
BUSINESS CONTINUITY MANAGEMENT AND RESILIENCE POLICY

Date first approved: 14 July 2009

Date of effect: On Approval

Date last amended: 11 June 2021

Date of Next Review: 11 June 2024

First Approved by: Administrative Committee

Custodian title & e-mail address: Chief Operating Officer, business-assurance@uow.edu.au

Author: Manager, Business Assurance

Responsible Division & Unit: Business Improvement & Assurance Division

Supporting documents, procedures & forms of this policy:

      • Business Continuity Management and Resilience Guidelines
      • Continuity and Resilience Group - Terms of Reference
      • Critical Incident Guidelines
      • Delegations of Authority Policy
      • Emergency Management Plan
      • Emergency Response Guidelines
      • IMTS Disaster Recovery Plan
      • Privacy Policy
      • Risk Appetite Statement
      • Risk Management Framework and Guidelines
      • Risk Management Policy

Relevant Legislation & External Documents:

      • AS/NZS 5050:2010 Business Continuity - Managing Disruption-Related Risk
      • AS ISO 22301:2017 Societal Security – Business Continuity Management Systems – Requirements
      • ISO 22313:2013 Societal Security – Business Continuity Systems – Guidance
      • ISO 31000:2018 – Risk Management Guidelines

Audience: Public – accessible to anyone

Contents

1 Purpose of Policy

2 Definitions

3 Application & Scope

4 Business Continuity Principles

5 Business Continuity Management Relationships

6 Assurance

7 Roles & Responsibilities

8 Version Control and Change History

    1 Purpose of Policy

      • 1. The Business Continuity Management and Resilience Policy (“the Policy”) is designed to minimise the impact that a disruptive event or incident could have on the critical business functions of the University including teaching and learning, research, administration and operations.
      • 2. The Policy and associated guidelines are designed to build the resilience and response capabilities of the University in order to safeguard people and operations as well as to uphold confidence in the organisation.
      • 3. Business Continuity Management (BCM) is an important component of the University’s risk management framework. The Business Continuity Management and Resilience and Business Continuity Management Framework and Guidelines provide assurance to the University Council, Risk, Audit and Compliance Committee (RACC) and the Vice-Chancellor that disruption related risks are clearly identified and managed appropriately, with consideration to the University’s Risk Appetite Statement and objectives.

    2 Definitions

| Word/Term | Definition |
|---|---|
| Business Continuity | The capability of the University to continue to deliver teaching and learning, research, administration and operational capabilities at an acceptable level following a disruptive incident or event. |
| Business Continuity Management (BCM) | Holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. |
| Business Continuity Plan (BCP) | Documented procedures that guide organisations to respond, recover, resume and restore to a pre-defined level of operation following a disruptive event. The BCP is used as a communication and decision support tool and is executed in response to a business disruption. |
| Critical Process Impact Analysis (CPIA) | Also referred to as Business Impact Analysis (BIA). The process of analysing key business functions and the effects that a business disruption might have upon them. The CPIA provides a level of analysis to examine in detail any consequences that may exceed routine management capability. |
| Disruption | A major incident or event that interrupts normal business functions, operations or processes whether anticipated (e.g. storm, flood) or unanticipated (e.g. terror attack, biological pathogen, earthquake). |
| Specialist Recovery Plans | Documented specialised processes or procedures that guide Divisions, Faculties or Business Units to respond, recover, resume and restore to a pre-defined level of operation post a business disruption. |

    3 Application & Scope

      • 1. This Policy applies to all faculties, divisions and significant University activities including regional campuses and controlled entities.
      • 2. This Policy must be read in conjunction with the University’s Business Continuity Management and Resilience Guidelines, Risk Management Policy, Emergency Management Plan, Crisis Management Plan and IMTS Disaster Recovery Plan.
      • 3. The University has established a Continuity and Resilience Group (C&RG) that facilitates business continuity and resilience management and the University’s capabilities to react and respond to disruptive events.

    4 Business Continuity Principles

      • 1. The University is committed to the efficient and orderly resumption of critical business functions in the event of a disruption in alignment with the University’s Risk Appetite Statement.
      • 2. The University will maintain a complete, organised and effective approach to BCM that guides the development of business continuity processes and identifies priorities for the restoration and reinstatement of critical and non-critical operations and functions.
      • 3. The University is committed to the establishment and maintenance of Business Continuity Plans (BCP) including organisational, faculty, division and unit plans to maintain continuity of critical business operations and processes within acceptable timeframes. All plans should incorporate the specified requirements as defined in the BCP template that is available on the University’s Enterprise Risk Management System (ERM) inclusive of resource requirements and recovery strategies.
      • 4. The appropriate BCP will be activated following a disruption where there is a sustained impact on the University’s critical business functions.
      • 5. In the event of a disruption, the University will work to reinstate operations at a capacity or level that is sufficient to perform and maintain critical business functions. In doing so, the University recognises that non-critical business operations may operate at a reduced level and require time to resume full capability, capacity and performance.
      • 6. The University commits to testing, maintaining and updating procedures and processes documented in the Business Continuity Management and Resilience Guidelines, BCPs, Critical Process Impact Assessments and any specialist recovery plans on a regular basis.
      • 7. The University maintains a commitment to knowledge development and the delivery of awareness programs, as required, to ensure staff are familiar with the requirements of BCM.

    5 Business Continuity Management Relationships

      • 1. The Policy contains integrated relationships with the University’s Emergency Management Plan, Crisis Management Plan, Pandemic Management Plan and Information Management and Technology Services (IMTS) Disaster Recovery Plans (IT-DRP) depending on the type and severity of the disruption.
      • 2. The C&RG reports to the Risk Management Group on a quarterly basis and to the Risk, Audit and Compliance Committee as required. The broad purpose of the C&RG is to oversee and proactively manage the University’s Crisis Management Plan, Emergency Management Plan, IT Disaster Recovery and BCP testing and processes.

    6 Assurance

      Compliance with BCM will be measured through regular reporting to the Risk Management Group and any significant emerging risks and vulnerabilities will be escalated to the RACC.

    7 Roles & Responsibilities

      • 1. The Chair of the C&RG has responsibility for the management of BCM at the University as outlined in this Policy and its associated documentation.
      • 2. The University’s Incident Assessment Team (IAT) has responsibility for the management of all disruptive events impacting on the University. Once the IAT is notified of an event, it is responsible for determining whether the Crisis Management Team (CMT) is to be activated and, in consultation with the Vice-Chancellor, whether a “crisis” should be declared.
      • 3. The IAT and Emergency Management Coordinator may co-opt any staff from within the University to assist in the implementation and response to disruptive events and activate specialist recovery plans as applicable in accordance with this Policy and the Crisis Management Plan.[1]
      • 4. The Emergency Management Coordinator is responsible for convening the IAT, Emergency Management Plan and BCPs as appropriate in response to a disruptive event.
      • 5. In accordance with the University Delegations of Authority Policy, the IAT Chair and, when convened (as per the CMP), the CMT Chair, has delegated authority to make financial, technological and other emergency response decisions (inclusive of the issuance of communications) where there is insufficient time and/or accessibility to obtain normal approvals due to the urgency or risks arising from the impact of the disruptive event. This extraordinary authority extends for as long as the IAT and/or CMT is immediately responding to the management of a business disruption. This authority is effective from the time of a crisis until such time as normal delegations are able to be resumed.

    8 Version Control and Change History

| Version Control | Date Effective | Approved By | Amendment |
|---|---|---|---|
| 1 | 1 December 2004 | Vice-Principal (Administration); UOW Internal Audit Manager | First Version |
| 2 | 27 April 2006 | UOW Internal Audit Manager | Update distribution list |
| 3 | 14 July 2009 | Administrative Committee | Major Revision of Policy |
| 4 | 16 January 2012 | Vice-Principal (Administration) | Updated to reflect divisional name change from Buildings and Grounds to Facilities Management Division. |
| 5 | 24 May 2012 | Vice-Principal (Administration) | Updated to reflect the transfer of BCMS responsibilities from UOWIA to Finance and the document registration sequence |
| 6 | 20 September 2012 | DVP – Finance & IT for VP(A) | Triennial Scheduled Review and name change from OHS to WHS |
| 7 | 11 September 2013 | Chief Administrative Officer | Updated to reflect title change from VPA to CAO |
| 8 | 9 February 2016 | Vice-Chancellor | Triennial Scheduled Review – minor updating and alignment to UOW Risk Management Policy and Guidelines |
| 9 | 23 March 2017 | Vice-Chancellor | Reviewed to reflect the agreed changes to the BCM Framework |
| 10 | 11 June 2021 | University Council | Renaming of the Policy to Business Continuity Management and Resilience Policy; Identification of BCM as a component of the University’s Risk Management Framework; Updates to the Definitions so they align with those in AS ISO 22301:2017 Societal Security – Business Continuity Management Systems – Requirements; Expansion of the Principles to reflect current practice; Clear identification of the BCM relationships and removal of the previously used flowchart as this is perceived to be more applicable to the Guidelines; Provision of clear roles and responsibilities applicable to the current University Operating environment; and Identification of IAT and/or CMT delegations of authority where there is insufficient time to obtain normal approvals due to the urgency or risks arising from the impact of the disruptive event as approved by Council at the February 2021 meeting. |
