BUSINESS CONTINUITY MANAGEMENT FRAMEWORK
PURPOSE
This Framework has been developed in support of both the Business Continuity and Crisis Management Policy and the Emergency and Fire Evacuation Policy. It is intended for use by the CQUniversity community and controlled entities (such as CMS) to assist in the continuance of key processes and critical infrastructure during identified incidents.
CQUniversity’s Business Continuity and Crisis Management Policy is the official document by which the University clearly communicates:
• support for the Business Continuity Management Process; and
• the expected roles and responsibilities of the various committees and Executive in the control of Business Continuity and Crisis Management.
‘The University will manage a consistent process for the management of its operations across all campuses of the University, facilitated by task groups which will coordinate emergency responses under an overall Business Continuity Framework’ – Business Continuity and Crisis Management Policy.
INTRODUCTION
1 What is Business Continuity Management?
CQUniversity’s business strategies and decisions are based on the assumption that the University will continue to operate as normal on a daily basis. While Risk Management is about identifying possible risks and putting into place treatments to try to prevent an occurrence that impacts on University operations, Business Continuity Management details the necessary procedures and strategies that are to be actioned should an actual disruption occur. The objective of Business Continuity Management is to ensure the uninterrupted availability of all key University resources required to support essential (or critical) business activities.
The Business Continuity Management Framework sets out the processes and tools necessary to enable rapid response to incidents, recovery of key processes and restoration to core business activities (Business As Usual). The Business Continuity Management Framework is based on the preparation of:
• Business Continuity Plans (BCP) for key areas and activities of the University;
• disaster recovery planning for critical infrastructure and resources;
• communications and media liaison strategies; and
• crisis management and recovery, and emergency planning.
2 Link to Risk Management
Business Continuity Management is inextricably linked to Risk Management – one is the consequence of the other. Where Business Continuity Management (including Planning and Testing) comes into force is through Impact. The risk event has occurred: how should the University respond, recover and restore to full operations? As with Risk Management, the scale and timing of incidents/events cannot be reliably predicted; however, the difference lies in being able to categorise where the known impacts can occur. Further information on Risk Management at CQUniversity can be obtained by accessing the Risk Management Framework and Guidelines.
3 Why a Business Continuity Management Approach?
Due consideration needs to be given to the management of incidents and crises across the wider University from a multi-city perspective. This requires collaboration between all campuses (regional and metropolitan) and a two-way flow of information during incidents and events. Planning also allows the correct local and high-level responses to occur, and drives fundamental awareness, at the University and core resource area level, of capital requirements, service availability and ‘gaps’. By implementing a Business Continuity Management Framework the University is able to:
• recognise the risks and impacts, key resources and core processes;
• respond to the event; protect life, property, systems and other resources;
• recover the resources, systems and processes;
• restore to full operations; and
• review response, test preparedness and recalibrate planning.
4 Responsibility for Business Continuity Management
Whilst the University Council is ultimately responsible for monitoring risk and setting the risk appetite for the University, management of the implementation of Business Continuity Management is the responsibility of the Vice-Chancellor within the identified committee structure, as well as senior and local managers of the University for their respective work areas.
Business Continuity Planning Committee (BCPC): Responsible for the development and review of a strategic framework, including BCP testing, to ensure effective University operations in the event of a major incident or crisis.
Crisis Management Control Group (CMCG): Event-driven emergency work group, responsible for the coordination of major incident and crisis responses across the University.
Emergency Response Team (ERT): Activated to effectively manage local crisis events identified on University campuses.
5 Definition of Event Levels
Business Continuity Management acknowledges that despite the best efforts employed in organisational risk management, events adversely affecting (disrupting) University operations will sometimes occur. At CQUniversity, these events are categorised as follows:
Incident/Emergency: A ‘localised’ event or outage, within a single area or process; has an insignificant or minor impact on the University. Please note: Multiple or ongoing incidents may have a cumulative effect, becoming a major incident or crisis.
Major Incident/Emergency: An ‘extraordinary’ event or outage where key business processes are disrupted or resources are lost; has a moderate or major impact on the University. May affect external areas.
Crisis: A ‘disaster’ event, or series of incidents, that have the potential for extreme impact on processes, resources and the University’s long term prospects or reputation. May affect external areas.
• People (Staff, Students, Public);
• Facilities, Services and Environment;
• Systems and Communication;
• Finance and Legal; and
• Reputation and other.
Some examples of incident/emergency/crisis events (risk management link) include but are not limited to:
• adverse research outcomes;
• bomb threat;
• building invasion;
• bushfire, building fire;
• chemical, biological and radiological disaster event;
• civil disorder;
• cyclones, including major storm damage;
• hazardous substance incidents;
• industrial accident;
• major financial issue;
• other natural disasters: flood, earthquake;
• serious ethical issue, such as fraud, public international student complaints, major legal issues;
• serious health issue/outbreak of disease or pandemic;
• severe weather event;
• significant adverse change in Government policy;
• structural instability;
• systems collapse;
• terrorism event, bomb threat or major intrusion event; and
• toxic emission.
6 Prioritised Scope – BCM Monitoring and Control
Given the complexity of CQUniversity, it is not possible to plan for every conceivable incident/event type. Therefore, a prioritised, risk-based approach is required to ensure that adequate planning is put in place to ensure that the University is able to respond to and recover from any incident/emergency/crisis, and restore to normal operations across the board as efficiently and effectively as possible.
The primary output from the business continuity management process is the development of a Business Continuity Plan (BCP) for each of the priority areas identified by the Business Continuity Planning Committee. The BCP comprises many elements which, collectively, define the approach to dealing with an event that adversely affects University operations, and which detail the steps to take to enable rapid response, recovery of key processes and restoration to core business activities.
For each priority area identified by the Business Continuity Planning Committee, a Business Continuity Plan (or similar document) is to be developed and maintained detailing the following:
• description and scope;
• key staff, inputs, processes and resources – including Impact Analysis and contacts;
• key principles and core considerations;
• escalation procedures – maximum acceptable outages, response requirements;
• any instructions for incoming committees (Crisis / Emergency Management);
• communication plan (internal and external);
This documentation is not a one-size-fits-all approach, and the final result may need to be much more complex in some areas than it is in others. The most important consideration is that key staff are able to enact the plan with minimal prompting at the time of a Business Continuity event.
The following areas have been identified as CQUniversity priorities for this approach (note particularly that they are linked to each other in many cases). The managers of controlled entities will also need to ensure that a similar approach is taken for these priority areas (where in existence) for their own organisations. For some areas, including group crisis management, and media/communication strategies, participation in an organisation-wide solution is required.
Please note the descriptions below are simplistic – this is a high level framework only.
BCP 1 Campus Operations – including Emergency Management
Process Owner(s): Head of Campus; Director, Facilities Management
Associated Process Owner(s): Director, People and Culture; Manager, Health, Safety, Environment and Training
CQUniversity campuses are the hubs of learning and teaching delivery, research activity, engagement work and the day-to-day operations of the organisation. There are various ‘threats’ (natural or man-made), which could cause a full or partial disruption to the operations of or access to any of these campuses. Appropriate Business Continuity and Crisis planning needs to be in place to ensure that these disruption events can be managed quickly, with particular regard to the safety of life and property being the highest priority. It is recognised that some campuses are entirely contained within a single building or facility, such that the loss of access to or operation of that facility would constitute full closure. Specific ‘Emergency Management’ protocols are detailed separately in the associated processes contained within CQUniversity’s Fire Evacuation Program; however they are very much linked.
BCP 2 Core IT Systems – including Disaster Recovery Planning
Responsible Manager: Director, Information Technology
CQUniversity Core Information Technology (IT) systems will focus on supporting the University’s core business of Engagement, Learning and Teaching, Research and Innovation, and Engaged Enterprise. As such it is imperative that appropriate measures are put in place to quickly rectify any disruption to IT services across all our campuses and learning delivery sites.
Disaster Recovery Planning is a key requirement in this area, and continuous efforts must be made to ensure that successful enactment of this requirement can be undertaken quickly, to reduce the flow on effects of disruption. Obvious linkage to Campus Operations, thus plans need to take this into account.
BCP 3 Financial Operations
Responsible Managers: Chief Financial Officer; Director, Financial Services
The ability to conduct transactional business (both inwards and outwards) is critical for the operations of any organisation, let alone CQUniversity. Business Continuity Planning in this regard needs to consider activities including Accounts Receivable, Accounts Payable, Treasury and Banking, Financial and Management Reporting (non-exhaustive). Obvious linkage to core IT systems, thus plans need to take this into account.
BCP 4 Payroll
Responsible Managers: Director, People and Culture; Manager, Salaries, Superannuation and Systems
Our employees are the key to delivering CQUniversity’s promise to our stakeholders and for meeting the University’s strategic aspirations in regards to Engagement, Learning and Teaching, Research and Innovation, and Engaged Enterprise. As such, the University has an obligation to ensure that staff are not personally affected by a disruption to payroll activities.
Obvious linkage to Campus Operations, Core IT Systems and Financial Operations, thus plans need to take this into account.
Other Areas
The ‘priority list’ does not, nor shall it preclude any other areas of the University or controlled entities from understanding the key inputs, processes and outputs of their day-to-day business in order to build a Business Continuity Management culture organisation wide. All areas of the University are encouraged to utilise this framework to build resilience for their respective work areas.
7 Requirements
Responsible Managers will ensure that:
• a BCP (or similarly fashioned document, e.g. Campus Emergency Response Plan) is developed detailing the steps taken to ensure rapid restoration to business activities;
• a communication plan is developed;
• all responsible officers are made aware of the BCP and their responsibilities in the event of an adverse disruption to normal operations; and
• periodical testing of the BCP is undertaken to ensure its effectiveness.
Remember: Impacts will not just be Facilities and Information Technology! Categories:
• People (Staff, Students, Public);
• Facilities, Services and Environment;
• Systems and Communication;
• Finance and Legal; and
• Reputation and other.
The big concern for responsible managers – In the absence of or interruption to any, many or all of the above categories, how can processes be kept active, and service to stakeholders kept going?
8 A Note on Testing of Business Continuity Plans
Review of a BCP is essential to ensure it reflects the University’s objectives, its core business functions, the corresponding processes and resources and an agreed priority for recovery. Testing and maintenance of the recovery process documented in the BCP will provide management assurance that the plan is effective and will ensure continuity of business should key functions be lost.
Quality assurance reviews of the BCP during its preparation and throughout its life are recommended to ensure its content remains relevant.
9 Corporate Governance Principles
Corporate governance is the way in which the University is controlled and governed in order to achieve its objectives. The control environment makes the University reliable in achieving these objectives within an acceptable degree of risk. CQUniversity is committed to establishing an organisational culture that ensures risk and Business Continuity Management is an integral part of all activities. This not only contributes to good governance, it also provides protection for CQUniversity in the event of adverse outcomes.
Provided Business Continuity Management has been managed in accordance with the appropriate guidelines, protection occurs on two levels. Firstly, the adverse outcome may not be as severe as it might otherwise have been. Secondly, those accountable can, in their defence, demonstrate that they have exercised a proper level of diligence.
The University is committed to business continuity management. This Business Continuity Management Framework, issued under the authority of the Vice-Chancellor and President, will govern the practice of Business Continuity Management.
DEFINITIONS
Business Continuity Management Framework: sets out the processes and tools necessary to enable rapid response, recovery and restoration to core business activities.
Business Continuity Plan (BCP): comprises many elements which, collectively, define the approach to dealing with a break in business continuity, and which prescribes the steps an organisation should take to recover lost business functions.
Risk Management: the systematic application of management policies, procedures and practices to the tasks of communication, establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks to the attainment of the University’s outcomes and outputs.
Event: an occurrence that affects/disrupts University operations. Levels of events are categorised as incident/emergency, major incident/emergency or crisis.
Prioritised Scope: identifies those key priority areas of University operations for focused Business Continuity Planning efforts.
Corporate Governance: refers to the way in which CQUniversity is directed and controlled in order to achieve its strategic goals and operational objectives.
Risk Management Framework: the structure within CQUniversity that supports the risk management practice, reporting, responsibilities and accountabilities at all management levels within the enterprise. The risk management framework is a description of streams of accountability and reporting that will support the Risk Management Process within the existing organisational structure.
RESPONSIBILITIES
Vice-Chancellor and President
Executive and Senior Management
The effectiveness of risk and business continuity management is unavoidably linked to management competence, commitment and integrity, all of which form the basis of sound corporate governance. Corporate governance provides a systematic framework within which the executive management group can discharge their duties in managing the University.
Line Management
Line managers at all levels will be responsible for the adoption of risk management and business continuity management practices and will be directly responsible for the results of activities, relevant to their area of responsibility.
All Employees
All employees are responsible for:
• Acting at all times in a manner which does not place at risk the health and safety of themselves or any other person in the workplace;
• Providing direction and training to persons for whom they have a supervisory responsibility or duty of care provision relating to health and safety;
• Identifying areas where risk management and business continuity practices should be adopted and advising their supervisors accordingly;
• Meeting their obligations under relevant legislation including workplace health and safety, equal employment opportunity and anti-discrimination; and
• Taking all practical steps to minimise the University’s exposure to contractual, tortious and professional liability.
RECORDS
All records relevant to these procedures are to be maintained in a recognised University recordkeeping system, which will include the normal place of business for records pertaining to each Priority type.
Approval Authority: Vice Chancellor
Administrator: Deputy Vice Chancellor (International and Services)
Original Approval Date: 5 April 2013
Amendment History:
Date of Next Review: 5 April 2016
Related Documents: Business Continuity and Crisis Management Policy