Business Continuity Program

Definition:California State University San Marcos is responsible for implementing and maintaining a Business Continuity Program. The program shall enhance the University's abilities to recover operations and essential functions following a catastrophic event or other major disruption.
Authority:Executive Order 1014, CA Government Code Sections 8550, 8607; Governor's Executive Order D-25-83.
Scope:Applies to all departments of the campus community.
Responsible Division:Finance & Administrative Services
Approval Date:02/04/2010
Implementation Date:02/04/2010
Originally Implemented:02/04/2010
Signature Page/PDF:View Signatures for Business Continuity Program Policy


Procedure

I. Definitions

A. "Business Continuity" - The ability of an organization to provide service and support for its customers and to maintain its viability following a catastrophic event.

B. "Business Continuity Coordinator" - A role within the Business Continuity Program that coordinates planning and implementation for overall recovery of an organization or unit(s).

C. "Business Continuity Plan (BCP)" - Process of developing and documenting arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its essential functions or operations after an interruption.

D. "Business Continuity Program" - A management framework for resuming essential functions or operations after a disaster or emergency that may threaten the health and safety of the campus community or disrupt its programs and operations.

E. "Business Impact Analysis" - A process designed to prioritize business functions by assessing the potential quantitative (financial) and qualitative (non-financial) impact that might result if an organization was to experience a catastrophic event.

F. "Business Unit" - Any academic or administrative departments, unit, center, institute, division, or college.

G. "Essential Function" - Is defined in Federal Preparedness Circular 65 as a function that enables an organization to provide vital services, exercise civil authority, maintain the safety and well being of the general public, or sustain the industrial or economic base during an emergency.

H. "Essential Business Units" - Campus business units which must perform essential functions while the campus is involved in managing emergency response and recovery activities.

I. "Risk Assessment" - Process of identifying the risks to an organization, assessing the essential functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

J. "Training Record" - Documentation of training for employees, including employee name or other identifier, training dates, type(s) of training, training providers, and attendee sign-in sheets.

II. Responsibility

A. Campus President

  1. The Campus President is responsible for the implementation and maintenance of an effective business continuity program for the university.
  2. The Campus President is responsible for identifying a primary and secondary Business Continuity Coordinator for the program.

a) The Campus President has designated the Campus Emergency Manager as the Primary Business Continuity Coordinator and Emergency Management support staff with secondary responsibility.

B. Business Continuity Coordinator

  1. Establish goals and objectives for Business Continuity Program that reflects the needs of the campus and its operating units.
  2. Identify functions and assets that are critical to the operational continuity, and which are needed to support the campus.
  3. Identify essential business units necessary to complete Essential Business Unit Continuity Plans. Essential business units are those which perform critical functions in supporting the university's resiliency during, and following an emergency situation. A listing of campus essential business units based on current emergency response priorities is available through the Department of Emergency Management.
  4. Facilitate the completion of campus Business Impact Analyses and Risk Assessments.
    a) The Business Continuity Coordinator shall provide Business Impact Analyses and Risk Assessment forms to essential business units.
    b) The Business Continuity Coordinator shall sign-off and maintain all Business Impact Analyses and Risk Assessment forms for a period no less than five (5) years.
  5. Facilitate the completion of Essential Business Unit Continuity Plans.
    a) The Business Continuity Coordinator shall provide business continuity plan forms to all essential business units.
    b) The Business Continuity Coordinator shall sign-off and maintain all Essential Business Unit Continuity Plans for a period no less than five (5) years.
    c) The Business Continuity Coordinator shall facilitate the annual testing of all Essential Business Unit Continuity Plans by providing tabletop exercises and After Action Review forms.
    1) The After Action Review form shall be approved/signed-off by the head of the business unit and the Business Continuity Coordinator.
    2) The Business Continuity Coordinator shall maintain after action review forms for no less than seven (7) years.
  6. Provide guidance and recommend recovery strategies to campus departments.
  7. Develop campus training and awareness programs for business continuity.
  8. Provide administrative reviews and validation of Essential Business Unit Continuity Plans annually or more frequently if needed.
  9. Encourage all non-essential campus business units to complete business continuity plans to assist in their ability to return to normal operations following an emergency situation.
  10. Support and work with campus emergency planners and ensure a smooth transition between emergency responders and continuity of operations personnel.

C. Essential Business Units

  1. Identify a business unit contact for ensuring plans, assessments and analyses are tested, reviewed and updated within established time periods.
  2. Complete and review/update annually the Business Impact Analysis (BIA) and Risk Assessment form.
    a) The Business Impact Analysis (BIA) and Risk Assessment form shall be approved/signed-off by the head of the business unit and the Business Continuity Coordinator.
  3. Complete and review/update annually the Essential Business Unit Continuity Plans.
    a) The Essential Business Unit Continuity Plan form shall be approved/signed-off by the head of the business unit and the Business Continuity Coordinator.
  4. Test and exercise part of the Essential Business Unit Continuity Plan annually and all parts every seven (7) years using the CSUSM Business Continuity Exercise Tool. The CSUSM Business Continuity Exercise Tool is DVD based and can be checked out from the Department of Emergency Management at 750-4504.
    a) Following the completion of each annual exercise the business unit shall complete the After Action Review form which is provided by the Department of Emergency Management.
The After Action Review form shall be approved/signed-off by the head of the business unit and the Business Continuity Coordinator.