IT business continuity plans and post-incident reviews: five questions for higher education IT leaders to consider

Expert Insight

IT business continuity plans and post-incident reviews: five questions for higher education IT leaders to consider

Facing an era-defining global pandemic, IT leaders quickly and efficiently transitioned universities to online operations. And many IT units can attribute their success in some part to their business continuity and disaster recovery (BCDR) planning – the process of regularly assessing potential disruptions to university operations and subsequently developing continuing plans to address them. However, COVID-19 has yet to pass and promises new challenges for institutions in the short- and long-term. As such, in order to prepare for upcoming contingencies in this atmosphere of ongoing uncertainty, institutions should take the time to review their COVID-19 responses to identify what did and did not work and in turn, adapt and bolster their BCDR plans.

BCDR plans are standard practice in business, but some higher education IT organizations have been slow to adopt and incorporate these policies and many that do have BCDR plans often neglect them. Indeed, 2019 EDUCAUSE survey data suggests that only 42 percent of institutions have formal IT business continuity plans that contain the essential policies, procedures, and resources needed to enable the swift restoration of key technology infrastructure and resumption of standard business operations following a crisis. Furthermore, even BCDR plans that meet traditional high standards may not perform well in the current climate because: 1) the COVID-19 crisis breaks the boundaries of most traditional BCDR plans, which assume that threats are localized and bounded in time; and 2) IT itself is changing from an on-premises to a virtualized model, meaning that an institution’s response is less about restoring systems and more about supporting virtualized services. In this new normal, institutions should focus BCDR planning to ensure resilient architecture and scalable, responsive support.

What makes BCDR different in the time of COVID-19?

Traditional BCDR

  • Trigger: Localized disaster with limited perimeter
  • First step: Restore data center
  • Frontline team: Infrastructure, then enterprise systems
  • Plan essentials: Hot/cold alternative site; hardware supply chain; mean time-to-recover estimates; and recovery priorities

COVID-19 era BCDR

  • Trigger: Generalized crisis, no boundary in space or time
  • Frontline team: Client services, then enterprise systems
  • Plan essentials: Vendor management; scaling collaboration tools; and scaling and remote operation of user support

Regardless, before revisiting BCDR plans, IT leaders should ensure that they conduct an assessment to better understand their response to COVID-19. A valuable part of any BCDR plan, post-incident responses allow IT organizations to identify and document key lessons learned and areas for improvement. 

An incident response review unlike any other

1. What is different about this “incident” review?

IT leaders typically conduct post-incident reviews after the IT organization has returned to standard operations to better understand the lessons learned from a disruption – both the good and the bad. However, in the case of COVID-19 – there is no return to normal (at least not for a couple of years). This means that IT organizations will be tasked with conducting a post-incident review while continuing to provide service in an altered environment – the organizational embodiment of “building the boat while sailing.”

2. What categories of metrics should we assess?

The post-response review required by the pandemic should be less focused on the ‘incident’ and more comprehensive in measuring the operations of the IT organization. This is in part because institutions cannot yet document resolution and restoration of services since the pandemic is ongoing and continues to affect operations. Nevertheless, IT leaders can use the crisis as an opportunity to begin building a culture of continuous improvement through regular monitoring of operations and fast-cycled process changes. As such, we suggest that IT leaders assess the following categories:

  • Remote Instruction
  • Digital Divide
  • Work at Home Support
  • Client Services
  • IT Talent Management
  • Core IT Functions
  • Cybersecurity
  • Campus Partnerships

Business Continuity and Disaster Recovery Revisited

In the wake of COVID-19, IT leaders should also place increased emphasis and scrutiny on redeveloped and reimagined BCDR plans. In particular, IT leaders should consider the following:

1. What are our immediate next steps for business continuity and disaster recovery planning?

Institutions are still trying to fully grasp how COVID-19 has and will continue to impact business operations. In this context, institutions should 1) conduct bi-monthly COVID-19 response assessments to understand IT’s operational strengths and deficiencies and 2) document the decisions and changes made to address those gaps, which can later be incorporated into the BCDR plan. This approach enables the agility institutions need to both navigate the medium-term, pro tem operating model as the crisis persists and develop an iterative mindset needed to respond to future disruptions. In the absence of a single grand plan, institutions should focus on resiliency and the ability to respond to change.

An agile, continuous improvement approach to COVID-19 BCDR:

*Changes can be assessed and incorporated into the BCDR plan at any point in the loop

No matter how developed the organization’s BCDR plan is, institutions need response assessments because IT leaders can only incorporate lessons learned from COVID-19 after a process of information gathering and analysis. This process is critical to understanding both the efficacy of the COVID-19 response and the sustainability of future operations in an uncertain climate.

IT leaders should continue to monitor required changes to services and technologies provided to campus and institutionalize these lessons learned to prepare themselves (and future IT leaders) to avoid making the same mistakes again. This means maintaining comprehensive documentation of changes to the IT organization’s investments and workflows, which will be vital to integrate into future BCDR plans. IT leaders can use existing project management tools to track decisions, workflow changes, and service or infrastructure adjustments due to COVID-19 or leverage industry templates, such as this toolkit by Vantage Technology Consulting Group. In particular, IT leaders should track the type and permanence of the change, decision owners and stakeholders, rationale, complexity and expected costs, follow-up action, and metrics for success.

2. When should we more thoroughly revisit our business continuity and disaster recovery plans to make necessary changes (or develop one entirely)?

Depending on institutional resources and expertise, BCDR plans often take one to three months of dedicated effort to develop. And while it is never too early to begin institutionalizing the lessons learned from response assessments in formal IT BCDR plans, a formal exercise is unlikely to take precedence over IT leaders’ competing priorities over the next few months. Therefore, set realistic and achievable goals to continue regular response assessments and revisit BCDR plans at least annually. Institutions should strive to keep updating BCDR plans piecemeal as they identify new areas to strengthen.

3. What changes should we consider making to our business continuity and disaster recovery plans at large?

This will depend largely on the results of the IT organization’s review of the immediate COVID response. Where did IT respond well? Where could IT have supported the institution quicker or more comprehensively? What short-term work arounds and stop-gap measures should be reviewed and potentially redesigned to ensure continuity long-term?

A recent poll of CIOs across various industries, however, points to the following areas as top-of-mind for future BCDR planning:

  • More comprehensive training capabilities for future crises
  • Perfecting seamless work from home capabilities (e.g., laptop provisioning, remote network access, etc.)
  • Ensuring mastery of collaboration tools is a required capability for all personnel (and in higher education, potentially students too)

Areas where higher education institution can specifically focus include:

  • Providing training to faculty on technologies required for online instruction
  • Ensuring access to online material for students lacking required technologies through policies and programs such as laptop loans
  • Building “shell courses” for all university classes in the LMS
  • Integrating business and academic units’ continuity plans

EAB asks you to accept cookies for authorization purposes, as well as to track usage data and for marketing purposes. To get more information about these cookies and the processing of your personal information, please see our Privacy Policy. Do you accept these cookies and the processing of your personal information involved?