Risk Management & Disaster Recovery David Forbes


Risk Management & Disaster Recovery

David Forbes

Risk Management 2009

• 55 Risk Registers Submitted
    • Over 500 risks

• Aligned with Faculty & College

College Risk Register at:

http://www3.imperial.ac.uk/riskanddisasterrecovery/riskmanagementhomepage/currentriskregisters

Common Themes from Departments/Divisions

• Financial environment
    • impact of measures to manage the situation.

• Staff recruitment and retention

• UG recruitment
    • on student quality.

• Internal Communication, particularly of the College’s strategic vision

• Management of space, particularly in strategic terms

• Problems around the new student Visa application process

• The AHSC

• Damage or Disruption to College operations or infrastructure

Council & Management Board

• Financial environment

• Pension provision

• Swine Flu

• International developments

• AHSC

Risks Transferred or Owned by Others

FM - 49

ICT - 14

Lessons Learnt

• Knowledge library

• College and Faculty Risk Registers available to departments/divisions

• Very cumbersome as spreadsheets

• Avoid duplication
    • Strategic business risks

• Risks can be opportunities

• Tolerance
    • ALARP

• Escalation

• Risk Owners are those most affected if the risk should come about

Most Frequently Cited Risks

• Financial Situation

• Reputation
    • Tended to be implicit

• Damage or Disruption to College operations or infrastructure

Why Disaster Recovery

2009 Departmental Risk Registers' most frequently cited risk:

• Damage to or loss of department infrastructure

Internal audit have identified Disaster Recovery as an area of concern

Governance

Steering Committee sets strategic objectives and direction, approves policy & plans

Working Group develops and implements plans, addresses operational issues

Standing Committee provides first line identification, filtering and escalation

[Organisation chart: Management Board; Risk & DR Steering Committee; DR Standing Committee; Risk & DR Working Group]

Guidance

Available at: https://sharepoint.ic.ac.uk/HQ/DR/DR%20Review%202009/Forms/AllItems.aspx

Policy

Responsibilities

Governance

Overview

Codes of Practice

1. Departments

2. Medical Divisions

3. Faculties

4. Campuses

5. Central Admin Divisions

College Philosophy

• Cannot anticipate every eventuality

• Assemble appropriately knowledgeable people at a predetermined place to manage the incident.

Appropriately Knowledgeable People

Understand:

• What activities are disrupted

• Hazards associated with those activities

• Impact of disruption to those activities

• College organisation and management

• College engineering and infrastructure support

Phases of a Disaster

P. U. R. R.

Preparation Response Recovery Understanding

Preparation

Appropriate response and recovery need an understanding of the likely impact of an incident:

a. Identify Key activities
    i. Teaching
    ii. Research

b. Impact of disruption to those activities

c. Key Stakeholders
    i. Their likely reaction to disruption

d. Recovery Time Objective

e. Recovery Point Objective

f. Minimum acceptable service level

g. What mitigation is or needs to be in place

All on Activity Impact Analysis Template

Response

Needs to be proportional

a. Mobilise the team appropriate to the incident
    • Contact list
    • Call out procedure

b. At a predetermined location
    • Identified by College, Faculty or Campus plans

c. Access to information provided by PREPARATION

d. Effective communication with:
    • Staff
    • Students
    • Other Response teams

e. Information to Emergency Services

f. Manage College Response
    • Access Control

Recovery

Needs to be proportional

a. Mobilise the team appropriate to the incident
    • Contact list
    • Call out procedure

b. At a location to be determined

c. Access to information provided by PREPARATION

d. Establish recovery priorities

e. Implement measures to realise those priorities

f. Communicate with Staff and Students

Will probably commence before Response has completed

DR Plans - Contents

DR plan contains:

1. Activity Impact Analysis

2. Personnel & contact details

3. Departmental Floor Plans and Building Plans
    » Unique and significant hazards or risks

Additionally: Campus and Faculty DR plans contain:

4. Information about CMG Rooms & Battle Boxes

Callout Procedure

[Flowchart: CALL OUT PROCEDURE. Box labels: Incident discovered; Security alerted 4444; ERT investigate; Seriousness assessed; EITHER Emergency Services called OR Security deal with situation; ALWAYS Duty Security Manager called and informed of situation and actions; SERG Callout (SK Security control call out SERG); CMG Callout (SK Security control call out CMG); Decide location; Incident arises; Duty Communications alerted; Standing Committee; Potential Level 2 or 3; Other Response Group; Escalate? (YES / NO); Monitor situation]

What Next

Website to be updated

Seminars in Nov/Dec

DR Plans to be updated

By end Jan 2010

Sent to Nick Kay

([email protected])

Questions?