Business Continuity Management Framework 2014-18

Building organisational resilience
Great state. Great opportunity
Director-General’s message
Effective business continuity management reaches beyond the development of business continuity plans. It requires all of us to acknowledge uncertainty as a natural part of business planning. We all need to be aware that risk is inherent in all decisions and activities, that some risks have the potential to interrupt services, and that we need to be prepared to respond to and manage such interruptions.

Successfully applying this Business Continuity Management Framework will increase our ability to absorb, respond to and recover from disruptions. It also offers opportunities to understand how we create value, and establishes direct relationships to the dependencies and vulnerabilities inherent in delivering our outcomes.

I ask all staff to ensure that they are well prepared to deliver our critical functions should a disruption occur.
Dr Jim Watterston
Director-General
Department of Education, Training and Employment
Relationship to the Governance Framework
Business Continuity is part of the Risk Management element of our Corporate Governance Framework, as shown in the accompanying diagram.
Contents
Director-General’s message  0
Contents  1
Introduction  1
  Purpose  1
  What is Business Continuity Management?  1
Our policy  2
  Business continuity principles  2
Business continuity approach  3
  Plan and prepare phase  4
  Response phase  4
  Recovery phase  5
  Monitoring and review  5
  Communication  5
Roles and responsibilities  5
Authority and Related Policies  7
Glossary of Terms  8
Introduction
Purpose
Implementing this framework ensures that we are able to continue delivering critical services following a disruptive event. It aims to build a high level of resilience across all departmental services and sites when facing major adverse events.
What is Business Continuity Management?
Business Continuity Management (BCM) is the development, implementation and maintenance of policies, strategies and programs to assist an entity to manage a business disruption event, as well as to build entity resilience. It is the capability that assists in preventing, preparing for, responding to, managing and recovering from the impacts of a business disruption event. [1]

Disruption-related risks may be infrequent, but they have severe consequences for critical services and cannot be resolved by routine management. Disruption-related risks include physical and non-physical events such as natural disasters, pandemics, significant loss of utilities, financial crises, accidents, and incidents that threaten our reputation.
An effective framework equips us to:
• ensure services that are critical to our objectives continue despite the occurrence of a potentially disruptive event
• stabilise the effects of a disruptive event and return to normal operations and a full recovery as quickly as possible
• capitalise on opportunities created by the disruptive event. [2]
This adaptive capability builds a high level of resilience, and:
• increases security awareness
• minimises financial effects and effects on service delivery targets
• improves understanding of functions and opportunities for improvement
• enhances stakeholder confidence
• protects corporate assets and reputation
• strengthens relationships with emergency response partners.
[1] ANAO, Business Continuity Management: Building resilience in public sector entities, Better Practice Guide, June 2009
[2] AS/NZS 5050:2010 Business continuity – Managing disruption-related risk
Page 1 of 8
Our policy
Business Continuity Management is a core component of good governance and is integral to our Enterprise Risk Management Framework. Business Continuity Management is applied across the entire organisation – central office divisions, regions, schools and TAFE institutes. Business Continuity focuses on our capacity to achieve our objectives.

Our first priority in the case of a disruptive event is the immediate and ongoing safety of customers and staff. DETE’s emergency management arrangements help us to be prepared for, and respond to, emergency situations.

Following the event, we will ensure that our critical services are operating, and that normal business is resumed as quickly as possible.

Finally, we will learn from our experiences of disruptive events to minimise (where possible) their likelihood and consequence in the future.
The BCM Framework links with DETE’s emergency management arrangements and with whole-of-government business continuity arrangements. The Department of Premier and Cabinet has endorsed security and response strategies to increase government agency preparedness for critical incidents, including:
• Queensland Plan for the Protection of Government Assets from Terrorism
• Queensland Pandemic Influenza Plan
• Brisbane CBD Emergency Plan
Business continuity principles

Integrated into business processes
Ensure risk management is an integral part of:
• governance and accountability arrangements
• performance, planning and reporting processes
• program and project management
• decision making
• promoting the health and safety of staff and students

Transparent and based on best available information
Our risk environment and profile:
• is drawn from diverse data sources, expert judgment and stakeholder feedback to make evidence-based decisions
• recognises that the capabilities, perceptions and aims of people (internal and external) can aid or hinder the achievement of objectives, and
• takes account of stakeholders in decision making

Responsive and timely
Risk management:
• is systematic, structured and timely, and
• responds to changes in the risk environment

Continuously improved
Senior executives and staff:
• monitor and review activities impacting risk
• continue to build capability
• seek feedback from stakeholders

Enhance departmental resilience
We will learn from each disruptive event to ensure that we are better prepared to respond to future events.

Take an ‘all hazards’ approach
Our business continuity management addresses the consequences of the disruption (its effect on the availability of infrastructure, ICT and people) rather than its cause.
Business continuity approach
[Figure 1: The relationship between the activities in managing disruption-related risk]
Plan and prepare phase
Actions taken to reduce or eliminate the likelihood or effects of a disruptive event, as well as developing capabilities to ensure effective response and recovery. Recovery strategies and business continuity plans are developed in response to threats and hazards identified through risk management processes.

Risk identification and business impact analysis
Identify and prioritise critical business activities, and the resources necessary to resume these activities when they are disrupted:
• identify risks
• identify business activities
• establish the possible effects of a disruption
• determine how long critical business functions can be disrupted
• identify resources and requirements for business continuity.

Identify response options
• identify options for maintaining business continuity, covering people, IT systems and networks, and facilities

Develop Business Continuity Plans
• organise resources to ensure the right people are available to continue critical business activities and/or deliver essential services

Training, testing and maintenance
• train staff involved in delivering critical business activities
• conduct tests or exercises to validate the completeness and accuracy of the plan
• maintain the plan to ensure it remains current
Response phase

Emergency response
Initial response to a disruptive event, with the first priority being safety, followed by securing assets.

Crisis management
Strategic management response to the disruptive event, aiming to stabilise the situation and communicate with stakeholders to limit further deterioration.
Recovery phase

Continuity response
Processes, controls and resources made available immediately following a disruptive event to ensure we resume critical functions.

Recovery response
Processes, resources and capabilities that help us to resume normal activities. Also presents an opportunity to assess responses and improve business continuity processes and capabilities.
Monitoring and review
The Business Continuity Plan owner is responsible for its maintenance. Periodic or ad hoc monitoring and review ensures that strategies are up to date and incorporate lessons from testing and activation.

Governance, Strategy and Planning will coordinate annual reviews, and prepare a testing schedule for all Business Continuity Plans.
Communication
A consultative approach brings different areas of expertise together to analyse risks. Effective communication ensures that stakeholders understand risk treatment options, and that different views are considered in evaluating risks.
Roles and responsibilities

Director-General
Plan and prepare phase:
• Accountable officer under the Financial Accountability Act 2009
• Advocate for the continual improvement of risk and business continuity resilience
• Represent DETE on the State Disaster Management Group (SDMG)
Response and recovery phase:
• Invoke the DETE Executive Response Taskforce (ERT)

Executive Management Board (EMB)
Plan and prepare phase:
• Provide direction on BCM arrangements

Audit and Risk Management Committee (ARMC)
Plan and prepare phase:
• Approve the BCM framework and Level 1 BCP
• Review the effectiveness of BCM arrangements

Executive Response Taskforce (ERT)
Plan and prepare phase:
• Oversee preparedness arrangements
Response and recovery phase:
• Oversee and direct operations during a crisis, including communication with stakeholders and with the DETE Incident Controller as commander in chief

DETE Recovery Manager
Response and recovery phase:
• Manage prioritisation and coordination of recovery activities as directed by the ERT

Emergency Management and Response Unit (EMRU)
Plan and prepare phase:
• Develop state-wide emergency management policy and procedure
• Provide emergency advice and assistance to schools, including operational response services
• Assist schools to review response and recovery procedures
Response and recovery phase:
• Work directly with regions and Community Safety to maintain staff and student safety until the emergency is resolved
• Manage whole-of-portfolio situational reporting

Senior executives
Plan and prepare phase:
• Ensure that all critical functions have BCPs established, tested, maintained and reviewed
• Ensure staff are trained in the use of the plans
• Build resilience and self-sufficiency
Response and recovery phase:
• Manage operations as directed by the ERT
• Link with the District Disaster Management Group (DDMG) and Local Disaster Management Group (LDMG)
• Activate and implement BCPs in response to a disruptive event

Internal Audit
Plan and prepare phase:
• Conduct compliance audits
• Report to the ARMC on BCM effectiveness

Governance, Strategy and Planning
Plan and prepare phase:
• Set and review the BCM framework and procedure
• Coordinate the development, review and testing of BCPs
• Provide services to support BCM processes
Authority and related policies
This Framework is based on:
• Queensland Government –
  o Financial Accountability Act 2009
  o Financial and Performance Management Standard 2009
  o Disaster Management Act 2003
• Standards Australia –
  o ISO/AS/NZS 31000:2009 Risk Management – Principles and Guidelines
  o AS/NZS 5050:2010 Business Continuity – Managing disruption-related risk

It is supported by:
• Australian National Audit Office –
  o Business Continuity Management: Building resilience in public sector entities. Better Practice Guide (June 2009)
  o Business Continuity Management: Keeping the Wheels in Motion. A Guide for Effective Control (2000)
• Business Continuity Institute Good Practice Guidelines
• Queensland Department of Treasury and Trade, Financial Accountability Handbook
• Queensland Department of Science, Information Technology, Innovation and the Arts, Queensland Government Information Standard: Information Security (IS18).

Related policies and procedures include:
• Queensland Government, Building and Fire Safety Regulations 2008
• Corporate Governance Framework
• Risk Management Framework
• DETE’s emergency management arrangements
• Procedures relating to –
  o Risk Management
  o Business Continuity Management
  o Curriculum Activity Risk Management
  o Health, safety and wellbeing
  o Information security
  o Legislative compliance
Glossary of Terms

Business area
A business area for the purposes of business continuity management includes a division, branch, region or TAFE Institute.

Business Continuity Management (BCM)
The development, implementation and maintenance of strategies and procedures to assist an entity to manage a business disruption event, as well as to build entity resilience. It is the capability that assists in preventing, preparing for, responding to, managing and recovering from the impacts of a business disruption event.

Business Continuity Plan (the plan)
Identifies the responses the department will use to deliver a critical business function following a disruptive event. Earliest possible restoration of such functions after disruption is the main objective of business continuity planning.

Business Impact Analysis (BIA)
The process the department uses to identify which functions are critical business functions and to ascertain the maximum acceptable outage period (MAO) for each identified function.

Critical Business Function (critical function)
A vital function of the department without which the department cannot operate or carry out its key functions. If a critical business function is interrupted, the department may fail to achieve its objectives or deliver its services, suffer a financial loss or damage to its reputation or image, breach a legal or regulatory requirement, or fail to meet stakeholder expectations.

Disruptive event
Any event which causes a significant disruption (no building/infrastructure, no ICT, significant staff unavailability, or any combination of the above) in the delivery of the department’s services.

Maximum Acceptable Outage (the outage / MAO)
The maximum period of time a critical business function can be disrupted before the impact is unacceptable to the department.