Resilience and Crisis Management
Policy number: 11.3
Policy section: Risk Management
Revised Date: January 2, 2019
Definitions of capitalized terms are set forth in Appendix A.
2. Policy Statement
It is the policy of the University to prepare for and respond to those incidents that may have impact on the life safety, reputation, financial, operations, or asset risks of the University in a coordinated and effective manner.
This policy establishes a framework from which all coordination of pre-incident management, emergency response, and post-incident resumption and recovery will be effectively managed on behalf of the University. This policy sets forth a structure for the management of these events and the continuity of operations should an incident involve a significant disruption to the University.
The scope of this policy applies to faculty, staff, students, volunteers, contractors, and others who are identified as being in any operations and processes, whether temporary or permanent, domestic or international, that are instrumental to the University’s success in achieving effective resilience and crisis response. Identified potential hazards and perils will have pre-response plans prepared by the responsible office(s). Those persons involved in the planning are required to participate in all applicable exercises or training in order to achieve resilience for incident response. While incidents occur in varying degrees of severity and cause, the University will respond in a manner that incorporates best practices and techniques appropriate to a varying degree of severity and dynamic root cause.
Questions about this policy should be directed to the Office of Risk Management.
6. Authorities and Responsibilities
- The President, through the Board of Trustees, shall provide authority to the Vice President for Business and Finance through the Associate Vice President and Chief Risk Officer for the Office of Risk Management (“ORM”) to conduct pre-incident planning and emergency response preparations to effectively mitigate perils or hazards that may impact the University.
- The Higher Education Opportunity Act also provides guidance under 34 Code of Federal Regulations 668.46, Institutional Security Policy and Crime Statics, subsections (a), (b), (e), and (g). While subsections (a), (b), and (e) outline definitions, reporting, and timely warning, subsection (g) requires emergency response and evacuation procedures including disseminating information and testing these procedures. This portion of the Code is most commonly associated with Clery Act compliance but applies to overarching operations.
7. Pre-Incident Planning and Continuity of Operations Plans
- The resilience function is managed through the Incident Planning Committee (“IPC”) and provides a framework for pre-incident planning, recovery, and resumption of operations associated with potential threats or incidents.
- Identified departments and operations will provide and maintain a continuity of operations plan as designated through the IPC and participate in training and exercises as appropriate.
- Pre-incident planning is conducted by the IPC and led by the Executive Director of Emergency Management within ORM. This includes representatives from the Office of the Provost, ORM, SMU Police Department (“PD”), Office of Legal Affairs (“OLA”), Public Affairs (“PA”), Facilities, Office of Information Technology (“OIT”), Student Affairs, Athletics, Human Resources (“HR”), Faculty Senate, and others as appropriate.
- The IPC is responsible for the strategic planning, timelines, and training framework, which should include exercises of the University’s responsiveness to potential incidents.
- The IPC is responsible for identifying departments and operations that must maintain their continuity of operations plans and ensure that they are maintained on a regular basis.
- The IPC is responsible for identifying those potential hazards and perils that might pose an impact on life safety or operations; the IPC must be prepared to respond to unforeseen types of incidents to the best of the University’s ability.
- Departments identified as having academic, operational, or auxiliary functions requiring continuity of operations plans or emergency response plans in support of the University’s resilience shall be responsible for ensuring that their plans are updated and maintained on a regular basis with oversight from the IPC.
- The IPC has oversight responsibility to see that the integrated elements of our emergency response framework are working. These may include automated external defibrillators (“AED”) emergency notification systems, cameras, fire safety systems, lighting, lockdown systems, and third party vendor sources to ensure they are functionally effective in the event of a major incident or emergency whether domestic or international.
- The IPC is responsible for coordinating recovery and resumption plans as part of continuity of operations. The recovery plan is executed by the EOC and is designed to recover any lost operations as quickly as possible. Once the operations are recovered, the resumption plan is coordinated by the EOC, OLA or ORM and is the final step of the process that returns operations to normal.
8. Crisis Management and Emergency Operations Center
- The crisis management function provides a coordinated response to emergencies involving the use of resources from the University, federal level, state level, or local authority.
- The University has established an Emergency Operations Center (“EOC”) framework consistent with Department of Homeland Security National Incident Management System and the Texas Office of Emergency Management involving SMU emergency responders and local authority. Two key guidelines to be consulted:
- The National Response Framework
- Texas Statutes & Government Code, Chapters regarding emergency management and homeland security including: 418 and 421 respectively. (See links in definitions.
- The EOC function is managed through the ORM, Executive Director of Emergency Management, and Associate Vice President/Chief Risk Officer. Members include but are not limited to: PD, ORM, PA, OLA, HR, OIT, Student Affairs, Facilities, Office of the Provost, International Studies, Athletics, Student Health, and others as needed.
- The National Incident Management System (“NIMS”) defines the EOC functions. These include operations, logistics, planning, and finance. The EOC is responsible for identifying those who will act as leads for these functions and ensure that regular training and exercises are conducted for functional excellence.
- The EOC is responsible for identifying Department of Homeland Security (“DHS”) or other appropriate plans that are required to dovetail local authority response with SMU’s EOC. The EOC is also the interface with all federal, state, and local authority emergency service agencies.
- The EOC is activated as outlined in appropriate EOC documentation. The EOC will be activated as needed and deactivated in accordance with standard practices as outlined in the Texas Statutes & Government Code, 418 and 421 specifically.
- The EOC is the lead for all communications through PA as reviewed by PD, OLA, ORM, and others as needed and as time permits.
- The Executive Director of Emergency Operations is responsible for the emergency notification function with support from PA and OIT and will issue notifications as appropriate and test regularly to ensure functional operability.
- The EOC is responsible for strategically maintaining resources for EOC operations. The EOC is responsible for the emergency notification system with support from OIT and PA. The EOC is responsible for maintaining additional third party contracts and ensuring that they are maintained for disaster recovery, international security, emergency evacuation/repatriation, and medical treatment support and other resources as needed. SMU PD also maintains security contacts both domestically and internationally to support notification and response.
- ORM will maintain all documentation regarding EOC activity in a manner that is consistent with records retention as set forth by the University.
- Reporting of EOC activity will be maintained by ORM and provided to the Vice President for Business and Finance as appropriate. In addition, these records will be maintained in accordance with the “Support Antiterrorism by Fostering Effective Technology,” or the SAFETY Act. The SAFETY Act is supported through the U. S. Department of Homeland Security.
9. Claim Management
ORM and OLA will manage any and all claims resulting in incidents on behalf of the University utilizing expertise from the EOC, IPC, or other departments and entities that can help to facilitate risk mitigation for the loss.
10. Continuity of Operations Plans
- ORM will maintain all Continuity of Operations Plans (“COOP”) through the risk management information systems (RMIS) accessible to authorized persons in a shared manner or other means as deemed appropriate by the Vice President for Business and Finance.
- Reporting of continuity of operations planning will be maintained through ORM and shared with the IPC and Vice President for Business and Finance.
11. IPC and EOC Records
ORM will maintain records in accordance with University standards for all IPC and EOC activity.
Non-compliance or non-participation of any department or person identified as required to provide regular updates for continuity of operations or EOC training will be submitted to the Vice President for Business & Finance and subsequently managed through the Provost or the appropriate Vice President level.
Appendix A: Definitions
“CFR 668.46 subsections (a), (b), (e), and (g)” refers to subsections in the Code of Federal Regulations that provide definitions most known for Clery reporting and it also addresses emergency response. Subsection (a) provides definitions including campus, campus security authority and geography. Subsection (b) outlines reporting timelines and requirements. Subsection (e) outlines timely warning requirements. Subsection (g). requires the institution to include its emergency evacuation and response procedures.
“Continuity of Operations Plan (COOP)” refers to a plan that identifies the critical business impact analysis and appropriate workaround procedures to continue operations after an incident has disrupted normal operations. These workaround procedures will help keep the function running through the disruption, and mitigate further loss and impact to the University.
“Emergency Operations Center (EOC)” refers to the pre-identified team that will manage a critical incident on behalf of the University when a major incident occurs. This team manages with a subject matter expert, such as a department chair, who knows the situation well, yet applies the appropriate needs such as planning, operations, financial or communications consistent with each incident.
“Incident Planning Committee (IPC)” refers to the group of institutional leaders who provide long-term oversight for planning and response policy, procedures, and activities on a monthly basis for their areas. The Vice President for Business and Finance attends this with the Office of Risk Management and Emergency Response managing operations for the committee.
“Office of Risk Management (ORM)” refers to the department that reports to the Vice President for Business and Finance and oversees the Resilience and Crisis Management policy, Emergency Management, Continuity of Operations Planning, Fire Safety, and Environmental Health and Safety as well as the Risk Management function.
Revised: January 2, 2019
Adopted: October 3, 2016