View Current

Business Continuity Policy

This is not a current document. To view the current version, click the link in the document's navigation bar.

Section 1 - Preamble

(1) This Policy was approved by the Vice-Chancellor on 27 August 2014.

(2) This Policy incorporates the following schedules:

  1. Schedule A: Business Continuity Glossary
Top of Page

Section 2 - Purpose

(3) To articulate the guiding principles under which business continuity is to be developed, implemented and managed to enable the University to establish and maintain an effective level of preparedness to respond to incidents that disrupt normal operations.

(4) The Business Continuity Procedure outlines the steps required to comply with this Policy.

Top of Page

Section 3 - Scope

(5) This Policy applies across the University.

Top of Page

Section 4 - Policy

(6) The University recognises that:

  1. the effective and efficient management of disruptions is crucial to ensure the continued delivery of critical and essential University services and activities
  2. the consequences of a disruption to operations may affect the University's strategic, reputational, financial, human resource and service delivery objectives
  3. a planned, documented and exercised response to disruptions will reduce the consequences of a wide variety of incidents
  4. business continuity is the appropriate mechanism to design, develop, implement and manage recovery following a disruption affecting the University's resources and services
  5. business continuity is not an isolated process and to be effective must be integrated with risk management (RM), emergency management (EM), information and communication technology recovery (ICT Recovery) and health, wellbeing and safety processes and procedures.

(7) An 'all hazards' approach will be taken throughout the business continuity planning process to address a number of potential disruptions to operations, including but not limited to:

  1. unavailability of facilities, e.g. flood, fire, power outage, chemical spill, denial of access
  2. unavailability of staff, e.g. pandemic/epidemic, industrial action, extreme flu season
  3. unavailability of information, e.g. ICT systems, hard copy vital records
  4. unavailability of telecommunications
  5. unavailability of an externally provided service, e.g. Australia Post, Microsoft.

(8) Business continuity is an integral part of the University's governance framework and is to be implemented and managed in accordance with this policy and supporting procedure with assurance provided annually to the Executive.

(9) Continuity of service provision must be adequately addressed for services, infrastructure, and/or any resources provided by an external party via certification arrangements, service level agreements and/or other contractual arrangements appropriate to the apparent level of risk.

(10) BCPs must be developed for all faculties, institutes and other areas identified as performing critical activities via the Business Impact Analysis (BIA) process.

(11) ICT Recovery is managed by eSolutions in accordance with this policy and the ICT Recovery Framework.

Accountability

(12) The University Executive will demonstrate a high level of commitment to this policy and support a culture aimed at building organisational resilience through the implementation and continued improvement of preparedness and response capabilities.

(13) The Emergency Management Committee will provide strategic direction and recognise opportunities for improvement in effectiveness, efficiency and integration of the areas of emergency management, risk management, business continuity, ICT recovery and health, wellbeing and safety.

(14) Directors (or equivalent) and Faculty General Managers are the custodians of business continuity preparedness and response capability within their area and are responsible for the development, maintenance and exercising of the BCP.

(15) The Business Continuity Advisor, Campus Services is responsible for centrally coordinated business continuity methodology development and implementation, annual reporting through the Emergency Management Committee, guidance and support, awareness, training and exercise coordination and materials and annual attestation of capability.

(16) eSolutions Managers are responsible for ICT Recovery strategic direction, development and implementation, management and capability validation.

(17) The IT Service Continuity Coordinator is responsible for the guidance, support and coordination of development and exercising of the ICT Recovery processes and procedures and the annual attestation of capability.

(18) The Executive Director, Campus Services is responsible for the strategic direction, development, implementation, management and validation of business continuity, security and emergency management processes and procedures.

(19) The Executive Director, Human Resources is responsible for the strategic direction, development, implementation, management and validation of health, wellbeing and safety processes and procedures relating to staff, including local emergency arrangements.

(20) The Executive Director, Student Life is responsible for the strategic direction, development, implementation, management and validation of health, wellbeing and safety processes and procedures relating to students, including local emergency arrangements.

(21) The Critical Incident Management Team will provide executive decisions and direction on University priorities when responding to large-scale critical incidents affecting multiple areas of the University.

Top of Page

Section 5 - Procedure

(22) Refer to the Business Continuity Procedure.

Top of Page

Section 6 - Definitions

(23) For the purposes of this Policy:

  1. Activity: process or set of processes undertaken by an organisation (or on its behalf) that produces or supports one or more products or services.
  2. Critical activity: any function, process, service or activity identified as critical to the continued delivery of University objectives.
  3. Business Continuity (BC): capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
  4. Business Continuity Management (BCM): the management process that identifies the potential impact to business operations if threats are realised, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.
  5. Business Continuity Plan (BCP): documented procedures that guide organisations to recover, resume, and restore operations to a pre-defined level following a disruption.
  6. Business Impact Analysis (BIA): process of analysing activities and the effect that a business disruption might have upon them.
  7. Exercise: process to train for, assess, practice, and improve performance in an organisation.
  8. Incident: situation that might be, or could lead to, a disruption, loss, emergency or crisis.
  9. Resources: all assets, people, skills, information, technology, premises, supplies and information that an organisation has to have available to use, when needed, in order to operate and meet its objectives.
  10. Definitions relevant to this Policy are listed in more detail in Schedule A: Business Continuity Glossary).