Business Continuity and Disaster Recovery Plan

The Northern Arizona University Comptroller's Office is responsible for maintaining the University's Business Continuity and Disaster Recovery Plan.

Background

For most NAU Colleges and Departments, services to the campus would effectively cease if the core processes supported by key support systems were inaccessible for an unacceptable period of time. In some cases, the failure or inaccessibility of a critical core business process may immediately jeopardize campus health and safety. Each College/Dept. should establish risk management and disaster recovery planning processes for identifying, assessing, and responding to the risks associated with loss of ability to execute its core processes. To adequately address the College/Dept.'s requirements for recovery, plans for such recovery should be developed as a part of an campus-wide Business Continuity Program.

Scope

This document is intended to provide guidance and assistance for all NAU Colleges and Departments in the development, implementation and maintenance of a business continuity program.

Business Impact Analysis

Definition

The Business Impact Analysis (BIA) identifies the operational (qualitative) and financial (quantitative) impact of an inoperable or inaccessible core process on an College/Dept.'s ability to conduct its critical business processes. The BIA provides the basis for formulating your College/Dept. strategies into the Business Continuity Plan (BCP) Template. This assessment guides the selection of recovery strategies that may be employed to restore operations within the required time frames. An campus-wide operational impact assessment is required to develop and implement an appropriate business continuity program and determine the effects on the campus caused by a loss of ability to continue core business processes.

Information regarding the effect of having to recover from an emergency situation is collected through interviews with the managers of core processes. This information is analyzed and a business analysis, operational impact analysis, and financial impact analysis (where appropriate) are developed for each core business process.

The Business Analysis identifies and describes critical, essential and administrative core processes, and the high-level resources that support these functions. It also describes the customers served by these functions. This analysis enables us to confirm the managers’ description of their operations and highlight functional inter-dependencies and single points of failure.

Core Business Processes

Identify the core processes performed by the College/Dept., and understand the flow of information, materials, and services through these core processes.

Considerations for the operational and financial impacts to recover from situations that have disrupted core business processes of a College/Dept. must be identified. This includes a detailed description of the effects on all customers served by each core process.

For each core process, define the Maximum Acceptable Outage (MAO); the point at which resource and functional support should be restored. Describe the financial impact for an outage of the duration suggested by each function’s assigned MAO, and decide whether that level of financial impact is acceptable or if the MAO should be adjusted to reflect different recovery timeframes than the MAO, which was originally assigned to the function.

A College/Dept must then categorized each of the core business processes into one of three different functions:

  • Critical Functions: functions which have a direct and immediate affect on the general campus community in terms of the loss of life, personal injury, loss of property, and/or the ability of the University to maintain direction and control. The loss of a critical function may either result in such losses or inhibit the University’s ability to preclude or minimize such losses. Most University College/Dept.'s will not have "critical functions."
  • Essential Functions: functions, which provide necessary University services to the campus which, are not deemed "critical functions."
  • Administrative Functions: functions which relate to the internal control, management and administration of a College/Dept. supporting its ability to perform business functions, e.g., training, payroll, personnel services, facility maintenance, etc.

Business Analysis

Components

Identify core processes within each College/Department.

Understand and describe the high-level flow of information, goods, and services through these core processes.

Understand and document the customers served by each core process.

Gain confirmation of a "shared understanding" of the College/Department to ensure that the remaining analyses are appropriately focused.

Approach

The high-level approach to the Business Analysis consists of gathering information about core processes, documenting business flows, identifying customers, and gaining confirmation of the information.

Most College/Departments are structured along functional boundaries (e.g.: Accounting, Information Technology, etc.) and the core processes within those units (e.g.: Payroll, Accounting, etc.). In reality, however, a College/Department's business is conducted through one or more business processes. A business process describes a set of recurring activities - a flow of information and/or materials - that produce something of value for a customer. A process may cut across multiple College/Department's, and usually contains several functions. These processes are not always readily apparent. It is more straightforward to analyze the College/Department in terms of the core processes performed. Each College/Department may perform one or more core processes; it is critical to understand the relationships between those core processes and the end customer in order to analyze the impact of an interruption of a given function. The specific approach to understanding these core processes and business flows is:

  • Review relevant documentation (e.g., critical success factors, strategic plans, budgets, performance measurements, IT Plans, Y2K documentation, division goals, organizational charts, etc.) to build an understanding of organizational purpose and structure.
  • Conduct interviews with the College/Department leadership members to collect information on their "first-hand" perspectives on how your College/Department operates. It is important to note that these interviews will serve as data-gathering opportunities for all three steps of the BIA. In other words, a manager should be interviewed only once; in this interview, all information should be gathered for the Business Analysis.
  • Compile the results of your interviews in the form of business flows. These flows should describe each core process and the flow of information, services, or goods into and out of the process to include the customer.
  • Develop descriptions of support functions. Some functions within your area may perform important roles, which contribute indirectly to your College/Department's ability to implement its assigned programs. These can be classified as support functions. For example, every College/Department should have a facility in which to operate, but it would be difficult to describe the specific ways.
  • Develop a matrix (or another document) which describes the relationship of the core processes identified to the organizational structure of the College/Department.
  • Confirm understanding of the Department, its core processes, and its business flows with appropriate management through review of the descriptions of the core processes performed. Much of this confirmation may be accomplished as the materials are developed.

Data Collection

The following information sources should be considered in the business analysis:

Information regarding core processes performed, inputs and outputs of those core processes, and the customers of these outputs gathered through interviews with process managers.

Documentation regarding the agency’s objectives (programs implemented), core processes performed, organizational structure, and the flow of information, goods, and services through your agency to the end customer.

Resources

To conduct the Business Analysis, you will rely primarily on the availability of process managers for participation in interviews and validation meetings. These managers should be at a level from which they oversee one or more core processes - not simply activities or tasks. The level and title of these managers will vary from College/Department to College/Department.

Decision Points

As the documentation of the core processes performed by each College Department is completed, they should be reviewed and confirmed with appropriate management. Any necessary corrections should be made to ensure that the final deliverables represent a shared understanding of how the division accomplishes its goals and delivers its services/products to the customer.

Deliverables

A matrix or other document, which relates the core processes, identifies the function of each process and aligns to the organizational structure of the College/Department needs to be developed.

A depiction of the business flows for all non-support core processes needs to be identified and these depictions may be pictorial or descriptive, and should highlight:

  • The impact on the public
  • Relationships between core processes, support functions, and business units
  • Single points of reliance
  • Support service reliance
  • Interdependency/interactivity of core processes

Business Continuity Critical Functions Assessment

Template

Field Definitions for Template