POLICY: School Governance and Management - Business Continuity Plan POLICY URL: https://lsi-ac.uk/policy/5a5b9270-dab0-4b5b-bfc1-ead9bee1851e POLICY STATEMENT: The School is committed to maintaining the continuity of its academic and operational functions amid unforeseen disruptions. Our Business Continuity Plan encompasses risk assessment, response strategies, and recovery processes, supported by our IT Infrastructure Management Policy and Student Protection Plan. These measures ensure resilience and swift resumption of activities, safeguarding the interests of all stakeholders. POLICY PRINCIPLES: ------------------ - Preparedness : Proactively preparing for potential disruptions to operations; - Responsiveness : Responding effectively and efficiently to unforeseen events; - Resilience : Building and maintaining the School's resilience to disruptions; - Recovery : Ensuring quick recovery and restoration of normal operations; - Communication : Keeping clear and timely communication during disruptions; - Safety : Prioritising the safety of students, staff, and faculty in all continuity planning; - Risk Management : Identifying and managing risks that may affect the School's operations; - Resource Allocation : Allocating resources effectively for business continuity planning and response; - Training : Providing training to key personnel in business continuity roles; - Testing : Regularly testing and reviewing to ensure effectiveness; - Compliance : Complying with relevant laws, regulations, and standards for business continuity; - Continuous Improvement : Continuously improving business continuity strategies based on lessons learned. REGULATORY CONTEXT: ------------------ This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following: R1. JISC (Joint Information Systems Committee): Digital Infrastructure Guidelines - Guidelines for universities and colleges in the UK on how to manage their digital infrastructure. R2. Office for Students (OfS): Regulatory Notices and Advice - Regulatory notices are additional information about OfS' regulatory requirements and are part of the regulatory framework. Regulatory advice helps providers understand and meet OfS requirements. R3. UK Government: Higher Education and Research Act 2017 (HERA) - A UK legislation that reformed the higher education and research sector, particularly by establishing the Office for Students and UK Research and Innovation. R4. Quality Assurance Agency (QAA): The Quality Code - This code represents a shared understanding of quality practice across the UK higher education sector, protecting public and student interests and championing the UK's reputation for quality. R5. Committee of University Chairs : The Higher Education Code of Governance - A code aimed at ensuring the highest levels of governance at higher education institutions. R6. Advance HE: Code of Governance for Universities - A code of governance that sets out the principles and standards that universities in the UK should follow. METRICS: ------------------ The following metrics will be measured and regularly reviewed as performance indicators for the School to ensure the effectiveness of this policy and associated operations: M1. Incident Response Time: Track the average time taken to respond to IT incidents from detection to initial action. Quick response to IT issues minimises disruption to academic and operational functions. M2. Plan Review Frequency: Track the frequency of formal reviews of the Business Continuity Plan (BCP). Target: Annually or as needed based on major changes. Regular reviews ensure the BCP remains relevant and effective in addressing current risks. M3. Recovery Time Objective (RTO) Compliance: Measure the percentage of critical academic and operational functions that are restored within the established RTO. Target: 95% compliance within the designated timeframe. Ensures that the School can resume key functions quickly after a disruption, maintaining continuity and reducing impact. M4. Risk Register Update Frequency: Measure the frequency of updates to the risk register. Target: Quarterly updates and reviews. Regular updates ensure that emerging risks are identified and managed promptly. M5. Test Drill Success Rate: Measure the percentage of business continuity tests and drills that meet predefined success criteria. Target: 100% success rate. Ensures that preparedness measures are effective and can be implemented successfully during real incidents. SECTION 1: Institutional Resilience and Continuity ------------------ 1.1. Business Continuity Plan (BCP) Purpose, Scope, and Goals: The Business Continuity Plan (BCP) outlines the purpose, scope, and goals for maintaining operations during disruptions; ; Purpose: To ensure the School's academic and operational functions continue seamlessly during emergencies. The BCP aims to minimise disruption, protect critical infrastructure, and support rapid recovery while upholding the institution’s mission and safeguarding the interests of students, staff, and other stakeholders; ; Scope: Covers all departments and operations, including academic, administrative, and support services; ; Goals: Establish clear recovery objectives, safeguard stakeholder interests, and minimise disruption to educational services; This framework ensures that all critical functions are maintained and swiftly restored, aligning with the School’s strategic priorities and regulatory requirements. The BCP supports resilience and effective response in coordination with the Board of Governors, Academic Board, Executive Committee, and Quality and Audit Committee. SECTION 2: Risk Register ------------------ 2.1. Proactive Risk Management and Oversight (by Executive Committee): The School adopts a proactive and structured approach to risk management to ensure operational success. The Risk Management Policy provides a framework for identifying, categorising, evaluating, and mitigating risks systematically. Risks are tracked through the School’s automated governance system (AGS) and are managed with the following guidelines:; Prevention: Document measures to prevent the risk from occurring; Alleviation: Outline strategies to reduce adverse effects if the risk materialises, including backup plans; Plans: Specify current and future actions to improve risk ratings; Target Score: Indicate the desired risk rating (red, amber, green) after implementing mitigation measures; Departmental Directors use the risk register in daily operations and report on risks and mitigation to the Executive Committee and Quality and Audit Committee. The Quality and Audit Committee meets at least three times annually, aligning with key operational dates as detailed in the Governance Statement; The AGS will:; Maintain an evidence and audit base; Support Directors with regular reporting and analysis; Alert management, the Executive Committee, and Quality and Audit Committee to emerging or escalating risks; Assist the Quality and Audit Committee with evidence and reporting for effective oversight; The Executive Committee will assess strategic and operational risks, including those related to student protection, and coordinate with the Board of Governors and Quality and Audit Committee. The Board of Governors will review risk management at each meeting, and the Executive Committee and Quality and Audit Committee will report on risk management to the Board; This policy ensures a systematic approach to risk management, enabling effective monitoring and mitigation. Regular oversight by key committees and the AGS framework enhance transparency and responsiveness to emerging risks, supporting the School’s operational resilience and strategic alignment with regulatory requirements. SECTION 3: Business Impact Analysis (BIA) Procedures ------------------ 3.1. Business Continuity Impact Assessment Protocol (by Executive Committee): The School conducts a Business Impact Analysis (BIA) as part of its Board of Governors’ reviews to assess the impact of disruptions on essential functions and services. This analysis, undertaken by the Board of Governors, Academic Board, Executive Committee, and Quality and Audit Committee, identifies critical operations, prioritises recovery strategies, and ensures effective continuity planning. The BIA is regularly updated to adapt to changes and maintain resilience; The BIA helps identify and protect vital functions, enabling the School to swiftly address disruptions. By engaging key committees, the analysis aligns recovery efforts with strategic priorities and enhances operational resilience. SECTION 4: Information Technology (IT) Infrastructure Management Policy ------------------ 4.1. IT Incident Response Plan (by CTO): The School’s IT Incident Response Plan, part of the IT Infrastructure Management Policy, is designed to minimise disruption to students' learning and ensure continued service delivery. The Director of Technology (DoT) oversees the plan, initiating it by notifying the Board of Governors, Quality and Audit Committee, and Executive Committee of the incident. The President assesses the situation and authorises the DoT to activate the plan and convene a Response Committee if needed; The Response Committee, chaired by the DoT, meets daily until the incident is resolved and formally closed by the President. The DoT collaborates with IT, Marketing, Wellbeing, and Department of Education (DoE) heads at least twice a year to review and update the plan. The DoT is responsible for reporting on the plan’s effectiveness and ensuring team training. After an incident, the DoT conducts a root cause analysis, evaluates why risk management measures failed, and drafts a report for the Executive Committee, Audit Committee, and Board of Governors to update the plan; For minor incidents not requiring full activation, the President may authorise the DoT to take necessary actions, with direct reporting to the President; This rule ensures a structured and timely response to IT incidents, safeguarding student learning and service continuity. Regular updates, reviews, and training maintain the plan’s effectiveness, while root cause analyses improve future responses. The clear roles and reporting mechanisms support efficient incident management and adaptation of the plan as needed. SECTION 5: Student Protection Plan ------------------ 5.1. Student Protection Plan for Continuity (by Board of Governors): In the event of a serious risk affecting continuity, the School is committed to protecting students. The School submits an annual Student Protection Plan to the Office for Students (OfS) to ensure student protection in case of significant disruptions. This plan addresses risks such as operational cessation, campus closure, loss of degree awarding powers, inability to deliver programmes, loss of Tier 4 Sponsorship licence, and loss of key staff; The plan details mitigation measures, student refunds and compensation, and communication strategies. The Board of Governors oversees the plan, ensuring that risk management is integrated into School operations; This rule ensures that the School is prepared to safeguard students' interests during significant disruptions. By outlining comprehensive mitigation strategies and communication plans, the Student Protection Plan supports continuity and provides clear actions for protecting and compensating students. The Board of Governors' oversight ensures that risk management is effectively incorporated into the School’s operations. 5.2. Student Protection Plan Overview (by Board of Governors): The Student Protection Plan ensures that students can either complete their studies or receive compensation if this is not possible due to course, campus, or institution closure. This plan complements, rather than replaces, the protections guaranteed under consumer law; It covers:; Risk Assessment: Includes risks such as cessation of operations, loss or suspension of degree-awarding powers, and loss of key staff; Mitigation Measures: Strategies to address identified risks; Refunds and Compensation: Details on how students will be reimbursed or compensated; Communication Plan: Procedures for informing students about their options and the status of their studies; This rule ensures that students are aware of their rights and the School’s procedures in the event of significant disruptions. By providing a clear framework for risk assessment, mitigation, and compensation, the plan supports students through potential challenges, ensuring they receive appropriate protection and communication beyond their legal consumer rights. SECTION 6: Training and Awareness for Business Continuity ------------------ 6.1. Business Continuity Training and Preparedness (by Executive Committee): The School will ensure all relevant staff and committees, including the Board of Governors, Academic Board, Executive Committee, and Quality and Audit Committee, receive regular training on the Business Continuity Plan (BCP). This training will cover the plan’s objectives, procedures, and their specific roles during disruptions. Awareness sessions will be conducted annually and updated whenever significant changes occur to the BCP; Regular training and awareness ensure that all key bodies understand their responsibilities and the BCP procedures, enabling a swift and coordinated response during disruptions. This proactive approach helps maintain operational resilience and supports effective recovery efforts. SECTION 7: Testing and Maintenance ------------------ 7.1. Plan Effectiveness Testing and Revisions (by Executive Committee): The School will regularly test and update its Business Continuity Plan (BCP) to ensure its effectiveness and relevance. Testing will involve simulations and reviews, involving the Board of Governors, Academic Board, Executive Committee, and Quality and Audit Committee. Updates will be made based on test outcomes and changing operational needs; Regular testing and maintenance ensure the BCP remains effective and responsive to evolving risks. Engaging key committees ensures comprehensive oversight and alignment with institutional priorities, supporting robust continuity and resilience. SECTION 8: Documentation and Records ------------------ 8.1. Records Management for Continuity Planning (by Executive Committee): The School will maintain comprehensive documentation and records for all aspects of the Business Continuity Plan (BCP). This includes detailed logs of testing results, training sessions, and incident responses. The Executive Committee and Quality and Audit Committee are responsible for ensuring that these records are regularly reviewed, updated, and securely stored to support effective plan execution and compliance with regulatory requirements; Proper documentation and record-keeping ensure that the BCP is consistently monitored and improved. Accurate records provide transparency, aid in regulatory compliance, and enable quick retrieval of information during and after incidents, supporting effective response and recovery efforts. SECTION 9: Continuous Improvement in Business Continuity ------------------ 9.1. Regular Review and Update of Continuity Procedures (by Executive Committee): The School's Business Continuity Plan (BCP) is reviewed and updated regularly to reflect lessons from drills, incidents, and feedback from the Board of Governors, Academic Board, Executive Committee, and Quality and Audit Committee. This ongoing process ensures the plan adapts to new risks and maintains effective response strategies; Regular updates to the BCP ensure its relevance and effectiveness, incorporating feedback and lessons learned. This enhances the School’s resilience, addresses emerging risks, and supports robust continuity strategies to protect operations and stakeholders. The School's governance and risk management systems, as detailed in submissions to the Office of Students (OfS), facilitate timely prevention and mitigation.