II. Management

Facing with increased exposure to new risks and a decreasing tolerance for disruptions to their operations, universities may find it prudent to evaluate their ability to respond to crisis and mitigate possible future risks.

BCM Lifecycle

BCM Lifecycle is a series of good practices for universities to implement business continuity management. There are four stages in a typical BCM lifecycle.

Stage 1 - Determine Risk Profile

To start the BCM Lifecycle, universities' management shall understand its organisation by reviewing what its objectives are, how it works functionally and the constraints of the environment where it operates. Several tools and methodologies can be used to understand the organisation and determine the risk profile.

  • Business Impact Analysis (BIA)

    BIA evaluates the impact over time of a disruption to an organisation's ability to operate.

  • Continuity Requirements Analysis (CRA)

    CRA estimates the resources, facilities and external services that each activity will require at both resumption and return to “business as usual” after a disruption.

  • Risk Assessment

    Risk assessment estimates the likelihood and impact on specific functions based on threats to known vulnerabilities.

Stage 2 - Determine Business Continuity Management Strategy

After determining the risk profiles (i.e. vulnerability, threat and impact) of universities' key resources and activities based on BIA, CRA or risk assessment outcome, management shall develop corresponding BCM strategies in response to the assessed risk profile of each key resource or activity. The most commonly applied BCM strategies are listed below:

  • Risk Acceptance

    Universities may adopt a “do nothing” BCM strategy if the risk level is low and can be acceptable within universities' risk appetite.

KPMG Publication - Business Continuity Management