COMCARE BUSINESS CONTINUITY MANAGEMENT
Title: Business Continuity Management
Version: 2.1
Authorised by: Executive Committee
Effective date: 10/7/2012
Authorisation date: 10/7/2012

DOCUMENT OWNER & CONTACT
Name: s47f
Role: Director Property
Phone: s47f
Review Date: June 2013
Email: s47f

CHANGE HISTORY
Version | Date | Comments | Author(s)
2.0 | 29 August 2011 | BCM Refresh Project | s47f
2.1 | 21 June 2012 | Update after BCM test and review | s47f

DOCUMENT LOCATION
TRIM File: 2011/6071
TRIM Reference: DOC1430732
File Name: Comcare Business Continuity Management

DOCUMENT LISTING
- Business Continuity Management Policy
- Business Continuity Management Framework
- Business Continuity Management Crisis Management Plan
- Business Continuity Management Business Impact Analysis (BIA)
- Appendix A Crisis Management Team Checklist
- Appendix B Crisis Management Contact List
- Appendix C Business Contingency Plans

UNCLASSIFIED
BUSINESS CONTINUITY MANAGEMENT POLICY

1. OVERVIEW
Comcare identifies Business Continuity Management (BCM) as a key management component and essential to the long-term survival of the organisation. The continued provision of key services to Comcare clients and the provision of support functions to the business form the basis of Comcare's Business Continuity Management framework.

2. SCOPE
This policy applies to all client and internal services and supporting infrastructure provided and/or maintained by Comcare.

3. POLICY
3.1 Comcare shall develop, implement, manage and maintain an approved Business Continuity Management (BCM) framework to ensure that critical processes are maintained at an acceptable level even during a major disruption to normal operations.
3.2 The BCM Framework shall be reviewed annually to verify it meets the organisation's documented BCM needs.
3.3 A training and testing program shall be developed and exercised annually in support of the BCM Framework to ensure that staff are aware and capable should circumstances arise.
3.4 Documented evidence shall be maintained, for audit purposes, relating to the implementation and performance of this policy and supporting procedures and all related work instructions.

4. DOCUMENTATION
Implementation of this Policy will be through a documented Business Continuity Management Framework.

5. DEFINITIONS
BCM: Business Continuity Management
6. RELATED POLICIES
- Comcare IT Security Policy, Section 12. Contingency Planning
- CEO Guidelines

7. RELATED DOCUMENTS
- AS/NZS ISO/IEC 27001:2006 Information technology - Security techniques - Information security management systems - Requirements
- HB 221:2004 Standards Australia/Standards New Zealand Business Continuity Management Handbook
- HB 292-2006 A Practitioners Guide to Business Continuity Management
- Comcare BCM Documentation set (Trim File 2011/6071)
BUSINESS CONTINUITY MANAGEMENT FRAMEWORK

1. OVERVIEW
The Business Continuity Management Framework outlines Comcare's approach to ensuring continuity of critical business processes following a potential crisis incident.

1.1 BCM Framework
[Figure: BCM Framework, showing four stages and their activities]
- Determine Requirements: Develop BCM Policy; Business Impact Analysis
- Continuity Management: Develop Crisis Management Plan; Develop Contingency Plans
- Recovery Management: Develop Disaster Recovery Strategy; Develop Disaster Recovery Plans
- Educate and Communicate: Communication and Awareness; Test and Train

2. OBJECTIVES
Comcare's BCM Policy is that critical services shall be maintained at an acceptable level even during an event which causes a major disruption to normal operations. To this end Comcare's BCM:
- Ensures that all significant risks to business continuity are identified, assessed and, where necessary, treated in a consistent and practised manner (through Business Continuity Plans and training) and reported to management.
- Assigns responsibility to all staff for the management of business continuity within their areas of control and provides adequate training and testing to build capability.

3. SCOPE
Comcare's BCM framework shall operate for:
- all identified risks to Comcare's critical processes
- unforeseen events that have the potential to disrupt Comcare's critical business processes.

4. BCM METHODOLOGY
Comcare's BCM framework has been closely aligned with Standards Australia's Handbook HB221:2004 and the companion publication HB 292:2006 A Practitioners Guide to Business Continuity Management.

BCM objectives have been identified to ensure that Comcare critical business processes continue to be met even under conditions of major disruption to facilities or staff resources. These critical business processes and agreed timeframes for activation of contingency plans and recovery are documented in the Business Impact Analysis.

The Crisis Management Plan must be adaptable to unforeseen events and still ensure continuity of an acceptable level of service for a predetermined length of time, within which critical business service systems must be returned to normal operation, defined as a Recovery Time Objective (RTO).

For each critical service a Contingency Plan must be developed and maintained. The Crisis Management Team ensures that Business Contingency Plans (BCPs) relevant to the service disruption are deployed and that all stakeholders are appropriately advised.

4.1 Roles and Responsibilities
Key roles and responsibilities during internal and external crisis situations are described in detail within the Crisis Management Plan. This section details the responsibilities for the development, maintenance and improvement of Comcare's BCM Framework.
4.1.1 Crisis Management Executive
- Manage Business Continuity as a component of corporate risk mitigation via the audit Management Committee.
- Establish and review departmental BCM context for the organisation.

4.1.2 Crisis Management Team (CMT)
- Ensure the functionality and preparedness of Comcare's BCM Framework.
- Participate in and promote BCM training and awareness.
- Provide expert input to BCM development and maintenance.

4.1.3 General Managers
- Champion BCM within their Group
- Endorse critical business processes requiring BCPs
- Ensure preparedness of their BCPs

4.1.4 Business Contingency Plan Team Leaders
- Identify critical business processes requiring BCPs
- Prepare and maintain BCPs
- Champion BCM training, testing and BCP improvements
- Conduct team BCP training, testing and improvements

4.1.5 Technology Recovery Team
- Understand BCPs and ensure resulting return to operation (RTO) objectives are achieved.
- Maintain DR preparations and readiness

4.2 Training and awareness
On an annual basis:
- All employees will receive information explaining the BCM framework.
- Identified BCM roles will receive training relevant for their role.

4.3 Testing and exercising
An annual program of testing and exercising will be developed and implemented.

4.4 Review and update
On an annual basis:
- the Business Continuity Framework will be reviewed and updated.
- the Business Impact Analysis will be revalidated.
BCM documentation will be maintained by the Property Team.

5. REFERENCES
1. Comcare IT Security Policy, Section 12. Contingency Planning
2. BCM Policy (Trim ref 2011/6071)
3. Commonwealth Protective Security Policy Framework
4. Australian Communications Security Instruction (ACSI) 33 September 2007
5. HB 221:2004 - Standards Australia/Standards New Zealand Business Continuity Management Handbook
6. HB 292-2006 - A practitioners' guide to business continuity management
7. Comcare Risk Management Framework
BUSINESS CONTINUITY MANAGEMENT CRISIS MANAGEMENT PLAN

1. OVERVIEW
This Plan provides guidance for dealing with a crisis in Comcare. It uses a consistent and simple incident management approach that caters for both internally and externally sourced operational failures.

The basic components required for successful Incident Management include:
- A clear understanding of the incident, whether internally sourced (e.g. office fire, IT failure) or externally sourced (e.g. pandemic, bushfire) and its impact on Comcare's key business processes.
- A Crisis Management Team (CMT), made up of representatives from those areas of Comcare's organisation impacted by the incident.
- A guiding framework from which to make decisions.
- Support personnel who can be relied upon to implement CMT decisions and who will provide accurate and timely feedback.

1.1 Crisis Management
In managing a crisis the primary objective is to maintain critical business processes as near to normal operation as practical so that the crisis does not disrupt essential business delivery. This puts a clear focus on:
- The security and wellbeing of all Comcare personnel as the overriding priority.
- The ability to regulate the jurisdiction, in particular the ability to receive WHS incident notifications and conduct investigations.
- The provision of benefits to injured workers, in particular for employees of client agencies who would suffer hardship should regular payments be delayed.
- Restoration of key and operational services on a prioritised and managed basis.

This document details the high level structures and procedures that are in place to successfully manage and resolve a significant disruption to business. The associated Business Continuity Plans (BCPs) provide the details necessary to mitigate any specific Business Continuity risks.

2. CRISIS MANAGEMENT TEAM

2.1 Overview
The Crisis Manager and Deputy Crisis Manager form the Crisis Executive.
The Crisis Manager brings together the Crisis Management Team (CMT) as soon as possible after the identification of an incident that may be escalating towards a crisis.
Comcare's CMT structure is as follows:
- Crisis Manager (DCEO)
- Deputy Crisis Manager (COO)
- CMT Member (GM Regulatory Services)
- CMT Member (GM Recovery and Support Services)
- Business Continuity Manager (Director, Property)
- Corporate Communications (Director, Communications and Knowledge)
- CMT Scribe/admin Support (Executive Services)

The CMT should manage the crisis in line with the crisis management section of this plan. Other resources shall be seconded as are deemed necessary to resolve the crisis and achieve an efficient return to normal operation.

The Crisis Management Contact List is at DOC 1073580.

All CMT personnel, and alternative personnel, for all key roles should be trained prior to crisis management involvement if possible.

2.2 Roles and responsibilities

2.2.1 Crisis Management Team
The CMT is formed when the Crisis Executive and Crisis Management Team members come together. The Crisis Executive is formed by the Crisis Manager and Deputy Crisis Manager.

2.2.2 Crisis Manager
The Crisis Manager is usually the Deputy CEO. The Crisis Manager is responsible for the initial declaration of a crisis, the planning, initiation and monitoring of all activities associated with the successful management and resolution of the crisis, and for deciding when the crisis is over and normal operational conditions are reinstated.

The Crisis Manager is part of the Crisis Executive and should have an extensive knowledge and understanding of:
- Comcare's BCM Methodology
- emergency management principles in general
- Comcare's business objectives and responsibilities, structure and operational processes.

The Crisis Manager reports as required to:
- the CEO or their delegate
- the Minister, as appropriate.

The Crisis Manager is also responsible for ensuring that clear and documented decisions are made and communicated to all members of the CMT. In the event that the designated Crisis Manager is not available the Deputy Crisis Manager will assume the Crisis Manager's role.

2.2.3 Deputy Crisis Manager
The Deputy Crisis Manager is usually the Chief Operating Officer unless a Group GM is appointed by the Crisis Manager. The Deputy Crisis Manager is part of the Crisis Executive, and should have extensive knowledge of:
- Comcare's BCM Methodology
- emergency management principles in general
- Comcare's business objectives and responsibilities, structure and operational processes.

The Deputy Crisis Manager is responsible for the overall management of communications within crisis management, and shall endeavour to:
- support and assist the Crisis Manager as directed
- assist with the selection of the Crisis Control members
- establish crisis operational procedures and co-ordinate the activities of the Crisis Control
- monitor the activities of the Crisis Control to ensure that all key activities and stakeholders are addressed
- report to the Crisis Manager as directed/required.

2.2.4 Crisis Management Team
The CMT is appointed at the time of the crisis and usually consists of the General Managers of Regulatory Services and Recovery and Support Services, and the Director of Property and the Director Knowledge & Communications. The Crisis Executive will identify the most appropriate additional personnel to form the CMT.

CMT representatives shall have an extensive knowledge of:
- Comcare's BCM Methodology
- emergency management principles in general
- their Group Contingency Plan(s).

The role of CMT members includes:
- Managing the implementation of the Group Contingency Plans.
- Co-ordination of cross Group activities.
- Monitoring the overall progress of the emergency management plan with respect to their Group.
- Reporting progress to the CMT Executive.
- Appointing a communication Coordinator to liaise with the Community Engagement Team to provide regular updated information and assist in the flow of information.
- Ensuring clear and precise information, timeframes and outcomes are communicated to the Crisis Manager and the Deputy Crisis Manager to facilitate accurate decisions.

2.2.5 Business Continuity Teams (BCT)
The Business Continuity Team consists of members from Groups who have operational responsibilities for the activities addressed by the Groups' contingency plans. The Business Continuity Team shall be well defined and trained wherever possible prior to a service disruption incident. Teams must include a primary and a secondary contact for all key areas of responsibility.

The BCTs have primary responsibility for:
- ensuring the effective implementation of Business Continuity Plans to ensure delivery of identified processes at pre-agreed levels following the incident
- ensuring their BCT member is kept informed of progress and operational issues
- ensuring that procedures in the Business Continuity Plans capture an appropriate level of information to enable backlog processing and a smooth transition back to normal operation
- assisting in the physical and electronic restoration of key systems.

2.2.6 Crisis Management Scribe
The Scribe is drawn from the Executive Services Team or other available resource. This is a non-participatory role; the position tracks and records events, decisions and processes that occur during the crisis.

The CMS has primary responsibility for:
- capturing the event and consequences of the crisis in a chronological order
- recording management decisions and the reasoning behind them
- capturing and recording the minutes of CMT level meetings
- maintaining agendas and action lists in association with CMT meetings.

2.2.7 Chief Executive Officer (CEO)
The role of the CEO during the crisis will primarily be one of communication with key stakeholders.
While not directly involved in the operational aspects of the response, the CEO is to provide liaison with high level stakeholders including the Minister's office, key government agencies, major self-insurers and the media.
In addition to the communication aspects, the CEO is also in a unique position to provide advice on processes and systems, as the role is not directly involved in the operational aspects. This role would be highly important during a prolonged crisis.

3. CRISIS MANAGEMENT
A crisis is an event that has a direct impact on Comcare's ability to carry out its critical business activities, irrespective of the physical location or direct impact of the crisis.

Often, a crisis will require Comcare immediately to follow the guidance of the relevant authority responsible for management of the crisis. This could include emergency services personnel, health authorities and State, Territory or Federal Government agencies.

Once all immediate threats have been neutralised and staff accounted for, the focus will need to quickly move towards "What do we need to do to continue doing business?" This is not only the provision of essential critical business services but also how to recover from the crisis and clean up afterwards.

In the event of a crisis Comcare will need to respond in an appropriate and timely manner. There are three basic phases that will be applicable to the management of any crisis.
1. Evaluation and planning phase - Emergency Management
2. Plan implementation and coordination phase - Continuity/Recovery Management
3. Situation recovery and closedown phase - Recovery Management

3.1 Evaluation and Planning
The evaluation and planning phase attempts to achieve four primary goals:
- Establish an appropriate Crisis Management Team and where the team will form.
- Analysis of the crisis and the full range of impacts on Comcare's people and critical business processes and personnel.
- Development of appropriate Business Continuity Plans, or development of an action plan to deal with the more specific incident.
- Development of communications plans to ensure that effective reporting to the appropriate personnel and organisations occurs.
3.1.1 Establish a CMT
The establishment of the Crisis Management Team occurs in two phases:
- The CMT Executive meets and assesses the incident and determines if it qualifies as a crisis incident by referring to the MAO triggers in the Business Impact Analysis as a guide #. The CMT Executive will also identify the potential Group members who will form the CMT and where the CMT will meet if access to the office is restricted. This should occur as soon as possible following the crisis detection and reporting.
- Assembly of the Crisis Management Team. The CMT Executive shall brief the CMT on their initial analysis of the crisis and establish all impact/s prior to the development of an Action Plan (which should, as far as possible, utilise existing BCPs). At this point it is essential to appoint the Crisis Management Scribe (CMS) and to ensure that those responsible for the Crisis Communications Plan are included in the CMT.

# (Trim ref 2011/6071)

3.1.2 Analyse the Crisis
The analysis process attempts to:
- Clearly identify the full impacts of the crisis on Comcare and its critical business processes, and identify events that may cause an escalation of the crisis.
- Identify any critical business service MAO triggers reached and implement those BCPs #.
- Identify the most appropriate personnel to form the CMT and ensure their presence for the implementation of relevant BCPs *, or the development, communication and implementation of a more specific Action Plan for an unforeseen event.

# * Comcare has established a prioritised list of critical business processes and business continuity plans for those processes (Trim ref 2011/6071).

3.1.3 Prepare the Action Plan
The development of the crisis specific Action Plan involves the following:
- Detailed and ongoing analysis of the crisis and its impacts.
- Prioritise the recovery tasks and responsibilities.
- Identify and allocate the appropriate resources.
- Prepare CMT and BCTs for the implementation phase.

3.1.4 Communication Plan
Communications plans should address:
- CMT Reporting/Update and an ongoing schedule of situational reports.
- Internal notifications including staff and contractors, interstate Offices.
- External communications, including Client Agencies, Service Providers, Support Organisations, Claimants and the public.
All communications will need to be approved by the CMT Executive and should include appropriate detail for the intended audience; communications shall generally include the following detail:
- what has happened
- what is being done to fix it
- the anticipated impact the crisis will have on services
- any temporary arrangements that have or are being put in place
- the expected time till resumption of normal services.

3.2 Implementation and Coordination
The aim of this phase is to effectively manage the deployment of the Business Continuity Plans or the Specific Action Plan to ensure an appropriate, timely and flexible implementation of the planned actions. This phase involves:
- implementing the Action Plan, including appropriate Business Continuity Plans
- monitoring the crisis
- ensuring all stakeholders' needs are addressed appropriately
- monitoring and adjusting the Action Plan to meet changing circumstances
- ongoing implementation of the communications plans for both internal and external stakeholders including Comcare management and personnel, client agencies and support services.

3.2.1 Implementing the BCPs or Action Plan
Once the BCPs or Action Plan has been agreed, including the appropriate prioritisation and coordination of activities as detailed in the selected Contingency Plans, implementation may commence. This phase involves:
- authorising the implementation of the selected Business Continuity Plans
- commencement of Business Continuity Plan operations
- providing timely reports on progress to the CMT as per each Business Continuity Plan's communications plan.

3.2.2 Monitor and Adjust
All crises and their associated recoveries are dynamic events. Delays occur, situations change and the Crisis Management Team needs to remain informed, constantly monitoring the situation and responding appropriately to change.

This phase primarily revolves around the following activities. The Business Continuity Team reports back to the Crisis Management Team, who:
- review progress holistically
- reprioritise activities and resources as required and appropriate
- communicate these changes and expectations back to the BCT.

This process continues throughout the life of the crisis.
3.2.3 Ongoing Communications
During the implementation phase communication is vital to the recovery process. The following communication activities should be regularly carried out:
- CMT meetings: ideally morning and night, although to be held more frequently if required
- BCT meetings: ideally following the CMT meetings
- Progress reporting by the:
  - BCT to CMT
  - CMT to the CMT Executive
  - CMT Executive to Staff and stakeholders

Additional external communications will also be required as alternate services become available, that is, new premises, contact numbers, mailing addresses, reception, etc.

3.2.4 Capturing Information
During a crisis it is important to accurately capture and document all events which occur, including from the individual sections, as this aids the recovery and closedown. To facilitate this process each section will be provided with a Workbook - Record of Key Decisions (Trim ref 2011/6071), including:
- Key decisions or actions which happen inside of the section.
- Requests for services or support.
- The tracking of tasks.
- The tracking of sectional resources.

Accurate information may also be required in the event of Comcare wanting to claim under insurance for any financial losses caused by the crisis.

3.3 Recovery and Closedown
Finally, once the crisis has been mitigated, there are several steps that need to be performed before Comcare's operations can finally be returned to normal including:
- Testing of any systems that underwent recovery processing, including access control, data and system integrity, operational procedure.
- Backlog processing, physical record storage, resumption of normal roles and responsibilities.
- Debriefing sessions for personnel involved in crisis management tasks, at any level, including Lessons Learnt sessions, documentation review, process capture, update of the Threat Risk Analysis (TRA) etc.
- Review and update, as appropriate, the:
  - BCM Plan
  - Business Continuity Plans or Specific Action Plan
  - Disaster Recovery Plans and Procedures (i.e. Build & Test, Record Management, Security, etc).

4. DEFINITIONS
Term | Definition
CEO | Chief Executive Officer
BCM | Business Continuity Management
BCP | Business Continuity Plan
BCT | Business Continuity Team
CMP | Crisis Management Plan
CMT | Crisis Management Team
Crisis | An adverse event of sufficient magnitude to have a significant impact on Comcare at the organisational level.
GM | General Manager
Incident | Any event which impacts on Comcare's objectives with the potential to escalate to crisis levels

5. REFERENCES
8. Business Continuity Threat and Risk Assessment, V1.0, Dated: August 2004.
9. Protective Security Policy Framework July 2012
10. Contingency Plans (CP1 - CP21) Dated: June 2008.
11. Comcare DRP v1.0 Dated: September 2003.
12. ACSI 33, Defence Signals Directorate.
13. AS/NZ 27001:2005 Information Security Management, Standards Australia International Ltd.
14. Australian Emergency Manual Disaster Recovery (EMA)
15. 911 Lessons Learnt document (Source: EMA)
16. Comcare BCP Assessment criteria explained, Dated: January 2008.
17. Comcare BCM Work Instruction and Policy.
18. AS/NZ HB 221 and 292:2006 A practitioners guide to Business Continuity Management.
5.1 Supplementary information and forms
The following information and forms can be located in the Business Continuity Management TRIM File 2011/6071:
- Crisis Checklist
- Crisis Management Team Listing
- Business Continuity Plans.