Business Continuity Management Framework

Purpose

(1) The purpose of the Business Continuity Management Framework is to improve the University’s capacity to withstand the negative impact of a disruption while maintaining critical academic, research, and administrative activities.

(2) The framework promotes the development of business continuity plans that provide management with a process to identify potential threats to the University and the impacts to critical functions that those threats, if they eventuated, could cause. The plans outline the activities for responding to those threats in a manner that safeguards the interests of key stakeholders, reputation, and the services the University provides to students.

(3) The framework is based on the International Standard ‘Security and resilience – Business Continuity Management Systems ISO 22301:2019’.

Scope

(4) This framework applies to all areas of the University’s business including its academic, research, administrative, and commercial activities. It also applies to outsourced activities that support University operations and services.

(5) Controlled entities of the University are responsible for their own business continuity management activities and provide reports on the status of those activities to the University’s Audit, Risk and Compliance Committee annually and on the request of the Committee.

(6) Business continuity planning will initially be campus-based and focus on critical functions that support the delivery of key services, giving due regard and priority to the health, safety, and well-being of staff, students, and the wider community. Key areas of operations will be introduced to the framework and associated planning activities using a staged implementation approach. The framework will then be extended to other areas of the University’s business as the program matures.

Benefits

(7) Business continuity planning helps to ensure the University operates at optimal, predefined levels of service in the event of a disruption. The framework, plans and policy:

  1. Ensure that procedures, from the initial business response to recovery and full functionality, are aligned and well understood.
  2. Clearly define business continuity roles and responsibilities.
  3. Identify the equipment and resources needed to recover and maintain critical services.
  4. Protect the University’s reputation/brand.
  5. Support compliance with regulatory obligations.
  6. Mitigate risks to operations, health and safety, property damage, and loss.
  7. Provide clarity in respect of the overlapping (and separate) duties associated with emergency management planning.

Risk Governance

(8) Risk governance refers to the culture and arrangements developed by the University to manage the risk to its mission and strategic objectives. It includes leadership, accountabilities, and oversight and is an essential part of the University’s overall governance responsibilities.

(9) The Business Continuity Management Framework is one element of the University’s approach to mitigating risk - in this instance, disruption-related risk. The framework provides assurances that responses to disruptions are considered, co-ordinated, comply with regulatory requirements and meet the expectations of all stakeholders, particularly as it relates to the health, safety and well-being of staff, students, and the wider community.

Establishing the Business Continuity Management Framework

(10) The steps involved in the development of the Business Continuity Management Framework and associated business continuity plans are summarised in the following table:

| Process step | Step summary | Activity |
|---|---|---|
| Step 1: Commitment | Gain executive commitment | 1. Business Continuity Management Framework endorsed by executive; 2. Business Continuity Management Policy endorsed by executive |
| Step 2: Leadership | Establish and communicate roles and responsibilities | 1. Promote Business Continuity Policy; 2. Promote key objectives of the programme |
| Step 3: Planning | Develop continuity planning approach | 1. Consider risk appetite statement; 2. Review Strategic Risk Register; 3. Review Emergency Management Plans; 4. Undertake stakeholder analysis |
| Step 4: Support | Develop communication and training plans | 1. Business continuity system user guides (Smartsheet); 2. Develop business continuity training and awareness materials – workshop, instructional videos; 3. Adopt document management and record keeping protocols |
| Step 5: Operation | Develop Business Continuity Plans | 1. Undertake Business Impact Analysis – workshops, interviews, surveys (Smartsheet); 2. Identify minimum resource requirements; 3. Set service availability strategies |
| Step 6: Performance and Improvement | Develop and monitor key performance indicators | 1. Undertake validation exercises, walk throughs, debriefs; 2. Act on outcomes of formal quality and compliance reviews; 3. Undertake post-incident reviews |

Leadership

(11) Overall accountability for the development and implementation of the Business Continuity Management Framework has been assigned to the Vice-Chancellor by the University Council. The Vice-Chancellor has in turn delegated this responsibility to the Vice-President Governance and University Secretary. Additional business continuity roles and responsibilities are detailed in the Business Continuity Management Policy which can be found in the Policy Library on the University’s website.

Planning

(12) The University’s approach to business continuity is essentially process-centric or activity-orientated. The framework and underlying activities are designed to minimise the likelihood and impact of threats to core academic, research and administrative operations. The framework does, however, recognise that the ‘soft’ issues of positive staff behaviour and actions can contribute significantly to continuity efforts. On that basis, the framework places significant emphasis on staff training and awareness activities, particularly as they relate to legal and regulatory obligations (consider health and safety) and communication protocols (to ensure early warning signals are transmitted to management quickly and efficiently).

(13) To keep the implementation of the framework manageable, business continuity plans will be developed using a prioritised approach. The risks associated with the loss of critical functions will be subject to formal risk assessments. The outcomes of the assessments will be used to prioritise functions and the subsequent development of continuity plans. Contingency plans/risk mitigation strategies will also be developed for significant functions not included in the plans. It is anticipated that, as the programme matures, these significant functions will be progressively included in continuity plans as the plans are updated/revised.

(14) The business continuity plans will outline:

  1. The purpose, scope and objectives of the plan.
  2. Activation criteria and procedures.
  3. Roles, responsibilities, and authorities.
  4. Internal and external communication procedures – media, staff, students, and stakeholders.
  5. Resource requirements.
  6. Stated assumptions and identification of internal/external dependencies.

Support

Awareness and Training

(15) To increase the knowledge and skills of staff, awareness and training activities will be conducted on a regular basis with the following target audiences:

  1. Senior Management – in the form of briefings to help them understand their business continuity leadership role.
  2. Staff with specific business continuity responsibilities – fire evacuation wardens, health and safety staff, Campus Security Services, and others detailed in the ‘Roles and Responsibilities’ contained in the Business Continuity Management Policy.
  3. General staff – basic knowledge about the value of business continuity initiatives, information that complements emergency management training.
  4. Critical vendors – raise awareness of the University’s business continuity programme; any specific training required to build vendor capability is the responsibility of the vendor.

(16) Training will cover the overlapping duties associated with emergency management planning and business continuity procedures. The training will be facilitated by Risk and Assurance. Additional ad-hoc training will also be provided as required/on request.

Documentation

(17) Business continuity related documentation will be protected to ensure there is no loss of confidentiality or integrity. It will be maintained on the University’s business continuity system (Smartsheet) and be readily available for use by authorised staff.

Internal and External Communications

(18) Communications during a disruption of normal activities are set out in the University’s Critical Incident and Emergency Management Policy and Procedure, where an emergency is defined as any event that causes disruption to the normal functions of the University.

Performance Evaluation and Improvement

(19) The following Key Performance Indicators will be maintained and reported to the Audit, Risk and Compliance Committee:

| Key Performance Indicators | Measure | Frequency |
|---|---|---|
| Tests and debriefs conducted as part of annual emergency exercises | Count | Annually |
| Workshops and training sessions | Count | Quarterly |
| % of plans updated within the last 12 months | % and Count | Quarterly |

(20) The programme will also be independently reviewed to ensure it conforms to the requirements articulated in the Business Continuity Management Policy and the overarching directions maintained in the Business Continuity Management System Standard ISO 22301:2019. This review may form part of a broader review of Risk and Assurance activities.

(21) If Business Continuity Plans have been activated in response to a disruption, a post-incident review will be conducted and the outcomes used to improve/strengthen associated procedures and activities.

Contact Information

(22) For further information regarding the Business Continuity Management Framework contact Risk and Assurance at risk@cdu.edu.au.