ √ √ √
Sciences Research required for assessment and examinations, including any
online examination software packages. Inability to deliver
specialist teaching/research and procure deliveries of
consumables for skills training. Inability to deliver teaching,
research and placement support. See School BIA for
related activity specific to the School.
Appendix 2 Business Continuity Management Group

Terms of Reference

The Group will:

• Review the University Business Continuity Management Plan and develop a strategic
business impact analysis
• Review the Major Incident Plan.
• Review any skills and competence requirements and training needs.
• Agree an annual programme of work to review Business Continuity and Emergency Management.
• Communicate with Schools and Services at both strategic and operational level in order
to ensure that colleagues across the University are aware of the purpose of the Group
and to encourage a corporate approach to Business Continuity management and
emergency procedures.
• Meet regularly (monthly) until policies and procedures have been agreed and then once a year.
• Report at least annually to University SLT and University Audit Committee.

Membership and Circulation of Minutes

Membership of the Group will provide expertise in the following key areas: Risk Management,
Legal and Compliance, Health and Safety, Estates and Facilities Management, Information
Systems and Records Management, Student Services, Marketing and Communication and
School Management. The standing membership will include the following:

• Deputy Vice-Chancellor (Chair)

• Pro Vice-Chancellor (Teaching and Learning)
• University Secretary
• Head of Health and Safety
• Director of Estates and Facilities
• Director of Digital Information
• Director of Student Services
• Director of Marketing and Communication
• Director of Human Resources
• School representation – Dean, Applied Sciences, Head of School Administration
• Programme Manager
• Head of Procurement

Visiting members may be invited and sub-groups formed to work on discreet areas of activity, including:

• Director of Research Innovation & Knowledge Exchange

• Director of Finance
• Head of Registry
• Director of International

Minutes of meetings will be shared with Risk and Asset Owners (Deans and Directors) with
responsibility for Business Continuity within their School/Service. The Chair will provide reports
to the University’s Senior Leadership Team. Any policies to be implemented will require the
approval of SLT (Schools and Services)

10
Appendix 3 University Hazard and Threat Assessment / Matrix
Threat Hazard Likelihood Impact Response triggers Response actions BC issues (impact if fails)
Almost Possible Rare Major Moderate Minor
Certain

Major health Pandemic/major health X X Communicable disease Implement communicable diseases Loss of staff and students
incident outbreak notified by PHE protocol Increased cleaning regimes (infection control)
Major Extreme weather events e.g. X X Reports of structural/building Salvage operations Loss of buildings impact on office and teaching
weather wind damage, flooding, or damage Source alternative accommodation space
incident snow, disruption lasting more Weather forecasts Communications Plan Utility interruption – power supply
than 24hr Road/transport disruption impact on staff and
students’ ability to get to campus
Fire/serious building X X Emergency services/Incident Building Evacuation then as above Loss of buildings
damage response team Impact on office and teaching space
Utility failure e.g. power X X Incident response team Supply of generators Loss of facilities e.g. lifts
failure, loss of water Close buildings Access to PC’s, equipment,
welfare issues e.g. lighting, heating, water, toilets,
Major hygiene, etc
incident Loss of building(s)
within UoH Terrorist attack X X Police/Incident response Invacuation/evacuation/police led Loss of buildings impact on office and teaching
campus space
Hostage situation X X Police/Incident response Invacuation/evacuation/police led Loss of buildings impact on office and teaching
space
Bomb threat X X Police/Incident response Invacuation/evacuation/police led Loss of buildings impact on office and teaching
space
Leaks from hazardous X X Emergency Services/Incident Emergency Management Plan Loss of area of campus impact on office and
materials response team teaching space
Industrial action/student X X Notification from Unions Manage situation Loss of staff impact on teaching
protests Loss of students attending lectures etc.
Loss of buildings impact on office and teaching
space
Major IT Loss of IT X X IT – availability impaired IT DR plan activated Access to information, data, communications,
failure teaching materials, online exams, assessments
Web site, internet access
Loss of telephony X X No telephone service Use of email and mobile phones Impact on communication
Cyber-crime X X Slowness and non- Network and systems will be Loss of data, no access to IT
responsive IT systems shutdown. BIA will need to be
activated
Off-site incident e.g. incident X X Contact via third party e.g. Set up helpline Possible impact on service delivery
Major abroad or town centre police, FCO Communications Plan Loss of staff and students
incident Closure of campus
outside UoH No access to student X X Contact via third party Rest centre provision Loss of students (return home)
campus accommodation Alternative accommodation Private provider to have BC plans in place
Fuel Shortage X X Via media or local resilience Provide services remotely Loss of staff (& students), impact of staff
forum undertaking critical activities and getting to
campus
Collapse of major supplier or X X Via media or ‘notice period’ Find alternative suppliers/providers Impact on service delivery
‘service provider’
Appendix 4 Business Continuity Planning and Emergency Procedure Frameworkand Arrangements

Business Continuity (BC) Management Policy

- Including Critical Activities & Functions

- Hazard & Threat Matrix

Major Incident Response Plan

UOH Strategic Corporate Emergency and BC Plans

Schools & Services Business Impact
Business (owner of each plan to be specified):
Assessments (Identification of
Impact Analysis Critical Activities & Functions) - Campus Incident Response Plan
Templates - Campus Evacuation Plan
& - Flood Plan
supportive - Pandemic Plan
guidance - Communicable Diseases Plan
Local Local Business Continuity & documents - Clearing and Early Clearing BC Plans
Emergency Emergency Plans (Schools &
- Crisis Communications Plan
Procedures Services)
(EP) Including:
- Out of Hours Procedures
- Building Evacuation Plan

Information, Management, Training and Exercises

POLICY SIGN-OFF AND OWNERSHIP DETAILS
Document name: Business Continuity Management Policy

Version Number: V1.1

Equality Impact Assessment: 20.06.2023

Approved by: Senior Leadership Team

Date Approved: 29.06.2023

Next Review due by: 29.06.2028

Author: Head of Health and Safety

Owner (if different from above):

Document Location: https://www.hud.ac.uk/media/policydocuments/Business-

Continuity-Management-Policy.pdf

Compliance Checks: Monitoring via the BCMG and post-incident reviews

Related Policies/Procedures: University BIA, Major Incident Plan, Campus Incident Plan

REVISION HISTORY

Version Date Revision description/Summary of Author

changes
V1.0 May 2018 First major redraft under the new Head of Health and Safety
Policy Framework
V1.1 June 2023 Policy Update and Review – Head of Health and Safety
addition of Appendix 4