
Business Continuity Management and Resilience Policy

This is the current version of this document. You can provide feedback on this document to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose of Policy

(1) This Policy is designed to minimise the impact that a disruptive event or incident could have on the University and critical business functions including teaching and learning, research, administration and operations.

(2) This Policy, associated guidelines and plans are designed to build the resilience and response capabilities of the University in order to safeguard people and operations as well as to uphold confidence in the organisation.

(3) This Policy serves as the principal enterprise-level directive, with all other plans aligned to complement and adhere to this Policy and the University Crisis and Critical Incident Plans.

(4) Business Continuity Management (BCM) is an important component of the University’s risk management. Policies, guidelines and plans provide assurance to the University Council, Risk, Audit and Compliance Committee (RACC) and the Vice-Chancellor and President that disruption-related risks are clearly identified and managed appropriately, with consideration to the University’s Risk Appetite Statement and objectives.


Section 2 - Application and Scope

(5) This Policy applies to all faculties, divisions and significant University activities including regional campuses and controlled entities.

(6) This Policy must be read in conjunction with the University’s Risk Management Framework, Business Continuity Management and Resilience Guidelines, Risk Management Policy, and Specialist Recovery and Incident Management Plans. See Appendix A.

(7) The University has established a Risk, Resilience and Assurance Group (RRAG) that facilitates the management of the University’s business continuity plans and testing of its resilience capabilities to react and respond to disruptive events.


Section 3 - Business Continuity Principles

(8) The University is committed to responding in a professional and timely manner to a disruption event that may be, or may become, a critical incident or crisis.

(9) The University is committed to the efficient and orderly resumption of critical business functions in the event of a disruption in alignment with the University’s Risk Appetite Statement.

(10) The University will maintain a complete, organised and effective approach to BCM that guides the development of business continuity processes and identifies priorities for the restoration and reinstatement of critical and non-critical operations and functions.

(11) The University is committed to the establishment and maintenance of Business Continuity Plans (BCP) including organisational, faculty, division and unit plans to maintain continuity of critical business operations and processes within acceptable timeframes. All plans should incorporate the specified requirements as defined in the BCP template that is available on the University’s Enterprise Risk Management System (ERM) inclusive of resource requirements and recovery strategies.

(12) The appropriate BCP will be activated following a disruption where there is a sustained impact on the University’s critical business functions.

(13) In the event of a disruption, the University will work to reinstate operations at a capacity or level that is sufficient to perform and maintain critical business functions. In doing so, the University recognises that non-critical business operations may operate at a reduced level and require time to resume full capability, capacity and performance.

(14) The University commits to testing, maintaining and updating procedures and processes documented in the Business Continuity Management and Resilience Guidelines, BCPs, Critical Process Impact Assessments and any specialist recovery plans on a regular basis.

(15) The University maintains a commitment to knowledge development and the delivery of awareness programs, as required, to ensure staff are familiar with the requirements of BCM. 


Section 4 - Business Continuity Management Relationships

(16) The Business Continuity Management and Resilience Framework contains integrated relationships between the University’s Crisis and Critical Incident Management Plans and Specialist Recovery and Incident Management Plans (see Appendix A), depending on the type and severity of the disruption.

(17) The Risk, Resilience and Assurance Group (RRAG) reports to the University Leadership Group (ULG) and the Risk, Audit and Compliance Committee as required. A primary purpose of the RRAG is to oversee and proactively manage the University’s business continuity response, including the Crisis Management and Critical Incident Management Plans, and the alignment of the University response with the emergency or specialist recovery response.


Section 5 - Assurance

(18) Compliance with this Policy will be measured through regular reporting to the RRAG, and any significant emerging risks and vulnerabilities will be escalated to the RACC.


Section 6 - Roles & Responsibilities

(19) The Chair of the RRAG has responsibility for the management of Business Continuity at the University as outlined in this Policy and its associated documentation.

(20) The Critical Incident Management Team (CIMT) and Incident Management Coordinator have responsibility for the management of disruptive events that may be, or may become, a critical incident or crisis.

(21) Once the CIMT is notified of an event, it is responsible for determining whether the Crisis Management Team (CMT) is to be activated.

(22) The CIMT and Incident Management Coordinator may co-opt any staff from within the University to assist in the implementation and response to disruptive events and activate specialist recovery plans as applicable in accordance with this Policy and the Crisis Management Plan.

(23) The CMT will be convened when a disruptive event threatens UOW’s strategic objectives, reputation or viability and strategic decision making is required beyond that of CIMT.

(24) The Incident Management Coordinator is responsible for convening the CIMT, as appropriate, in response to a disruptive event.

(25) The Chief of Staff is responsible for convening the CMT at the direction of the Chair of the CIMT.

(26) In accordance with the Delegations of Authority Policy, the CIMT Chair and, when convened (as per the CIMP), the CMT Chair have delegated authority to make financial, technological and other emergency response decisions (inclusive of the issuance of communications) where there is insufficient time and/or accessibility to obtain normal approvals due to the urgency or risks arising from the impact of the disruptive event. This extraordinary authority is effective from the time a critical incident or crisis is declared and extends for as long as the CIMT and/or CMT is immediately responding to the management of a business disruption, ceasing when normal delegations can be resumed.


Section 7 - Definitions

Word/Term: Definition

Business Continuity: The capability of the University to continue to deliver teaching and learning, research, administration and operational capabilities at an acceptable level following a disruptive incident or event.

Business Continuity Management (BCM): Holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan (BCP): Documented procedures that guide organisations to respond, recover, resume and restore to a pre-defined level of operation following a disruptive event. The BCP is used as a communication and decision support tool and is executed in response to a business disruption.

Crisis: Abnormal or unstable situation that threatens the organisation’s strategic objectives, reputation or viability.

Critical Incident: An event that is highly salient, unexpected, and potentially disruptive which can threaten UOW’s goals and may have profound implications for its relationships with stakeholders, and which demands immediate attention, intervention, and management across multiple UOW functions.

Critical Process Impact Analysis (CPIA): Also referred to as Business Impact Analysis (BIA). The process of analysing key business functions and the effects that a business disruption might have upon them. The CPIA provides a level of analysis to examine in detail any consequences that may exceed routine management capability.

Disruption: A major incident or event that interrupts normal business functions, operations or processes, whether anticipated or not.

Emergency: A sudden, unexpected or unforeseen situation or occurrence that poses a risk to health, life, property or environment and requires an immediate action or response and can be contained locally.

Specialist Recovery and Incident Management Plans: Documented specialised processes or procedures that guide Divisions, Faculties or Business Units to respond, recover, resume and restore to a pre-defined level of operation post a business disruption. A full list is available in Appendix A.

Section 8 - Appendix A: Crisis Management Document Hierarchy

(27) Crisis Management Document Hierarchy