Business Continuity Terms of Reference

All-Hazards Approach

An approach for prevention, mitigation, preparedness, response, continuity, and recovery that addresses a full range of threats and hazards, including natural, human-caused, and technology-caused.

Awareness

To create understanding of basic BCM and Emergency Management issues and limitations. This will enable staff to recognize hazardous scenarios or disruptions and respond accordingly. Examples of creating such awareness include distribution of posters and flyers targeted at a campus-wide audience or conducting specific business continuity and emergency management briefings for operational staff and executive management. Awareness is less formal than training and is generally targeted at all students, faculty, staff, and contractors.

Business Continuity Management

A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats—if realized—might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

Business Continuity Plan

A documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable the campus or a department to continue to deliver its critical products and services at an acceptable predefined level.

Business Continuity Planning

Business Continuity Planning is the process of developing prior arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions can continue within planned levels of disruption. The end result of the planning process is the BC Plan.

Business Impact Analysis (BIA)

The process of analyzing business functions and the effect that a business interruption might have upon them. The Office of Business Continuity Planning will complete a BIA for each department once all departmental business units have successfully completed their COOP plans. The BIA provides information needed to complete a department-specific business continuity plan.

Business Resumption

Steps taken to resume the business within an acceptable timeframe following a disruption.

Business Unit

A business unit within a department, e.g. the Office of Business Continuity Planning within the Department of Risk Management, Safety & Security, a division of Business Affairs.

Call Tree

A structured cascade process that enables a list of persons, roles and/or organizations to be contacted as a part of an information exchange or plan invocation procedure.

Campus

A set of buildings which are geographically grouped together and might form one inter-connected set of Business Continuity Plans.

Continuity Coordinators

Faculty and staff who are responsible for developing COOP plans are known as continuity coordinators. The Office of Business Continuity Planning utilizes a unique template to capture critical information about each business unit. Continuity coordinators may also be the persons responsible for activating their COOP plan.

Continuity of Operations Plan (COOP)

COOP is a plan to deal with specific sets of adverse circumstances impacting a business unit, e.g. loss of power, infrastructure, data, key staff, or limited building accessibility. All business units will develop a COOP plan that lists typically three to five recovery steps per contingency. Since the most effective time to develop a response plan is before an emergency disruption, COOP plans provide an opportunity to critically think through such procedures including how to reduce the likelihood of disruption.

Corrective Action Plan

The action to eliminate the cause of a detected non-conformity or other undesirable situation that is tracked and reviewed using an annual plan.

Crisis Communications Plan

A documented collection of procedures and information that is used to manage all official communication from the University, including internal messages to students, faculty, staff, media and external communication other than operational coordination.

Crisis Management

The overall coordination of an organization's response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization's profitability, reputation, and ability to operate.

Critical Business Functions (CBF)

The functions or processes that are essential to the core mission or objectives of a unit, department, or the University. There are many critical business functions across campus and the first step for any continuity coordinator is to identify the most essential functions or processes within their unit or department.

Disaster

The result when a natural or human-caused hazard takes place and impacts a community. The qualification of a "disaster" is such that the community is impacted psychologically and physically to the extent that normal daily functions are severely limited.

Disaster Recovery (DR)

The strategies and plans for recovering and restoring the organization's technological infrastructure and capabilities after a serious interruption.

Disaster Recovery Plan (DRP)

The activities associated with the continuing availability and restoration of the IT infrastructure.

Disaster Resilient University

A University developed or redeveloped to minimize the human, environmental, and property losses and the social and economic disruption caused by disasters. A resilient community understands natural systems and realizes that appropriate siting, design, and construction of the built environment are essential to advances in disaster prevention.

Downtime

A period in time when something is not in operation.

Emergency Management (EM)

The capability that enables an organization or community to respond to an emergency in a coordinated, timely, and effective manner following the Incident Command System / National Incident Management System model to prevent the loss of life and minimize injury and property damage.

Emergency Management & Operational Continuity (EMOC)

A collaborative approach to managing emergency management projects that incorporates organizational strengths within Risk Management, Safety & Security from Police and Public Safety, in terms of operations and response management, and strengths from the Office of Business Continuity Planning, in terms of planning and documentation. This approach allows all emergency management issues on campus to be jointly managed and coordinated.

Emergency Notification

An emergency alert that is disseminated within seconds of confirmation of, and intended to warn persons about, an imminent threat (shooter, severe weather, gas leak) on/to campus using as few characters as possible.

Emergency Operations Center (EOC)

The facility used by emergency response teams to support emergency response operations on the scene of an incident or disaster. EOC Emergency Response Teams will coordinate their support activities following the ICS model and provide logistics, resources and planning assistance to their counterparts on scene.

Emergency Operations Plan (EOP)

Contains procedures that can be detailed and coordinated for emergency responders; developed and maintained by emergency planning staff.

Emergency Preparedness & Operational Continuity (EPOC)

Business Continuity Planning takes applications from master's-level and graduate certificate candidates to assist with developing and enhancing business continuity and emergency management initiatives campus-wide. Graduate students who are accepted as business continuity associates have a unique opportunity to participate in the process of developing an industry-leading program. Specifically, these students will receive training in: HSEEP, BIA, Business Continuity Planning, Continuity of Operations, and Emergency Preparedness.

Enterprise Risk Management (ERM)

ERM includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

Emergency Support Function (ESF)

Emergency support function means support, resources, program implementation, and services that are provided to save lives, protect property and the environment, restore essential services and critical infrastructure, and help victims and communities to return to normal life. It will be provided following campus or regional events. It serves as an operational-level mechanism to provide assistance to state, local, and tribal governments or to federal departments and agencies conducting missions of primary federal responsibility. Such support functions involve a grouping of government and certain private-sector capabilities into an organizational structure.

Event

A physical event which interrupts business processes sufficiently to threaten the viability of the organization.

Goodwill

Goodwill is an intangible asset that reflects a business’s customer connections, reputation, and other similar factors. An example of this is UNC Charlotte’s reputation and relationship with prospective students, parents, and other customers.

Homeland Security Exercise and Evaluation Program (HSEEP)

HSEEP is a capabilities and performance-based exercise program that provides a standardized methodology and terminology for exercise design, development, conduct, evaluation, and improvement planning. UNC Charlotte utilizes HSEEP to successfully exercise and train emergency personnel during simulated emergencies. HSEEP constitutes a national standard for all exercises. Through exercises, the National Exercise Program supports organizations to achieve objective assessments of their capabilities so that strengths and areas for improvement are identified, corrected, and shared as appropriate prior to a real incident.

Imminent Threat/Danger

A condition under which deadly force or probable harm may occur to persons on campus.

Incident

An occurrence that threatens disruption.

Incident Command System (ICS)

ICS is a standardized, on-scene, all-hazards incident management approach. ICS allows for the integration of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure. It enables a coordinated response among various response teams, jurisdictions, and functional agencies, both public and private. ICS establishes common processes for planning and managing resources, and is a subcomponent of the National Incident Management System (NIMS), as released by the U.S. Department of Homeland Security in 2004.

ISO/IEC 27002

Published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). UNC General Administration requires adoption by constituent institutions of the UNC System, an effort coordinated by the Chief Information Security Officer (CISO) for UNC Charlotte.

Joint Information Center (JIC)

An interagency entity established to coordinate and disseminate information for the public and media concerning an incident. JICs may be established locally, regionally, or nationally depending on the size and magnitude of the incident.

Mitigation

Any sustained action to reduce or eliminate long-term risk to people and property from hazards and their effects.

Multi-year Training and Exercise Plan (MTEP)

The schedule is designed to help prepare UNC Charlotte to optimally address both the natural and technical hazards that it may face. It is based

National Incident Management System (NIMS)

Provides guidance to the federal agencies participating in the National Response Framework in disaster preparedness. All Federal departments and agencies are required to adopt NIMS and to make adoption by state, tribal, and local organizations a condition for Federal preparedness awards beginning in Federal fiscal year (FY) 2005. Federal preparedness awards can include grants, contracts, equipment, supplies, and other activities.

NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (2010 edition)

NFPA-1600 defines the administrative role, scope, purpose, implementation, definitions, authority, and the two most important ingredients - program management and essential program elements. These two components define program quality from inception. NFPA-1600 is a template that defines common elements (many of which were greatly expanded in the 2010 version) and best practices. NFPA-1600 is universal to any emergency management program in the United States. FEMA, the International Association of Emergency Managers, and the National Emergency Managers Association (NEMA) now uniformly endorse NFPA-1600 as a national standard.

Recovery Time Objective (RTO)

The target time for resuming the delivery of a product or service to an acceptable level following its disruption. In other words, your business unit(s) have been affected by a recent disaster causing downtime. The RTO will be the amount of downtime your business unit can withstand before a lapse of operability begins to impact other operations or campus operations. Typically, those business units with "short" RTOs, like 12 hours or less than seven days for example, are responsible for critical business functions.

Risk Assessment

A technique that identifies threats, vulnerabilities, and impacts. Based on the results of the risk assessment, mitigation and risk treatment measures will be identified, such as decreasing the likelihood of disruption, shortening the period of disruption, and limiting the impact of a disruption.

Risk Profile

Three elements define an organization's risk profile: threat profile, loss profile, and gap profile.

Risk Register

A document that contains the results of various risk management processes, often displayed in a table or spreadsheet format.

Shelter-in-Place

A process for temporarily seeking an accessible area for immediate safety, such as a classroom, for persons in an affected location where personal safety has been compromised.

Test, Training & Exercise (TTE)

The Office of Business Continuity Planning periodically supports annual exercises to train and evaluate readiness capabilities campus-wide. The use of staff and students to support exercise design, development, conduct and evaluation is an important method for generating greater awareness campus-wide while eliciting support from the campus community. The Test, Training and Exercise (TTE) program fulfills the University's need to practice emergency plans.

Timely Warning

An emergency alert that notifies campus students, faculty and staff to enable people to protect themselves against a serious or continuing threat on campus, on immediately accessible public property, or at a non-campus location (i.e. remote fraternity or classroom).