Business Continuity Planning
Business Continuity Planning (BCP) is the process of developing advance arrangements and procedures that enable UTMB to respond to an interruption in such a manner that critical business functions continue with planned levels of interruption or essential change. In simpler terms, BCP is the strategic act of planning a method to prevent, if possible, and to minimize and manage the consequences of an event that interrupts critical business processes.
UTMB Policy 2.1.5 states that all departments must have a Business Continuity Management (BCM) Plan and ensure that all employees are familiar with their individual roles and responsibilities.
An effective Business Continuity Plan should address the following areas:
- Mission Critical Activities
- Risk Analysis/Business Impact Analysis
- Back-up, Recovery and Resumption Strategies (for those mission critical activities)
- Hurricane Preparedness Checklist
- Back-up Facilities
- Back-up Equipment
- Information Technology (IT) Systems
- Paper and/or Non-electronic Records
- Key Staff
- Emergency Contact Numbers
- Critical Supplies
- Critical Vendor
- Training
- Testing
- Maintenance
- Loss of Work Space/Alternate Sites
**Continuity Planning falls under (and is managed by) the department of Information Technology Services**
Clinical Continuity Planning
Disaster Recovery Tier List (Software & Applications)
Information Technology Services (ITS) also manages UTMB's Tier Application List, which shows the order in which software and applications will be restored/repaired after a catastrophic outage. For instance, work on restoring the Epic electronic medical record system will be prioritized over the STATA statistical program.
The tiers are bulleted below. Also included are a few examples of each and the target recovery time (RTO).
- Persistent - UTMB's most critical communications and infrastructure systems (e.g., Epic, Microsoft Exchange & Teams, Corrigo/Onguard). These applications will be brought back online as soon as possible.
- Tier 1 - Critical and/or institutionally significant applications and infrastructure systems (e.g., PeopleSoft, Kronos/Payroll, Citrix). RTO of no longer than 3 days.
- Tier 2 - Systems that impact a significant number of customers, departments, or business processes (e.g., Blackboard, Zoom, Landesk). RTO of 3 days to 2 weeks.
- Tier 3 - Remaining systems that do not require immediate recovery or that impact a small subset of users (e.g., STATA, Question Pro, Maximo). RTO of more than 2 weeks.
This list factors in the criticality of each application to UTMB's operations, as well as the time/resources needed to restore each one (including the ITS manpower available to do so).
It is important for every department to do the following:
- Ensure the Information Technology Services and Information Security departments know what applications you are using. They can't help you diagnose or fix a problem if they don't know what software you have. If they don't know about your application, it won't be on their Tier List, and you'll be waiting weeks at the back of the line in terms of restoration.
- Know the disaster recovery tier of the software you use. There may be a discrepancy between how important you think the software is and what ITS deems it. Don't be caught thinking your applications will be restored earlier than they actually will be.