
COMCARE BUSINESS CONTINUITY MANAGEMENT


2 UNCLASSIFIED

Title: Business Continuity Management
Version: 2.1
Authorised by: Executive Committee
Effective date: 10/7/2012
Authorisation date: 10/7/2012

COMCARE BUSINESS CONTINUITY MANAGEMENT

DOCUMENT OWNER & CONTACT

Name:
Role: Director Property
Phone:
Review Date: June 2013
Email:

CHANGE HISTORY

Version | Date | Comments | Author(s)
2.0 | 29 August 2011 | BCM Refresh Project |
2.1 | 21 June 2012 | Update after BCM test and review |

DOCUMENT LOCATION

TRIM File: 2011/6071
TRIM Reference: DOC1430732
File Name: Comcare Business Continuity Management

DOCUMENT LISTING

• Business Continuity Management Policy
• Business Continuity Management Framework
• Business Continuity Management Crisis Management Plan
• Business Continuity Management Business Impact Analysis (BIA)
• Appendix A – Crisis Management Team Checklist
• Appendix B – Crisis Management Contact List
• Appendix C – Business Contingency Plans

s47f s47f


BUSINESS CONTINUITY MANAGEMENT POLICY

1. OVERVIEW

Comcare identifies Business Continuity Management (BCM) as a key management component and essential to the long-term survival of the organisation. The continued provision of key services to Comcare clients and the provision of support functions to the business form the basis of Comcare’s Business Continuity Management framework.

2. SCOPE

This policy applies to all client and internal services and supporting infrastructure provided and/or maintained by Comcare.

3. POLICY

3.1 Comcare shall develop, implement, manage and maintain an approved Business Continuity Management (BCM) framework to ensure that critical processes are maintained at an acceptable level even during a major disruption to normal operations.

3.2 The BCM Framework shall be reviewed annually to verify it meets the organisation's documented BCM needs.

3.3 A training and testing program shall be developed and exercised annually in support of the BCM Framework to ensure that staff are aware and capable should circumstances arise.

3.4 Documented evidence shall be maintained, for audit purposes, relating to the implementation and performance of this policy and supporting procedures and all related work instructions.

4. DOCUMENTATION

Implementation of this Policy will be through a documented Business Continuity Management Framework.

5. DEFINITIONS


6. RELATED POLICIES

• Comcare IT Security Policy, Section 12. Contingency Planning
• CEO Guidelines

7. RELATED DOCUMENTS

• AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements
• HB 221:2004 Standards Australia/Standards New Zealand Business Continuity Management Handbook.


BUSINESS CONTINUITY MANAGEMENT FRAMEWORK

1. OVERVIEW

The Business Continuity Management Framework outlines Comcare’s approach to ensuring continuity of critical business processes following a potential crisis incident.

1.1 BCM Framework

[Figure: BCM Framework. Diagram labels: Determine Requirements; Continuity Management; Recovery Management; Educate and Communicate; Develop BCM Policy; Business Impact Analysis; Develop Crisis Management Plan; Develop Contingency Plans; Develop Disaster Recovery Plans; Develop Disaster Recovery Strategy; Test and Train.]

2. OBJECTIVES

Comcare’s BCM Policy is that critical services shall be maintained at an acceptable level even during an event which causes a major disruption to normal operations. To this end Comcare’s BCM:

• Ensures that all significant risks to business continuity are identified, assessed and, where necessary, treated in a consistent and practiced manner (through Business Continuity Plans and training) and reported to management.
• Assigns responsibility to all staff for the management of business continuity within their areas of control and provides adequate training and testing to build capability.

3. SCOPE

Comcare’s BCM framework shall operate for:

• all identified risks to Comcare’s critical processes
• unforeseen events that have the potential to disrupt Comcare’s critical business processes.

4. BCM METHODOLOGY

Comcare’s BCM framework has been closely aligned with Standards Australia’s Handbook HB221:2004 and the companion publication HB 292:2006 A Practitioners Guide to Business Continuity Management.

BCM objectives have been identified to ensure that Comcare critical business processes continue to be met even under conditions of major disruption to facilities or staff resources. These critical business processes and agreed timeframes for activation of contingency plans and recovery are documented in the Business Impact Analysis.

The Crisis Management Plan must be adaptable to unforeseen events and still ensure continuity of an acceptable level of service for a predetermined length of time, within which critical business service systems must be returned to normal operation, defined as a ‘Recovery Time Objective’ (RTO).

For each critical service a Contingency Plan must be developed and maintained.

The Crisis Management Team ensures that Business Contingency Plans (BCPs) relevant to the service disruption are deployed and that all stakeholders are appropriately advised.

4.1 Roles and Responsibilities

Key roles and responsibilities during internal and external crisis situations are described in detail within the Crisis Management Plan. This section details the responsibilities for the development, maintenance and improvement of Comcare’s BCM Framework.

4.1.1 Crisis Management Executive

• Manage Business Continuity as a component of corporate risk mitigation via the audit Management Committee.
• Establish and review departmental BCM context for the organisation

4.1.2 Crisis Management Team (CMT)

• Provide expert input to BCM development and maintenance.

4.1.3 General Managers

• Champion BCM within their Group
• Endorse critical business processes requiring BCPs
• Ensure preparedness of their BCPs

4.1.4 Business Contingency Plan Team Leaders

• Identify critical business processes requiring BCPs
• Prepare and maintain BCPs
• Champion BCM training, testing and BCP improvements
• Conduct team BCP training, testing and improvements

4.1.5 Technology Recovery Team

• Understand BCPs and ensure resulting return to operation (RTO) objectives are achieved.
• Maintain DR preparations and readiness

4.2 Training and awareness

On an annual basis:

• All employees will receive information explaining the BCM framework.
• Identified BCM roles will receive training relevant to their role

4.3 Testing and exercising

An annual program of testing and exercising will be developed and implemented.

4.4 Review and update

On an annual basis:

• the Business Continuity Framework will be reviewed and updated.
• the Business Impact Analysis will be revalidated.

BCM documentation will be maintained by the Property Team.

5. REFERENCES

1. Comcare IT Security Policy, Section 12. Contingency Planning
2. BCM Policy (Trim ref 2011/6071)
3. Commonwealth Protective Security Policy Framework
4. Australian Communications Security Instruction (ACSI) 33 September 2007
5. HB 221:2004 - Standards Australia/Standards New Zealand Business Continuity


BUSINESS CONTINUITY MANAGEMENT CRISIS MANAGEMENT PLAN

1. OVERVIEW

This Plan provides guidance for dealing with a crisis in Comcare, using an incident management approach which caters for both internal and external sourced operational failures, using a consistent and simple approach.

The basic components required for successful Incident Management include:

• A clear understanding of the incident, whether internally sourced (e.g. office fire, IT failure) or externally sourced (e.g. pandemic, bushfire) and its impact on Comcare’s key business processes.
• A Crisis Management Team (CMT), made up of representatives from those areas of Comcare’s organisation impacted by the incident.
• A guiding framework from which to make decisions.
• Support personnel who can be relied upon to implement CMT decisions and who will provide accurate and timely feedback.

1.1 Crisis Management

In managing a crisis the primary objective is to maintain critical business processes as near to normal operation as practical so that the crisis does not disrupt essential business delivery. This puts a clear focus on:

• The security and wellbeing of all Comcare personnel as the overriding priority.
• The ability to regulate the jurisdiction, in particular the ability to receive WHS incident notifications and conduct investigations.
• The provision of benefits to injured workers, in particular for employees of client agencies who would suffer hardship should regular payments be delayed.
• Restoration of key and operational services on a prioritised and managed basis.

This document details the high level structures and procedures that are in place to successfully manage and resolve a significant disruption to business.

The associated Business Continuity Plans (BCPs) provide the details necessary to mitigate any specific Business Continuity risks.

2. CRISIS MANAGEMENT TEAM

2.1 Overview

Comcare’s CMT structure is as follows:

• Crisis Manager (DCEO)
• Deputy Crisis Manager (COO)
• Business Continuity Manager (Director, Property)
• CMT Member (GM Recovery and Support Services)
• CMT Member (GM Regulatory Services)
• Corporate Communications (Director, Communications and Knowledge)
• CMT Scribe/Admin Support (Executive Services)

The CMT should manage the crisis in line with the crisis management section of this plan. Other resources shall be seconded as deemed necessary to resolve the crisis and achieve an efficient return to normal operation.

The Crisis Management Contact List is at DOC 1073580.

All CMT personnel, and alternative personnel, for all key roles should be trained prior to crisis management involvement if possible.

2.2 Roles and responsibilities

2.2.1 Crisis Management Team

The CMT is formed when the Crisis Executive and Crisis Management Team members come together. The Crisis Executive is formed by the Crisis Manager and Deputy Crisis Manager.

2.2.2 Crisis Manager

The Crisis Manager is usually the Deputy CEO. The Crisis Manager is responsible for the initial declaration of a crisis, the planning, initiation and monitoring of all activities associated with the successful management and resolution of the crisis, and for deciding when the crisis is over and the reinstatement of normal operational conditions.

The Crisis Manager is part of the Crisis Executive and should have an extensive knowledge and understanding of:

• Comcare’s BCM Methodology
• emergency management principles in general
• Comcare’s business objectives and responsibilities, structure and operational processes.

• the Minister, as appropriate.

The Crisis Manager is also responsible for ensuring that clear and documented decisions are made and communicated to all members of the CMT.

In the event that the designated Crisis Manager is not available the Deputy Crisis Manager will assume the Crisis Manager’s role.

2.2.3 Deputy Crisis Manager

The Deputy Crisis Manager is usually the Chief Operating Officer unless a Group GM is appointed by the Crisis Manager. The Deputy Crisis Manager is part of the Crisis Executive, and should have extensive knowledge of:

• Comcare’s BCM Methodology
• emergency management principles in general
• Comcare’s business objectives and responsibilities, structure and operational processes.

The Deputy Crisis Manager is responsible for the overall management of communications within crisis management, and shall endeavour to:

• support and assist the Crisis Manager as directed
• assist with the selection of the Crisis Control members
• establish crisis operational procedures and co-ordinate the activities of the Crisis Control
• monitor the activities of the Crisis Control to ensure that all key activities and stakeholders are addressed
• report to the Crisis Manager as directed/required.

2.2.4 Crisis Management Team

The CMT is appointed at the time of the crisis and usually consists of the General Managers of Regulatory Services and Recovery and Support Services, and the Director of Property and the Director Knowledge & Communications. The Crisis Executive will identify the most appropriate additional personnel to form the CMT. CMT representatives shall have an extensive knowledge of:

• Comcare’s BCM Methodology
• emergency management principles in general
• their Group Contingency Plan(s).

The role of CMT members includes:

• Managing the implementation of the Group Contingency Plans.
• Co-ordination of cross Group activities.
• Reporting progress to the CMT Executive.
• Appointing a communication Coordinator to liaise with the Community Engagement Team to provide regular updated information and assist in the flow of information.
• Ensuring clear and precise information, timeframes and outcomes are communicated to the Crisis Manager and the Deputy Crisis Manager to facilitate accurate decisions.

2.2.5 Business Continuity Teams (BCT)

The Business Continuity Team consists of members from Groups who have operational responsibilities for the activities addressed by the Groups’ contingency plans.

The Business Continuity Team shall be well defined and trained wherever possible prior to a service disruption incident. Teams must include a primary and a secondary contact for all key areas of responsibility.

The BCTs have primary responsibility for:

• ensuring the effective implementation of Business Continuity Plans to ensure delivery of identified processes at pre agreed levels following the incident
• ensuring their BCT member is kept informed of progress and operational issues
• ensuring that procedures in the Business Continuity Plans capture an appropriate level of information to enable backlog processing and a smooth transition back to normal operation.
• assisting in the physical and electronic restoration of key systems.

2.2.6 Crisis Management Scribe

The Scribe is drawn from the Executive Services Team or other available resource. This is a non-participatory role; the position tracks and records events, decisions and processes that occur during the crisis.

The CMS has primary responsibility for:

• capturing the event and consequences of the crisis in a chronological order
• recording management decisions and the reasoning behind them
• capturing and recording the minutes of CMT level meetings
• maintaining agendas and action list in association with CMT meetings.

2.2.7 Chief Executive Officer (CEO)

The role of the CEO during the crisis will primarily be one of communication with key stakeholders.

While not directly involved in the operational aspects of the response, the CEO is to provide liaison with high level stakeholders including Minister’s office, key

In addition to the communication aspects, the CEO is also in a unique position to provide advice on processes and systems, as the role is not directly involved in the operational aspects. This role would be highly important during a prolonged crisis.

3. CRISIS MANAGEMENT

A crisis is an event that has a direct impact on Comcare’s ability to carry out its critical business activities, irrespective of the physical location or direct impact of the crisis. Often, a crisis will require Comcare immediately to follow the guidance of the relevant authority responsible for management of the crisis. This could include emergency services personnel, health authorities & State, Territory or Federal Government agencies.

Once all immediate threats have been neutralised and staff accounted for, the focus will need to quickly move towards “What do we need to do to continue doing business?” This is not only the provision of essential critical business services but also how to recover from the crisis and clean up afterwards.

In the event of a crisis Comcare will need to respond in an appropriate and timely manner. There are three basic phases that will be applicable to the management of any crisis.

1. Evaluation and planning phase: Emergency Management
2. Plan implementation and coordination phase: Continuity/Recovery Management
3. Situation recovery and closedown phase: Recovery Management

3.1 Evaluation and Planning

The evaluation and planning phase attempts to achieve four primary goals.

• Establish an appropriate Crisis Management Team and where the team will form.
• Analysis of the crisis and the full range of impacts on Comcare’s people and critical business processes and personnel.
• Development of appropriate Business Continuity Plans, or development of an action plan to deal with the more specific incident.
• Development of communications plans to ensure that effective reporting to the appropriate personnel and organisations occurs.

3.1.1 Establish a CMT

The establishment of the Crisis Management Team occurs in two phases:

• The CMT Executive meets and assesses the incident and determines if it qualifies as a ‘crisis’ incident by referring to the MAO triggers in the Business Impact Analysis as a guide#. The CMT Executive will also identify the
• Assembly of the Crisis Management Team. The CMT Executive shall brief the CMT on their initial analysis of the crisis and establish all impact/s prior to the development of an Action Plan (which should, as far as possible, utilise existing BCPs).

At this point it is essential to appoint the Crisis Management Scribe (CMS) and to ensure that those responsible for the Crisis Communications Plan are included in the CMT.

# (Trim ref 2011/6071)

3.1.2 Analyse the Crisis

The analysis process attempts to clearly identify:

• The full impacts of the crisis on Comcare, critical business processes, and identify events that may cause an escalation of the crisis.
• Identify any critical business service MAO triggers reached and implement those BCPs#.
• Identify the most appropriate personnel to form the CMT and ensure their presence for the implementation of relevant BCPs*, or the development, communication and implementation of a more specific Action Plan for an unforeseen event.

# * Comcare has established a prioritised list of critical business processes and business continuity plans for those processes. (Trim ref 2011/6071).

3.1.3 Prepare the Action Plan

The development of the crisis specific Action Plan involves the following:

• Detailed and ongoing analysis of the crisis and its impacts.
• Prioritise the recovery tasks and responsibilities.
• Identify and allocate the appropriate resources.
• Prepare CMT and BCTs for the implementation phase.

3.1.4 Communication Plan

Communications plans should address:

• CMT Reporting/Update and an ongoing schedule of situational reports.
• Internal notifications – including staff and contractors, interstate Offices.
• External communications - including Client Agencies, Service Providers, Support Organisations, Claimants and the public.

All communications will need to be approved by the CMT Executive and should include appropriate detail for the intended audience; communications shall generally include the following detail:

• what is being done to fix it
• the anticipated impact the crisis will have on services
• any temporary arrangements that have or are being put in place
• the expected time till resumption of normal services.

3.2 Implementation and Coordination

The aim of this phase is to effectively manage the deployment of the Business Continuity Plans or the Specific Action Plan to ensure an appropriate, timely and flexible implementation of the planned actions. This phase involves:

• implementing the Action Plan, including appropriate Business Continuity Plans
• monitoring the crisis, ensuring all stakeholders' needs are addressed appropriately
• monitoring and adjusting the Action Plan to meet changing circumstances
• ongoing implementation of the communications plans for both internal and external stakeholders including Comcare management and personnel, client agencies and support services.

3.2.1 Implementing the BCPs or Action Plan

Once the BCPs or Action Plan has been agreed, including the appropriate prioritisation and coordination of activities as detailed in the selected Contingency Plans, implementation may commence.

This phase involves:

• authorising the implementation of the selected Business Continuity Plans
• commencement of Business Continuity Plan operations
• providing timely reports on progress to the CMT as per each Business Continuity Plan’s communications plan.

3.2.2 Monitor and Adjust

All crises and their associated recoveries are dynamic events. Delays occur, situations change and the Crisis Management Team need to remain informed, constantly monitoring the situation and responding appropriately to change. This phase primarily revolves around the following activities:

The Business Continuity Team report back to the Crisis Management Team, who:

• review progress holistically

3.2.3 Ongoing Communications

During the implementation phase communication is vital to the recovery process. The following communication activities should be regularly carried out:

• CMT Meetings - Ideally morning and night, although to be held more frequently if required
• BCT meetings - Ideally following the CMT meetings

Progress reporting by the:

• BCT to CMT
• CMT to the CMT Executive
• CMT Executive to Staff and stakeholders

Additional external communications will also be required as alternate services become available – that is, new premises, contact numbers, mailing addresses, reception, etc.

3.2.4 Capturing Information

During a crisis it is important to accurately capture and document all events which occur, including those from the individual sections, as this will aid the recovery and closedown.

To facilitate this process each section will be provided with a Workbook - Record of Key Decisions (Trim ref 2011/6071), including:

• Key decisions or actions which happen inside of the section.
• Requests for services or support.
• The tracking of tasks.
• The tracking of sectional resources.

Accurate information may also be required in the event of Comcare wanting to claim under insurance for any financial losses caused by the crisis.

3.3 Recovery and Closedown

Finally, once the crisis has been mitigated, there are several steps that need to be performed before Comcare’s operations can finally be returned to normal including:

• Testing of any systems that underwent recovery processing; including access control, data and system integrity, operational procedure.
• Backlog processing, physical record storage, resumption of normal roles and responsibilities.
• Debriefing sessions for personnel involved in crisis management tasks, at any level, including Lessons Learnt sessions, documentation review, process capture, update of the Threat Risk Analysis (TRA) etc.

• BCM Plan
• Business Continuity Plans or Specific Action Plan
• Disaster Recovery Plans and
• Procedures – (i.e. Build & Test, Record Management, Security, etc).

4. DEFINITIONS

Term | Definition
CEO | Chief Executive Officer
BCM | Business Continuity Management
BCP | Business Continuity Plan
BCT | Business Continuity Team
CMP | Crisis Management Plan
CMT | Crisis Management Team
Crisis | An adverse event of sufficient magnitude to have a significant impact on Comcare at the organisational level.
GM | General Manager
Incident | Any event which impacts on Comcare’s objectives with the potential to escalate to crisis levels

5. REFERENCES

8. Business Continuity Threat and Risk Assessment, V1.0, Dated: August 2004.
9. Protective Security Policy Framework July 2012
10. Contingency Plans (CP1 – CP21) Dated: June 2008.
11. Comcare DRP v1.0 Dated: September 2003.
12. ACSI 33, Defence Signals Directorate.
13. AS/NZ 27001:2005 Information Security Management, Standards Australia International Ltd.
14. Australian Emergency Manual – Disaster Recovery (EMA)
15. 911 Lessons Learnt document (Source: EMA)
16. Comcare BCP Assessment criteria explained, Dated: January 2008.
17. Comcare BCM – Work Instruction and Policy.


5.1 Supplementary information and forms

The following information and forms can be located in the Business Continuity Management TRIM File 2011/6071:

• Crisis Checklist
