View Current

Business Continuity policy

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Preamble

(1) This Policy was approved by the Vice-Chancellor on 27 August 2014 and incorporates all amendments to 9 February 2016.

Top of Page

Section 2 - Purpose

(2) This Policy articulates the guiding principles under which Business Continuity is to be developed, implemented and managed to enable the University to establish and maintain an effective level of preparedness to respond to incidents that disrupt normal operations.

Top of Page

Section 3 - Scope

(3) This Policy applies across the University.

Top of Page

Section 4 - Policy

(4) The University recognises that:

  1. the effective and efficient management of disruptions is crucial to ensure the continued delivery of critical activities and University objectives.
  2. the consequences of a disruption to operations may affect the University's regulatory compliance, financial, environmental and University performance, reputation and experience.
  3. a planned, documented and validated capability to respond to disruptions will reduce the consequences of a wide variety of incidents
  4. Business Continuity is the appropriate mechanism to design, develop, implement and manage recovery following a disruption affecting the University
  5. Business Continuity is not an isolated process and to be effective must be integrated with risk management, emergency management, information and communication technology disaster recovery and health, wellbeing and safety processes and procedures.

(5) An 'all hazards' approach will be taken throughout the Business Continuity planning process to address a number of potential disruptions to operations, including but not limited to:

  1. unavailability of facilities, e.g. flood, fire, power outage, chemical spill, denial of access
  2. unavailability of staff, e.g. pandemic/epidemic, industrial action, extreme flu season
  3. unavailability of information, e.g. ICT systems, hard copy vital records
  4. unavailability of telecommunications
  5. unavailability of an externally provided service or resource e.g. Australia Post, contractors, software vendors.

(6) Business Continuity requirements will be assessed via a Business Impact Analysis for activities undertaken by all Faculties and Portfolios.

(7) Activities assessed as requiring recovery within 15 days or less are deemed 'critical activities' and will have a planned, documented and validated Business Continuity capability established.

(8) Business Continuity is an integral part of the University's governance framework and is to be implemented and managed in accordance with this policy and supporting procedure with assurance provided annually to the University Executive.

(9) Continuity of service provision must be adequately addressed for services, infrastructure, and/or any resources provided by an external party via certification arrangements, service level agreements and/or other contractual arrangements appropriate to the apparent level of risk.

Accountability

(10) The University Executive will demonstrate a high level of commitment to this policy and support a culture aimed at building organisational resilience through the implementation and continued improvement of preparedness and response capabilities.

(11) The Emergency Management Committee will provide strategic direction and recognise opportunities for improvement in effectiveness, efficiency and integration of the areas of emergency management, risk management, Business Continuity, ICT disaster recovery and health, wellbeing and safety.

(12) The Critical Incident Management Team will provide executive decisions and strategic direction on University priorities when responding to critical incidents affecting the University and managing related Business Continuity responses.

(13) Directors (or equivalent) and Faculty General Managers are the custodians of business continuity preparedness and response capability within their area and are responsible for the development, maintenance and validation of their specific Business Continuity Contingency Procedures.

(14) Organisational Sustainability within the Campus Services is responsible for centrally coordinating the Business Continuity Program.

(15) Relevant members of the Executive are responsible for the strategic direction, development, implementation, management and validation of supporting capabilities and functions, specifically:

(16) The Executive Director, Campus Services is responsible for Business Continuity, security and critical incident processes and procedures.

(17) The Chief Digital Officer, is responsible for ICT continuity and disaster recovery processes.

(18) The Executive Director, Human Resources is responsible health, wellbeing and safety processes and procedures relating to staff, including local emergency arrangements.

(19) The Executive Director, Student Life is responsible for health, wellbeing and safety processes and procedures relating to students, including local emergency arrangements.

Top of Page

Section 5 - Procedures

(20) Refer to the Business Continuity procedure.

Top of Page

Section 6 - Definitions

(21) For the purpose of this Policy:

  1. activity: process or set of processes undertaken by the University (or on its behalf) that produces or supports one or more products or services.
  2. Business Continuity (BC): capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
  3. Business Continuity Contingency Procedure: a document to be referred to by the affected Faculty or Portfolio during a disruptive incident that outlines the steps required to recover an activity, or set of common activities.
  4. Business Continuity Program: ongoing management and governance process supported by the University Executive and appropriately resourced to implement and maintain Business Continuity management.
  5. Business Impact Analysis (BIA): process of analysing activities and the effect that a business disruption might have upon them.
  6. critical activity: those activities which have been assessed as time-critical to the delivery of key products and services, enabling the continued delivery of University objectives.
  7. ICT: information and communications technology systems used by the University, including applications, infrastructure and data resources.
  8. incident: situation that might be, or could lead to, a disruption, loss, emergency or crisis.
  9. Recovery Time Objective: the period of time following an incident within which an activity must be resumed, or resources must be recovered.
  10. resources: all assets, people, skills, information, technology, premises and supplies that an organisation has to have available to use, when needed, in order to operate and meet its objectives.
  11. validation: periodic process of desk checks, walkthroughs, simulations, tests or rehearsals that provide assurance of the University's Business Continuity capability.