Central Administration
Contingency Planning Guide
d:\106738987.doc
1/21
Contingency Planning
Contingency Planning is the use of proactive management techniques for the development of
plans for business continuity which will prevent or minimise the effects of a range of hazards or
disasters on the operations of the University.
Faculties, Departments and Sections need to identify potential disasters within their areas of
responsibility and ensure the development of Contingency Plans for Business Continuity.
When potential disasters which could pose a threat to the University’s business continuity are
identified the four (4) recognised elements of contingency planning must be addressed in the
development of Contingency Plans for Business Continuity. They are:




Prevention;
Preparedness;
Response; and
Recovery.
The key components of Contingency Planning are the likelihood of an adverse event and the
consequences of that event on the achievement of optimum program outputs or outcomes.
The move to formal Contingency Planning will result in benefits to the University as indicated by:








ability to make better business decisions based on reliable and predictable information;
better protection of University assets;
minimal adverse publicity;
minimisation of security risks;
reduction in the overall potential for loss;
improved safety, performance, and efficiency;
proactive rather than reactive response to potential loss situations; and
the minimisation of disruption to client service delivery.
d:\106738987.doc
2/21
Executive Summary
Contingency Planning for Business Continuity
PURPOSE AND SCOPE
To outline the University’s Central Administration Contingency Planning Policy for officers who
have responsibility for managing activities or controlling or directing staff and, in particular, to
officers with budgetary responsibilities for dealing with potential hazards or disasters which
threaten the University’s Business Continuity.
POLICY
To optimize the net costs of all risks and exposures to business continuity (i.e risks to its fixed and
intangible assets, information technology, budgetary allocations and other income, personnel, and
reputation).
ABBREVIATIONS/DEFINITIONS
Contingency Planning is the use of proactive management techniques in the development of
plans for business continuity that will prevent or minimise the effects of a range of hazards or
disasters on the operations of the Department.
Business Continuity is the ability of the University to perform its normal business activity on a
day-to-day basis.
A Contingency Plan for Business Continuity (CPBC) is the formal record of arrangements and
agreements developed to control, prevent or minimise a potential adverse event, hazard or
disaster.
Disaster can be defined as a sudden or great misfortune or calamity or an event which causes
great damage.
DELEGATIONS / RESPONSIBILITIES
Executive Managers / Directors are responsible for including contingency planning for business
continuity within their overall risk management policies and procedures.
All officers have an obligation to:
 advise their supervising officers if they identify areas where contingency planning
methodologies should be adopted;
 suggest amendments and/or updates to established CPBC in the light of changing
circumstances; and
 participate in training and test exercises.
The Administration Computing Policy Committee (ACPC) is responsible for Contingency Planning
Policy Development.
Departmental systems managers are responsible for coordinating risk management and
contingency planning activities within their business group. Risk Management is coordinated by
the Central Administration / ITS Client Liaison Group.
d:\106738987.doc
3/21
BACKGROUND
All members of the University need to be aware of the possible occurrence of certain potential
disasters which might affect its operating capability and to be ready to take action to:
 prevent or reduce the severity of the effects;
 prepare for, respond to and recover from those effects.
There are a number of Risk Management activities which require formalised corporate
assessment and determination. Broad risk areas include property, personnel and liability. The
University’s reputation, service standards and image also need to be considered as well as direct
and immediate risks to budgetary allocations and other income.
The following agencies might be called upon to contribute to and/or provide support for actions
listed in any CPBC and, where appropriate, should be consulted during preparation of the plan:
 State Emergency Services
 Queensland Police Service
 Queensland Ambulance Service
 Queensland Fire Service
 Local Government/Council
 local service clubs
 local functional committees
 Government, industry and community organisations
 local Defence Force authorities
To be effective, a CPBC must be:
 in writing;
 simple;
 properly disseminated; and
 regularly tested and revised.
The plan should be available for scrutiny and open to criticism, however, some parts of the plan
will be of a confidential nature and access to these parts should be limited.
Faculties, Departments and Centres need to identify potential disasters within their areas of
responsibility, and to ensure the development of a CPBC taking into account the four recognised
elements of contingency planning:




Prevention;
Preparedness;
Response; and
Recovery.
d:\106738987.doc
4/21
Typical measures under the four elements of contingency planning include:
PREVENTION









Risk Assessment
Building codes
Building use regulations
Legislation
Computer systems
Fire protection
Public education
Security and quarantine
Zoning and land use management
PREPAREDNESS










Contingency plans for business continuity
Emergency communications
Evacuation plans
Mutual aid agreements
Warning systems
Education and information
Resource inventories
Training and test exercises
Provision of special resources
Data back-up and offsite storage
RESPONSE









Implement plans
Implement emergency declarations
Issue warnings
Activate Emergency Operation Centres
Loss minimisation
Mobilise resources
Notify public authorities
Provide medical assistance
Provide immediate relief
RECOVERY
 Restoration of essential services
 Counseling programs
 Temporary housing
 Financial support or assistance
 Business systems
 Health and safety information
 Long-term medical care
 Physical restoration and reconstruction
 Client information
 Economic impact studies
Not all of the above measures are likely to be relevant in every case. The hazard, the community
and the nature of their interaction will determine appropriate action. The need to cater for
prevention, preparedness, response and recovery will, however, remain constant.
d:\106738987.doc
5/21
THE CONTINGENCY PLANNING PROCESS
The key components of contingency planning are the likelihood of an adverse event and the
consequences of that event on the achievement of optimum program outputs or outcomes.
These two factors of likelihood and consequences can be assessed as high, medium or low. The
process is made up of the following activities:





identification of possible causes and likely effect of an adverse event;
assessment of exposure taking into account the level of risk;
investigation of methods to reduce or avoid losses;
control by selection of appropriate strategies such as avoidance, prevention and reduction;
establishment and review of on-going procedures and management accountability.
POTENTIAL BENEFITS FROM EFFECTIVE CONTINGENCY PLANNING
The move to formal contingency planning will result in benefits to the University as indicated by:








ability to make better business decisions based on reliable and predictable information;
better protection of University assets;
minimal adverse publicity;
minimisation of security risks;
reduction in the overall potential for loss;
improved safety performance and efficiency;
proactive rather than reactive response to potential loss situations; and
the minimisation of disruption to client service delivery.
IMPLEMENTATION
Executive Directors, managers of operating units and supervisors are responsible for contingency
planning functions i.e. complete the writing of the contingency plan and the regular testing and
revision of the plan.
The role of ACPC is to develop appropriate policies and procedures to ensure that contingency
planning is implemented within Central Administration.
The adoption of contingency planning will contribute to the success of University in the
management of people, property and funds. This will occur through the management of potential
adverse events by:
 addressing potential adverse events as identified;
 monitoring changes in University operating environment; and
 continual review of policies, procedures and practices.
d:\106738987.doc
6/21
GUIDE FOR CONTINGENCY PLANNING FOR BUSINESS CONTINUITY
INDEX
1.
Document Control Information
9
2.
Modification History
9
3.
Plan Distribution and Security
9
4.
Document Sign Off
10
5.
Table of Contents
10
6.
Statement of Confidentiality
10
7.
Introduction
10
8.
Scope of Plan
10
9.
Disaster Scenarios
9.1 Flood
9.2 Fire
9.3 Earthquake
9.4 Cyclone / Wind Damage
9.5 Bombing / Bomb Threat
9.6 Hostage Situation
9.7 Unauthorised Access
9.8 Power Interruption
9.9 Chemical Spill
9.10 Computer Systems Failure
11
11
11
11
11
12
12
12
12
12
12
10.
Worst Case Assumption
12
11.
Order of Succession
13
12.
Prevention / Security
12.1 Physical
12.1.1 Layouts
12.1.2 Locks
12.1.3 Intrusion Alarms
12.2 First Aid
12.3 Fire Protection
12.3.1 Fire Alarms
12.3.2 Fire Extinguishers / Hoses
12.3.3 Fire Drills
12.3.4 General Fire Safety
12.4 Power
12.5 Document Security
12.6 Computer Systems
12.7 Emergency Action Plan
13
13
13
13
13
14
14
14
14
14
14
14
15
15
16
d:\106738987.doc
7/21
13.
Preparedness
13.1 Emergency Telephone Numbers
13.2 Employee Details
13.3 Vendor Information
13.4 Analyse Weaknesses
13.5 Offsite Strategy
13.6 Backup Site Strategy
13.7 Logical Considerations
13.7.1 Control Centre
13.7.2 Office Space
13.7.3 Credit Cards
13.7.4 Employee Notification
13.7.5 Transport
13.7.6 Housing
13.8 Disaster Recovery Teams
16
16
16
17
17
17
18
18
18
18
18
18
19
19
19
14.
Response
14.1 Declaration of Disaster
14.2 Security
14.3 Damage Assessment
14.4 Determine Downtime
14.5 Assemble Teams
14.6 News Release
14.7 Approve Expenditure / Budgets
19
19
20
20
20
20
20
20
15.
Recovery
20
16.
Validation and Testing
21
d:\106738987.doc
8/21
1
DOCUMENT CONTROL INFORMATION
This section should contain the following document details:
 Document Name
 Resident Machine
 Directory
 Editing Tool
2
MODIFICATION HISTORY
All businesses are constantly changing. New employees are added, whilst others leave or are
transferred to new locations. Staff change their home address, work and personal telephone
numbers. Computer equipment and software also change. For these reasons it is imperative
that the disaster plan is updated regularly with a major review annually. To ensure that your
disaster plans are in place, information is current and useable, and plans are available when
needed, a responsible person should be placed in charge of reviewing the plan.
This section should contain:
 Document Version Number
 Date of Modification
 Author
 Description / Reason
3
PLAN DISTRIBUTION AND SECURITY
A copy of the disaster recovery plan should be given to all staff who have disaster recovery
responsibilities and to selected senior management. Other recipients should include ITS; UQ
Security; Property & Facilities. Marketing & Communications should also be made aware of
the plan's existence and contents. (see 14.6 News Release)
These up-to-date copies of the plan should be kept at the work-place, at home and at the
Control Centre. (see 13.7.1)
Parts of the plan will of necessity be confidential and will not be given to all members. For
example details of the security system, or the home addresses and telephone numbers of
other disaster recovery teams will not be given to every team member.
It is imperative that each copy of the plan have a serial number and a record kept of who is
given each numbered copy. It should be clearly stated on the front cover that the document or
parts of the document are not to be copied. If a staff member ceases employment or is
transferred to another location then his / her copy must be returned to the disaster recovery
coordinator.
The section should contain a table of recipients detailing name, department or section,
responsibility, number of copies and serial number(s).
d:\106738987.doc
9/21
4
DOCUMENT SIGN OFF
This section is provided for the inclusion of stakeholder acceptance signatures.
5
TABLE OF CONTENTS
This is self explanatory, however ensure that all sections are properly covered. If for some
reason it is felt that a particular section is not relevant then an explanation should be given in
the body of the plan.
6
STATEMENT OF CONFIDENTIALITY
As the disaster recovery plan contains confidential information ensure that the words
‘Statement of Confidentiality’ are displayed prominently at the beginning of the plan. It should
be made clear that if the plan is lost or ends up in the wrong hands the material is not to be
used or copied and should be returned to the University. It should also be stated that all
questions about the plan or disasters, including questions from the media, are to be directed
to and will only be answered by authorised personnel. (These authorised personnel should be
listed)
7
INTRODUCTION
Describe here the purpose of the plan and detail the plan’s background. Why was it written?
What is it intended to achieve? Who was involved in its formulation? Who is the intended
audience?
This section should also note references as applicable.
8
SCOPE OF THE PLAN
Describe here what assets are to be protected and what disaster scenarios are covered by
the plan, and which scenarios are specifically excluded. What business group / region /
district does it cover? For example, the plan could cover only one campus and one business
group or several buildings and multiple groups at one location. Details of the business group /
department’s core business should be stated and how that core business is delivered to
customers.
d:\106738987.doc
10/21
9
DISASTER SCENARIOS
The types of disasters that should be considered include:










Flood
Fire
Earthquake
Cyclone / Wind Damage
Bombing / bomb threat
Hostage Situation
Unauthorised Access
Power Interruption
Chemical Spill
Computer Systems failure
There may of course be other disasters peculiar to a particular location and these should also
be considered.
9.1
FLOOD
Special consideration will have to be given to offices located near rivers or in flood prone
areas. Of concern is computers or other valuable equipment in basement or ground floor
areas. Remember also that it does not necessarily take a major flood to cause prolonged
interruption to operations.
Localised heavy rain can also cause problems if for example staff and clients are unable to
gain access to the office.
9.2
FIRE
Fires can be started internally through an electrical fault or from an outside source. Consider
what you would do if all the computers and vital records are destroyed. The building, while not
burnt to the ground, could be considered unsafe and access denied for a number of days.
9.3
EARTHQUAKE
Consider the possibility of an earthquake even if the office is not in an earthquake zone.
Again it must be stressed that it does not require a major earthquake to cause significant
disruption. Older buildings are easily damaged and may be declared unsafe limiting access
for a number of days. Whilst your office may not be directly affected earthquakes also cause
power and communications failure. (see 12 below)
9.4
CYCLONE / WIND DAMAGE
Cyclones are a major problem in the northern part of the state whist in the south east corner
storms in the summer months are, and special precautions are needed here. Power lines can
be brought down and buildings unroofed. Again vital computer equipment and records could
be lost or destroyed.
d:\106738987.doc
11/21
9.5
BOMBING / BOMB THREAT
Bombings or the threat of bombing can be caused by disgruntled ex employees, students or
clients. The building could be wholly or partially destroyed or the building evacuated and
rendered unusable for a considerable time.
9.6
HOSTAGE SITUATION
An aggrieved person could hold someone hostage causing the evacuation of the building and
the closure of communication links.
9.7
UNAUTHORISED ACCESS
A large group of protesters (e.g. students) could occupy the main office and refuse to leave,
or after the protesters are removed the police could lock all doors to the complex thus limiting
entry and exit of staff. Also consider the possibility of an overnight break-in where computers
are stolen and vital research data lost.
9.8
POWER INTERRUPTION
Consider power to the building being cut when an electrical sub station is destroyed or
communications interrupted when telephone lines are brought down in a storm. Computers
can be made unusable and personal computers in use at the time can be affected.
9.9
CHEMICAL SPILL
Consider the possibility of a spill either inside or outside the building causing its closure for an
extended period while the spill is cleaned up.
9.10 COMPUTER SYSTEMS
Consider the following:






Failure of critical business process
'A'
'B'
etc
Loss of individual PCs (fault, damage, theft)
Loss of NT server(s)
Loss of main server(s)
Loss of network(s)
Loss of telephone system
10. WORST CASE ASSUMPTION
It should be stated that the plan has been developed to cover a worst case scenario. In
developing the plan re-enforce an ‘after the disaster’ mentality. Select a disaster that may
befall you and consider the total loss of the on-site property. Of course if a less serious
situation occurs then only part of the plan will need to be invoked e.g. temporary loss of
power.
d:\106738987.doc
12/21
11. ORDER OF SUCCESSION
It is important when a disaster strikes to know who is in charge. Staff members can be away
from the office or home and cannot be contacted. Or worse still they could be injured or killed
in the disaster itself.
In a disaster the Divisional Disaster Recovery Management Group (DDRMG) should succeed,
for the purpose of disaster recovery operations, the normal management hierarchy. Their
authority will last until normal operations are restored and the disaster is declared over.
Whatever Disaster Recovery Group is selected it must be ranked in order of succession from
the highest to the lowest. It is recommended that a copy of the organisation chart for the
location / business group be displayed here with the order of succession shown underneath.
12. PREVENTION / SECURITY
Steps must be taken to ensure that mechanisms are in place to try to stop disasters from
happening and if that is not possible, to reduce their effect. For example the installation of
sprinklers can stop a small fire becoming an out of control blaze; moving computer equipment
away from windows or boarding windows following a cyclone alert could considerably reduce
damage.
12.1 PHYSICAL SECURITY
Consider what assets in terms of people, tangible and intangible assets, computers, and
confidential information need to be kept safe. Consider both working hours and after hours
security. During working hours what steps are taken to screen visitors? Are visitors (including
contractors) required to wear identification badges? Have staff been instructed to query
strangers on their presence? Are steps taken to segregate information centres from offices?
12.1.1 LAYOUTS
Layouts of each building showing points of entry / exit, key installations like computer rooms,
and communication centres, should be shown. A separate plan showing the layout of the
computer room and the location of the building in relation to other buildings in the area should
also be drafted.
12.1.2 LOCKS
Ensure all external windows and doors are fitted with locks (preferably key operated dead
locks for doors) and that consideration be given to keeping external doors that are not used
by the public locked during the day. Sometimes doors are left unlocked when only a few staff
use the entrance and they could be issued with a key or key card. Ensure that procedures are
put in place whereby a staff member or their delegate is designated to close the office at
night. Ensure that access to the computer room is strictly controlled and only authorised staff
have access. A procedure should be put in place to ensure that keys are recovered from staff
when they cease employment and safe combinations changed.
12.1.3 INTRUSION ALARMS
If the office is vulnerable to intrusion or vandalism has consideration been given to the
installation of security alarms to control against overnight break-ins. Burglars often set fire to
premises to cover up their crime so not only is valuable equipment stolen but the whole
building could be lost. If intrusion alarms are fitted then details should be given here as to the
type of alarm, the maker, positioning of the detectors and the control panel, the security
monitoring company, and which employee is responsible if the alarm is activated.
d:\106738987.doc
13/21
12.2 FIRST AID
Adequate first aid kits must be supplied to all offices in accordance with the Workplace Health
and Safety Act 1995. Trained first aid officers must also be available, and details should be
given here of the emergency response procedures and training. For example, what should be
done if a staff member suffers a heart attack.
12.3 FIRE PROTECTION
Adequate fire protection is critical as it involves the protection of the lives of employees,
students and visitors. Whilst adequate fire protection might have been initially installed, are
steps taken to ensure the protection is maintained? For example, are fire exit doors clearly
marked and free of obstruction? Are extinguishers marked to show the type of fire they are to
be used on? Are extinguishers clearly visible and properly mounted on walls? Are staff trained
in the use of extinguishers?
12.3.1 FIRE ALARMS
State here what fire alarms if any have been installed and how they are activated and how
they work.
12.3.2 FIRE EXTINGUISHERS / HOSES
State how many extinguishers / hoses are located in each building and display in a prominent
place a layout plan for extinguishers. Ensure that service agreements are in place for the
regular maintenance of extinguishers and hoses and that the service is carried out.
12.3.3 FIRE DRILLS
State here the procedures in relation to fire drills i.e. the person responsible, frequency, staff
induction procedures. (see also 12.7)
12.3.4 GENERAL FIRE SAFETY
Ensure that all exits are properly marked and properly illuminated; state who is responsible for
ensuring all emergency exits are checked to ensure there are no obstructions; ensure that all
work areas have emergency back up lighting and alarms fitted, and ensure all electronically
operated doors return the lock to the neutral position if the power fails. (see also 12.7)
12.4 POWER
What procedures are in place to ensure the facility is provided with continuous power supply
where necessary. Consideration must be given to the computer room and refrigeration
equipment including freezers.
Conduct regular electrical safety checks.
d:\106738987.doc
14/21
12.5 DOCUMENT SECURITY
What procedures are in place to protect the University’s sensitive documents. Issues to
consider include:
 Classification of documents
 Document security
 Fire-proof safe for vital documents and records
 Shredding confidential documents
 Forwarding documents
12.6 COMPUTER SYSTEMS
Ensure documentation for the following are kept up-to-date at the work-place and off-site:










Procedures
Systems
Network Diagram(s)
include all PCs, servers, switches
include all IP addresses
Detailed Equipment / Asset List
PCs
(incl. specifications, operating system versions, software versions, data held locally)
Servers
(incl. specifications, configuration, operating system versions, patches, domain names,
database versions, software versions, disk layouts, disk contents)
Backups
Printers
Fax machines
Copiers etc.
Avoid having procedures or systems knowledge vested in a single individual.
Ensure virus control procedures are in place and that the latest version of detection software
is maintained.
Ensure that operating systems and application software as well as data are backed-up.
Ensure latest backup software is stored off-site.
Use change control procedures.
Ensure correct access levels are set and maintained at database and application levels for
users, including support staff.
Issue instructions to staff regarding the protection of information. Staff should be instructed as
a minimum:
 Not to write down passwords
 Not to disclose passwords
 To log off when not at their terminals
 Not to disclose confidential information
 To use password protected screen savers
d:\106738987.doc
15/21
12.7 EMERGENCY ACTION PLAN
Determine whether your location is covered by an emergency action plan. If a plan has been
completed details should be given here including the name of the emergency response
coordinator. If a plan has not been completed urgent action should be taken to complete one.
13. PREPAREDNESS
13.1 EMERGENCY TELEPHONE NUMBERS
A list should be compiled of all emergency telephone numbers and staff instructed on the
steps to take in an emergency situation. Some locations have protective security officers on
duty and these officers or floor wardens are generally the first point of contact for staff in the
case of an emergency. The numbers you should consider include:
 Police
 Doctors
 Fire Brigade
 Ambulance
 Hospital
 Utility suppliers - electricity, gas, water, telephone
 Department of Environment
 State Emergency Services
A support contact details list should also be maintained at the work-place and off-site. The list
should denote who to contact for what service; details of maintenance or service level
agreements; out-of-hours support arrangements. This list could include:
 Hardware suppliers
 Software suppliers
 UQ Information Technology Services (ITS)
 UQ Security
 UQ Property & Facilities
 Suppliers, banks, insurers,
 QTAC, DETYA
13.2 EMPLOYEE DETAILS
An organisation chart of the Faculty / Department / Section covered by the plan should be
included.
For each member of the organisation covered by the plan, the following should be maintained:
 Direct work telephone number
 Work facsimile number
 Work e-mail address
 Mobile phone number
 Pager number
 Home address
 Home telephone number
 Home e-mail address
d:\106738987.doc
16/21
13.3 VENDOR INFORMATION
Provide here information on suppliers / vendors. Examples of the types of vendors that should
be considered include:
 Real estate agents(for office space)
 Equipment hire companies
 Car and truck rental companies
 Taxi companies
 Suppliers of emergency equipment (including SES)
 Transport companies / removalists
 Computer supply companies
 State Government security
 Electrician and plumber
 Office stationary suppliers
 Office equipment hire and retail
13.4 ANALYSE WEAKNESSES
List services; determine needs; identify resources.
Analyse weaknesses by comparing resources needed with resources available. Any
resources that are not available represents a weakness that will have to be addressed. List all
the services provided to your customers and rank services in order of priority. After compiling
your list of services determine what facilities, equipment, staff and other resources you will
need to provide within
24 hours / 3 days / 1 week / 2 weeks / longer.
Once you have determined the resource requirements compile a list of resources available.
For example the Faculty / Department / Centre may be able to use office space belonging to
another Faculty / Department / Centre. If office space cannot be found at another University
department, approaches will have to be made to local real estate agents or local clubs or
service organisations to determine if suitable space is available.
13.5 OFFSITE STRATEGY
There is no point developing detailed disaster plans and keeping data back-ups if all the
information is kept at one location which is lost in a fire. Give details here of the offsite
storage of records and information. What information is stored, where is it stored, what
security is provided, how do you gain access. Records that should be stored in a secure
offsite location include:
 up-to-date disaster recovery plan;
 backup tapes / disks (incl. backup software, operating system(s), database and
application software);
 business procedures documentation;
 computer system documentation;
 operational manuals;
 special and everyday stationery;
 phone books - UQ and general;
 first aid kit.
d:\106738987.doc
17/21
13.6 BACKUP SITE STRATEGY
Consideration must be given here to the establishment of an offsite facility. Some large
organisations set up hot / cold sites. A hot site is one that is fully equipped and ready to use. It
would involve having a separate computer room with raised floor and air conditioning and
computers standing idle.
Few organisations can afford such an arrangement so consideration is given to the
establishment of a cold site that provides only the basics - an empty room with air conditioning
and power but without computers. Ensure that cabling is in place to enable computers to be
plugged in and connected to the network. (see also 13.7.2)
A number of service organisations also provide computer services on a shared basis, whilst
consideration could also be given to entering a cooperative agreement with another University
department to share the use of a computer. Caution must be exercised to ensure the facilities
are not being shared with too many users rendering them useless in a major disaster affecting
a large area.
13.7 LOGISTICAL CONSIDERATIONS
Thought must be given here as to what resources will be required after the disaster.
13.7.1 CONTROL CENTRE
A control centre or ‘command post’ must be available so the disaster recovery team can meet
after the disaster has occurred. The control centre should be safe, accessible and as close to
the office as reasonably practical to ensure it would not be affected by the disaster.
Select a number of locations but state clearly in the plan the number one site and if it cannot
be used the next desirable site. Enquires should be made of other University offices to see if
space is available but if this is not practicable, consideration will have to be given to rented
office space.
13.7.2 OFFICE SPACE
Consideration must be given to office space requirements. Again check with University offices
but enquiries could also be made of municipal councils, clubs, schools and local real estate
agencies. For a small fee some agencies will ensure that office space is available for a limited
time and notification given if the space is to be let. (see also 13.6)
13.7.3 CREDIT CARDS
Key members of the Disaster Recovery Team and those who are responsible for purchasing
emergency supplies should be issued with corporate credit cards.
13.7.4 EMPLOYEE NOTIFICATION
Thought must be given as to how employees are to be notified about the disaster and whether
or not they will be required to report for work. Arrangements should be made with the local
radio, television stations, and newspapers and details worked out in advance as to who will
contact the media and what will be said.
d:\106738987.doc
18/21
13.7.5 TRANSPORT
If it is envisaged that the temporary office facilities will be some distance from the existing
office then consideration should be given to having arrangements in place to transport staff to
the new location if public transport facilities are poor.
13.7.6 HOUSING
If it is envisaged that staff will be moved to temporary sites at other University locations then
consideration must be given to providing temporary housing for staff.
13.8 DISASTER RECOVERY TEAMS
Consideration will need to be given here as to what disaster teams are required. Typical
teams may include the following:
 Management Group
 Management Support
 Computer Operations
 Communications
 Records Management
 Accounting
 Public Relations
 Transportation
 Emergency Response
 Security
 Damage Assessment / Salvage Supply
Specific personnel must be recruited for these tasks and someone selected to lead the team.
Normally another member of the team will be selected as the alternate leader. Once the
teams have been selected they will have to give consideration as to what specific tasks they
will be required to carry out in the case of an emergency.
For example, the records management team would need to consider such things as retrieving
manuals from off-site storage; notifying Australia Post, courier, and delivery services to hold
all incoming mail and other goods; arrange collection of mail and goods; identify new address
and location of staff for mail and correspondence; notify Australia Post and couriers of new
address.
Communications team would need to ensure that telephones are diverted, that new fax and
phone services are installed and that advice on new telephone and fax numbers is
disseminated to clients.
14. RESPONSE
14.1 DECLARATION OF A DISASTER
An estimate must be made of the expected downtime following an emergency situation. Prior
to this a decision must be made as to what downtime would constitute a disaster and the
need to invoke the full disaster plan.
Whenever it is expected that the interruption to University services will exceed the
predetermined maximum allowable downtime established by the DRMG then the DRMG
administrator or next in the order of succession can declare a disaster.
d:\106738987.doc
19/21
If it is estimated that downtime will be less than that which would constitute a ‘disaster’ then
only part of the plan would need to be invoked and only the action team coordinator of the
area affected will need to be involved.
14.2 SECURITY
If applicable, immediate steps must be taken to secure the premises to control unauthorised
entry to the building and to prevent further damage or loss of assets from pilfering. If approval
is given by emergency personnel on duty to enter the building, staff should ensure that vital
records and valuable equipment are locked away where practicable. Stress however that life
and personal safety are of utmost consideration here.
14.3 ASSESS DAMAGE
An assessment must be made of what is damaged and to what degree, but again spell out
that life and personal safety are of paramount importance. An assessment will also have to be
made of the cost of providing services on site and at the alternative sites.
14.4 DETERMINE DOWNTIME
Assessments will need to be made of the length of time before on-site facilities will be back in
operation, how long it will take to establish operations at the alternative sites, and to gain full
recovery. The expected downtime must be compared to the maximum allowed in order to
determine if a disaster is to be declared and the full disaster plan is to be put into operation.
14.5 ASSEMBLE TEAMS
Once a disaster is declared the various disaster teams will need to be assembled using the
plans established and set out in a 'communication calling tree'. The teams will assemble at
the designated control centre (command post) or back-up site depending on the
circumstances. The various teams will now implement their individual plans.
14.6 NEWS RELEASE
Information to employees, clients, and the general community is vital and should be
disseminated as quickly as possible.
14.7 APPROVE EXPENDITURE AND BUDGETS
Once damage and downtime estimates have been completed, emergency expenditure and
forward budgets will have to be approved by the Management Group. Ideally a separate cost
code should be established to clearly identify the cost of the disaster.
15 RECOVERY
Plan, Schedule and Implement Recovery
Using the various recovery teams commence recovery strategies. After a predetermined time
has elapsed a decision will need to be taken as to whether it is feasible to return to the
original site, stay in the back-up site for an extended period or move to a new site.
d:\106738987.doc
20/21
The decision regarding the feasibility of returning to the old site should be made having
regard to expert advice. The building may have been so badly damaged that it will have to be
demolished and rebuilt or whilst not completely destroyed may have outgrown its use and it
may be desirable to move to a new location. Once this decision is taken the disaster recovery
mode is cancelled and the normal management structure is reinstated.
16 VALIDATION AND TESTING
The disaster recovery plan should be tested at least annually. The purpose of the test is to
familiarise all staff with the plan, to enable each member of the disaster recovery teams to
practice their role in recovery, enable any weaknesses to be revealed before the actual
disaster hits, and to document preparedness.
Have each team simulate what they would do in the test and have someone from the senior
management team take notes. After the test is completed, review the notes to determine if the
teams had the correct approach to the disaster, or if the plans need review.
d:\106738987.doc
21/21