6 Sutton Park Road, Sutton, SM1 2GD
Business Continuity Plan
Policy Statement
The School is committed to maintaining the continuity of its academic and operational functions amid unforeseen disruptions. Our Business Continuity Plan encompasses risk assessment, response strategies, and recovery processes, supported by our IT Infrastructure Management Policy and Student Protection Plan. These measures ensure resilience and swift resumption of activities, safeguarding the interests of all stakeholders.
Principles
- Preparedness: Proactively preparing for potential disruptions to operations.
- Responsiveness: Responding effectively and efficiently to unforeseen events.
- Resilience: Building and maintaining the School's resilience to disruptions.
- Recovery: Ensuring quick recovery and restoration of normal operations.
- Communication: Maintaining clear and timely communication during disruptions.
- Safety: Prioritising the safety of students, staff, and faculty in all continuity planning.
- Risk Management: Identifying and managing risks that may affect the School's operations.
- Resource Allocation: Allocating resources effectively for business continuity planning and response.
- Training: Providing training to key personnel in business continuity roles.
- Testing: Regularly testing and reviewing the plan to ensure effectiveness.
- Compliance: Complying with relevant laws, regulations, and standards for business continuity.
- Continuous Improvement: Continuously improving business continuity strategies based on lessons learned.
Regulatory Context
This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following:
Institutional Resilience and Continuity
Definition
Business Continuity Plan (BCP) Purpose, Scope, and Goals
The Business Continuity Plan (BCP) outlines the purpose, scope, and goals for maintaining operations during disruptions.
This framework ensures that all critical functions are maintained and swiftly restored, aligning with the School’s strategic priorities and regulatory requirements. The BCP supports resilience and effective response in coordination with the Board of Governors, Academic Board, Executive Committee, and Quality, Compliance, and Audit Committee.
Risk Register
Rule
Proactive Risk Management and Oversight
The School adopts a proactive and structured approach to risk management to ensure operational success. The Risk Management Policy provides a framework for identifying, categorising, evaluating, and mitigating risks systematically. Risks are tracked through the School’s automated governance system (AGS) and are managed with the following guidelines:
Departmental Directors use the risk register in daily operations and report on risks and mitigation to the Executive Committee and Quality, Compliance, and Audit Committee. The Quality, Compliance, and Audit Committee meets at least three times annually, aligning with key operational dates as detailed in the Governance Statement. The AGS will:
The Executive Committee will assess strategic and operational risks, including those related to student protection, and coordinate with the Board of Governors and Quality, Compliance, and Audit Committee. The Board of Governors will review risk management at each meeting, and the Executive Committee and Quality, Compliance, and Audit Committee will report on risk management to the Board.
This policy ensures a systematic approach to risk management, enabling effective monitoring and mitigation. Regular oversight by key committees and the AGS framework enhance transparency and responsiveness to emerging risks, supporting the School’s operational resilience and strategic alignment with regulatory requirements.
Business Impact Analysis (BIA) Procedures
Rule
Business Continuity Impact Assessment Protocol
The School conducts a Business Impact Analysis (BIA) as part of its Board of Governors’ reviews to assess the impact of disruptions on essential functions and services. This analysis, undertaken by the Board of Governors, Academic Board, Executive Committee, and Quality, Compliance, and Audit Committee, identifies critical operations, prioritises recovery strategies, and ensures effective continuity planning. The BIA is regularly updated to adapt to changes and maintain resilience.
The BIA helps identify and protect vital functions, enabling the School to swiftly address disruptions. By engaging key committees, the analysis aligns recovery efforts with strategic priorities and enhances operational resilience.
Information Technology (IT) Infrastructure Management Policy
Rule
IT Incident Response Plan
The School’s IT Incident Response Plan, part of the IT Infrastructure Management Policy, is designed to minimise disruption to students' learning and ensure continued service delivery. The Director of Technology (DoT) oversees the plan, initiating it by notifying the Board of Governors, Quality, Compliance, and Audit Committee, and Executive Committee of the incident. The President assesses the situation and authorises the DoT to activate the plan and convene a Response Committee if needed. The Response Committee, chaired by the DoT, meets daily until the incident is resolved and formally closed by the President.
The DoT collaborates with IT, Marketing, Wellbeing, and Department of Education (DoE) heads at least twice a year to review and update the plan. The DoT is responsible for reporting on the plan’s effectiveness and ensuring team training. After an incident, the DoT conducts a root cause analysis, evaluates why risk management measures failed, and drafts a report for the Executive Committee, Quality, Compliance, and Audit Committee, and Board of Governors to update the plan.
For minor incidents not requiring full activation, the President may authorise the DoT to take necessary actions, with direct reporting to the President.
This rule ensures a structured and timely response to IT incidents, safeguarding student learning and service continuity. Regular updates, reviews, and training maintain the plan’s effectiveness, while root cause analyses improve future responses. The clear roles and reporting mechanisms support efficient incident management and adaptation of the plan as needed.
Student Protection Plan
Rule
Student Protection Plan for Continuity
In the event of a serious risk affecting continuity, the School is committed to protecting students. The School submits an annual Student Protection Plan to the Office for Students (OfS) to ensure student protection in case of significant disruptions. This plan addresses risks such as operational cessation, campus closure, loss of degree awarding powers, inability to deliver programmes, loss of Tier 4 Sponsorship licence, and loss of key staff. The plan details mitigation measures, student refunds and compensation, and communication strategies. The Board of Governors oversees the plan, ensuring that risk management is integrated into School operations.
This rule ensures that the School is prepared to safeguard students' interests during significant disruptions. By outlining comprehensive mitigation strategies and communication plans, the Student Protection Plan supports continuity and provides clear actions for protecting and compensating students. The Board of Governors' oversight ensures that risk management is effectively incorporated into the School’s operations.
Rule
Student Protection Plan Overview
The Student Protection Plan ensures that students can either complete their studies or receive compensation if this is not possible due to course, campus, or institution closure. This plan complements, rather than replaces, the protections guaranteed under consumer law. It covers:
This rule ensures that students are aware of their rights and the School’s procedures in the event of significant disruptions. By providing a clear framework for risk assessment, mitigation, and compensation, the plan supports students through potential challenges, ensuring they receive appropriate protection and communication beyond their legal consumer rights.
Training and Awareness for Business Continuity
Rule
Business Continuity Training and Preparedness
The School will ensure all relevant staff and committees, including the Board of Governors, Academic Board, Executive Committee, and Quality, Compliance, and Audit Committee, receive regular training on the Business Continuity Plan (BCP). This training will cover the plan’s objectives, procedures, and their specific roles during disruptions. Awareness sessions will be conducted annually and updated whenever significant changes occur to the BCP.
Regular training and awareness ensure that all key bodies understand their responsibilities and the BCP procedures, enabling a swift and coordinated response during disruptions. This proactive approach helps maintain operational resilience and supports effective recovery efforts.
Testing and Maintenance
Rule
Plan Effectiveness Testing and Revisions
The School will regularly test and update its Business Continuity Plan (BCP) to ensure its effectiveness and relevance. Testing will comprise simulations and reviews involving the Board of Governors, Academic Board, Executive Committee, and Quality, Compliance, and Audit Committee. Updates will be made based on test outcomes and changing operational needs.
Regular testing and maintenance ensure the BCP remains effective and responsive to evolving risks. Engaging key committees ensures comprehensive oversight and alignment with institutional priorities, supporting robust continuity and resilience.
Documentation and Records
Rule
Records Management for Continuity Planning
The School will maintain comprehensive documentation and records for all aspects of the Business Continuity Plan (BCP). This includes detailed logs of testing results, training sessions, and incident responses. The Executive Committee and Quality, Compliance, and Audit Committee are responsible for ensuring that these records are regularly reviewed, updated, and securely stored to support effective plan execution and compliance with regulatory requirements.
Proper documentation and record-keeping ensure that the BCP is consistently monitored and improved. Accurate records provide transparency, aid in regulatory compliance, and enable quick retrieval of information during and after incidents, supporting effective response and recovery efforts.
Continuous Improvement in Business Continuity
Rule
Regular Review and Update of Continuity Procedures
The School's Business Continuity Plan (BCP) is reviewed and updated regularly to reflect lessons from drills, incidents, and feedback from the Board of Governors, Academic Board, Executive Committee, and Quality, Compliance, and Audit Committee. This ongoing process ensures the plan adapts to new risks and maintains effective response strategies.
Regular updates to the BCP ensure its relevance and effectiveness, incorporating feedback and lessons learned. This enhances the School’s resilience, addresses emerging risks, and supports robust continuity strategies to protect operations and stakeholders. The School's governance and risk management systems, as detailed in submissions to the Office for Students (OfS), facilitate timely prevention and mitigation.
Metrics and KPIs
The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations.
Incident Response Time
Track the average time taken to respond to IT incidents from detection to initial action. Quick response to IT issues minimises disruption to academic and operational functions.
Plan Review Frequency
Track the frequency of formal reviews of the Business Continuity Plan (BCP). Target: Annually or as needed based on major changes. Regular reviews ensure the BCP remains relevant and effective in addressing current risks.
Recovery Time Objective (RTO) Compliance
Measure the percentage of critical academic and operational functions that are restored within the established RTO. Target: 95% compliance within the designated timeframe. Ensures that the School can resume key functions quickly after a disruption, maintaining continuity and reducing impact.
Risk Register Update Frequency
Measure the frequency of updates to the risk register. Target: Quarterly updates and reviews. Regular updates ensure that emerging risks are identified and managed promptly.
Test Drill Success Rate
Measure the percentage of business continuity tests and drills that meet predefined success criteria. Target: 100% success rate. Ensures that preparedness measures are effective and can be implemented successfully during real incidents.