PROCEDURES

BUSINESS CONTINUITY MANAGEMENT FRAMEWORK

PURPOSE

This Framework has been developed in support of both the Business Continuity and Crisis Management Policy and the Emergency and Fire Evacuation Policy. It is intended for use by the CQUniversity community and controlled entities (such as CMS) to assist in the continuance of key processes and critical infrastructure during identified incidents.

CQUniversity's Business Continuity and Crisis Management Policy is the official document by which the University clearly communicates:
- support for the Business Continuity Management Process; and
- the expected roles and responsibilities of the various committees and Executive in the control of Business Continuity and Crisis Management.

The University will manage a consistent process for the management of its operations across all campuses of the University, facilitated by task groups which will coordinate emergency responses under an overall Business Continuity Framework - Business Continuity and Crisis Management Policy.

INTRODUCTION

1 What is Business Continuity Management?

CQUniversity's business strategies and decisions are based on the assumption that the University will continue to operate as normal on a daily basis. While Risk Management is about identifying possible risks and putting into place treatments to try to prevent an occurrence that impacts on University operations, Business Continuity Management details the necessary procedures and strategies that are to be actioned should an actual disruption occur.

The objective of Business Continuity Management is to ensure the uninterrupted availability of all key University resources required to support essential (or critical) business activities.

The Business Continuity Management Framework sets out the processes and tools necessary to enable rapid response to incidents, recovery of key processes and restoration to core business activities (Business As Usual).
The Business Continuity Management Framework is based on the preparation of:
- Business Continuity Plans (BCP) for key areas and activities of the University;
- disaster recovery planning for critical infrastructure and resources;
- communications and media liaison strategies; and
- crisis management and recovery, and emergency planning.

2 Link to Risk Management

Business Continuity Management is inextricably linked to Risk Management - one is the consequence of the other. Where Business Continuity Management (including Planning and Testing) comes into force is through Impact. The risk event has occurred; how should the University respond, recover and restore to full operations?

Similarly to Risk Management, the scale and timing of incidents/events cannot be reliably predicted; however, the difference lies in being able to categorise where the known impacts can occur.

Further information on Risk Management at CQUniversity can be obtained by accessing the Risk Management Framework and Guidelines.

Business Continuity Management Framework Page 1 of 7
3 Why a Business Continuity Management Approach?

Due consideration needs to be given to the management of incidents and crises across the wider University from a multi-city perspective. This requires collaboration between all campuses (regional and metropolitan) and a two-way flow of information during incidents and events. Planning also allows for both correct local and high level response to occur and also drives fundamental awareness at the University and core resource area level of capital requirements, service availability and gaps.

By implementing a Business Continuity Management Framework the University is able to:
- recognise the risks and impacts, key resources and core processes;
- respond to the event;
- protect life, property, systems and other resources;
- recover the resources, systems and processes;
- restore to full operations; and
- review response, test preparedness and recalibrate planning.

4 Responsibility for Business Continuity Management

Whilst the University Council is ultimately responsible for monitoring risk and setting the risk appetite for the University, management of the implementation of Business Continuity Management is the responsibility of the Vice-Chancellor within the identified committee structure, as well as senior and local managers of the University for their respective work areas.

Business Continuity Planning Committee (BCPC): Responsible for the development and review of a strategic framework, including BCP testing, to ensure effective University operations in the event of a major incident or crisis.

Crisis Management Control Group (CMCG): Event-driven emergency work group, responsible for the coordination of major incident and crisis responses across the University.

Emergency Response Team (ERT): Activated to effectively manage local crisis events identified on University campuses.

5 Definition of Event Levels

Business Continuity Management acknowledges that despite the best efforts employed in organisational risk management, events adversely affecting (disrupting) University operations will sometimes occur. At CQUniversity, these events are categorised as follows:

Incident/Emergency: A localised event or outage, within a single area or process, insignificant or minor impact on the University. Please note: Multiple or ongoing incidents may have a cumulative effect, becoming a major incident or crisis.

Major Incident/Emergency: An extraordinary event or outage where key business processes are disrupted or resources are lost; has a moderate or major impact on the University. May affect external areas.

Crisis: A disaster event, or series of incidents, that have the potential for extreme impact on processes, resources and the University's long term prospects or reputation. May affect external areas.

It is important to remember that incidents can occur across, or affect, a range of categories, and are not limited to the traditionally-expected areas of Facilities Emergencies and ITD Disasters. Taking a broader view allows a wider classification of impacts as per the following impact categories:
- People (Staff, Students, Public);
- Facilities, Services and Environment;
- Systems and Communication;
- Finance and Legal; and
- Reputation and other.

Some examples of incident/emergency/crisis events (risk management link) include but are not limited to:
- adverse research outcomes;
- bomb threat;
- building invasion;
- bushfire, building fire;
- chemical, biological and radiological disaster event;
- civil disorder;
- cyclones, including major storm damage;
- hazardous substance incidents;
- industrial accident;
- major financial issue;
- other natural disasters: flood, earthquake;
- serious ethical issue, such as fraud, public international student complaints, major legal issues;
- serious health issue/outbreak of disease or pandemic;
- severe weather event;
- significant adverse change in Government policy;
- structural instability;
- systems collapse;
- terrorism event, bomb threat or major intrusion event; and
- toxic emission.

6 Prioritised Scope - BCM Monitoring and Control

Given the complexity of CQUniversity, it is not possible to plan for every conceivable incident/event type. Therefore, a prioritised, risk-based approach is required to ensure that adequate planning is put in place so that the University is able to respond to and recover from any incident/emergency/crisis, and restore to normal operations across the board as efficiently and effectively as possible.

The primary output from the business continuity management process is the development of a Business Continuity Plan (BCP) for each of the priority areas identified by the Business Continuity Planning Committee. The BCP comprises many elements which, collectively, define the approach to dealing with an event that adversely affects University operations, and which details the steps to take to enable rapid response, recovery of key processes and restoration to core business activities.
For each priority area identified by the Business Continuity Planning Committee, a Business Continuity Plan (or similar document) is to be developed and maintained detailing the following:
- description and scope;
- key staff, inputs, processes and resources including Impact Analysis and contacts;
- key principles and core considerations;
- escalation procedures - maximum acceptable outages, response requirements;
- any instructions for incoming committees (Crisis / Emergency Management);
- communication plan (internal and external);
- specific requirements for each campus/centre; and
- testing requirements.
This documentation is not a one-size-fits-all approach, and the final result may need to be much more complex in some areas than it is in others. The most important consideration is that key staff are able to enact the plan with minimal prompting at the time of a Business Continuity event.

The following areas have been identified as CQUniversity priorities for this approach (note particularly that they are linked to each other in many cases). The managers of controlled entities will also need to ensure that a similar approach is taken for these priority areas (where in existence) for their own organisations. For some areas, including group crisis management, and media/communication strategies, participation in an organisation-wide solution is required.

Please note the descriptions below are simplistic - this is a high level framework only.

BCP 1 Campus Operations including Emergency Management

Process Owner(s): Head of Campus; Director, Facilities Management
Associated Process Owner(s): Director, People and Culture; Manager, Health, Safety, Environment and Training

CQUniversity campuses are the hubs of learning and teaching delivery, research activity, engagement work and the day-to-day operations of the organisation. There are various threats (natural or manmade), which could cause a full or partial disruption to the operations of or access to any of these campuses.

Appropriate Business Continuity and Crisis planning needs to be in place to ensure that these disruption events can be managed quickly, with particular regard to the safety of life and property being the highest priority. It is recognised that some campuses are entirely contained within a single building or facility, such that the loss of access to or operation of that facility would constitute full closure.

Specific Emergency Management protocols are detailed separately in the associated processes contained within CQUniversity's Fire Evacuation Program; however they are very much linked.
BCP 2 Core IT Systems including Disaster Recovery Planning

Responsible Manager: Director, Information Technology

CQUniversity Core Information Technology (IT) systems will focus on supporting the University's core business of Engagement, Learning and Teaching, Research and Innovation, and Engaged Enterprise. As such it is imperative that appropriate measures are put in place to quickly rectify any disruption to IT services across all our campuses and learning delivery sites.

Disaster Recovery Planning is a key requirement in this area, and continuous efforts must be made to ensure that successful enactment of this requirement can be undertaken quickly, to reduce the flow-on effects of disruption.

Obvious linkage to Campus Operations, thus plans need to take this into account.

BCP 3 Financial Operations

Responsible Managers: Chief Financial Officer; Director, Financial Services

The ability to conduct transactional business (both inwards and outwards) is critical for the operations of any organisation, let alone CQUniversity. Business Continuity Planning in this regard needs to consider activities including Accounts Receivable, Accounts Payable, Treasury and Banking, Financial and Management Reporting (non-exhaustive).

Obvious linkage to core IT systems, thus plans need to take this into account.

Considerations of fraud and other like inappropriate activity must also be taken into account, and will utilise existing structure / implementation for internal audit, tracking and management control.
BCP 4 Payroll

Responsible Managers: Director, People and Culture; Manager, Salaries, Superannuation and Systems

Our employees are the key to delivering CQUniversity's promise to our stakeholders and for meeting the University's strategic aspirations in regards to Engagement, Learning and Teaching, Research and Innovation, and Engaged Enterprise. As such, the University has an obligation to ensure that staff are not personally affected by a disruption to payroll activities.

Obvious linkage to Campus Operations, Core IT Systems and Financial Operations, thus plans need to take this into account.

Other Areas

The priority list does not, nor shall it, preclude any other areas of the University or controlled entities from understanding the key inputs, processes and outputs of their day-to-day business in order to build a Business Continuity Management culture organisation-wide. All areas of the University are encouraged to utilise this framework to build resilience for their respective work areas.

7 Requirements

Responsible Managers will ensure that:
- a BCP (or similarly fashioned document, e.g. Campus Emergency Response Plan) is developed detailing the steps taken to ensure rapid restoration to business activities;
- a communication plan is developed;
- all responsible officers are made aware of the BCP and their responsibilities in the event of an adverse disruption to normal operations; and
- periodical testing of the BCP is undertaken to ensure its effectiveness.

Remember: Impacts will not just be Facilities and Information Technology!

Categories:
- People (Staff, Students, Public);
- Facilities, Services and Environment;
- Systems and Communication;
- Finance and Legal; and
- Reputation and other.

The big concern for responsible managers: In the absence of or interruption to any, many or all of the above categories, how can processes be kept active, and service to stakeholders kept going?
8 A Note on Testing of Business Continuity Plans

Review of a BCP is essential to ensure it reflects the University's objectives, its core business functions, the corresponding processes and resources and an agreed priority for recovery. Testing and maintenance of the recovery process documented in the BCP will provide management assurance that the plan is effective and will ensure continuity of business should key functions be lost.

The major components of the BCP should be tested at least annually and updated based on the results of each test. It is important each component be individually tested. Testing can be disruptive and requires commitment from management to ensure sufficient resources are available.
Quality assurance reviews of the BCP during its preparation and throughout its life are recommended to ensure its content remains relevant.

9 Corporate Governance Principles

Corporate governance is the way in which the University is controlled and governed in order to achieve its objectives. The control environment makes the University reliable in achieving these objectives within an acceptable degree of risk.

CQUniversity is committed to establishing an organisational culture that ensures risk and Business Continuity Management is an integral part of all activities. This not only contributes to good governance, it also provides protection for CQUniversity in the event of adverse outcomes. Provided Business Continuity Management has been managed in accordance with the appropriate guidelines, protection occurs on two levels. Firstly, the adverse outcome may not be as severe as it might otherwise have been. Secondly, those accountable can, in their defence, demonstrate that they have exercised a proper level of diligence.

The University is committed to business continuity management. This Business Continuity Management Framework, issued under the authority of the Vice-Chancellor and President, will govern the practice of Business Continuity Management.

DEFINITIONS

Business Continuity Management Framework: sets out the processes and tools necessary to enable rapid response, recovery and restoration to core business activities.

Business Continuity Plan (BCP): comprises many elements which, collectively, define the approach to dealing with a break in business continuity, and which prescribes the steps an organisation should take to recover lost business functions.

Risk Management: the systematic application of management policies, procedures and practices to the tasks of communication, establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks to the attainment of the University's outcomes and outputs.
Event: an occurrence that affects/disrupts University operations. Levels of events are categorised as incident/emergency, major incident/emergency or crisis.

Prioritised Scope: identifies those key priority areas of University operations for focused Business Continuity Planning efforts.

Corporate Governance: refers to the way in which CQUniversity is directed and controlled in order to achieve its strategic goals and operational objectives.

Risk Management Framework: the structure within CQUniversity that supports the risk management practice, reporting, responsibilities and accountabilities at all management levels within the enterprise. The risk management framework is a description of streams of accountability and reporting that will support the Risk Management Process within the existing organisational structure.

RESPONSIBILITIES

Vice-Chancellor and President

The Vice-Chancellor and President is accountable to the University Council and has overall responsibility as the accountable officer for protecting the University from unacceptable costs or losses associated with its operations and for developing and implementing systems for effectively managing the risks that may affect the achievement of objectives and operational outcomes.
Executive and Senior Management

The effectiveness of risk and business continuity management is unavoidably linked to management competence, commitment and integrity, all of which form the basis of sound corporate governance. Corporate governance provides a systematic framework within which the executive management group can discharge their duties in managing the University.

Line Management

Line managers at all levels will be responsible for the adoption of risk management and business continuity management practices and will be directly responsible for the results of activities relevant to their area of responsibility.

All Employees

All employees are responsible for:
- Acting at all times in a manner which does not place at risk the health and safety of themselves or any other person in the workplace;
- Providing direction and training to persons for whom they have a supervisory responsibility or duty of care provision relating to health and safety;
- Identifying areas where risk management and business continuity practices should be adopted and advising their supervisors accordingly;
- Meeting their obligations under relevant legislation including workplace health and safety, equal employment opportunity and anti-discrimination; and
- Taking all practical steps to minimise the University's exposure to contractual, tortious and professional liability.

RECORDS

All records relevant to these procedures are to be maintained in a recognised University recordkeeping system, which will include the normal place of business for records pertaining to each Priority type.

Approval Authority: Vice Chancellor
Administrator: Deputy Vice Chancellor (International and Services)
Original Approval Date: 5 April 2013
Amendment History:
Date of Next Review: 5 April 2016
Related Documents:
- Business Continuity and Crisis Management Policy
- Emergency and Fire Evacuation Policy