Business Continuity Plan Development Procedure

Section 1 - Developing a Business Continuity Plan

(1) Business Continuity Plans contain the procedures necessary for the maintenance of critical functions. They provide staff with the information needed to develop reduction, response and recovery plans for a disruptive incident and to access the resources needed to implement predetermined continuity strategies.

(2) Business Continuity Plans are not intended to address every eventuality as the nature of individual incidents may vary. Responses to disruptions therefore need to be flexible in approach and actions may need to be adapted according to the circumstances.

(3) Business Continuity Plans outline:

  1. The purpose, scope and objectives of the plan.
  2. Activation criteria and procedures.
  3. Roles, responsibilities, and authorities.
  4. Internal and external communication procedures – media, staff, students, and stakeholders.
  5. Resource requirements.
  6. Stated assumptions and identification of internal/external dependencies.

(4) The first step in developing a Business Continuity Plan is to undertake a business impact analysis. 

Business Impact Analysis

(5) The Business Impact Analysis (BIA) helps a Department to determine its recovery priorities and objectives. During the analysis, the activities that support the provision of services are identified and the impacts over time of not performing these activities are considered. Elements of the BIA include:

Identification and Classification of Key Functions

(6) The purpose of the evaluation is to assess what critical functions need to be recovered and in what order of priority. Decisions should be made in accordance with legal/regulatory and health and safety requirements and include a consideration of available resourcing and the University’s appetite for risk.

  1. Critical functions are directly responsible for the delivery of services; these functions enable the Department to achieve its objectives and comply with legal and regulatory requirements.
  2. Critical-supporting functions provide outputs to critical functions, without which the critical function could not operate. If they are the only source of supply to the critical function they are classified as single points of failure.
  3. Supporting functions provide support to the critical and critical-supporting functions. Their failure during an incident does not immediately compromise the Department’s ability to achieve its strategic objectives and comply with legal and regulatory requirements.

(7) When deciding what constitutes a critical function, consideration is given to the Department’s key objectives and obligations and how they are achieved. The outputs required to meet these objectives and obligations are identified during the BIA together with the underlying functions that deliver those outputs. This process also includes an evaluation of the timeframes in which the objectives and obligations need to be achieved.

Assessment of Recovery Timeframes

(8) Prioritised timeframes for the resumption of critical functions are established and incorporated into subsequent planning activities i.e.

  1. Maximum Acceptable Outage (MAO), the maximum time period that the Department could operate without a critical function, after which the impact would become unacceptable.
  2. Recovery Time Objective (RTO), the time period in which a critical function must be recovered. Note - The RTO should always be shorter than the MAO.

Identification of Dependencies

(9) The identification of dependencies and the supporting resources for these activities assists in the prioritisation of critical functions and recovery strategies. Upstream dependencies include suppliers, contractors and outsourcing partners, whereas downstream dependencies are those who rely on the outputs of the Department writing the Business Continuity Plan.

Information Collection

(10) The most common data collection methods are questionnaires, personal interviews and document reviews. These activities are undertaken prior to the workshops where the BIA outcomes are evaluated and endorsed.

(11) The outputs of the BIA include:

  1. A prioritised timeline of activities for the recovery of the Department’s critical functions.
  2. A Business Continuity Resource Requirements Analysis containing the necessary resources to achieve the prioritised recovery of critical functions.
  3. A list of internal and external dependencies of critical functions.
  4. Controls that can be put in place pre-event to minimise the impact of an event on a critical function.

(12) The BIA should be refreshed/undertaken on at least an 18-monthly basis to ensure continuity strategies remain relevant.

Risk Assessment

(13) After identifying critical functions and supporting resources, the next stage in the process is a risk assessment. A risk assessment is undertaken to ensure that business continuity efforts are focused on those critical functions that are most at risk and that would have the greatest impact on the Department. It is also used to develop an understanding of the interdependencies amongst different critical functions in order to determine single points of failure or areas where there is a high concentration of risk.

(14) Business continuity risk assessments use established risk assessment techniques as described in the University’s Enterprise Risk Management Policy and Procedure, copies of which can be found on the University’s website.

(15) An alternative and less resource intensive approach is to undertake a detailed review of the University’s/department’s risk registers. This activity also provides an overall view of the risk profile of the University and its Departments.

Resource Requirements Analysis

(16) This activity identifies the minimum resources required to maintain critical functions and together with the BIA, assists in the further development of business continuity strategies.

(17) The following considerations should be taken into account when undertaking the analysis.

People

(18) Training – transfer/develop core skills associated with the delivery of critical functions amongst a wider group of staff.

(19) Diversification – different work locations for key staff, separate travel arrangement plans.

(20) Procedures and guidelines – document how critical functions are performed.

(21) Succession planning – identify backup staff.

(22) Specialist third parties – engagement of contractors to perform critical functions.

Premises

(23) Secondary locations – alternate work locations to house critical functions.

(24) Flexible working arrangements – temporary arrangements using business centres, client offices and working from home.

(25) Reciprocal arrangements – agreements with other organisations to share each other’s premises and facilities.

Information

(26) Backup and recovery – methods and effectiveness of recovery processes.

(27) Confidentiality of information – adequacy of safeguards.

(28) Availability – information format, hardcopy or electronic, and storage locations.

(29) Currency – accuracy and reliability of information.

Technology

(30) Power – the provision of an uninterrupted power system (UPS) for critical technology or infrastructure.

(31) Network – voice and data communications and network availability.

(32) Backup storage – security and portability.

(33) Hardware and software – backup, repair, replace, or temporary loan options.

(34) Note – Digital Technology Solutions should be consulted if the identified technology requirements are significant or if any uncertainties exist in terms of resourcing.

Supplies

(35) Buffer stocks – emergency supplies.

(36) Contractual agreements – arrangements with third-party suppliers to deliver stocks on short notice.

(37) Alternative sourcing – availability of a wide selection of critical suppliers.

(38) Validation of business continuity – suppliers to demonstrate business continuity capability (helps to ensure resilience in supply chain network).

Evaluation and Selection of Business Continuity Strategies

(39) A business continuity strategy describes how the Department will recover each critical function within the Recovery Time Objective established during the Business Impact Analysis activity. It details resourcing requirements and sets out how relationships with key stakeholders will be managed at the time of disruption.

Availability of Services

(40) There are three levels at which strategies can be set:

  1. Full availability – critical services cannot fail.
  2. Critical services recovered within Recovery Time Objectives (RTOs) at an agreed minimum level.
  3. Suspend critical functions.

(41) If the strategy chosen is to suspend a critical function during a disruption, a communication protocol should be developed for informing stakeholders who have an interest in the critical function that is to be suspended.

Strategy Selection

(42) The following factors should be considered when evaluating and selecting a strategy for each critical function:

  1. Business requirements.
  2. The agreed recovery time objectives (RTOs).
  3. The maximum acceptable outage for each service.
  4. The key resources required, e.g. people, premises, technology, information, and supplies.
  5. Costs of implementing the strategies compared to the speed of recovery.
  6. Recovery phase (partial or full resumption).
  7. Consequences of inaction.
  8. The business impact analysis and risk assessments.

Consolidation of Recovery Resources

(43) This activity re-evaluates the resources needed to implement continuity strategies associated with each critical function. It ensures that the resources associated with continuity strategies do not conflict with one another, are reasonable and achievable, and/or fall within predetermined continuity budgets. The outcomes of the consolidation process are summarised in a Business Continuity Resource Requirements Analysis.

Business Continuity Plan Activation

(44) Business continuity plan activation and stand-down (following resumption of normal activity) will be consistent with the authorities detailed in the Critical Incident and Emergency Management Policy and Procedure. The authority to activate business continuity plans rests with the Vice-Chancellor/Critical Incident Controller/Vice-President Corporate and CFO, and for our regional campuses, the relevant Associate Vice-Chancellor.

(45) It is anticipated that in the majority of instances the activation of business continuity plans will be one of many coordinated actions taken in response to an emergency or disruption to services on campus. On that basis, staff are expected to escalate any matters involving a campus emergency or disruption to services to management and/or Campus Security Services. The procedures detailed in the Business Continuity Management Framework and Business Continuity Plans support (do not replace) these established communication pathways.

Relationship to Emergency Management

(46) Business continuity planning and Emergency Management are closely interconnected and reinforce each other's effectiveness. Business continuity planning lays the groundwork by identifying risks, assessing impacts, and developing strategies to ensure the continuity of critical business functions. The plans and procedures developed through business continuity serve as a framework for effective emergency response and recovery.

(47) During an emergency, the Critical Incident Management Team and Local Incident Controllers utilise the BCPs as a guide to implement response and recovery measures. Business continuity planning provides the necessary function priorities, communication channels, and resource requirements to address the incident effectively.

(48) The Critical Incident and Emergency Management Policy and Procedure set out the structure, roles and processes that are followed during a disruptive event.

Business Continuity Plan Validation

(49) The purpose of plan validation is to develop staff skills and confidence and to assess the quality of the Business Continuity Plan and associated activities. By exercising the emergency response plans that have been developed based on the information gathered from business continuity plans, the assumptions in the business continuity plans are being tested. Exercises are designed to identify false assumptions and unrealistic recovery time objectives. The exercises can also be used to involve and assess the overall business continuity capability of critical suppliers.

(50) An important component of an exercise is the testing of communications intended to be used during a disruption i.e. availability and alternatives.

(51) The exercises will also be based on realistic scenarios with clearly defined aims and objectives.

(52) When commencing an exercise, appropriate staff and stakeholders will be notified prior to the exercise (i.e. Campus Security Services, reception areas). This will help to avoid situations where the exercise could be mistaken for a real event and create a disruption. On that basis, procedures for aborting an exercise will also be considered prior to the exercise commencing.

(53) Following an exercise, debriefs will also be held to identify lessons learned and opportunities for improvement. Exercises will be matched to the business continuity maturity level of the department/University.


Section 2 - Contact information

(54) For further information regarding the development of Business Continuity Plans contact Risk and Assurance at risk@cdu.edu.au.