Business Continuity procedure

This is the current version of this document.

Section 1 - Preamble

(1) This Procedure was approved by the Vice-Chancellor on 27 August 2014 and incorporates all amendments to 9 February 2016.

(2) This Procedure includes the following schedules:

  1. Schedule A: Business Continuity Methodology/Lifecycle
  2. Schedule B: Business Continuity Overview.

Section 2 - Purpose

(3) This Procedure explains how to comply with the Business Continuity policy.

Section 3 - Scope

(4) This Procedure applies across the University.

Section 4 - Policy

(5) Refer to the Business Continuity policy.

Section 5 - Procedures

Business Continuity methodology/life cycle

(6) The methodology shown in Schedule A: Business Continuity methodology/life cycle is used to design, develop, implement and manage Business Continuity across the University. This approach aligns with the international standard AS/NZ ISO 22301:2012 Societal security — Business Continuity management systems, Technical Specification ISO/TS 22317:2015 Guidelines for Business Impact Analysis and the Business Continuity Institute Good Practice Guide.

Business Continuity Program elements

Policy and Governance

(7) The Business Continuity policy outlines the scope and overarching responsibilities in relation to the management of Deakin's Business Continuity Program.

Analysis

(8) A Business Impact Analysis (BIA) is the primary information collection and assessment tool in the development of Business Continuity strategies and Contingency Procedures.

(9) The BIA identifies the activities performed and measures the impact of a disruption by assessing that impact over time and determining the 'Die Time' (also referred to as the Maximum Tolerable Period of Disruption).

(10) A Recovery Time Objective (RTO) is drafted for each activity and, where these meet the scope of the Business Continuity policy, the dependencies and supporting resources (people, information and communications technology (ICT) services, facilities, equipment, third parties) are subsequently identified. Activities captured in this step are deemed 'critical activities'.

Design

(11) The information captured and assessed via the BIA process is used to prioritise the restoration of critical activities and set a suitable RTO.

(12) Continuity and recovery strategies are then designed to meet the RTO for critical activities.

(13) Where these strategies involve ICT requirements, details will be provided to eSolutions for inclusion and consideration in ICT Recovery analysis and planning.

Implementation

(14) The implementation of the strategies that have been developed at the design stage is done through the production of a documented Business Continuity Contingency Procedure.

(15) These procedures provide a pre-defined and approved course of action including strategies to be initiated in response to an operational disruption.

Validation

(16) Validation of the University's Business Continuity capability is undertaken through a validation program that comprises periodic desk checks, walkthroughs, simulations, tests or rehearsals.

(17) The testing of the University's ICT disaster recovery capability is managed independently by eSolutions.

(18) Risks that are identified from the Business Continuity validation program will be evaluated and treated in accordance with the University's Risk and Compliance Management policy and Risk Management Framework.

Activating a Business Continuity response

(19) Activation of a Business Continuity response is initiated by the Critical Incident Management Team Leader when an incident disrupts the business-as-usual operations of the University, and the disruption has breached or threatens to breach the RTO of one or more critical activities.

(20) As a guide, Deakin's Business Continuity response will be activated in accordance with Schedule B: Business Continuity Overview.

Implementing Business Continuity Contingency Procedures

(21) During a Critical Incident Management Team response, the Planning Team has responsibility for Business Continuity and will establish a Business Recovery Team (BRT), which is responsible for coordinating the implementation of Deakin's Business Continuity Contingency Procedures by the Local Recovery Teams (LRT).

(22) To support a large relocation of activities or staff, the Critical Incident Management Team may require the displacement of other areas whose activities are deemed non-time critical on the basis of the BIA information, in order to access their resources. This may be required to obtain office space or equipment such as computers.

(23) When the situation has been recovered to the point that the Critical Incident Management Team is stood down, the BRT may continue to work with the LRT of the affected Faculty or Portfolio and report to the Critical Incident Management Team Leader.

(24) Disruptive incidents that do not require a Critical Incident Management Team response are managed through the implementation of the relevant Faculty or Portfolio’s Business Continuity Contingency Procedure.

(25) In these instances, the BRT Team Leader may provide support to the LRTs and mobilise the broader BRT as appropriate.

ICT disaster recovery

(26) ICT disaster recovery is a component of the University's overall business continuity capability. It provides for the timely recovery and restoration of ICT systems and processes, including applications, infrastructure and data resources that support critical activities.

(27) ICT Recovery is managed in accordance with the Business Continuity policy and the Deakin eSolutions ICT Recovery framework and guidelines.

Accountability and Responsibilities

(28) In addition to the Accountabilities listed in the Business Continuity policy, the following shall apply:

  1. Organisational Sustainability within Campus Services is responsible for centrally coordinating the Business Continuity Program and will:
    1. undertake actions (e.g. engagement and training) that continually improve how the principles of Business Continuity are embedded into the University's systems
    2. facilitate the BIA process and development of Business Continuity Contingency Procedures
    3. maintain the University's Business Continuity software, systems and associated documentation
    4. provide support, advice and guidance to stakeholders in each Faculty and Portfolio across the University
    5. periodically evaluate compliance with applicable legal and regulatory requirements, best practice, standards and conformance with the University's Business Continuity policy
    6. establish and maintain a suitable Business Continuity validation program
    7. facilitate the Business Continuity validation program and provide an annual report to the University Executive on the University's Business Continuity preparedness through the Emergency Management Committee
    8. collaborate with the University's Risk and compliance area to identify and record new threats that could lead to a disruption, record and complete identified actions that improve the Business Continuity capability of a Faculty or Portfolio and monitor existing controls that reduce the risk of a disruptive incident
  2. Faculties and Portfolios are the custodians of their business continuity preparedness and recovery capability and as such must:
    1. participate in the BIA process to identify and agree on critical activities and the resources required to support them
    2. develop Business Continuity Contingency Procedures based on BIA information
    3. nominate members to be responsible for actioning the steps outlined in the Faculty or Portfolio's Business Continuity Contingency Procedures; these people are referred to as the 'Local Recovery Team'
    4. review and update the BIA and Business Continuity Contingency Procedures in alignment with the validation program, and following significant organisational change or activation
    5. actively participate in validation exercises, training and awareness sessions to ensure that personnel in their area are familiar with Business Continuity requirements, responsibilities and the response process for disruptions
    6. adequately address business continuity requirements for services and resources provided by third party suppliers
    7. determine and implement treatment actions for risks that are identified throughout the Business Continuity Program in accordance with the University's Risk Management process.
  3. Critical Incident Management Team provides executive decisions and strategic direction on University priorities when responding to critical incidents and managing related Business Continuity responses, and:
    1. directs the BRT during a Business Continuity response
    2. endorses financial decisions relating to the Business Continuity response that are outside of normal delegations
    3. prepares communications to relevant stakeholders during the Business Continuity response.
  4. Business Recovery Team (BRT) is made up of subject matter experts in Business Continuity, ICT, Timetabling and Facilities Services, and:
    1. reports to the Planning Team of the Critical Incident Management Team or the Critical Incident Management Team Leader during a Business Continuity response
    2. coordinates the implementation of Business Continuity Contingency Procedures when an incident has caused a disruption to a critical activity.
  5. Local Recovery Team are those people listed in each Business Continuity Contingency Procedure as being responsible for actioning the relocation, restart, workaround and restoration tasks, and:
    1. report to the BRT during a Business Continuity response
    2. undertake the actions in the relevant Business Continuity Contingency Procedure to recover from an incident that has caused a disruption to a critical activity.
Section 6 - Definitions

(29) Definitions relevant to this procedure are listed in the Business Continuity policy.