Hurricane Katrina and other natural disasters, the ongoing threats of terrorism, and the auditing profession's increased emphasis on business continuity planning have captured the attention of higher education executives.
Most now realize that they ought to be doing business continuity planning but aren't sure where to begin. George Mason University's (Va.) Enterprise Executive Risk Management Group (EERMG) is building the organization's business continuity plans and capacity.
After hearing a Motorola information security executive predict that more and more corporations would create risk management programs that incorporate cyber-risks, GMU's CIO Joy Hughes proposed that an EERMG be chartered there.
President Alan Merten appointed Maurice Scherrens, senior vice president for Finance and Administration, to lead the group. The team was charged with assessing information technology risks, physical risks, and risks from departmental procedures and processes, as well as overseeing the development of business continuity plans.
The Traditional Model
University risk assessment projects are often elaborate paper drills designed to satisfy an outside audience such as an auditor. Reams of documents and an exhaustive collection of "plans" may satisfy an external audience, but they're generally impractical to implement without a very significant infusion of resources.
Plus, large sets of plans prepared by people with very different viewpoints tend either to overwhelm with detail or, conversely, include generalizations that give them limited practical use.
Department heads devote significant amounts of both mental energy and time to fill out myriad forms, yet the unit-level problems identified never appear to make it to the top of the priority list. High-priority items for remediation funding usually are the central ones rather than the unit ones because they affect more people and processes. Unfortunately, this approach ensures that the concerns of many individual departments will be left out of the final risk analysis.
GMU's New Model
Rather than require every department in the university to fill out risk assessment forms, GMU's EERMG members first identified which departments were most relevant to business continuity planning. The group prioritized the list and developed a timeline by which the top 10 could be assessed within the first year. They created a four-year cycle for every department and associated subdivision to be assessed before the cycle begins again.
The chief safety officer and the IT security coordinator distribute a 20-page risk assessment questionnaire covering departmental assets, policies, and procedures. The team then conducts interviews to clarify the responses, performs on-site security assessments, and identifies risks.
The risk identification process, still in progress, has already resulted in remediation steps. For example, to limit after-hours personnel risk, police escorts were provided and evening hours were reduced.
Several risk assessments were outsourced to vendors such as Protiviti (www.protiviti.com). Because the university team had bundled the risk assessment in with business continuity and disaster planning, the effort could be funded by a grant that Mason had received for business continuity.
The Continuity Piece
The departmental risk assessment questionnaire also requests a business continuity plan. Most departments do not have such a plan and have little idea how to develop one, and central administration has little expertise in this area either.
Safety Officer Keith Bushey had received a pre-disaster mitigation grant late in 2005 under a FEMA-sponsored program. The EERMG decided to use it to secure assistance in developing a business continuity and risk mitigation plan. D.C.-based James Lee Witt Associates (JLWA) (www.wittassociates.com) was hired to leverage the work done by the risk assessment team.
The end result of the effort will be a FEMA-approved mitigation plan, one of the first at a university anywhere in the United States.
In addition to interviewing department heads, JLWA partners spoke with the heads of other support and service departments and with key city personnel. They reviewed planning documents and did an overall GMU risk assessment, too.