2025 DRU Summit White Paper

 

2025 DRU National Summit

April 16-17, 2025
Findings and insights from a networking and educational event hosted by the Disaster Resilient Universities (DRU) Network and the University of Oregon.

Table of Contents

Executive Summary

Topic 1: The Role of Risk Assessments in the Campus Environment

Topic 2: The Challenges and Opportunities of Continuity Planning

Topic 3: The Science of Crisis Communications

Appendix: Zebrafish International Resource Center Case Study

Executive Summary

The DRU Network is an online platform for communication, coordination, and collaboration among more than 2,000 members representing approximately 800 institutions of higher education (IHEs).

Its goals are to:

  • Facilitate professional, peer-to-peer communication among members in order to help campuses mitigate, prepare for, respond to, operate during, and recover from natural disasters, acts of terrorism, or other crises or disasters.
  • Give post-secondary risk and safety administrators and practitioners ways to share research, studies, strategy documents, technical papers, process evaluations, and lessons learned.

On April 16-17, 2025 the 2025 National DRU Summit was held at the University of Oregon Portland campus. The goal of the summit is to further the DRU Network's mission and is a way for IHEs to acquire new tools, resources, and ideas for making their campuses more disaster resilient. The summit featured peer-to-peer discussions, networking, and presentations by higher education experts and thought leaders. The summit's 50+ participants also got an exclusive first look at the new DRU platform. 

The 2025 National DRU Summit covered three topical areas:

  1. The role of risk assessments in the campus environment.
  2. The challenges and opportunities of continuity planning.
  3. The science of crisis communications. 

Read the full agenda

Topic 1: The Role of Risk Assessments in the Campus Environment

Presenter: André Le Duc  
Disaster Resilient Universities Network Founder and Administrator
University of Oregon - Vice President and Chief Resilience Officer, Division of Safety and Risk Services

Risk assessments are processes that identify potential risks, analyze what could happen if the risks occur, and identify whether and how to mitigate or control those risks. Because institutions of higher education (IHEs) and other large organizations often cannot pivot quickly, risk assessments can provide a way to link, leverage, and align teams in order to have a better view of risk exposures on campus and to stay on the path of fulfilling the school's mission. 

Types of IHE Risk Assessments

Colleges and universities often perform and manage up to a dozen types of risk assessments: 

  • Physical security: Analyze the organization's tangible security measures to identify vulnerabilities and recommend improvements.
  • Cybersecurity: Identify vulnerabilities in IT systems and data, assess potential impacts of cyber threats, and inform mitigation strategies.
  • Financial: Analyze financial stability, including budgetary risks, funding sources, and financial controls.
  • Compliance: Ensure adherence to legal and regulatory requirements, such as FERPA, HIPAA, and Title IX.
  • Operational: Evaluate risks related to day-to-day operations, including facilities management, human resources, and supply chains.
  • Health and safety: Identify potential hazards to the health and safety of students, staff, and visitors, including emergency preparedness.
  • Academic: Assess risks to academic integrity and quality, including faculty recruitment, curriculum development, and student performance.
  • Environmental: Evaluate the impact of environmental factors, such as natural disasters and sustainability practices.
  • Reputational: Analyze risks that could damage the university's reputation, including media scrutiny and public perception.
  • Strategic: Review risks related to the university's strategic goals and long-term planning.
  • Research: Identify risks associated with research activities, including ethical considerations, funding, and intellectual property.
  • Student affairs: Evaluate risks related to student life, including mental health services, housing, and extracurricular activities. 

Why conduct risk assessments?

Risk assessments have several desired outcomes for IHEs: 

  • Reduced incidents: Fewer accidents, injuries, and near misses due to proactive risk management.
  • Improved safety: A safer environment for all stakeholders, including employees, students, and visitors.
  • Regulatory compliance: Adherence to legal and regulatory requirements, avoiding fines and legal issues.
  • Informed decisions: Better decision-making based on a clear understanding of risks and their potential impacts.
  • Resource efficiency: More efficient use of resources by focusing on the most significant risks.
  • Enhanced reputation: A positive reputation for the organization as a safe and responsible entity.
  • Continuous improvement: Ongoing improvement in risk management practices, controls, and mitigation through regular assessments and updates.

Questions to ask about your university's risk assessment process

Threat assessments, hazard vulnerability assessments, and risk assessments in a university environment are critical processes for identifying potential dangers and preparing for them. Risk and hazard assessments are crucial to protecting the university's mission, prioritizing mitigation efforts, and enhancing safety, preparedness, and resilience. The following questions can help you understand who is doing what regarding risk assessments on campus and can help start a dialog on how to better communicate, coordinate, and collaborate with the various groups on campus in conducting and maintaining risk and hazard assessments for your university or college. 

General Questions

Who is responsible for conducting risk assessments?

  • Which departments or individuals are tasked with this responsibility?
  • How are these roles and responsibilities communicated across the university?

What is the scope of the risk assessments?

  • Are all areas of the university, including academic, administrative, and operational sectors, covered?
  • How are emerging risks identified and included in the assessments?

Process and Methodology

What methodologies are used for risk assessment?

  • Are standardized frameworks or models being used (e.g. COSO, ISO 31000, NIST)?
  • How are these methodologies tailored to fit the university's unique environment?

How are risks prioritized?

  • What criteria are used to determine the severity and likelihood of risks?
  • How is the prioritization process documented and communicated?

How often are risk assessments conducted?

  • Is there a regular schedule for assessments or are they conducted on an ad-hoc basis?
  • How are the results of these assessments reviewed and updated?

Integration and Utilization

How are risk assessment results integrated into decision-making?

  • Are the findings used to inform strategic planning and resource allocation?
  • How do risk assessments influence policy development and operational procedures?

What is the role of leadership in the risk management process?

  • How involved are senior leaders in reviewing and responding to risk assessments?
  • What mechanisms are in place for leadership to provide oversight and guidance?

Communication and Reporting

How are risk assessment findings communicated?

  • What channels are used to report risks to various stakeholders (e.g., board of trustees, administration leadership, faculty, staff)?
  • How is transparency maintained in the communication process?

What metrics are used to track risk management performance?

  • Are there key risk indicators (KRIs) or other metrics in place to monitor risk levels?
  • How are these metrics reviewed and acted upon?

Continuous Improvement

How is the effectiveness of the risk management process evaluated?

  • Are there regular audits or reviews of the risk management framework?
  • How are lessons learned from past incidents incorporated into future assessments?

What training and resources are provided to support risk management?

  • Are staff and faculty given adequate training on risk management practices?
  • What resources (e.g., tools, software) are available to support the risk assessment process?

Understanding and documenting risk appetites

Risk managers at IHEs are often tasked with ensuring the IHE leaders understand the institution's risk calculations and trade-offs, including the financial implications of those trade-offs. Many IHEs may find it appealing to spend $1 now to receive $10 later. Risk managers often find it harder to convince IHEs to spend $1 now to avoid spending $10 later. 

Accordingly, effective risk assessments include understanding and documenting risk appetite. This documentation, called a risk appetite statement, describes the IHE's overall attitude toward risk (i.e., open, averse, neutral) and reflects its strategic objectives, operating environment, risk capacity, risk management capabilities, and expected returns from taking risk. Risk appetite statements help IHEs establish specific risk-tolerance levels for different risks or risk categories to ensure that they apply appropriate levels of risk management in their day-to-day operations. 

Risk appetite statements typically address the following:

  • The IHE's appetite for risks that support the IHE's mission, can be managed, and have a financial return.
  • The IHE's appetite for risks that could create intolerable damage or harm to people, culture, reputation, facilities, financial viability, or legal ability to operate.
  • The IHE's appetite for risks that it cannot effectively or efficiently mitigate or manage.
  • The IHE's appetite for risks that create unsustainable losses or unsustainable negative consequences if they materialize. 

Calculating Risk 

IHEs can calculate inherent risk (the amount of risk that exists in the absence of controls or mitigation) by multiplying the likelihood of the risk materializing in the next five years by a numerical rating of the risk's consequence (insignificant, minor, moderate, major, critical). IHEs can calculate inherent risk across various areas (physical health and safety, culture, compliance/legal, reputation, strategic, financial, operations). 

Inherent Risk = Consequence x Likelihood

IHEs can calculate residual risk (the amount of risk that remains after applying mitigation and controls to the risk) by multiplying the inherent risk by the mitigation effectiveness (the percentage reduction in the likelihood of the risk). 

Residual Risk = Inherent Risk x Mitigation Effectiveness

Back to Top

Topic 2: The Challenges and Opportunities of Continuity Planning

Presenters:

  • Krista Dillon  
    University of Oregon - Chief of Staff and Senior Director of Operations, Division of Safety and Risk Services
  • Amina Assefa 
    University of California - Director of Emergency Management and Business Continuity, Office of the President

In this session, presenters from two major public IHEs described the evolution of their continuity programs, as well as the successes and challenges of continuity programs. 

Continuity programs help IHEs provide essential services and functions before, during, and after an event that disrupts normal operations. Specifically, these programs typically plan for how the IHE will continue and maintain things such as critical teaching functions, necessary campus services, research, visible leadership, emergency services, safety and security, financial stability, infrastructure, reputation, relationships with stakeholders, and patient care. Continuity plans improve an IHE's ability to recover from business interruptions and are a critical component to effective emergency response. 

University of Oregon
Oregon Ready is the University of Oregon's tool for building department-specific business continuity plans and providing guidance to identify key staff and resources. The University of Oregon's separate academic continuity policy guides planning and decision-making so that academic activities continue in the event of a significant disruption to campus operations. The Office of the Provost, Division of Safety and Risk Services, Academic Council, and University Senate manage the academic continuity policy, which is activated if the university president declares a state of emergency. 
University of California
Through its UC Ready software tool, the University of California develops continuity plans for the institution as a whole and for individual departments. These plans contain information and strategies needed during the recovery process, and recommendations for advance preparations. Additionally, the UC Ready IT Disaster Recovery (ITDR) program prepares strategies and procedures for recovering vital information systems, records, and other data following any IT disruption. 

Continuity Program Challenges and How to Tackle Them

Continuity programs are complex endeavors that can present many challenges to IHEs in their construction and application. During a breakout session, participants described the challenges listed below and exchanged ideas for overcoming them. 

Challenge: Poor understanding or buy-in

IHEs often struggle to get departments to prepare continuity plans or engage with the planning process. They can also face skepticism or resistance from leadership teams. Participants noted several related issues such as:

  • Difficulty measuring the return on investment in continuity planning.
  • Lack of understanding among IHE leaders regarding what continuity planning is or why it is important, resulting in fewer resources for continuity planning.
  • Confusing continuity planning with emergency response.
  • No directives or requirements from leadership to engage with continuity planning, or no enforcement of existing policies to engage with continuity planning. 

Some participants have successfully tackled some of these challenges, and they shared tactics including:

  • Asking the provost to communicate continuity planning requirements directly to deans, including sending follow-up emails.
  • Incorporating continuity planning into the annual performance review process for department heads and other personnel as needed.
  • Prorating insurance premiums to departments based on their insurance utilization and developing systems for reducing department insurance charges if the department engages with continuity planning as desired.
  • Collecting data about insurance claims costs, lost hours of class time, lost grant dollars, and similar expenses for every incident that occurs at the IHE so that continuity planners can develop data-based assessments of the cost savings from continuity planning.
  • Tracking or obtaining access to data about deferred maintenance to measure the portion of repair costs and insurance claims attributable to unmaintained assets.  
The culture is not tracking with the policies, and leadership needs to enforce the policies.
Heard in the session
Challenge: Too much focus on documentation
Although IHEs must be sure to document their continuity plans thoroughly, too much emphasis on the mechanics of documentation can inadvertently divert attention away from continuity planning's intended goal, which is to establish processes for providing essential services and functions before, during, and after an event that disrupts normal operations. 
Challenge: Too much focus on specific scenarios
Continuity planners must focus the conversation on what happens when the team's people, facilities, or assets are unavailable for any reason. This helps frame the work around how to move forward rather than on the emergency response. 
Challenge: Not enough focus on enterprise-level planning
Continuity planners might spend so much time managing the coordination of department-level plans that there's little time or budget remaining to develop organization-wide continuity plans. Continuity planning leads must be sure to incorporate enterprise-level planning into their work roadmaps. 
Challenge: Lack of personnel or resources
IHEs may experience high turnover in the continuity planner position or have no dedicated job role for this work. Both situations tend to delay and diminish continuity planning efforts. IHEs that want adequate continuity plans must be willing to devote resources to creating them. Ensuring that continuity planners are not also engaged in response matters can help delineate this work more clearly. 
Challenge: Overly complicated information gathering
Creating a department-level continuity plan typically requires continuity planners to gather a lot of information about the department. However, asking people to answer 75 questions for each of about 20 essential functions isn't sustainable. Participants said information gathering must be streamlined and automated where possible, and IHEs may want to create their own information-gathering tools from off-the-shelf options such as Google Forms, Smartsheet, and even AI rather than purchasing custom software and tools. 
Presenting continuity plans to large room of Summit attendees.

Back to Top

Topic 3: The Science of Crisis Communications

Presenter: Dr. Ellen Peters 
University of Oregon - Director, Center for Science Communication Research and Philip H. Knight Chair and Professor

Having people make good choices around risk and managing risk involves more than giving them the right information. Effective risk communication is a strategic process. To be successful, it is important to understand communication barriers. Using simple, clear messages, repeated often by a variety of trusted and caring messengers can make the desired behavior easy, beneficial, and popular. 

This session outlined barriers that IHEs face when communicating about risk. Here are 10 techniques they can use to overcome those barriers. 

Barriers to effective communication and critical information

  1. Systemic barriers. These are difficulties communicating due to insufficient, uncertain, and changing information.
  2. Overestimation of what the audience knows. Often this occurs when people use their own knowledge to estimate that of others and then insufficiently adjust for those who lack the same specialized knowledge.
  3. Ineffectiveness. Communicators may believe they are communicating well and think they're more effective than they are.
  4. Presentation of risk. How information is presented may matter as much as what is presented. Accordingly, communicating the benefits of an action may decrease the negative perceptions of a risk, but communicating the risks of an action may reduce the positive perceptions of the benefits. 

Ways to overcome barriers to effective risk communication

  1. Identify communication goals and then strategically present information. If the communicator doesn't set a goal for the communication, they may simply present all the information and inadvertently leave the audience to decide what information is relevant.
  2. Communicate about risks and benefits so that they feel closer to people's lives. For example, it may be more effective to communicate how climate action benefits the audience's health rather than the environment.
  3. Communication needs to come from trusted sources. Trusted sources make the message more persuasive and more likely to prompt action. However, who is "trusted" depends on who you ask, and who is trusted can change.
  4. Leverage social networks. This is key to shaping who is influenced and how they are influenced.
  5. Establish and maintain social norms. People tend to underestimate how the bandwagon effect influences their decisions.
  6. Use visual images and narratives. They can bridge the gap between information and understanding. Advising people what not to do is important but showing them why they shouldn't do it can be more effective.
  7. Present key statistics to drive risk understanding. It can show your expertise as well.
  8. Identify and reduce barriers to behaviors. Lack of strength, lack of resources, or similar matters can stand in the way of taking action.
  9. Always furnish solutions. Include a call to action.
  10. Test your success or lack thereof. Don't trust the gut all the time. 

What the participants said

DRU Summit participants gathered for breakout discussions about several topics affecting their crisis communications plans. Two topics stood out: challenges in crisis communications and the frequency of crisis communications drills. 

Frequent Challenges

  • Often limited for various reasons in what they can say in their crisis communications.
  • Having to address and/or respond to fake messages, incorrect messages, or messages from external sources during a crisis. To manage misinformation some IHEs have designated parties monitor social media or create central websites with all information related to the event.
  • Limited communications staff. Some IHEs only have one communications person on staff or one person who is authorized to send messages.
  • High turnover on their teams creates a constant need for retraining and relationship building.
  • A lack of trust culture.
  • Determining the right message-delivery method (e.g. email, phone, or text). 

Drill Frequency

A relatively small cohort of participants discussed this topic. Several noted their IHEs do either full or tabletop crisis communications exercises one to four times per year. Some participants also noted that they test their alert systems monthly, weekly, or even daily. 

Back to Top

Appendix: University of Oregon Zebrafish International Resource Center Case Study

Presenters: 

  • April Freeman 
    University of Oregon - Facility Manager, Zebrafish International Resource Center
  • Zoltan Varga
    University of Oregon - Director, Zebrafish International Resource Center

Background

The Zebrafish International Resource Center (ZIRC) is a central genetic repository of zebrafish lines supporting biomedical research in the US and abroad. 

Close up of zebrafish swimming in a tank

Zebrafish and humans share much of their genetic makeup - approximately 85% of human disease-associated genes are present and function similarly in zebrafish and humans. Zebrafish eggs are completely transparent for 24 to 48 hours, enabling researchers to watch every cell divide and visualize what happens when a gene causes an issue. These features allow researchers to readily translate their findings to humans. 

The National Institutes of Health (NIH) has designated ZIRC as a national biomedical models resource center and supplies all funding for ZIRC. ZIRC contains over 46,000 mutations in its library to distribute to other researchers around the world, and its genetic samples go back to the mid-1990s. The freezers contain samples representing millions of dollars' worth of research investment. Preservation of these samples is important because many of ZIRC's genetic lines are one of a kind, may not be recoverable if lost, and could be the source of cures for human diseases and conditions. 

ZIRC leaders/staff worked with the Emergency Management and Continuity team to develop a continuity plan. 

The Event

On the morning of May 31, 2014, an electrical fire occurred in the quarantine room of the ZIRC building. The building was 10,000 square feet and contained 4,100 one-gallon tanks, 250 20-gallon tanks, and 12 liquid nitrogen freezers with about 350,000 samples. The office area of the building became uninhabitable, because the HVAC system functioned after the fire began, and the ventilation system distributed soot and ash throughout the building. The building, constructed in 2000, did not have a sprinkler system. 

The Response

Firefighters had to open a four-foot hole in the roof to extinguish the fire. Once extinguished, firefighters checked the entire building for safety before clearing it for staff access. ZIRC's continuity plan was put in motion. The insurer was contacted, as was the ZIRC staff, the facilities team, and a professional cleaning team. 

Staff members arrived and began transferring fish in shipping bags. Almost all of ZIRC's fish survived the fire, however three fish lines perished in the quarantine room (approximately 30 fish) and had to be re-imported from the submitting laboratories. The staff also evaluated water chemistry and cleanliness and collected sperm samples from each of the quarantine room fish for cryopreservation the following day. 

ZIRC had to temporarily halt business operations, incurring four months of revenue losses. Operations out of the fish room resumed in phases and ZIRC used temporary alternate workspaces until the offices were renovated. Full recovery took 10 months. 

After Action 

The ZIRC fire prompted several important additions and changes to its mitigation, response, and continuity plans. 

Mitigation

  • Workers perform a full walkthrough of the building each night.
  • ZIRC created a list of pre- and post-event action items to improve future safety preparedness and mitigation efforts.
  • ZIRC distributed print and PDF copies of its emergency management and continuity plans.
  • ZIRC keeps space designations and chemical inventories updated so that staff, responders, and facilities personnel know what is where.
  • The team reviewed and revised other safety plans (personnel safety, biosafety, lab safety, building safety).
  • Several ZIRC team members are trained to provide first aid. 

Response

  • The organization stores physical keys with campus public safety.
  • ZIRC has a building-specific hookup for an emergency generator.
  • It has identified what's most critical to power with the generator (e.g., freezers or water filtration pumps).
  • ZIRC sends duplicates of sperm samples once per year to the National Laboratory for Genetic Resources Preservation (USDA, ARS) to create an additional off-site backup of the genetic samples in case they are lost at ZIRC.
  • The team cross-trains the staff on how to feed and care for fish in case only one or a few people can be in the building at a time.
  • ZIRC keeps more husbandry supplies on hand in case suppliers cannot provide food, chemicals, or animal facility consumables.
  • The organization logs all chemical inventory in the UO Environmental Health and Safety Department database and makes sure staff can log in and see it, and that the information can be communicated with first responders such as firefighters.
  • The team has established scalable life-support strategies to prioritize fish maintenance in an emergency.