Business Continuity Management Policy

Section 1 - Purpose of Policy

(1) Business Continuity Management (BCM) is a crucial component of the University's risk management framework, providing assurance to the University Council, the Risk, Audit and Compliance Committee (RACC), and the Vice-Chancellor and President that disruption-related risks are clearly identified and managed in accordance with the University’s Risk Appetite Statement and objectives.

(2)  

(3) This Policy is designed to minimise the impact of disruptive events or incidents on the University’s critical business functions, including teaching and learning, research, administration and operations.

(4) This Policy also serves as the principal enterprise-level directive, ensuring that all other plans align with, complement and adhere to this document and the University’s Critical Incident and Crisis Management Plan.

(5) This Policy, along with associated procedures, aims to build the University’s resilience and response capabilities to safeguard people and operations, and uphold confidence in the University.

Section 2 - Application and Scope

(6) This Policy applies to all faculties, divisions and significant University activities including regional campuses, controlled entities and subsidiaries.

(7) It must be read in conjunction with the University’s Enterprise Risk Management Policy, Critical Incident and Crisis Management Plan and Specialist Recovery and Incident Management Plans. See Appendix A.

Section 3 - Principles

(8) The University prioritises effective business continuity management which includes responding promptly to a disruptive event that may escalate into a critical incident or crisis.

(9) In the event of a disruption, the University will work to reinstate operations at a capacity that is sufficient to perform and maintain critical business functions. In doing so, the University recognises that non-critical business operations may operate at a reduced level and require time to resume full capability, capacity and performance.

(10) The University is committed to establishing and maintaining Business Impact Assessments (BIAs) establishing the priority and criticality of business functions and Business Continuity Plans (BCPs) to maintain continuity of key business operations and processes within acceptable timeframes. All plans will be available on the University’s Enterprise Risk Management System (ERM).

(11) The appropriate BCP(s) will be activated following a disruption where there is a sustained impact on the University’s critical business functions.

(12) The University will regularly test, maintain and update BCM procedures and processes documented in the Business Continuity Management Procedure, Business Continuity Plans, Business Impact Assessments, critical incident and crisis management plans, and specialist recovery plans.

(13) The University is committed to knowledge development and the delivery of required training programs to ensure staff are familiar with the requirements of BCM.

Section 4 - Assurance

(14) Compliance with this Policy will be measured through annual reporting to the University Executive and any significant emerging risks and vulnerabilities will be escalated to the Risk, Audit and Compliance Committee (RACC).

Section 5 - Extraordinary Authority

(15) In accordance with the Delegations of Authority Policy, an extraordinary authority is effective from the time a critical incident or crisis is declared, extends for as long as the Critical Incident Management Team (CIMT) is immediately responding to the impacts of a business disruption, and ceases upon disbandment of the CIMT.

(16) Any decisions made using this delegation must be recorded by the CIMT secretary as a matter of record and reported to the University Executive as soon as reasonably practicable.

(17) On resuming business as usual, a debrief and post incident review will be undertaken and reported to the University Executive by the Chief Risk and Assurance Officer.

Section 6 - Roles and Responsibilities

(18) University Council has overall responsibility for risk management across the University and its entities and it is responsible for approving this Policy.

(19) RACC provides oversight of BCM.

(20) The Vice-Chancellor and President is responsible for:

  1. ensuring the BCM practices are established and maintained in accordance with this Policy;
  2. approving the closure of a Critical Incident or Crisis Management Team;
  3. communicating significant BCM matters to Council and the RACC; and
  4. ensuring the BCM function is appropriately resourced and funded.

(21) The University Executive is accountable for:

  1. the ongoing oversight of BCM;
  2. providing strategic direction and monitoring the management of Business Continuity activities;
  3. reviewing and endorsing the University-wide list of critical business functions;
  4. delegating the day-to-day management of BCM to the Chief Risk and Assurance Officer and Senior Manager, Risk and Assurance; and
  5. delegating responsibility for review of Business Impact Assessments and Business Continuity Plans to the appropriate Business Function owner.

(22) The Chief Risk and Assurance Officer and Risk and Assurance Division:

  1. leads and coordinates the BCM related activities across the University, including undertaking the business impact assessments, Business Continuity Plan development and desktop exercises;
  2. prepares reports as required to enable ongoing monitoring and oversight by the University Executive and Vice-Chancellor and President;
  3. updates and maintains this Policy, BCM Procedures and the Critical Incident and Crisis Management Plans;
  4. supports staff to complete BCM-related activities when required; and
  5. provides Secretariat support and records management for the University’s Critical Incident and Crisis Management Teams.

(23) The Chair of the Critical Incident Management Team:

  1. may co-opt any staff from within the University to assist in the implementation of and response to disruptive events, and activate specialist recovery plans as applicable in accordance with this Policy and the Critical Incident and Crisis Management Plan;
  2. determines whether the disruptive event may threaten UOW’s strategic objectives, reputation or viability, and whether escalation to the Crisis Governance Group is required;
  3. exercises extraordinary delegations in accordance with the Delegations of Authority Policy to make financial, technological and other emergency response decisions (inclusive of the issuance of communications) where there is insufficient time and/or accessibility to obtain normal approvals due to the urgency or risks arising from the impact of the disruptive event; and
  4. proposes closure of the CIMT to the Vice-Chancellor and President in accordance with the Critical Incident Management Procedures.

(24) The Chief Information Digital Officer is responsible for the Cybersecurity Incident Response, IT Service Continuity and IT Disaster Recovery processes, including the alignment of service levels and disaster recovery priority groups with the recovery time objectives identified through BIAs.

(25) Senior Management and Executives (DVCs/VPs, PVCs, Chief Officers, Deans, Campus Provosts, Executive Directors, Directors) are accountable for:

  1. implementing relevant Policy requirements within the School, Division, or Business Unit and developing, maintaining and validating recovery strategies, plans and requirements for their respective area;
  2. reviewing the output of the BIA process for their respective area, including the list of critical business functions identified;
  3. ensuring disruption-related risks identified by the School/Division/Business Unit are addressed in alignment with the University's Enterprise Risk Management Policy;
  4. ensuring sections of the BCP pertinent to their area are reviewed and updated annually for currency, appropriateness, and completeness; and
  5. completing BCM-related training and exercises as required.

(26) All Staff are required to be aware of this Policy, to support and participate in Business Continuity Management-related activities such as the BIAs and desktop exercises, and to undertake training as required.

Section 7 - Definitions

Word/Term
Definition

Business Continuity
The capability of the University to continue to deliver teaching and learning, research, administration and operational capabilities at an acceptable level following a disruptive incident or event.

Business Continuity Management (BCM)
A framework for identifying potential risks and threats to an organisation and developing plans and strategies to ensure that critical business functions continue to operate during and after disruptive events. It aims to protect the organisation from significant disruptions, minimise the impact on operations, and ensure a quick recovery to normal business activities.
A holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan (BCP)
Documented procedures that guide organisations to respond, recover, resume and restore to a pre-defined level of operation following a disruptive event. The BCP is used as a communication and decision support tool and is executed in response to a business disruption.

Crisis
An abnormal or unstable situation that threatens the organisation’s strategic objectives, reputation or viability.

Critical Incident
An event that is highly salient, unexpected, and potentially disruptive, which can threaten UOW’s goals, may have profound implications for its relationships with stakeholders, and demands immediate attention, intervention, and management across multiple UOW functions.

Business Impact Analysis (BIA)
The process of analysing key business functions and the effects that a business disruption might have upon them. The BIA provides a level of analysis to examine in detail any consequences that may exceed routine management capability.

Disruption
A major incident or event, whether anticipated or not, that interrupts normal business functions, operations or processes.

Emergency
A sudden, unexpected or unforeseen situation or occurrence that poses a risk to health, life, property or the environment, requires an immediate action or response, and can be contained locally.

Impact Rating
The level to which a business disruption would impact upon objectives, considered in terms of the impact on the University as a whole. The ratings are as per the Risk Appetite Statement, i.e. Minor, Moderate, Major and Severe.

Emergency Management Plan (EMP)
The written documentation of emergency arrangements for the University, generally made during the planning process. It consists of the preparedness, prevention and response activities and includes the agreed emergency roles, responsibilities, strategies, systems and arrangements.

Risk Management Framework
The set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the University.

Recovery Team
Responsible for the assessment and escalation of incidents as they occur and for the recovery and restoration of normal business operations at the local level.

Recovery Point Objective (RPO)
The point to which information used by an activity is restored to enable the activity to operate on resumption. Used in the BCP primarily for technology resource identification.

Recovery Time Objective (RTO)
The target time for resuming the delivery of a product or service to an acceptable level following its disruption. The RTO period is measured from the point a disaster is declared and the recovery process starts.

Specialist Recovery and Incident Management Plans
Documented specialised processes or procedures that guide Divisions, Faculties or Business Units to respond, recover, resume and restore to a pre-defined level of operation following a business disruption. A full list is available in Appendix A.

Section 8 - Appendix A: Overview of BCM Framework

(27) Overview of BCM Framework