Carnegie Mellon University

Business Continuity

Business Continuity Services gives the guidance, tools, and governance needed to provide critical services in the event of a disaster or significant business disruption.

The provision of Business Continuity Services begins with training and awareness in which end users are educated on the Business Continuity Life Cycle, which occurs on an annual basis. This life cycle is comprised of the following phases:

Business Continuity Life Cycle

 

Business Impact Analysys

The Business Impact Analysis is a collaborative data collection activity. Interviews are conducted with the functional owners and administrators of a business function to understand:

  • Services provided by the business function
  • Dependencies that the business function has in order to operate (i.e., facility, people, technology, vendor)
  • Recovery requirements of dependencies
  • Alternatives, workarounds, and/or manual processes in the event the dependencies is unavailable or inaccessible
  • Potential risk impact that the University could experience in the event the business function could not recover and establish continuity within their recovery objective(s).
  • Business Impact Analysis data is housed and maintained within the Business Function tab of the Fusion Framework.

Risk Assessment and Gap Analysis

The Risk Assessment and Gap Analysis consolidates the results of the Business Impact Analysis by prioritizing dependencies based on the criticality of their recovery objectives, and conducting a comparison against current recovery capabilities to determine if a potential recovery gap is present. These results are presented to organizational leadership to review and decide if the potential gap is an acceptable risk or if it should be remediated through additional investments or workarounds. This analysis enables:

  • Senior and functional leaders within an organization/division to understand the potential risks that could impact their continuity in the event of a disaster or significant business disruption
  • Transparency between business recovery requirements and dependency recovery capabilities
  • Thoughtful risk management and informed decision making
  • Facilitation of conversations between business leaders and dependency providers to determine effective solutions for risk remediation

Business Continuity Planning

Business Continuity Planning documents the actions and activities that a business function will execute to establish and sustain continuity of operations at an acceptable level within recovery objective(s) in the event of a disaster or significant business disruption. Plans are designed on an all-hazard approach focusing on four key loss scenarios:

  • Loss of Facility
  • Loss of People
  • Loss of Supplier
  • Loss of Technology

An all-hazard approach focuses on the impact of a loss as opposed to the cause. Business Continuity Plans are developed and maintained within the Fusion Framework.

Plan Exercising and Continuous Improvement

Plan Exercising and Continuous Improvement validates the feasibility of a Plan, identifying opportunities for continuous improvement over time.  Exercises can take the form of a simulated event or a live event.  A live event is a situation in which the Business Continuity Plan was used in an actual disaster or significant business disruption to the business function.  A simulated event is facilitated by DR/BC Services where a business function can exercise a Business Continuity Plan in one of the three ways:

  • Walkthrough – a gathering of the business function team to conduct a detailed review of the Business Continuity Plan, ensuring awareness and understanding of content, roles, and responsibilities
  • Tabletop – a gathering of the business function team to discuss and role play a disaster or significant business disruption for the purpose of exercising the Business Continuity Plan in a controlled environment
  • Functional – a gathering of the business function team to perform and role play a disaster or significant business disruption for the purpose of exercising the Business Continuity Plan in as real of an environment as possible without an actual disaster or significant business disruption occurring

Exercise information and results are maintained within the Fusion Framework.