From time to time, it’s instructive to look around and see what organisations are doing with business continuity. With business continuity management now an increasingly important part of good business practice, business schools are led to include this in their courses, and hopefully practise what they preach. A visit to the website of the London School of Economics shows that the LSE has defined plans and procedures in this area, although it also leaves one question open.
The LSE publishes its “Major Incident Initial Response Plan” (MIIRP) on its site. It’s a comprehensive document of 92 pages defining how personnel in the business school are to react in the event of any major incident affecting the campus or student residences. There’s also a companion document, the Major Incident Business Recovery Plan, and the response plan itself is “subject to regular testing”. The LSE has a director of business continuity and a business continuity steering group with published meeting notes referencing various parts of the IT infrastructure and mentioning different vendor or system names.
A business school is perhaps not a commercial enterprise in the sense of a manufacturing company, although competition between such schools often exists. Publishing this level of detail on its site might make sense for the LSE, but the open question is whether this would be a model for other organisations. In this age of security threats, notably non-technical but nonetheless effective social engineering, the more information is made available to the public at large, the more clues there are on how to infiltrate such an organisation.
Perhaps the thinking is that any information made available to staff or students will invariably become available to any determined outside agency, so why not publish it openly? And perhaps that explains why the last published notes for the business continuity steering committee date from over two years ago, with more recent meetings being kept more confidential?