uthsc-h business continuity plan update

University Risk Management & Insurance Association

UTHSC-H Business Continuity Plan Update

Moving towards “disaster resiliency”Jason Bible, MSM, ARM, CHMM

Risk ManagerThe University of Texas Health Science Center at Houston

1851 Crosspoint Drive, OCB 1.330Houston, Texas 77054(713) 500-8100

[email protected]


Types of Disasters

• Acute or evolvingExplosion or disease in community

• Natural or man-madeTornado or industrial chemical release

• Intentional or unintentionalTerrorism or accidental building fire

• Predicable or unpredictableHurricane or electrical blackout


Disaster Event Commonalities:A Recurrent Set of Discrete Stages

1. The pre-event stage1 A. The forecast sub-stage

2. The event

3. The initial response stage

4. The assessment, hazard mitigation, and debris removal stage

5. The business continuity decision-making stage

6. The “return to normal” or “new state of operations” stage

Preparation and Response Elements

Prevention Activities (in place)

EH&S surveillance, training, Area Safety Liaisons program, drills, etc.




Emergency Response Plan (in place)

ESRP




Emergency Response Plan (in place)

ESRP

Business Continuity Plan

Although some elements exist, no consolidated and coordinated plan documented for HSC


Scope of Plan

• Although the impacts of some emergencies can be felt for years, for the purposes of this plan, a 30 day window is considered to be most crucial

• By 30 days post event, temporary fixes will be in place and assessments will be completed to allow for longer term decision making

• This number is based on Tropical Storm Allison experience and other notable events


The Significance of 30 Days

Tropical Storm Allison occurred on June 9-10, 2001. Houston Chronicle headlines 30 days later:

7/17/01 Hermann to reopen trauma unit http://www.chron.com/disp/story.mpl/storm2001/968409.html 7/18/01 Hermann and Baylor recovering http://www.chron.com/disp/story.mpl/storm2001/970234.html 7/19/01 Despite flooding, UH to start on timehttp://www.chron.com/disp/story.mpl/storm2001/971472.html


Other Validations of 30 Days• All Florida State Government entities are required to

maintain COOP’s to cover a 30 day period• The London Train Bombings, July 2005:

“although the London Underground network was closed all day, most of it was up and running the following morning and the entire network was back to normal within a month” Addressing Lessons From the Emergency Response to the 7 July 2005 London

Bombings Ried, J. Home Secretary and Jowell, T Culture Secretary UK Cabinet Office 22 Sept 2006

• The American Red Cross Temporary Shelter Planning Guide describes plans for operating for a 30 day period


The “Reasonableness” Factor

• Impossible to plan for every contingency

• Resource constraints limit scope of preparations as well

• The “day job” doesn’t go away during all of this planning

• Reasonableness strategy

Take an “all hazards” approach

Develop plans for key infrastructure services; ensure units are synchronized and play well together to get job done

Take a “bottom up” approach for front line units


Proposed BCP Strategy

• Necessary institutional infrastructure (in rank order)

1. UT Police2. Facilities3. IT/Communications4. Public Affairs5. EHS/Risk Management6. Animal Care7. Finance (procurement, billing,

payroll)8. HR9. Medical billing10.Registrar11.Auxiliary enterprises

• Planning worksheets for local environments, by type

Administrative units Research labs Clinics Academic endeavors

Fig. 1. UTHSC-H Business Continuity Plan (BCP) Schema

Necessary Institutional Infrastructure/Service Plans (eleven key units/services)BCP to contain highlight information for these ten key unit plans - each unit expected to maintain and execute detailed plan

UT Police Facilities Aux EnterpriseHRFinance:Procurement, Billing, Payroll

EHS/RMPub AffairsIT/Communications Registrar Med Billing

School-level Operating Unit Site Specific Plans (four main worksetting types)BCP contains templates for these plans to be completed and maintained by units within schools with assistance from EH&S/RM, ranked by revenue vulnerability

Animal Care

Research Clinic Academic Administrative

MSB

SPH

DBB

SON

HCPC

SHIS

UCT

GSBS

MSI

IMM


Focus on Vulnerable Revenue Streams

• The BCP acknowledges that maintenance of revenue in times of disasters is crucial to continuity

• Some revenue streams are more sensitive to emergency situations than others

• The local unit BCP worksheets are intended to assist in this regard

100%

Time

100%

Designated FundsClinical Practice, 39%

General RevenueState Funds, 23%

Contracts & Grants, 17%

Local income, 6%

Current restricted, 5%

HCPC, 4%AE Funds, 4%

Time

100%




Local income, 6%



Time

Emergency Event

100%




Local income, 6%



Time

Immediate Impact on Clinical Revenues

100%




Local income, 6%



Time

100%




Local income, 6%



Time

Lagging Impact on Research Revenue

100%




Local income, 6%



Time

100%




Local income, 6%



Time

Key BCP goal: reduce magnitude and duration of revenue loss


Successfully Addressing Disasters

• Definition: “A sudden or great misfortune or failure”

• But a key point that is absent is: disastrous to whom?

• Consider the list of “retained losses” all likely had “locally disastrous” consequences, but were never

reflected in an “insurance loss run”, thus no systemic decisions made to intervene

• The lesson here – “all disasters are local”

• The good news is that the steps taken to address local disasters will work for larger disasters too!

UTHSC-H Retained Loss Summary for FY06(Total FY06 losses by cause and amount in dollars, Total Loss~$390,000)*

Chilled Water Line Leak, $231,000 (58%)

Theft, $90,000 (27%)

Sewage Line Clog, $10,000 (3%)

Breach of Building Envelope, $15,000 (5%)

Building Electrical Disruption, $20,000

(6%)

Burglary, Vandalism, Forgery, $17,000 (5%)

Other Loss, $7,000 (2%)

*Not inclusive of any recorded Capitol Assets inventory irregularities. For additional information contact UTHSC-H Capitol Assets Team


And This is Likely Only the Tip of the Iceberg

• Recent FBI data on computer theft:

“The theft of a laptop results in an average financial loss of $89,000; only a small percentage of the sum actually relates to the hardware cost.”

“Financial loss due to laptop theft has been second only to loss due to computer virus for the last seven years running.”

• Source: 2002 Computer Security Institute/FBI Computer Crime & Security Survey


Addressing the Exposure:Example of BCP Intervention Strategy

• Losses of frozen supplies or specimens

• Can be a locally disastrous event

• What can go wrong and how can we prevent it?

Failure Mode and Effect Analysis for Loss of Research Freezer Capability

Event Control span Effect End Result

Utility power supply interruption Power utility

Emergency generator failure Facilities

Undetected circuit beaker trip Facilities

Emergency power “red plug” not available

Facilities

Freezer not plugged into available emergency power outlet

Lab

Inability to

maintain

desired temperature

Damage or loss of critical supplies or specimens; impacts research plan, impact grant renewals, new discoveries, awards, indirect costs

Freezer inadvertently unplugged

Lab

Freezer compressor or unit failure

Lab

Local freezer alarm failure Lab

Local alarm sounds, no one hears/responds

Lab

Unit door not completely closed Lab

Other damage to unit, room ?







Facilities


Lab

Inability to

maintain

desired temperature



Lab


Lab



Lab



X







Facilities


Lab

Inability to

maintain

desired temperature



Lab


Lab



Lab



Appropriate point of focus is here!


Possible Solutions to Freezer Vulnerability

• Local preventive measures outlined in worksheet

• Identification of surge capacity for freezer space?

• Dry ice suppliers

• Bulk pricing for freezer alarms that call PI directly?

• Back up freezer capacity?


Completed BCP Steps

• BCP text drafted by EH&S, reviewed by M. Tramonte, circulated to committee

• Forwarded to Dr. McKinney proposed mechanism for executive leadership confirmation that 11 essential institutional functions have plans in place

• Completed assembly of data for first ever retained loss summary –all noted perils interestingly covered on proposed worksheets

• Assisted in procurement of BCP supplies for Animal Care, Auxiliary Enterprises, and Facilities, Planning and Construction

• Coordinating installation of donated -80 freezer in MS to provide surge capacity in event of freezer failure


Completed BCP Steps

• Exploring options for direct investigator notification of freezer failure

• Met with MS DMO’s on 9/13/06 on research worksheets – completed forms discussed at follow up meeting on 11/13/06

• Met with Dianna Browning for initial review of clinic worksheet on 9/29/06 – initial response very positive. Group meeting with UTP on 11/11/06 - initial response very positive

• Met with Dr. Buja to discuss academic issues 11/1/06 - initial response very positive

• Met with SPH administrative leaders to discuss on 12/12/06

• Met with Mike Tramonte and associated business affairs administrative leaders on 12/13/06 to review approach


Completed BCP Steps

• Met with M. Tramonte and received revenue and expenditures for departments across UTHSC-H

• Met with Buddy Moore and received all assets related to research and clinical practice with a historic value over $10,000

• Met with the director’s from the Office of Research and discussed BCP issues related to research and administrative functions


Next Steps?

uthsc-h business continuity plan update

Documents